Xref: utzoo comp.unix.wizards:25436 alt.security:2472 Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!convex!usenet From: tchrist@convex.COM (Tom Christiansen) Newsgroups: comp.unix.wizards,alt.security Subject: Re: BSD tty security, part 4: What You Can Look Forward To Message-ID: <1991May06.223332.13054@convex.com> Date: 6 May 91 22:33:32 GMT References: <11974: May214:00:3691@kramden.acf.nyu.edu> <729@seqp4.UUCP> <19248@rpp386.cactus.org> Sender: usenet@convex.com (news access account) Reply-To: tchrist@convex.COM (Tom Christiansen) Organization: CONVEX Software Development, Richardson, TX Lines: 37 Nntp-Posting-Host: pixel.convex.com From the keyboard of jfh@rpp386.cactus.org (John F Haugh II): :>That's a very nice piece of name-dropping there, but the fact remains that we :>mere mortals have no evidence of your claims. : :Given that many of those people read this newsgroup, you don't have to :verify his claims. Tom Christiansen regularly reads this group, along :with Steve Bellovin. Perhaps they can verify what Dan is saying (they :already have from what I've seen). Dan's program does indeed compromise ConvexOS 9.0; I will vouch for no other system. (There's something terribly ironic about me having Dan for a customer, eh? :-) We've closed up the hole at least for rlogin, telnet, and xterm for the 9.1 release. It required a kernel change, so there aren't patched versions of these programs available. The script and window utilities will still be insecure as they can't chown and chmod their ttys. I'm personally hoping for a more complete long-term solution using a session manager, but there's no way to anticipate if or when this might occur. I think anybody who's been working on this stuff for a while already knows the scoop about the particular hole we've all been dancing around here. One poster mentioned he'd gotten working code exploiting the problem in about 20 minutes. That means the crackers can, too, and have probably already done so. The signal-to-noise ratio in this discussion is discouraging. Insults aren't going to buy anyone anything. They will neither persuade someone to your cause who was on the other side, nor do they invalidate Dan's working code, nor (I imagine) will they stop him from posting details a child (as opposed to professionals, who already understand) could follow come October. --tom -- Tom Christiansen tchrist@convex.com convex!tchrist "So much mail, so little time."