[1131] in linux-security and linux-alert archive


[linux-security] pty's and utmp - a disaster perpetrated long ago

daemon@ATHENA.MIT.EDU (Ian Jackson)
Mon Sep 2 03:59:29 1996

Date: Sun, 1 Sep 96 16:54 BST
From: Ian Jackson <ian@chiark.chu.cam.ac.uk>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <v03007805ae47edb3f572@[199.232.252.141]>

Rob Hagopian writes ("Re: [linux-security] vulnerability in splitvt"):
...
> I have changed our splitvt to a simple non-suid executable. This provides
> almost no change in features as far as I can tell. The manual doesn't say
> much about why it needs to be suid root, except for the following:
>   [ stuff about utmp ]

In the current world, any program which allocates and uses pty's needs
to be setuid root.  If it isn't then any other user on the system can
interfere with the pty, because the permissions on it can't be fixed.
In practice some such programs are setuid-root and some aren't.

We need
 (a) a clear idea of how we want utmp to work
and
 (b) a setuid root helper program which manipulates utmp and allocates
     and deallocates pty's, and a library to call it easily.

When we have this then xterm, splitvt, screen, script, ytalk, &c &c
will no longer have to be setuid root or insecure.

(b) is fairly easy given (a) - you just have to think a bit about the
API and then implement the wrapper and the library to call it.

(a) is hard.  It involves going through every current utmp-using
program and seeing what it does, so that you can figure out a design
for utmp-like functionality which interworks as well as possible with
the current scheme while not having the bugs, race conditions,
failures to clean up, security holes, &c &c &c.

Ian.
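An added example, not part of Ian's post or of any of the programs he names, showing in C what the two halves of his proposal look like on a current Linux: the pty side, where the ownership fix that once needed root is now done inside grantpt() (by a setuid pt_chown helper in older glibc, by the kernel's devpts filesystem today), and the utmp side, where the terminal program can build its record but would still have to hand it to a privileged helper, because the utmp file is not writable by ordinary users. The function names, the permission policy (owner rw, at most group-write, nothing for "other") and the ut_id convention are this example's own choices, not something the post specifies.

```c
/* Added example, not from the list post: allocate a pty without setuid,
 * check the slave's owner and mode, then build the utmp record a helper would write. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include <utmpx.h>

/* Redeclared in case <stdlib.h> was read before the feature macro above took effect. */
int posix_openpt(int flags);
int grantpt(int fd);
int unlockpt(int fd);
char *ptsname(int fd);

/* A slave the caller may trust: owned by the caller, rw for the owner, nothing
 * for "other", and at most group-write (0620 is the usual devpts mode, which
 * keeps write(1)/wall(1) working through the tty group). Policy is this example's. */
int slave_perms_ok(uid_t owner, mode_t mode, uid_t caller)
{
    mode_t bits = mode & 0777;
    return owner == caller && (bits & 0600) == 0600 && (bits & ~(mode_t)0620) == 0;
}

/* Allocate a master/slave pair as an unprivileged program can today. grantpt()
 * is the step that sets the slave's owner and mode, i.e. the part the post says
 * needed root: glibc once ran a setuid pt_chown helper for it, and current Linux
 * has devpts create the node with the right owner. Returns the master fd or -1. */
int open_pty_checked(char *slave, size_t slave_len)
{
    int master, saved;
    const char *name;
    struct stat st;
    if ((master = posix_openpt(O_RDWR | O_NOCTTY)) < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0)
        goto fail;
    if ((name = ptsname(master)) == NULL)
        goto fail;
    if (strlen(name) >= slave_len) {
        errno = ENAMETOOLONG;
        goto fail;
    }
    strcpy(slave, name);
    if (stat(slave, &st) < 0)
        goto fail;
    if (!slave_perms_ok(st.st_uid, st.st_mode, getuid())) {
        errno = EPERM;          /* another user could interfere with this terminal */
        goto fail;
    }
    return master;
fail:
    saved = errno;
    close(master);
    errno = saved;
    return -1;
}

/* utmp record for a slave such as "/dev/pts/3": ut_line is the path without
 * "/dev/", ut_id the suffix after "pts/" or "tty" (one common convention, assumed
 * here). Writing it with pututxline() needs write access to the utmp file, which
 * is the part that belongs in one audited setuid helper, not in every program. */
int fill_utmp_entry(struct utmpx *ut, const char *slave, const char *user, pid_t pid)
{
    const char *line, *id;
    size_t n;
    if (strncmp(slave, "/dev/", 5) != 0)
        return -1;
    line = slave + 5;
    id = strncmp(line, "pts/", 4) == 0 ? line + 4
       : strncmp(line, "tty", 3) == 0 ? line + 3 : line;
    memset(ut, 0, sizeof *ut);
    ut->ut_type = USER_PROCESS;
    ut->ut_pid = pid;
    snprintf(ut->ut_line, sizeof ut->ut_line, "%s", line);
    snprintf(ut->ut_user, sizeof ut->ut_user, "%s", user);
    n = strlen(id) < sizeof ut->ut_id ? strlen(id) : sizeof ut->ut_id;
    memcpy(ut->ut_id, id, n);   /* ut_id is 4 bytes and need not be NUL-terminated */
    return 0;
}

int main(void)
{
    char slave[64];
    struct utmpx ut;
    int master = open_pty_checked(slave, sizeof slave);
    if (master < 0) {
        perror("open_pty_checked");
        return 1;
    }
    fill_utmp_entry(&ut, slave, "user", getpid());
    printf("slave %s owned by uid %u; utmp line=%s id=%.4s\n",
           slave, (unsigned)getuid(), ut.ut_line, ut.ut_id);
    close(master);
    return 0;
}
```

Build with cc -o ptycheck ptycheck.c and run it as an ordinary user. If the slave comes back more open than rw--w---- (a devpts mounted with mode=666, say), open_pty_checked() refuses it with EPERM, which is the "any other user on the system can interfere with the pty" case the post describes; the utmp record is only filled in, never written, since that write is the privileged step.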
