BSD tty security, part 3: How to Fix It

John F Haugh II jfh at rpp386.cactus.org
Tue May 14 23:57:09 AEST 1991


In article <10581:May1315:01:2891 at kramden.acf.nyu.edu> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
>I don't understand this. Why should the application need such assurance?
>It's just an unprivileged program.

OK, how would a privileged application get the assurances it wants that
the port it is talking to is the real port.  For example, how does
"passwd" know that it really has the real user, and isn't being run in
some pipeline with a little expect script that looks for "Old Password"
and then keeps anything else that comes along, including the new
password?  Oh.

>If the system supports normal UNIX security, my changes guarantee that
>when a user starts a program through telnet or rlogin or script or
>whatever, no other program initially has access to the same tty. It's
>not the program's job to make such checks, just as it's not the job of
>each new process to check at user level that it has a unique pid.

BZZZT.  Wrong answer.  Your scam does nothing to protect against
applications that start on non-network ports.  I can always emulate the
login sequence (unless you dream up some exotic login sequence to add
as the next layer of hacks).  I can login and start my little trojan
horse then walk away from the screen with a login banner displayed.
How do you insure that there are no programs, including trojan horses,
running on that port?

>Every new telnet or rlogin or script will skip that pty, so who cares?
>In the meantime the session will be accounted to you.

Sure.  And I'll have your password.  How do you know that I was
actually the person that started the trojan horse once I can
demonstrate that I can break an account?  Program gets your password,
pretends you entered it wrong, exits, and gives you the real banner.
Move on to next victim, signed on as first victim ...

>So use a different secure attention key. The point is that if getty is
>the only program with a hardwired tty open, then there's no way for user
>programs to mangle that tty except as getty allows.

What is the difference between getty having a hardwired port open, and
clone-of-getty sitting on a pty that you just handed me when I logged in?
Or do we throw out all the glass tubes being used today?  As for using
different SAK keys, what to do about UUCP, etc?
-- 
John F. Haugh II        | Distribution to  | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 255-8251 | GEnie PROHIBITED :-) |  Domain: jfh at rpp386.cactus.org
"If liberals interpreted the 2nd Amendment the same way they interpret the
 rest of the Constitution, gun ownership would be mandatory."
