Bugtraq mailing list archives
Re: pt_chmod
From: peter () haywire DIALix COM (Peter Wemm)
Date: Sun, 4 Dec 1994 18:36:49 +0800 (WST)
Peter Wemm writes:
Hmm. something else I thought of too. Imagine: root is logged in on /dev/pts/34, and has the tty set to mode 0622. Guess what this would do if you were a normal user: /usr/lib/pt_chmod 1 > /dev/pts/34 You could then TIOCSTI to your heart's content.
As has been pointed out to me, this does not work.. (Hi Bela!) /usr/lib/pt_chmod works on an unnamed clone of /dev/ptmx. It won't chown anything unless you've passed a /dev/ptmx descriptor in.
If you have a SYSV derived system, you might like to replace /usr/lib/pt_chmod with something like the code below. No promises that it even works, but at least it should prevent some of the abuse above. Read through it and once you are happy that it won't screw up any more than the standard pt_chmod, make it mode 4111.
And here's a fixed version... It doesn't go overboard on unnecessary fascism that it gets wrong. This is called by the grantpt(fd) library call on a descriptor that is opened from /dev/ptmx. This should run on just about anything with /dev/ptmx.

--------------------
/*
  Copyright (C) 1994, Peter Wemm. All rights reserved.

  Standard disclaimer: If this doesn't work: tough. If you lose millions
  because this messes up, it's you that's out the millions, not me. If
  you don't like this disclaimer: tough. I reserve the right to do the
  absolute minimum provided by law, up to and including nothing. This is
  basically the same disclaimer that comes with all software packages,
  but this is in plain English and theirs is in legalese. I didn't want
  to include any disclaimer at all, but the lawyers insist.
  [inspired by Haventrees Software's EasyFlow disclaimer, as posted on usenet]
*/

#include <sys/types.h>
#include <sys/stat.h>   /* chmod() */
#include <stdio.h>
#include <stdlib.h>     /* exit(), atoi(), ptsname() */
#include <grp.h>
#include <unistd.h>

int main(int ac, char **av)
{
    int fd;
    int gid = getgid();
    int uid = getuid();     /* real uid: the slave ends up owned by the caller */
    int mode = 0600;        /* owner-only unless a protected tty group exists */
    char *name;
    struct group *gr;

    if (ac != 2)
        exit(255);          /* not enough args */

    /* look for a secure tty group, and alter the permissions if found */
    if ((gr = getgrnam("tty")) != NULL) {
        gid = gr->gr_gid;   /* found protected group 'tty' */
        mode = 0620;
    } else if ((gr = getgrnam("terminal")) != NULL) {
        gid = gr->gr_gid;   /* found protected group 'terminal' */
        mode = 0620;
    }

    /* the argument is the number of a descriptor inherited from the caller */
    fd = atoi(av[1]);
    name = ptsname(fd);     /* only succeeds for a /dev/ptmx master */
    if (name == NULL)
        exit(255);          /* not a pty */

    if (chmod(name, mode) < 0)
        exit(255);          /* couldn't chmod */

    if (chown(name, uid, gid) < 0)
        exit(255);          /* couldn't chown */

    exit(0);
}
--------------------

-Peter
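A permission audit for the terminal modes this message discusses (0622 versus 0620 with a protected tty group, or 0600 without one), added here as an example; it is not part of the original post. The function name `tty_perm_findings` and the `TTY_*` flags are hypothetical, and only the group name "tty" is looked up.

```c
/* Added example, not from the original post: audit the mode and group of a
   terminal device against the policy the message describes. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <grp.h>
#include <unistd.h>

#define TTY_OTHER_WRITE 0x01 /* any user may write, e.g. mode 0622 */
#define TTY_OTHER_READ  0x02 /* any user may read the terminal */
#define TTY_GROUP_WRITE 0x04 /* group-writable, but group is not the tty group */

/* Hypothetical helper. have_tty_gid == 0 means no protected tty group exists,
   so only 0600 passes (the fallback mode in the posted pt_chmod). */
int tty_perm_findings(mode_t mode, gid_t gid, int have_tty_gid, gid_t tty_gid)
{
    int f = 0;
    if (mode & S_IWOTH) f |= TTY_OTHER_WRITE;
    if (mode & S_IROTH) f |= TTY_OTHER_READ;
    if ((mode & S_IWGRP) && !(have_tty_gid && gid == tty_gid))
        f |= TTY_GROUP_WRITE;
    return f;
}

int main(int argc, char **argv)
{
    /* Audit the path given on the command line, or our own terminal. */
    const char *path = argc > 1 ? argv[1] : ttyname(STDIN_FILENO);
    struct group *gr = getgrnam("tty");
    struct stat st;
    int f;

    if (path == NULL || stat(path, &st) < 0 || !S_ISCHR(st.st_mode)) {
        fprintf(stderr, "not a terminal device\n");
        return 2;
    }
    f = tty_perm_findings(st.st_mode, st.st_gid, gr != NULL, gr ? gr->gr_gid : 0);
    printf("%s mode %04o gid %ld:%s%s%s%s\n", path,
           (unsigned)(st.st_mode & 07777), (long)st.st_gid,
           f ? "" : " ok",
           (f & TTY_OTHER_WRITE) ? " other-writable" : "",
           (f & TTY_OTHER_READ) ? " other-readable" : "",
           (f & TTY_GROUP_WRITE) ? " group-writable-by-non-tty-group" : "");
    return f ? 1 : 0;
}
```

The exit status is 0 when the device matches the policy, 1 when any finding is set, and 2 when the path is not a terminal device.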