BSD tty security
Dan Bernstein
brnstnd at kramden.acf.nyu.edu
Wed May 8 18:02:20 AEST 1991
In article <26758 at adm.brl.mil> marco at email.ncsc.navy.mil (Barbarisi) writes:
> rm /bin/write
Another plausible idea along the same lines is to rm -rf / ...
I just put together a simple backwards-compatible write system
synchronizing through BSD's UNIX-domain sockets rather than through
ttys. There's a privileged server and a privileged client to set up
secure communication, but everything else---how write looks for ttys,
writing itself, the write daemon that produces output---is under user
control. Expert users can freely substitute their own write, ucommwrite,
and ucommwrited front-ends and back-ends, so the Multics hands should be
satisfied.
In the package I have a patch to 4.3 ntalk to send messages through
write rather than the tty; a ``biffmail'' that you can stick in .forward
instead of depending on comsat/biff; simple clones of mesg and write. To
address Jef's disgust for new features, I made sure that you could
retain backwards compatibility by setting a few environment variables.
The new mesg n does not turn off writes in progress, but as any write to
a user involves a process run by that user, appropriate kills will turn
off writes.
I do not know if these changes cover all the cases in which user
applications need ttys to be in the filesystem. If they do, then a
vendor could solve the tty security problems (though not the
denial-of-service attacks) by simply making /dev/tty* exclusive-open
like /dev/pty*. (The denial-of-service problem would be a lot less
important if more applications did random pseudo-tty searching like pty.
It can only really be solved, though, by protecting the files and making
a user pay one process or utmp entry per tty wasted.) This is really
easy to implement---it's almost like a permanent TIOCEXCL, which does
apply to /dev/tty btw---but would require some work in each
tty-allocating program.
Back to write: Any volunteer beta testers? Please don't respond just
because you're trying to find a better mousetrap or tighten up security.
The package will be available soon enough. What I'm looking for are
people who have some experience with various message systems, may want
to contribute extra front ends or back ends, know exactly what
compatibility users depend on, and can test the code on different BSD
machines. I'm also looking for a brave soul to do a System V port, but
this isn't immediately necessary (I do have some fifo-based
client-server stuff lying around somewhere).
> There is also an alternative to "write" called "talk", which appears to
> be far less susceptable to abuse. I believe it comes with modern
> flavors of BSD.
talk is, in fact, completely insecure. (Doesn't ``hunt'' forge talk
messages to everyone on a mailing list?) You can make BSD 4.3 ntalk
support RFC 931 with the patches in pub/hier/inet/rfc931/talk* on
stealth.acf.nyu.edu, but that only gives you authenticated usernames if
the other side of the connection has an RFC 931 server. This has very
little to do with tty security in any case.
---Dan
More information about the Comp.unix.wizards
mailing list