Xref: utzoo comp.unix.wizards:25595 alt.security:2528
Path: utzoo!utgpu!cs.utexas.edu!chinacat!sequoia!rpp386!jfh
From: jfh@rpp386.cactus.org (John F Haugh II)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 3: How to Fix It
Message-ID: <19270@rpp386.cactus.org>
Date: 14 May 91 13:57:09 GMT
References: <19253@rpp386.cactus.org> <21553:May1020:06:0791@kramden.acf.nyu.edu> <19262@rpp386.cactus.org> <10581:May1315:01:2891@kramden.acf.nyu.edu>
Reply-To: jfh@rpp386.cactus.org (John F Haugh II)
Organization: Lone Star Cat Emporium and BBQ Grill
Lines: 47
X-Clever-Slogan: Help Prevent Robbery. Tax the IRS.

In article <10581:May1315:01:2891@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
>I don't understand this. Why should the application need such assurance?
>It's just an unprivileged program.

OK, how would a privileged application get the assurances it wants that
the port it is talking to is the real port. For example, how does
"passwd" know that it really has the real user, and isn't being run in
some pipeline with a little expect script that looks for "Old Password"
and then keeps anything else that comes along, including the new
password? Oh.

>If the system supports normal UNIX security, my changes guarantee that
>when a user starts a program through telnet or rlogin or script or
>whatever, no other program initially has access to the same tty. It's
>not the program's job to make such checks, just as it's not the job of
>each new process to check at user level that it has a unique pid.

BZZZT. Wrong answer. Your scam does nothing to protect against
applications that start on non-network ports. I can always emulate the
login sequence (unless you dream up some exotic login sequence to add as
the next layer of hacks). I can login and start my little trojan horse
then walk away from the screen with a login banner displayed. How do you
insure that there are no programs, including trojan horses, running on
that port?

>Every new telnet or rlogin or script will skip that pty, so who cares?
>In the meantime the session will be accounted to you.

Sure. And I'll have your password. How do you know that I was actually
the person that started the trojan horse once I can demonstrate that I
can break an account? Program gets your password, pretends you entered
it wrong, exits, and gives you the real banner. Move on to next victim,
signed on as first victim ...

>So use a different secure attention key. The point is that if getty is
>the only program with a hardwired tty open, then there's no way for user
>programs to mangle that tty except as getty allows.

What is the difference between getty having a hardwired port open, and
clone-of-getty sitting on a pty that you just handed me when I logged
in? Or do we throw out all the glass tubes being used today? As for
using different SAK keys, what to do about UUCP, etc?
-- 
John F. Haugh II        | Distribution to  | UUCP:   ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 255-8251 | GEnie PROHIBITED :-) | Domain: jfh@rpp386.cactus.org
"If liberals interpreted the 2nd Amendment the same way they interpret the
 rest of the Constitution, gun ownership would be mandatory."