Interactive shells in emacs: a security problem?

Mark Sienkiewicz mark at umbc3.UMBC.EDU
Thu Aug 24 01:32:28 AEST 1989 

In article <6973 at sdcsvax.UCSD.Edu> mattson at beowulf.UCSD.EDU (Jim Mattson) writes:
>
>When I run an interactive shell in GNU emacs or Jove, the editor provides me
>with a pty that looks like this:
>crw-rw-rw-  1 root      10,   4 Aug 22 17:31 /dev/ttyp4
...
>As a result, my interactive shell is at everyone's mercy.  I might as well
>post the password to my account.
...
>of the pty connection.  Maybe there should be an ioctl that allows a
>regular user to make himself/herself the owner of an open pty connection.
>That seems really awful, though.  Are there other solutions?

You could arrange for the pty device driver to change the owner of the 
tty?? file for you.  Suppose the steps looked like this:

1) emacs (or whatever) opens ptyp0 to use as a master for an interactive shell.
2) the driver notes the uid & gid of the emacs (or whatever) process.
3) A child processes is created which opens ttyp0 for it's control terminal.
   The pty driver does a little tracing back through the kernel structures
   to find the inode (in core, of course) for ttyp0 and changes it's owner
   fields to match the owner of the process that allocated the pty.
4) the last close of ttyp0 changes the owner back to root and the permissions
   back to 0666.

Then the only responsibility remaining for the user program is to fix
the protections after allocating the pty.  

Doing something like this should be relatively painless except for finding
the inode that open was using.  Even for that, you could brute force search
all in-core inodes for something that matches the major/minor number that
was handed to ptyopen().  I can see 2 problems with this approach:

1) it's kind of a non-elegant way to do it.  device drivers aren't really
	supposed to mess with things like that.

2) If you do 2 mknod's for the same minor number of a tty device, you
	can see your original problem come back.  Don't do this.

Anybody see why this should'nt work?


-- 
			Mark S.

uunet!umbc3!nerwin!zilla!mark
nerwin!zilla!mark at umbc3.umbc.edu

More information about the Comp.bugs.4bsd.ucb-fixes mailing list