POSIX bashing

Sean Eric Fagan sef at kithrup.COM
Mon Apr 1 18:35:03 AEST 1991


In article <4269:Apr105:57:0091 at kramden.acf.nyu.edu> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
(Dan and I have had this argument before, and we'll have it again 8-).)
>In article <1991Mar30.202637.8629 at kithrup.COM> sef at kithrup.COM (Sean Eric Fagan) writes:
>> The pty driver does not allow the master side to do a TIOCGPGRP on the
>> slave side (as they are running in different process groups, and POSIX says
>> that this should not happen for normal ttys).
>Idiotic. Absolutely idiotic. UNIX has always worked on the principle
>that if you have permission to open a file, you can open it, and use the
>descriptor forever. *Normal file access permissions handle security*.

So.  I start a pty session, that means I can send any arbitrary signal to
any process on the slave side?  Gee, that doesn't sound right.

The issue in question was that BSD ptys allow the master side of the pty to
query (using TIOCGPGRP) to get the process group of the slave side.  This is
the same ioctl as one would normally use on a normal tty, to find out the
process group of one's own tty.  emacs then uses the resulting value to send
a signal to it.  This, incidentally, does not work when the slave side of the
pty is running under a different uid.

Now:  SCO's OSes never had this ioctl until 3.2, which added (broken until
3.2v2) job control.  Therefore, they never had any backwards compatibility.
The reason SCO doesn't do what Berkeley does is because POSIX says that any
process attempting to read (or do a tcgetpgrp, which essentially does the
TIOCGPGRP ioctl in SCO's implementation) shall have certain things happen
under certain circumstances.  For example, if the process in question is in
a different pgrp than the tty in question, it shall get a signal (or
something like that; I don't have 1003.1 with me right now, so I can't quote
verbatim).  In SCO's implementations of ptys, all ioctls, except for one or
two, get passed to the tty driver, which is where the checks mentioned in
passing above happen.  Therefore, it doesn't allow that to happen.  When I
found this, it was too late to change it for 3.2v2, and, besides, I wasn't
sure what should happen.  So I enquired of the folks at CSRG, and a query
was sent to the POSIX folks.  CSRG responded with, essentially, "Oops, we
hadn't noticed that, you're right, here's what we're going to do," so I did
what they said they did (although I want to confer with them again about
it).

Meanwhile, the POSIX query (as well as a query to rms) indicated that, since
ptys are an extension, any behaviour is allowed by POSIX, so we could have
"made" the old behaviour work.  However, since I didn't like it, for a
reason listed above, I didn't do that.  (Besides, I liked the TIOCSIG ioctl
8-)).

>Why did POSIX make these changes? Because they did not understand that
>*normal file access permissions handle security*. 

Not entirely.  Part of it is for *sanity*.  Most of the changes I think
you're referring to deal with what should happen when different pgrps try
to access a tty.  Guess what:  they all can have the same uid.  I am not
going to make any definitive statement without 1003.1 handy, though.

Please tell me, for example, why a different process group should be able to
change the pgrp associated with *my* tty?  Since that pgrp may even be in a
different session, on a different tty, but still have my uid, why should it
be able to lock me out?

>Not so. On every available BSD-based system---including Convex UNIX 9.0
>and mainstream systems like SunOS and Ultrix---I can gain invisible
>write and TIOCSTI access to any tty, with a short program and no
>privileges. 

Several people have commented that TIOCSTI is an abomination that should be
forgotten.  Neither SCO nor POSIX have it.

>On the flip side, if you have enough interest in security to want to
>eliminate the holes, I'm perfectly willing to tell you how. 

I think I asked you about your objections to POSIX, about a year ago, and
you just complained that it broke things.  Nothing about security.

>> I found this in emacs,
>> incidently.
>The POSIX folks don't even understand backwards compatibility. Shameful.

Gee, they broke some SysV'isms, yet I bet you don't complain about that.

-- 
Sean Eric Fagan  | "I made the universe, but please don't blame me for it;
sef at kithrup.COM  |  I had a bellyache at the time."
-----------------+           -- The Turtle (Stephen King, _It_)
Any opinions expressed are my own, and generally unpopular with others.
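An added example, written by the editor and not part of Sean's post or of any SCO or BSD source, that reproduces the situation the post argues about on a modern system with the standard pty API (posix_openpt, grantpt, unlockpt, ptsname). It allocates a pty pair, lets a child start a new session and take the slave as its controlling terminal, then asks TIOCGPGRP (through tcgetpgrp) twice: once on the master descriptor, which is the shortcut emacs relied on under BSD, and once on a second slave descriptor opened by the parent, which has the same uid and so passes the file permission check but sits in a different session. On Linux the master-side query still returns the slave's foreground process group, while the slave-side query from the other session fails with ENOTTY: the tty answers only to processes for which it is the controlling terminal, which is the "sanity" distinction the post draws between file access and session membership. The struct and function names, and the Linux-specific expectation, are the editor's assumptions.

```c
#define _XOPEN_SOURCE 600
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

/* Result of one probe (names are the editor's, not from the post). */
struct pty_probe {
    int   available;     /* 0 if no pty pair could be set up (e.g. no /dev/ptmx) */
    pid_t child_pid;     /* session leader that owns the slave side */
    pid_t master_query;  /* tcgetpgrp() on the master fd, -1 on error */
    int   master_errno;
    pid_t slave_query;   /* tcgetpgrp() on a slave fd opened from another session */
    int   slave_errno;
};

struct pty_probe probe_pty_pgrp(void)
{
    struct pty_probe r;
    memset(&r, 0, sizeof r);
    r.master_query = -1;
    r.slave_query = -1;

    /* Master side, opened the way a pty "session" starter (emacs, a terminal emulator) would. */
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return r;
    const char *name = NULL;
    if (grantpt(master) < 0 || unlockpt(master) < 0 || (name = ptsname(master)) == NULL) {
        close(master);
        return r;
    }
    char slave_path[128];
    snprintf(slave_path, sizeof slave_path, "%s", name);

    int sync_pipe[2];  /* child reports once the slave is its controlling tty */
    if (pipe(sync_pipe) < 0) {
        close(master);
        return r;
    }
    pid_t child = fork();
    if (child < 0) {
        close(master); close(sync_pipe[0]); close(sync_pipe[1]);
        return r;
    }
    if (child == 0) {
        close(sync_pipe[0]);
        close(master);
        /* New session with no controlling tty; opening the slave without
           O_NOCTTY then makes it ours, with our pgrp as the foreground pgrp. */
        if (setsid() < 0 || open(slave_path, O_RDWR) < 0 || write(sync_pipe[1], "k", 1) != 1)
            _exit(1);
        close(sync_pipe[1]);
        pause();  /* parked until the parent kills us */
        _exit(0);
    }
    close(sync_pipe[1]);
    char ack;
    ssize_t n = read(sync_pipe[0], &ack, 1);
    close(sync_pipe[0]);
    if (n != 1) {            /* child could not set up the slave side */
        close(master);
        waitpid(child, NULL, 0);
        return r;
    }
    r.child_pid = child;

    /* Query 1: the BSD shortcut, asking the master who is in the foreground on the slave. */
    errno = 0;
    r.master_query = tcgetpgrp(master);
    r.master_errno = errno;

    /* Query 2: same uid, so open() on the slave device is permitted, but we are in
       a different session. A POSIX tty answers TIOCGPGRP only to processes for which
       it is the controlling terminal, so on Linux this fails with ENOTTY. */
    int slave = open(slave_path, O_RDWR | O_NOCTTY);
    if (slave >= 0) {
        r.available = 1;
        errno = 0;
        r.slave_query = tcgetpgrp(slave);
        r.slave_errno = errno;
        close(slave);
    }

    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    close(master);
    return r;
}

int main(void)
{
    struct pty_probe r = probe_pty_pgrp();
    if (!r.available) {
        puts("no pty pair available in this environment");
        return 1;
    }
    printf("child pid %ld\n", (long)r.child_pid);
    printf("master fd tcgetpgrp -> %ld (errno %d)\n", (long)r.master_query, r.master_errno);
    printf("slave fd  tcgetpgrp -> %ld (errno %d%s)\n", (long)r.slave_query, r.slave_errno,
           r.slave_errno == ENOTTY ? ", ENOTTY" : "");
    return 0;
}
```

The second query is the one that matters for the argument in the post: the caller owns the device node and can open it, yet the kernel refuses to hand out the foreground process group because the caller's session does not own that terminal, so "can open the file" and "may manipulate the terminal's job control" are deliberately different permissions.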


