A real hack way to "lock my tty"
Larry Wall
lwall at jpl-devvax.JPL.NASA.GOV
Sat Sep 29 03:47:27 AEST 1990
In article <1097 at travis.csd.harris.com> brad at SSD.CSD.HARRIS.COM (Brad Appleton) writes:
: I've been using the following lock-script for several years without any problems:

Offhand, I see several little problems with your lock script.

1) There's a race condition between creating .lockpw and
   protecting it as unreadable. If I write a little busy loop
   trying to open your .lockpw file, I'll get your passwd when
   you change it.

2) Writing the password file with a here-document also gives a
   window on the temp file that the shell creates in /tmp. On
   my system, it's readable by the world.

3) The length of .lockpw gives away the length of your password.
   Human nature being what it is, a lot of people will have a .lockpw
   that's 2 characters long, and one of them is a line feed.

4) Suppose you lock up your terminal with the password "fiddle".
   On my machine at least, if I come up to your locked terminal
   and type "!" as a password, I get the message
   "test: unknown operator fiddle".
   Oops.

5) You should force PATH to known directories, or at least check
   that '.' is only at the end. Otherwise, if you're cd'ed to
   a directory I have control of...

6) You probably shouldn't store the password in plain text. If
   your disk partition is ever left readable by the world, your
   password is visible. (Of course, if anyone can read the disk,
   your terminal locker is probably the least of your worries.)

7) On systems without a builtin test, a ps at the proper moment will
   show the test command with your password visible.

Other than that, it looks great! :-)

Larry
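
Added example, not part of the post above or of the lock script it reviews: one way to store and check a lock password in sh so that each of the seven points is addressed. The function names, the LOCKPW variable and the choice of sha256sum are assumptions made for illustration; a real locker would use a slow, salted password hash instead.

```shell
#!/bin/sh
# Added example with hypothetical helper names; not the original lock script.
PATH=/bin:/usr/bin; export PATH    # point 5: no '.' or caller-controlled directories
LOCKPW=${LOCKPW:-$HOME/.lockpw}    # verifier file (assumed location, overridable)

# Digest the password. printf is a builtin in dash and bash, so the password
# is never in another process's argv for ps to show (point 7), and a pipe is
# used instead of a here-document, so no temp file appears in /tmp (point 2).
# sha256sum is an assumption: unsalted and fast, used here only because it
# ships with coreutils.
hash_pw() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Store the verifier for password $1.
store_pw() {
    (
        umask 077                  # point 1: created as 0600, no chmod window
        rm -f "$LOCKPW"            # drop any existing file or symlink first
        set -C                     # noclobber: fail if the name reappears
        hash_pw "$1" > "$LOCKPW"   # points 3 and 6: fixed length, not plain text
    )
}

# Return 0 if $1 matches the stored verifier, 1 if not, 2 if it is unreadable.
check_pw() {
    stored=$(cat "$LOCKPW") || return 2
    # point 4: the typed text is digested before the comparison and both
    # operands are quoted and prefixed, so input such as "!" or "-f" is only
    # ever compared as a string, never parsed as a test operator.
    [ "x$(hash_pw "$1")" = "x$stored" ]
}
```
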