BSD tty security, part 3: How to Fix It

Mon Apr 29 05:45:29 AEST 1991

brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:

>1. Do people think it's a problem that lines from ``write'' are not
>identified?
>2. Do people think it's a problem that someone can start a ``write'',
>then just type EOF or EOT to simulate ending it,
>3. Do people think it's a problem that ``write'' can flood a terminal
>with output before the recipient has a chance to react?

The real problem is that the whole model used by "write" is simply
wrong - sure its simple, and in a sense, elegant, but its simply
not the way that things should be done.

The whole concept of some other random process, owned by some other
random user, being able to open a direct channel onto my terminal,
however the output is massaged, or identified, or restricted, is
simply silly.

The "traditional" way, where /dev/ttyX is mode 622, and anything can
dump anything it likes onto my terminal is just a giant hole, as
everyone knows by now I expect.

The "modern" way where /dev/ttyX is mode 620 and "write" is setgid "tty"
is safer, but now means that I can't create my own "write" like program
with my own preferred user interface, I can only use one of the standard
ones.

What's worse, the appearance of the message that I get to see depends
on the interface that the sending user has decided to select.

This is all absurd - clearly the intelligent way to run things is for
messages that come from another user to be displayed the way I want them
using a process I control - then I can have the message displayed using
whatever interface I desire (in practice, the way it happens is that
I have a window popped up on my display if I'm using a window system
at the time, or I have something very much like traditional "write"
if I'm on a dumb terminal).   Similarly, the user sending the message
can use whatever interface he desires, and there's no reason at all
that the interfaces need be similar - he can be sending a message from
a "talk" like X windows interface, and I can be receiving and responding
on my trusty old ASR33 using something just like 6th edition write,
and the whole thing can be traversing the world.

While part of what I have described is still fantasy (I don't really
have an asr33), much of it is in use here now - we still have to
integrate it with talk, and do some reasonable X interfaces, etc,
but this stuff all works, and is a much better way to operate (obviously
misc other message to the terminal schemes like comsat, wall, ... get
integrated as well).

Basically, there's a daemon process, to send a message you connect
to it, it becomes the destination user, and runs a user supplied
process (shell script commonly) which determines who is sending
the message, and what kind of message it is, and based on that
info, what should be done with the message.  Messages can be
forwarded to other hosts, rejected out of hand, transferred to
mail, ... whatever your process decides to do with it.  All a little
more fine grained than "mesg [yn]"!  Clearly the daemon process needs
to be trusted, and needs a methor to authenticate processes connecting
to it to get accurate user identification, but onto that anyone can
add whatever kind of user interface they prefer.

This stuff is not available (yet) so don't bother asking - the guy
who is actually writing the code has other things to do as well.
(My role is largely to tell him just why its not quite right yet...)

kre