Xref: utzoo comp.unix.wizards:25954 alt.security:2662
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!mintaka!bloom-beacon!eru!hagbard!sunic!sics.se!fuug!news.funet.fi!tukki.jyu.fi!eloranta
From: eloranta@jyu.fi (Jussi Eloranta)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: A partial user-mode tty security fix for SunOS, Ultrix, et al.
Message-ID: <1991Jun13.072348.14232@jyu.fi>
Date: 13 Jun 91 07:23:48 GMT
References: <24939:Jun1217:22:5791@kramden.acf.nyu.edu>
Organization: University of Jyvaskyla, Finland
Lines: 73

In article <24939:Jun1217:22:5791@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
>Administrators of machines running SunOS 4.0.3, SunOS 4.1, SunOS 4.1.1,
>Ultrix 2.2, Ultrix 4.1, possibly intermediate Ultrix versions, straight
>BSD 4.3-Tahoe, DYNIX 3.0.17, Convex UNIX 9.0, and possibly other systems
>may be interested in the following quick, though only partially tested
>and only partially reliable, fix to the basic BSD tty security problems.
>Thanks to Seth Robertson for his help.
>

Well, I did something like this... (SunOS 4.1.1) and it *seems* to work
(I'm not absolutely sure about it). BSD 4.3 telnetd with the following
modification:

......
/*
 * Get a pty, scan input lines.
 */
doit(f, who)
	int f;
	struct sockaddr_in *who;
{
	char *host, *inet_ntoa();
	int i, p, t, j;
	struct sgttyb b;
	struct hostent *hp;
	int c;

	/* Scan the BSD master names /dev/pty[p-z][0-9a-f] for a free one. */
	for (c = 'p'; c <= 'z'; c++) {
		struct stat stb;

		line = "/dev/ptyXX";
		line[strlen("/dev/pty")] = c;
		line[strlen("/dev/ptyp")] = '0';
		if (stat(line, &stb) < 0)
			break;
		for (i = 0; i < 16; i++) {
			line[strlen("/dev/ptyp")] = "0123456789abcdef"[i];
			p = open(line, 2);		/* 2 == O_RDWR */
			if (p > 0) {
				/* Here is a little surprise for snoopers */
				int pgid;

				/* Ask the master which process group holds the slave. */
				ioctl(p, TIOCGPGRP, &pgid);
				if (pgid != getpgrp(0) && pgid > 0)
					killpg(pgid, 9);	/* SIGKILL whoever is still attached */
				goto gotpty;
			}
		}
	}
	fatal(f, "All network ports in use");
	/*NOTREACHED*/
gotpty:
......

What actually seems to happen (at least under SunOS) is that
ioctl(..,TIOCGPGRP,..) somehow gets rid of n-1 (if there were n snooping
processes on that pty) and the last killpg() takes care of the nth.
Another way would be open()ing & close()ing the pty as many times as there
are snooping processes. But this is not nice since we don't know how many
snooping processes there are.

BTW, the snooping stuff doesn't seem to work too well with rlogin ... I
assume rlogind is doing some open() & close()ing on the pty?

Jussi

-- 
============================================================================
Jussi Eloranta              Internet(/Bitnet):       ! The ultimate trip is
University of Jyvaskyla,    eloranta@tukki.jyu.fi    ! death.
Finland                     [128.214.7.5]            ! -- Jim Morrison
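The check at the heart of the posted telnetd change is the TIOCGPGRP probe on a freshly opened pty master: if the slave side already reports a foreground process group that is not the server's own, somebody else is sitting on that pty. The following program is an added example, written for this thread and not taken from Jussi's post or from the BSD telnetd source. It assumes a POSIX pty interface (posix_openpt/grantpt/unlockpt, which the 1991 systems did not have) instead of the /dev/pty[p-z][0-9a-f] scan, and it only reports a foreign holder rather than sending SIGKILL. To show the detection actually fires, foreign_holder_demo() forks a child that makes the slave its controlling tty, which is the situation the patch is hunting for, and then probes the master from the parent.

```c
/*
 * Added example: probe a pty master for a foreign process group the way
 * the posted telnetd patch does, reporting instead of killing.
 * Assumes POSIX ptys (posix_openpt/grantpt/unlockpt); constructed for
 * this discussion, not code from the original post or from telnetd.
 */
#define _XOPEN_SOURCE 600
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* The patch's rule: a pgrp is foreign if it is a real pgrp (> 0) and not
 * ours.  Returns 1 where the patch would have called killpg(). */
int is_foreign_pgrp(pid_t pgid, pid_t own_pgid)
{
    return pgid > 0 && pgid != own_pgid;
}

/* Ask the master which process group currently holds the slave as its
 * foreground pgrp: that pgrp, 0 if nobody, or -1 if the ioctl fails. */
pid_t probe_pty_pgrp(int master_fd)
{
    pid_t pgid = 0;
    if (ioctl(master_fd, TIOCGPGRP, &pgid) < 0)
        return -1;
    return pgid;
}

/* Allocate a fresh, unlocked pty master; -1 if none is available. */
int open_fresh_pty(void)
{
    int fd = posix_openpt(O_RDWR | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (grantpt(fd) < 0 || unlockpt(fd) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Returns 1 if the probe reports the child's pgrp as a foreign holder,
 * 0 if it reports nothing foreign, -1 if the setup could not be done
 * (no ptys, fork failure, or TIOCGPGRP unsupported on the master). */
int foreign_holder_demo(void)
{
    int master = open_fresh_pty();
    if (master < 0)
        return -1;
    const char *slave_name = ptsname(master);
    int ready[2];
    if (slave_name == NULL || pipe(ready) < 0) {
        close(master);
        return -1;
    }
    pid_t child = fork();
    if (child < 0) {
        close(master);
        return -1;
    }
    if (child == 0) {
        /* New session, then open the slave without O_NOCTTY so that it
         * becomes our controlling tty and our pgrp its foreground pgrp. */
        close(ready[0]);
        setsid();
        int slave = open(slave_name, O_RDWR);
#ifdef TIOCSCTTY
        if (slave >= 0)
            ioctl(slave, TIOCSCTTY, 0);   /* explicit where open() alone is not enough */
#endif
        if (write(ready[1], "x", 1) < 0)
            _exit(1);
        pause();                          /* sit on the pty until told to leave */
        _exit(0);
    }
    close(ready[1]);
    char byte;
    int result = -1;
    if (read(ready[0], &byte, 1) == 1) {  /* wait until the child holds the slave */
        pid_t pg = probe_pty_pgrp(master);
        if (pg >= 0)
            result = (is_foreign_pgrp(pg, getpgrp()) && pg == child) ? 1 : 0;
    }
    close(ready[0]);
    kill(child, SIGTERM);
    waitpid(child, NULL, 0);
    close(master);
    return result;
}

int main(void)
{
    int fd = open_fresh_pty();
    if (fd < 0) {
        perror("posix_openpt");
        return 1;
    }
    printf("fresh %s: slave pgrp %ld (ours %ld)\n", ptsname(fd),
           (long)probe_pty_pgrp(fd), (long)getpgrp());
    close(fd);
    printf("with an attached session: foreign holder %s\n",
           foreign_holder_demo() == 1 ? "detected" : "NOT detected");
    return 0;
}
```

The probe relies on the master side answering TIOCGPGRP with the slave's foreground pgrp; Linux does this for any pty master, while other systems may refuse with ENOTTY on a tty that is not the caller's controlling terminal, in which case probe_pty_pgrp() returns -1 and the check is inconclusive rather than silently "clean". Whether a process is found on a pty is a symptom, not the fix: the underlying problem Dan Bernstein's thread is about is that the master device nodes were openable by ordinary users at all.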