Xref: utzoo comp.emacs:6719 comp.bugs.4bsd:1370
Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!network!sdcsvax!beowulf!mattson
From: mattson@beowulf.ucsd.edu (Jim Mattson)
Newsgroups: comp.emacs,comp.bugs.4bsd
Subject: Interactive shells in emacs: a security problem?
Keywords: emacs, ptys, security
Message-ID: <6973@sdcsvax.UCSD.Edu>
Date: 23 Aug 89 00:40:19 GMT
Sender: nobody@sdcsvax.UCSD.Edu
Reply-To: mattson@beowulf.UCSD.EDU (Jim Mattson)
Distribution: na
Organization: EE/CS Dept. U.C. San Diego
Lines: 23

When I run an interactive shell in GNU emacs or Jove, the editor provides
me with a pty that looks like this:

crw-rw-rw-  1 root      10,   4 Aug 22 17:31 /dev/ttyp4

Of course, the editor cannot run setuid root, so it cannot change the owner
or mode of the pty. Unfortunately, it is possible for someone else to run a
program that:
	a) detaches from its controlling terminal
	b) opens _my_ pty RDWR (establishing it as the controlling terminal)
	c) uses TIOCSTI to stuff characters into my pseudo-terminal input

As a result, my interactive shell is at everyone's mercy. I might as well
post the password to my account.

It seems that this is an inherent problem in the way 4BSD programs use ptys.
If the program does not run setuid root, it cannot guarantee the security of
the pty connection. Maybe there should be an ioctl that allows a regular
user to make himself/herself the owner of an open pty connection. That seems
really awful, though. Are there other solutions?

--jim