Bugtraq mailing list archives

Re: safe logging xterm

From: pelc () fb3-s7 math tu-berlin de (Bogdan Pelc)
Date: Fri, 17 Mar 1995 10:13:58 +0100

"RB" == Robert Banz <banz () umbc edu> writes:

  RB> On Tue, 14 Mar 1995, Adam Shostack wrote:
  >> Margarita Suarez wrote:
  >> 
  >> | we have modified xterm to make use of the POSIX saved id where
  >> possible; | otherwise, it uses setreuid() to switch back and forth
  >> between user and | superuser.  we provide enable() and disable()
  >> functions which swap the | euid and ruid so that the running xterm can
  >> give up root and take it | back.
  >> 
  >> | can anyone see a problem with this fix?
  >> 
  >> Yes, it leaves setuid on a program that is way too large.  Xterm tends
  >> to be setuid so it can write to utmp.  Thats a bad reason to make a
  >> large program setuid.

  RB> Hm.  Why not make utmp group "bob" writable, and make xterm setgid
  RB> "bob"?

[... TEXT DELETED ...]

I've done it (and made 
              chown root.utmp /dev/tty{p,q,r,s}
              chmod 662 /dev/tty{p,q,r,s}
(but I called this empty group utmp, not bob ;-))).

You get problems, because:

1) xterm wants to call chown, but it is not possible unless it is SUID-root
2) xterm does not make chmod, if chown failed.
so the pseudo terminal (ttyp) has the following access rights:
   root system 666 /dev/ttyp?
should be : 
   user system 622 /dev/ttyp (only write access for group and world).
3) until "mesg -n" is not SUID-root, it can not change the rights of ttyp

so everybody can read from you tty :-((

Under AIX 3.2.{4,5} there is a solution. You have to make 
   chown root.utmp /dev/pts (the slave of tty)
And everything works fine.

I've tried several ways to get around this problem on other UNIX-types
(BSD for example), but it did not work.

My idea was to make also USER named utmpusr und to make xterm SUID-utmpusr
und chown utmpusr /dev/tty{p,q,r,s}*, but it didn't work also :-((
In this case kernel was not able to free the ttyps after they were no more
in use.

____________________________________________________________________________
      Bogdan Pelc; Sekr. 6-3, Ma666; Tel: 030-31425746, 030-31422491
                          pelc () math tu-berlin de

Do You realize , that this world is totally FUGAZI, where are the poets,
where are the visionaries ...  (FISH)

Current thread:

STROBE 1.02, (continued)
- - - STROBE 1.02 Julian Assange (Mar 14)
    - Re: STROBE 1.02 Neil Woods (Mar 22)
    - Sgi Xauthority Strangeness Paul Danckaert (Mar 14)
    - xdm and auth on Ultrix 4.4 Walter Zimmer (Mar 14)
    - safe logging xterm Margarita Suarez (Mar 14)
    - Re: safe logging xterm Adam Shostack (Mar 14)
    - Re: safe logging xterm Robert Banz (Mar 16)
    - Re: safe logging xterm Adam Shostack (Mar 16)
    - Re: safe logging xterm Valdis.Kletnieks () vt edu (Mar 16)
    - Re: safe logging xterm Robert M. Haas (Mar 16)
    - Re: safe logging xterm Bogdan Pelc (Mar 17)
    - Cancel Subscription TechnoInc () aol com (Mar 16)
    - Re: Cancel Subscription Anonymous the XXIIV (Mar 16)
    - Please help me get off this list Ivan Angus (Mar 17)
    - Re: STROBE v1.01 Super Optimised TCP port surveyor Kurt Jaeger aka PI (Mar 13)
  - Re: sigh. another Irix 5.2 hole. Christopher Klaus (Mar 08)
  - Re: sigh. another Irix 5.2 hole. David R. Sears (Mar 08)
    - Re: sigh. another Irix 5.2 hole. Dave Brookshire (Feb 23)
  - Request for subscription into the list Mike Neuman (Mar 08)
  - Request for subscription into the list Jon Diorio (Mar 08)
- Re: sigh. another Irix 5.2 hole. Ian Hoyle (Mar 08)