Path: utzoo!attcan!uunet!cs.utexas.edu!csd4.csd.uwm.edu!mailrus!ncar!boulder!hartzell@boulder.Colorado.EDU
From: hartzell@boulder.Colorado.EDU (George Hartzell)
Newsgroups: comp.unix.questions
Subject: Re: .plan
Message-ID: <11023@boulder.Colorado.EDU>
Date: 24 Aug 89 21:19:26 GMT
References: <61@towernet.UUCP> <1989Aug23.192105.21328@ee.rochester.edu> <10814@smoke.BRL.MIL>
Sender: news@boulder.Colorado.EDU
Reply-To: hartzell@boulder.Colorado.EDU (George Hartzell)
Organization: MCD Biology, University of Colorado, Boulder
Lines: 24
In-reply-to: gwyn@smoke.BRL.MIL (Doug Gwyn)

In article <10814@smoke.BRL.MIL>, gwyn@smoke (Doug Gwyn) writes:
>In article <1989Aug23.192105.21328@ee.rochester.edu> deke@ee.rochester.edu (Dikran Kassabian) writes:
>>In article <61@towernet.UUCP> larrym@rigel.uucp (24121-E R Inghrim(3786)556) writes:
>>>when I finger some users, they've got these plans with simple animated
>>>figures jumping and beeping.
>>these users have terminal-dependent cursor addressing and the like in
>>their .plan file.
>
>If "finger" really does dump the contents of .plan literally to a terminal,
>then you could exploit that misfeature to force-feed one of the terminal's
>programmable function keys, then dump it back. That's a good way to run
>commands under somebody else's UID! This would be a security hole that
>needs to be fixed.

A program called dotplan was posted a while back that used
combinations of backspaces and carriage returns to draw simple
animations. I've used this in my dotplan in the past. I can
understand how one could program the function keys, but how could
you simulate one being pressed?
g.

George Hartzell (303) 492-4535
MCD Biology, University of Colorado-Boulder, Boulder, CO 80309
hartzell@Boulder.Colorado.EDU ..!{ncar,nbires}!boulder!hartzell
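
The fix the quoted article calls for is to stop writing .plan bytes to the terminal literally. The C sketch below is an added example, not part of the original post and not code from any finger implementation; the function names and the sample .plan contents are constructed for illustration. It rewrites every control byte except newline and tab into visible caret notation, so the terminal never interprets it.

```c
#include <stdio.h>
#include <string.h>

/* Render one untrusted byte in terminal-safe form (hypothetical helper).
 * Newline and tab pass through; other control bytes become caret notation
 * (ESC -> "^[", BS -> "^H"); high-bit bytes get an "M-" prefix. */
static size_t plan_safe_byte(unsigned char c, char out[5])
{
    size_t n = 0;
    if (c == '\n' || c == '\t') { out[0] = (char)c; out[1] = '\0'; return 1; }
    if (c >= 0x80) { out[n++] = 'M'; out[n++] = '-'; c &= 0x7f; }
    if (c == 0x7f)     { out[n++] = '^'; out[n++] = '?'; }
    else if (c < 0x20) { out[n++] = '^'; out[n++] = (char)(c + '@'); }
    else               { out[n++] = (char)c; }
    out[n] = '\0';
    return n;
}

/* Sanitize len bytes of in into out, which is always NUL-terminated.
 * Stops at a whole-token boundary if out is too small. *neutralized
 * counts the bytes that were rewritten. Returns the chars written. */
static size_t sanitize_plan(const unsigned char *in, size_t len,
                            char *out, size_t outsz, size_t *neutralized)
{
    size_t used = 0, i;
    char tok[5];
    *neutralized = 0;
    if (outsz == 0) return 0;
    for (i = 0; i < len; i++) {
        size_t n = plan_safe_byte(in[i], tok);
        if (used + n + 1 > outsz) break;      /* keep room for the NUL */
        memcpy(out + used, tok, n);
        used += n;
        if (n != 1) (*neutralized)++;         /* only rewritten bytes grow */
    }
    out[used] = '\0';
    return used;
}

int main(void)
{
    /* Constructed sample .plan: clear-screen sequence, bell, backspaces. */
    static const unsigned char plan[] = "\033[2JHello\a\nab\b\bcd\r\n";
    char safe[256];
    size_t hits;
    sanitize_plan(plan, sizeof plan - 1, safe, sizeof safe, &hits);
    printf("%s(%lu control bytes neutralized)\n", safe, (unsigned long)hits);
    return 0;
}
```

Backspace and carriage-return animations of the kind described in the reply are shown as visible `^H` and `^M` text under this filter, which is the cost of closing the hole.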