Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!elroy.jpl.nasa.gov!jpl-devvax!lwall
From: lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall)
Newsgroups: comp.unix.misc
Subject: Re: A real hack way to "lock my tty"
Message-ID: <9729@jpl-devvax.JPL.NASA.GOV>
Date: 28 Sep 90 17:47:27 GMT
References: <2863@litchi.bbn.com> <2874@idunno.Princeton.EDU> <1097@travis.csd.harris.com>
Reply-To: lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall)
Organization: Jet Propulsion Laboratory, Pasadena, CA
Lines: 41

In article <1097@travis.csd.harris.com> brad@SSD.CSD.HARRIS.COM (Brad Appleton) writes:
: I've been using the following lock-script for several years without any problems:

Offhand, I see several little problems with your lock script.

1) There's a race condition between creating .lockpw and protecting it as unreadable. If I write a little busy loop trying to open your .lockpw file, I'll get your passwd when you change it.

2) Writing the password file with a here-document also gives a window on the temp file that the shell creates in /tmp. On my system, it's readable by the world.

3) The length of .lockpw gives away the length of your password. Human nature being what it is, a lot of people will have a .lockpw that's 2 characters long, and one of them is a line feed.

4) Suppose you lock up your terminal with the password "fiddle". On my machine at least, if I come up to your locked terminal and type "!" as a password, I get the message "test: unknown operator fiddle". Oops.

5) You should force PATH to known directories, or at least check that '.' is only at the end. Otherwise, if you're cd'ed to a directory I have control of...

6) You probably shouldn't store the password in plain text. If your disk partition is ever left readable by the world, your password is visible. (Of course, if anyone can read the disk, your terminal locker is probably the least of your worries.)

7) On systems without a builtin test, a ps at the proper moment will show the test command with your password visible.

Other than that, it looks great! :-)

Larry
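
The seven points above, turned into a hardened store-and-compare routine. This is an added example, not code from the post or from the lock script it reviews. The function names (lock_hash, lock_store, lock_check) and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example: hardened storage and comparison for a tty-lock password.
# lock_hash, lock_store, lock_check and the sha256sum tool are assumptions.

PATH=/bin:/usr/bin; export PATH     # point 5: known directories only, no '.'

# lock_hash STRING -> 64 hex characters on stdout.
# printf is a builtin in bash and dash, so the password never appears in
# the argv of a separate process (point 7). Unsalted SHA-256 keeps the
# example short; a salted, slow password hash would be stronger.
lock_hash() {
    h=$(printf '%s' "$1" | sha256sum) || return 1   # fail if the tool is missing
    printf '%s\n' "${h%% *}"                        # drop the trailing "  -"
}

# lock_store FILE PASSWORD
# Runs in a subshell so the umask change does not leak to the caller.
lock_store() (
    umask 077                       # point 1: file is created 0600, no chmod window
    h=$(lock_hash "$2") || exit 1
    # points 2, 3, 6: no here-document temp file, fixed length, not plain text
    printf '%s\n' "$h" > "$1"
)

# lock_check FILE CANDIDATE -> exit status 0 on match, 1 otherwise
lock_check() {
    stored=$(cat "$1") || return 1
    cand=$(lock_hash "$2") || return 1
    [ -n "$stored" ] || return 1    # an empty file must never match
    # point 4: case is shell syntax, not the test command, so a typed "!"
    # or "-f" is hashed and compared as data, never parsed as an operator.
    case "$cand" in
        "$stored") return 0 ;;
        *)         return 1 ;;
    esac
}
```

An interactive wrapper would turn echo off with stty -echo and collect the candidate with the shell's builtin read before calling lock_check.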