POSIX bashing

Dan Bernstein brnstnd at kramden.acf.nyu.edu
Mon Apr 1 15:57:00 AEST 1991


In article <1991Mar30.202637.8629 at kithrup.COM> sef at kithrup.COM (Sean Eric Fagan) writes:
> The pty driver does not allow the master side to do a TIOCGPGRP on the
> slave side (as they are running in different process groups, and POSIX says
> that this should not happen for normal ttys).

Idiotic. Absolutely idiotic. UNIX has always worked on the principle
that if you have permission to open a file, you can open it, and use the
descriptor forever. *Normal file access permissions handle security*.

Now POSIX has to introduce more than thirty changes (by my count) to the
tty and signal-handling systems, all in the name of tty security. Not a
single change was justified by experience from more than one vendor, and
most of them were entirely new. Few of them make sense.

Why did POSIX make these changes? Because they did not understand that
*normal file access permissions handle security*. They thought
(correctly) that the tty subsystem was insecure, and they thought
(incorrectly) that a bunch of ad-hoc changes would fix the problem.

Convex UNIX 9.0 is a (supposedly) POSIX-compliant system. Not only does
the OS follow every stupid POSIX restriction, but it introduces several
new ad-hoc restrictions on tty access. You would think that this would
eliminate all tty security holes.

Not so. On every available BSD-based system---including Convex UNIX 9.0
and mainstream systems like SunOS and Ultrix---I can gain invisible
write and TIOCSTI access to any tty, with a short program and no
privileges. I sent such a sample program to Tom Christiansen not long
ago, and it was both funny and sad to watch the ensuing panic.

I keep telling people that the tty subsystem is insecure. I keep telling
them how to fix it, with a simple set of basic changes, not the huge
pile of inconsistent, senseless, ad-hoc rules that has found its way
into every POSIX system. Berkeley still doesn't listen.

Keith Bostic, are you listening? I'm sure someone will forward this to
you if not. If I can write a program to break tty security under a
standard BSD 4.4 setup, I will distribute that program as widely as I
can. I guarantee you that this will happen if you do not make some
fundamental changes to the BSD 4.3 + POSIX tty system.

You think this is a threat? Then take it as a threat. It's only sympathy
for the huge BSD 4.3 installed base that has kept me from distributing
such a program already. BSD 4.4 will not have that installed base, and I
see absolutely no ethical or legal reason to remain quiet about such a
pervasive set of security holes.

On the flip side, if you have enough interest in security to want to
eliminate the holes, I'm perfectly willing to tell you how. You don't
have to break POSIX compatibility (though it would be easier that way),
and none of the necessary changes are very difficult (though again it
would make a simpler system if you did put in more effort), and I'm not
even going to pretend that you need a pty manager (though that would
greatly reduce the number of lines you'd have to change in applications).
Hell, you can get most of this information from Steve Bellovin. But if
you're too lazy to ask, I'm not going to tolerate tty insecurity any
more.

> I found this in emacs,
> incidentally.

The POSIX folks don't even understand backwards compatibility. Shameful.

---Dan
