Bug#988: Pty allocation: additional info

To: 988@bugs.debian.org
Subject: Bug#988: Pty allocation: additional info
From: dark@xs4all.nl (Richard Braakman)
Date: Thu, 21 Aug 1997 02:20:31 +0200 (CEST)
Message-id: <[🔎] m0x1KzI-001NJaC@night>
Reply-to: dark@xs4all.nl (Richard Braakman), 988@bugs.debian.org

I forgot to explain the security aspects when seen from the other
side: that the three setuid-root binaries can't be exploited even when
the caller does not follow the recipe.

The worst getpty can do is set tty access to root-only.  If the caller
is persistent, it could do this to all free ptys.  Most programs that
allocate pty/tty pairs won't mind if this happens, since they run as
root anyway.  The ones that don't can use getpty ;-).  The caller
could do far more damage by simply opening all the free pty master
devices.

claimpty and releasepty both change the tty permissions for an in-use
pty.  This could be a problem, which is why they both require that the
caller pass an open file descriptor for that pty.  Since a pty can be
opened only once, this guarantees that the caller is the process in
charge of that pty/tty pair.

I'll include this information in the man page if/when I make a getpty
package.

Richard Braakman
<dark@xs4all.nl>


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to:

Prev by Date: Re: IRC Clients
Next by Date: Re: Can't find "fakeroot" anywhere
Previous by thread: Bug#988: Solution to pty allocation problem
Next by thread: ldso downgrade [weg@purdue.edu: need HELP in RECOVERING a DEBIAN SYSTEM]
Index(es):
- Date
- Thread