Xref: utzoo comp.unix.wizards:25362 alt.security:2417
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!pacbell.com!ucsd!sdcc6!sdcc10!muller
From: muller@sdcc10.ucsd.edu (Keith Muller)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <18954@sdcc6.ucsd.edu>
Date: 3 May 91 10:11:10 GMT
References: <1991Apr30.164646.11693@pcserver2.naitc.com> <721@seqp4.UUCP> <11974: <1991May2.202847.15537@wpi.WPI.EDU>
Sender: news@sdcc6.ucsd.edu
Followup-To: comp.unix.wizards,alt.security
Lines: 18

In article <1991May2.202847.15537@wpi.WPI.EDU>, entropy@wpi.WPI.EDU (Lawrence C Foard) writes:
> One other possible attack occurs to me, and I don't think the fixs I have seen
> posted would prevent it:
> 
> 1) Make an unused tty device into your controlling terminal, 
> 2) Close it. 
> 3) You currently have no open files.
> 4) Wait for a victim to log in on the tty, open /dev/tty and use TIOCSTI on it.
If #4 restores access to a previous controlling terminal, then there is
a good arguement that the semantics of /dev/tty are broken (the fact you
have a tty listed as you controlling terminal should give you no special
access rights to it unless MAYBE you also have a current fd that references it).
I would tend to want an open of /dev/tty to always check the current
access to the controlling terminal.

Keith Muller
University of California
kmuller@ucsd.edu