stty bug + effects

brian at muddcs.UUCP brian at muddcs.UUCP
Thu Aug 16 06:25:56 AEST 1984


>   Forgive me if this is already understood, but being able to read the
>terminal settings of another's terminal also means that you can set some
>of those definitions for them - including the famous 'stty 0' - and force
>another's terminal to do funny things to them....
>   Does anybody know of any way to protect themselves against this other
>than the 'mesg n' which disallows ANY writing to your device?
>
>(piggott at bnl for replies + comments)

	Actually, you can do far worse than that to someone else's
terminal.  Under 4.2bsd at least, you can send a command line to someone
else's terminal and have it executed as if that person typed it themselves.
(Using a short 'C' program to do an ioctl TIOCSTI call).
Also, people can send out control strings to terminals to put them into
funny modes (on dec vt100's and vt200's you can put someone in inverse
video, etc.)
	We saw this as a security problem so I elected to do the following
fix.  login, talk, write, and mesg were all changed so that a terminal
is *ALWAYS* protected so that only its owner has rw protections.  Write
now runs setuid to root (the shell escape doesn't have root privileges, I
thought of that), the talkd already ran setuid; thus these programs can
still access the other users terminal.  I use the world "x" protection
bit as a flag for whether or not a user doesn't want to be bothered.
Talk and write use that as their criterion, and mesg now changes that bit
rather than the actual terminal rw protections.  This prevents other
users from writing directly to terminals, they must use talk or write
if they want to bother someone.  We've been running it a couple of weeks
now with no problems.  I don't see any security holes in it, let me know
if anyone out there sees any.
	If you don't want to waste the time looking for where to make all
of these changes (and I wouldn't if I were you), send me mail and I'll
send you the diffs on the files I changed.  Oh, I also changed finger
to accurately say whether or not a user had messages off under the new
criteria.  If I get enough requests for this, I'll post the diffs to
the net.
				-brian
-- 
Brian Zill			621-8000 x3497
Harvey Mudd College		{ihnp4,allegra,seismo}!scgvaxd!muddcs!brian