Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.csd.uwm.edu!bionet!apple!vsi1!wyse!bob
From: bob@wyse.wyse.com (Bob McGowen Wyse Technology Training)
Newsgroups: comp.unix.questions
Subject: Re: .plan
Message-ID: <2411@wyse.wyse.com>
Date: 6 Sep 89 22:04:31 GMT
References: <61@towernet.UUCP> <1989Aug23.192105.21328@ee.rochester.edu> <1815@cunixc.cc.columbia.edu> <1077@virtech.UUCP>
Sender: news@wyse.wyse.com
Reply-To: bob@wyse.UUCP (Bob McGowen Wyse Technology Training)
Organization: Wyse Technology
Lines: 42

In article <1077@virtech.UUCP> cpcahil@virtech.UUCP (Conor P. Cahill) writes:
>In article <1815@cunixc.cc.columbia.edu>, fuat@cunixc.cc.columbia.edu (Fuat C. Baran) writes:
>> In article <28110@news.Think.COM> barmar@think.com (Barry Margolin) writes:
>>
>> I still think that the ability to send back arbitrary strings is too
>> dangerous to be enabled by default in terminals.  Users should be
---deleted---
>ANY USER THAT RUNS A PROGRAM IN ANY DIRECTORY WHEN THE USER DOES NOT KNOW WHAT
>THE PROGRAM IS (OR IS SUPPOSED TO DO) OPENS A VERRRRRRRRRRY LARGE SECURITY HOLE.
>
>> Just out of curiosity, what unix applications make use of a terminal's
>> capability to rebind function keys and/or have it type back arbitrary
---deleted---
>We routinely rebind the function keys at login time so that each user can
>have their own set of meanings for the keys.
>
---deleted---

Binding a function key may not require the user(owner)'s ID or permissions.
When a user logs in the device they are on is set to rw--w--w-, which
allows others to write (using the command of the same name) to other
users.  If the proper sequences can be sent to this device and the terminal
will accept them, then when the user on the terminal tries the function
key the result will be sent to the system and run with that user's ID.

The ways to stop this include:

   1) having the driver convert control characters to printing ascii
      unless in raw mode (which hopefully can only be done by the
      owner of the tty);
   2) setting the permissions on the tty to rw-------, using mesg n;
   3) use a terminal that has no function keys or that cannot be
      programmed from the computer side.

Otherwise, caveat emptor!

Bob McGowan  (standard disclaimer, these are my own ...)
Customer Education, Wyse Technology, San Jose, CA
..!uunet!wyse!bob
bob@wyse.com