Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!wasatch!cs.utexas.edu!uunet!virtech!cpcahil
From: cpcahil@virtech.UUCP (Conor P. Cahill)
Newsgroups: comp.unix.questions
Subject: Re: .plan
Message-ID: <1077@virtech.UUCP>
Date: 26 Aug 89 15:30:43 GMT
References: <61@towernet.UUCP> <1989Aug23.192105.21328@ee.rochester.edu> <1815@cunixc.cc.columbia.edu>
Organization: Virtual Technologies Inc
Lines: 36

In article <1815@cunixc.cc.columbia.edu>, fuat@cunixc.cc.columbia.edu (Fuat C. Baran) writes:
> In article <28110@news.Think.COM> barmar@think.com (Barry Margolin) writes:
>
> I still think that the ability to send back arbitrary strings is too
> dangerous to be enabled by default in terminals. Users should be
> aware of it when they enable that capability. What's to prevent a
> nasty user from creating a /tmp/RUN-ME program that puts the tty in
> raw output mode and then does bad things?

If you can get somebody to run the program RUN-ME, then you don't have
to do anything to the terminal because you are already running a program
with the full capabilities (permissions) of the user.

At this point you wouldn't have to bind F10 to "rm -rf ." because you
could just run "system("rm -rf .")" or do something like
chown(program_in_your_directory,getuid()),
chmod(program_in_your_directory,04777) which would then allow you to
become that user whenever you want.

ANY USER THAT RUNS A PROGRAM IN ANY DIRECTORY WHEN THE USER DOES NOT KNOW
WHAT THE PROGRAM IS (OR IS SUPPOSED TO DO) OPENS A VERRRRRRRRRRY LARGE
SECURITY HOLE.

> Just out of curiosity, what unix applications make use of a terminal's
> capability to rebind function keys and/or have it type back arbitrary
> data on command? (No, this is not a sarcastic comment, but a genuine
> question. I don't think I've ever run across an application that
> required that capability from my terminal other than silly programs
> written as jokes by friends.)

We routinely rebind the function keys at login time so that each user can
have their own set of meanings for the keys.

--
+-----------------------------------------------------------------------+
| Conor P. Cahill     uunet!virtech!cpcahil      703-430-9247           !
| Virtual Technologies Inc.,  P. O. Box 876,  Sterling, VA 22170        |
+-----------------------------------------------------------------------+
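
The post above describes a program left behind with mode 04777 under a user's ownership. The following is an added example, not part of the original post: a defender's audit that walks a directory tree and flags regular setuid files that are world-writable or whose owner differs from the owner of the directory holding them. The names `classify`, `scan`, `demo` and the file `RUN-ME-copy` are hypothetical, and the sample files are constructed.

```python
import os
import stat
import tempfile

def classify(mode, file_uid, dir_uid):
    """Return the reasons a file looks like a planted setuid program."""
    reasons = []
    # Only regular files carrying the setuid bit are of interest.
    if not (stat.S_ISREG(mode) and mode & stat.S_ISUID):
        return reasons
    if mode & stat.S_IWOTH:
        reasons.append("setuid and world-writable")
    if file_uid != dir_uid:
        reasons.append("setuid owner differs from directory owner")
    return reasons

def scan(root):
    """Walk root and return {path: reasons} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        dir_uid = os.stat(dirpath).st_uid
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the entry, not a symlink target
            reasons = classify(st.st_mode, st.st_uid, dir_uid)
            if reasons:
                findings[path] = reasons
    return findings

def demo():
    """Constructed sample: one ordinary file and one file with mode 04777."""
    with tempfile.TemporaryDirectory() as root:
        plain = os.path.join(root, "notes.txt")
        planted = os.path.join(root, "RUN-ME-copy")  # hypothetical name
        for p in (plain, planted):
            with open(p, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(plain, 0o644)
        os.chmod(planted, 0o4777)  # set after writing: writes can clear setuid
        return {os.path.basename(p): r for p, r in scan(root).items()}

if __name__ == "__main__":
    print(demo())
```

Run against home directories and /tmp, the owner-mismatch check is the one that matches the scenario in the post, since the file sits in one user's directory while carrying another user's identity.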