[105] in linux-security and linux-alert archive
Re: tty permissions
daemon@ATHENA.MIT.EDU (Kevin Buhr)
Fri Mar 10 20:47:04 1995
Date: Fri, 10 Mar 95 19:13 CST
To: linux-security@tarsier.cv.nrao.edu
In-reply-to: <199503101202.NAA03607@dutecai.et.tudelft.nl> (R.E.Wolff@et.tudelft.nl)
From: buhr@stat.wisc.edu (Kevin Buhr)
Reply-To: linux-security@tarsier.cv.nrao.edu

| You correctly indicate that stty operates on its INPUT.
|
| Giving people write permission on your tty doesn't affect this.

"stty" merely makes IOCTL calls on a file descriptor which happens to
be its standard input. You can easily roll your own program to make
these same calls on a file descriptor opened for output. (In fact,
you could simply run "stty" with its standard input directed to a
handle opened for write access, though presumably you'd have to write
a program to do that anyway, so...)

Anyway, the important thing is whether or not the kernel cares about
read or write permissions on handles passed in "ioctl" calls. In
fact, it doesn't, so having your "tty" world-readable does open you up
to all sorts of attacks.

Of course, it's also true that setting the baud rate of a Linux
console won't work and setting the baud rate of a Linux "pty" to 0
doesn't have any effect, at least in kernel version 1.2.0. So, this
particular attack isn't an issue.

Kevin <buhr@stat.wisc.edu>
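
Added example, not part of the original message: a C check for a Linux system that reports whether termios ioctls are accepted on a write-only descriptor of a pty the process itself owns, together with an audit of a tty node's permission bits. The function names, the use of /dev/ptmx with TIOCSPTLCK/TIOCGPTN, and the choice to flag only the world read/write bits are assumptions of this example.

```c
/* Added example, Linux-specific; not code from the original post. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <termios.h>
#include <unistd.h>

/* 1 if termios ioctls succeed on an O_WRONLY descriptor of a pty this
 * process owns, 0 if the kernel refuses them, -1 if no pty is available. */
int ioctl_ok_on_writeonly_tty(void)
{
    struct termios t;
    char path[64];
    unsigned int n;
    int unlock = 0, wfd = -1, ok = -1;
    int master = open("/dev/ptmx", O_RDWR | O_NOCTTY);

    if (master >= 0 && ioctl(master, TIOCSPTLCK, &unlock) == 0 &&
        ioctl(master, TIOCGPTN, &n) == 0) {
        snprintf(path, sizeof path, "/dev/pts/%u", n);
        wfd = open(path, O_WRONLY | O_NOCTTY);      /* write access only */
    }
    if (wfd >= 0)   /* read the line settings, write them back unchanged */
        ok = tcgetattr(wfd, &t) == 0 && tcsetattr(wfd, TCSANOW, &t) == 0;
    if (wfd >= 0) close(wfd);
    if (master >= 0) close(master);
    return ok;
}

/* 1 if the mode lets users outside owner and group open the tty at all. */
int tty_mode_exposed(mode_t mode) { return (mode & (S_IROTH | S_IWOTH)) != 0; }

/* 1 exposed, 0 not exposed, -1 if path is not a character device. */
int audit_tty(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISCHR(st.st_mode))
        return -1;
    return tty_mode_exposed(st.st_mode);
}

int main(void)
{
    const char *name = ttyname(STDIN_FILENO);
    printf("ioctl on write-only tty descriptor: %d\n", ioctl_ok_on_writeonly_tty());
    if (name)
        printf("%s exposed to other users: %d\n", name, audit_tty(name));
    return 0;
}
```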