Path: utzoo!utgpu!cs.utexas.edu!usc!jarthur!ucivax!orion.oac.uci.edu!ucsd!sdcc6!sdcc6.ucsd.edu!cg108dbd
From: cg108dbd@icogsci1.ucsd.edu (Steve -Social Hacker)
Newsgroups: alt.hackers
Subject: TIOCSTI
Message-ID:
Date: 15 May 91 07:09:22 GMT
Sender: news@sdcc6.ucsd.edu
Reply-To: dbrown@ucsd.edu
Distribution: alt
Organization: University of California, San Diego -- Cognitive A. I.
Lines: 32
Approved: alias@ucsd.edu
Originator: cg108dbd@icogsci1

In article <1991May13.211622.1452@sbcs.sunysb.edu> god@csserv2.ic.sunysb.edu (The Lord God your Creator) writes:

The TIOCSTI ioctl lets you simulate keyboard input on other people's terminals while they're logged in, as long as you have write permission for the tty (mesg y). So you could write the string "rm -r *\n" and it would be executed if the user was in a shell. Whoever made this system call goofed.

Most vendors have ``fixed'' this problem by not allowing the TIOCSTI unless the process is the owner of the port. There is a discussion along these lines in alt.security. However, most of what is being discussed is whether or not the topic should be discussed.

Here is one basic approach to get around this ``fix'': A process closes its controlling tty, thus losing its controlling tty. It opens a free pty (slave end) and waits. Once a process has also opened the pty, the process opens /dev/tty and performs the TIOCSTI. Many vendors have fixes even around this.

Supposedly, Dan Bernstein has a program that even gets around this, but he's only telling those who ``have a need to know,'' which, as far as I can tell, excludes everyone.

David Brown.
dbrown@ucsd.edu
----------------------------------------------------------------------
Wise man say: mail signatures are annoying and bothersome and should
generally be avoided.
----------------------------------------------------------------------
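The precondition the post names is a tty that is writable by other users (mesg y). Below is an added audit helper, not part of the original post, that reports which logged-in users' ttys have the group- or other-write bit set and whether the kernel still honours TIOCSTI at all; it assumes a Linux host where the `dev.tty.legacy_tiocsti` sysctl (introduced in Linux 6.2) may or may not be present.

```shell
#!/bin/sh
# Added audit helper (not from the original post). It checks the two
# things a defender cares about for TIOCSTI: which ttys are open to
# writes from other users, and whether the kernel exposes the modern
# switch that disables the ioctl entirely.

# Return 0 if the path carries the group- or other-write bit
# (the condition "mesg y" produces on a login tty).
tty_open_to_others() {
    [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Classify one tty path: prints "open" or "closed".
classify_tty() {
    if tty_open_to_others "$1"; then echo open; else echo closed; fi
}

# Walk the ttys of currently logged-in users (second column of `who`).
audit_logged_in_ttys() {
    who 2>/dev/null | awk '{print $2}' | sort -u | while read -r t; do
        [ -e "/dev/$t" ] || continue
        printf '%s %s\n' "/dev/$t" "$(classify_tty "/dev/$t")"
    done
}

# Report the kernel-wide switch where it exists (assumed: Linux >= 6.2
# exposes /proc/sys/dev/tty/legacy_tiocsti; other systems lack it).
tiocsti_kernel_status() {
    if [ -r /proc/sys/dev/tty/legacy_tiocsti ]; then
        case "$(cat /proc/sys/dev/tty/legacy_tiocsti)" in
            0) echo "legacy_tiocsti=0 (TIOCSTI disabled)" ;;
            *) echo "legacy_tiocsti=1 (TIOCSTI allowed)" ;;
        esac
    else
        echo "no legacy_tiocsti knob (older kernel or non-Linux)"
    fi
}

audit_logged_in_ttys
tiocsti_kernel_status
```

Any tty reported as "open" can be closed to other users with `mesg n` in that session; the sysctl line tells you whether the ioctl is reachable regardless of tty permissions.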