Bugtraq mailing list archives

Re: pt_chmod


From: peter () haywire DIALix COM (Peter Wemm)
Date: Sun, 4 Dec 1994 18:36:49 +0800 (WST)


Peter Wemm writes:

Hmm. something else I thought of too.  Imagine:  root is logged in on
/dev/pts/34, and has the tty set to mode 0622.  Guess what this would
do if you were a normal user: /usr/lib/pt_chmod 1 > /dev/pts/34
You could then TIOCSTI to your heart's content.

As has been pointed out to me, this does not work.. (Hi Bela!)
/usr/lib/pt_chmod works on an unnamed clone of /dev/ptmx. It won't
chown anything unless you've passed a /dev/ptmx descriptor in.

If you have a SYSV derived system, you might like to replace
/usr/lib/pt_chmod with something like the code below.  No promises
that it even works, but at least it should prevent some of the abuse
above.  Read through it and once you are happy that it won't screw up
any more than the standard pt_chmod, make it mode 4111.

And here's a fixed version...  It doesn't go overboard on unnecessary
fascism that it gets wrong.  This is called by the grantpt(fd) library
call on a descriptor that is opened from /dev/ptmx.

This should run on just about anything with /dev/ptmx.

--------------------
/*
Copyright (C) 1994, Peter Wemm. All rights reserved.

Standard disclaimer:
If this doesn't work: tough. If you lose millions because this messes
up, it's you that's out the millions, not me. If you don't like this
disclaimer: tough. I reserve the right to do the absolute minimum
provided by law, up to and including nothing. This is basically the
same disclaimer that comes with all software packages, but this is in
plain English and theirs is in legalese. I didn't want to include any
disclaimer at all, but the lawyers insist.
[inspired by Haventrees Software's EasyFlow disclaimer, as posted on usenet]
*/

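#define _XOPEN_SOURCE 500       /* glibc declares ptsname() only with this set */
#include <sys/types.h>
#include <sys/stat.h>           /* chmod() */
#include <stdio.h>
#include <stdlib.h>             /* exit(), atoi(), ptsname() */
#include <grp.h>
#include <unistd.h>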

int
main(int ac, char **av)
{
        int fd;
        int gid = getgid();
        int uid = getuid();
        int mode = 0600;
        char *name;
        struct group *gr;

        if (ac != 2)
                exit(255);      /* not enough args */
        
        /* look for a secure tty group, and alter the permissions if found */
        if ((gr = getgrnam("tty")) != NULL) {
                gid = gr->gr_gid;       /* found protected group 'tty' */
                mode = 0620;
        } else if ((gr = getgrnam("terminal")) != NULL) {
                gid = gr->gr_gid;       /* found protected group 'terminal' */
                mode = 0620;
        }
        fd = atoi(av[1]);
        name = ptsname(fd);
        if (name == NULL)
                exit(255);      /* not a pty */
        if (chmod(name, mode) < 0)
                exit(255);      /* couldn't chmod */
        if (chown(name, uid, gid) < 0)
                exit(255);      /* couldn't chown */
        exit(0);
}
--------------------

-Peter
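
The argument check the post relies on (pt_chmod acts only when handed a /dev/ptmx descriptor), written out as an added example that is not part of the original post or of any vendor's pt_chmod. The names `parse_fd` and `slave_for_master` are hypothetical, and the `/dev/pts/` prefix is assumed from the path mentioned in the post.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Declared by hand: glibc's <stdlib.h> hides it unless _XOPEN_SOURCE is set. */
extern char *ptsname(int fd);

/* Strict replacement for atoi(): digits only, no sign, no trailing junk. */
int parse_fd(const char *s)
{
    char *end;
    long v;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > INT_MAX)
        return -1;
    return (int)v;
}

/* 0 and the slave path in out only if fd is a pty master whose slave is a
 * character device under /dev/pts/ (prefix assumed from the post). */
int slave_for_master(int fd, char *out, size_t outlen)
{
    struct stat st;
    const char *name = ptsname(fd);
    if (name == NULL)
        return -1;      /* not a pty master */
    if (strncmp(name, "/dev/pts/", 9) != 0 || strlen(name) >= outlen)
        return -2;      /* unexpected slave path */
    if (lstat(name, &st) < 0 || !S_ISCHR(st.st_mode))
        return -3;      /* missing, a symlink, or not a device node */
    strcpy(out, name);
    return 0;
}

int main(int ac, char **av)
{
    char path[64];
    int fd = (ac == 2) ? parse_fd(av[1]) : -1;
    if (fd < 0 || slave_for_master(fd, path, sizeof path) != 0)
        return 255;
    printf("validated slave: %s\n", path);  /* chmod/chown would go here */
    return 0;
}
```

Unlike `atoi`, `parse_fd` rejects an empty or non-numeric argument instead of turning it into descriptor 0.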


