Xref: utzoo comp.unix.wizards:25162 alt.security:2311
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!ucbvax!dog.ee.lbl.gov!ee.lbl.gov!jef
From: jef@ee.lbl.gov (Jef Poskanzer)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 3: How to Fix It
Message-ID: <12535@dog.ee.lbl.gov>
Date: 26 Apr 91 16:48:30 GMT
References: <7299:Apr2510:22:2091@kramden.acf.nyu.edu>
Reply-To: Jef Poskanzer
Organization: Acme Software
Lines: 35
X-Local-Date: Fri, 26 Apr 91 09:48:30 PDT

In the referenced message, brnstnd@kramden.acf.nyu.edu (Dan Bernstein) wrote:
}13. Fix write. Many people don't appreciate how poor write's security
}is; I quote from my pty paper's description of a write clone:
}: Finally, write is a vastly improved clone. The old write had several big
}: security holes: 1. Control characters were passed through. This version
}: converts anything unprintable into a caret. 2. Lines were not
}: distinctively marked. A user could manually simulate the ``EOT'' or
}: ``EOF'' sequence, wait a few minutes, then start sending anything to the
}: other tty without identification. This version precedes each line with
}: the name of the sending user, and prints something more informative than
}: EOT for an ended message. 3. write could be used to flood a terminal.
}: (This is an accident waiting to happen.) This version puts a one-second
}: pause between each line and restricts line length. 4. Originally, write
}: would only check the protection on the tty being written to. But this
}: meant that a user could be interrupted by someone hiding behind mesg n
}: and have no recourse. (Footnote: Remember that UNIX has no enforce()
}: call to enforce new permissions on an object. Setting mesg n does not
}: stop a write in progress.) So many versions of write included
}: ``revenge'': X was allowed to write to Y only if Y could write back.
}: However, these versions tested tty protection only at the beginning of a
}: message---which was useless. This version does the correct test: it
}: simply checks write permission before sending each new line.
}My write clone is public-domain, so I invite you---I beg you---to steal
}code from it. Don't even give me any credit, just fix the bugs. Please.

As the co-author of the current BSD write, I can respond to this. Our
version does make control chars visible. Checking the permissions on the
recipient before each line is a good idea. The rest of your changes are
disgusting.
---
Jef

Jef Poskanzer jef@well.sf.ca.us {apple, ucbvax, hplabs}!well!jef
"In my poor, lean, lank face nobody has ever seen that any cabbages were
sprouting out." -- Abraham Lincoln