Xref: utzoo comp.unix.wizards:25203 alt.security:2341
Path: utzoo!utgpu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!casbah.acns.nwu.edu!navarra
From: navarra@casbah.acns.nwu.edu (John 'tms' Navarra)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 3: How to Fix It
Message-ID: <1991Apr29.023136.13435@casbah.acns.nwu.edu>
Date: 29 Apr 91 02:31:36 GMT
References: <7299:Apr2510:22:2091@kramden.acf.nyu.edu> <12535@dog.ee.lbl.gov> <15896:Apr2714:35:3991@kramden.acf.nyu.edu>
Organization: Northwestern University
Lines: 71

In article <15896:Apr2714:35:3991@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
>(Note that the changes to ``write'' being discussed here are entirely
>optional suggestions; only steps 1-12 are necessary to fix the basic
>problems.)
>
>
>Well, I'm glad you agree with two of them, but I'd like to ask the net's
>opinion on the other two. Let me split this into three questions:
>
>1. Do people think it's a problem that lines from ``write'' are not
>identified? If nothing else, I like the ability to carry on two or three
>write conversations at once without getting totally confused. If others
>don't like this, though, then I'll stop pushing for it.

   I don't really have a problem with this. But I suppose it is no big
 deal to include a username: message at the beginning of each line. As far
 as making write multi-user -- THAT would be useful and then you would need
 this utility to identify users. I guess you are pretty much writing a
 local irc?

>
>2. Do people think it's a problem that someone can start a ``write'',
>then just type EOF or EOT to simulate ending it, then continue typing
>without identification? While most experienced users will guess exactly
>what's going on, novice users are really up the creek. Does anyone agree
>with Jef that it's ``disgusting'' to see
>
>  Message from operator@kramden on ttyp7 at 10:24 ...
>  operator: this is where the text goes
>  operator: and so on
>  End of message from operator@kramden on ttyp7 at 10:25
>
>instead of
>
>  Message from operator@kramden on ttyp7 at 10:24 ...
>  this is where the text goes
>  and so on
>  EOF

   Again, this is an EASY thing to do. You could do some checking to see
 if the string eof (EOF) is passed and then exit automatically and in
 addition, print out the username of the person sending the message at
 the end of the session.

>
>Maybe I'm biased from my RELAY days, but I really find the first format
>more informative.
>
>3. Do people think it's a problem that ``write'' can flood a terminal
>with output before the recipient has a chance to react? My version
>limits output to 500 characters per line and one line a second. Does
>anyone think that this affects legitimate uses of ``write''? If not, is
>there any harm in adding the protection against accidents and abuse?

   Another good point. I once (along with a friend of mine) just swamped
 our super user's terminal whenever he logged in. Write should have some
 limit to the number of characters it sends at a time. Or perhaps a better
 way to deal with large amounts of characters being transferred at one
 time -- like if a char/min ratio was too big, write would pause a coupla
 seconds to accept a kill signal from the receiver.

>
>---Dan

   Good luck with your program.

--
From the Lab of the MaD ScIenTiST:
navarra@casbah.acns.nwu.edu
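
The two protections debated in this thread, sender-tagged lines and a flood limit of 500 characters per line at one line a second, shown together as an added example; this is not code from the post or from any version of write. The names relay_state, relay_delay and relay_line are hypothetical, and applying the 500-character cap to the text only (not the "sender: " prefix) is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_LINE_CHARS 500  /* per-line cap quoted in the post */
#define MIN_LINE_GAP   1    /* seconds between lines, as quoted in the post */

/* Hypothetical per-conversation state; not taken from any real write(1). */
struct relay_state { time_t last_sent; /* 0 means nothing sent yet */ };

/* Seconds the sender must still wait before another line may go out. */
long relay_delay(const struct relay_state *st, time_t now)
{
    if (st->last_sent == 0)
        return 0;
    long elapsed = (long)(now - st->last_sent);
    if (elapsed < 0)                 /* clock stepped back: wait a full gap */
        return MIN_LINE_GAP;
    return elapsed >= MIN_LINE_GAP ? 0 : MIN_LINE_GAP - elapsed;
}

/*
 * Format one line as "sender: text\n" into out, cutting text at the first
 * newline and at MAX_LINE_CHARS. sender is assumed to come from the login
 * record, not from the typed input. Returns the number of text characters
 * kept, or -1 if the line is refused (sent too soon, or out is too small).
 */
int relay_line(struct relay_state *st, const char *sender, const char *text,
               time_t now, char *out, size_t outsz)
{
    if (relay_delay(st, now) > 0)
        return -1;
    size_t len = strcspn(text, "\n");
    if (len > MAX_LINE_CHARS)
        len = MAX_LINE_CHARS;
    int n = snprintf(out, outsz, "%s: %.*s\n", sender, (int)len, text);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    st->last_sent = now;             /* only accepted lines consume the slot */
    return (int)len;
}

int main(void)
{
    struct relay_state st = {0};
    char out[600];
    /* Constructed input: two lines typed within the same second. */
    if (relay_line(&st, "operator", "this is where the text goes", 1000, out, sizeof out) >= 0)
        fputs(out, stdout);
    if (relay_line(&st, "operator", "and so on", 1000, out, sizeof out) < 0)
        printf("held for %ld second(s)\n", relay_delay(&st, 1000));
    return 0;
}
```

A real sender would sleep for relay_delay() seconds and retry rather than drop the held line.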