Xref: utzoo comp.unix.wizards:25199 alt.security:2338 Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!crdgw1!uakari.primate.wisc.edu!samsung!munnari.oz.au!cs.mu.OZ.AU!kre From: kre@cs.mu.oz.au (Robert Elz) Newsgroups: comp.unix.wizards,alt.security Subject: Re: BSD tty security, part 3: How to Fix It Message-ID: Date: 28 Apr 91 19:45:29 GMT References: <7299:Apr2510:22:2091@kramden.acf.nyu.edu> <12535@dog.ee.lbl.gov> <15896:Apr2714:35:3991@kramden.acf.nyu.edu> Sender: news@cs.mu.oz.au Lines: 67 brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes: >1. Do people think it's a problem that lines from ``write'' are not >identified? >2. Do people think it's a problem that someone can start a ``write'', >then just type EOF or EOT to simulate ending it, >3. Do people think it's a problem that ``write'' can flood a terminal >with output before the recipient has a chance to react? The real problem is that the whole model used by "write" is simply wrong - sure its simple, and in a sense, elegant, but its simply not the way that things should be done. The whole concept of some other random process, owned by some other random user, being able to open a direct channel onto my terminal, however the output is massaged, or identified, or restricted, is simply silly. The "traditional" way, where /dev/ttyX is mode 622, and anything can dump anything it likes onto my terminal is just a giant hole, as everyone knows by now I expect. The "modern" way where /dev/ttyX is mode 620 and "write" is setgid "tty" is safer, but now means that I can't create my own "write" like program with my own preferred user interface, I can only use one of the standard ones. What's worse, the appearance of the message that I get to see depends on the interface that the sending user has decided to select. This is all absurd - clearly the intelligent way to run things is for messages that come from another user to be displayed the way I want them using a process I control - then I can have the message displayed using whatever interface I desire (in practice, the way it happens is that I have a window popped up on my display if I'm using a window system at the time, or I have something very much like traditional "write" if I'm on a dumb terminal). Similarly, the user sending the message can use whatever interface he desires, and there's no reason at all that the interfaces need be similar - he can be sending a message from a "talk" like X windows interface, and I can be receiving and responding on my trusty old ASR33 using something just like 6th edition write, and the whole thing can be traversing the world. While part of what I have described is still fantasy (I don't really have an asr33), much of it is in use here now - we still have to integrate it with talk, and do some reasonable X interfaces, etc, but this stuff all works, and is a much better way to operate (obviously misc other message to the terminal schemes like comsat, wall, ... get integrated as well). Basically, there's a daemon process, to send a message you connect to it, it becomes the destination user, and runs a user supplied process (shell script commonly) which determines who is sending the message, and what kind of message it is, and based on that info, what should be done with the message. Messages can be forwarded to other hosts, rejected out of hand, transferred to mail, ... whatever your process decides to do with it. All a little more fine grained than "mesg [yn]"! Clearly the daemon process needs to be trusted, and needs a methor to authenticate processes connecting to it to get accurate user identification, but onto that anyone can add whatever kind of user interface they prefer. This stuff is not available (yet) so don't bother asking - the guy who is actually writing the code has other things to do as well. (My role is largely to tell him just why its not quite right yet...) kre