Xref: utzoo comp.unix.wizards:24620 alt.security:2050
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!rpi!uupsi!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: POSIX bashing
Message-ID: <4269:Apr105:57:0091@kramden.acf.nyu.edu>
Date: 1 Apr 91 05:57:00 GMT
References: <1991Mar30.012025.28876@kithrup.COM> <25262@hydra.gatech.EDU> <1991Mar30.202637.8629@kithrup.COM>
Organization: IR
Lines: 64

In article <1991Mar30.202637.8629@kithrup.COM> sef@kithrup.COM (Sean Eric Fagan) writes:
> The pty driver does not allow the master side to do a TIOCGPGRP on the
> slave side (as they are running in different process groups, and POSIX says
> that this should not happen for normal ttys).

Idiotic. Absolutely idiotic.

UNIX has always worked on the principle that if you have permission to open a file, you can open it, and use the descriptor forever. *Normal file access permissions handle security*.

Now POSIX has to introduce more than thirty changes (by my count) to the tty and signal-handling systems, all in the name of tty security. Not a single change was justified by experience from more than one vendor, and most of them were entirely new. Few of them make sense.

Why did POSIX make these changes? Because they did not understand that *normal file access permissions handle security*. They thought (correctly) that the tty subsystem was insecure, and they thought (incorrectly) that a bunch of ad-hoc changes would fix the problem.

Convex UNIX 9.0 is a (supposedly) POSIX-compliant system. Not only does the OS follow every stupid POSIX restriction, but it introduces several new ad-hoc restrictions on tty access. You would think that this would eliminate all tty security holes. Not so.

On every available BSD-based system---including Convex UNIX 9.0 and mainstream systems like SunOS and Ultrix---I can gain invisible write and TIOCSTI access to any tty, with a short program and no privileges. I sent such a sample program to Tom Christiansen not long ago, and it was both funny and sad to watch the ensuing panic.

I keep telling people that the tty subsystem is insecure. I keep telling them how to fix it, with a simple set of basic changes, not the huge pile of inconsistent, senseless, ad-hoc rules that has found its way into every POSIX system. Berkeley still doesn't listen.

Keith Bostic, are you listening? I'm sure someone will forward this to you if not. If I can write a program to break tty security under a standard BSD 4.4 setup, I will distribute that program as widely as I can. I guarantee you that this will happen if you do not make some fundamental changes to the BSD 4.3 + POSIX tty system. You think this is a threat? Then take it as a threat. It's only sympathy for the huge BSD 4.3 installed base that has kept me from distributing such a program already. BSD 4.4 will not have that installed base, and I see absolutely no ethical or legal reason to remain quiet about such a pervasive set of security holes.

On the flip side, if you have enough interest in security to want to eliminate the holes, I'm perfectly willing to tell you how. You don't have to break POSIX compatibility (though it would be easier that way), and none of the necessary changes are very difficult (though again it would make a simpler system if you did put in more effort), and I'm not even going to pretend that you need a pty manager (though that would greatly reduce the number of lines you'd have to change in applications). Hell, you can get most of this information from Steve Bellovin. But if you're too lazy to ask, I'm not going to tolerate tty insecurity any more.

> I found this in emacs,
> incidentally.

The POSIX folks don't even understand backwards compatibility. Shameful.

---Dan