[1133] in linux-security and linux-alert archive
Re: [linux-security] pty's and utmp - a disaster perpetrated long ago
daemon@ATHENA.MIT.EDU (Miquel van Smoorenburg)
Tue Sep 3 08:03:35 1996
From: Miquel van Smoorenburg <miquels@cistron.nl>
To: ian@chiark.chu.cam.ac.uk (Ian Jackson)
Date: Mon, 2 Sep 1996 23:33:35 +0200 (MET DST)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <m0uxErF-0004PwC@chiark.chu.cam.ac.uk> from "Ian Jackson" at Sep 1, 96 04:54:00 pm
You (Ian Jackson) wrote:
> We need
> (a) a clear idea of how we want utmp to work
> and
> (b) a setuid root helper program which manipulates utmp and allocates
> and deallocates pty's, and a library to call it easily.
>
> When we have this then xterm, splitvt, screen, script, ytalk, &c &c
> will no longer have to be setuid root or insecure.
>
> (b) is fairly easy given (a) - you just have to think a bit about the
> API and then implement the wrapper and the library to call it.
You would need a special library call that calls a setuid helper
program to allocate a pty, that gets chowned to the user. Or even
better, the kernel could be fixed so that when you open the master
side of a pty the slave gets chown()ed to the euid of the process
opening it. In fact I think that would be very elegant, and I don't
think it will break existing programs.
> (a) is hard. It involves going through every current utmp-using
> program and seeing what it does, so that you can figure out a design
> for utmp-like functionality which interworks as well as possible with
> the current scheme while not having the bugs, race conditions,
> failures to clean up, security holes, &c &c &c.
From the Solaris manpage for pututline():

    When called by a non-root user, pututline() invokes a setuid()
    root program to verify and write the entry, since /etc/utmp
    is normally writable only by root. In this event, the
    ut_name field must correspond to the actual user name
    associated with the process; the ut_type field must be either
    USER_PROCESS or DEAD_PROCESS; and the ut_line field must be
    a device special file and be writable by the user.
I think that would do nicely.
Mike.
--
Miquel van | Cistron Internet Services -- Alphen aan den Rijn.
Smoorenburg, | mailto:info@cistron.nl http://www.cistron.nl/
miquels@cistron.nl | Tel: +31-172-419445 (Voice) 430979 (Fax) 442580 (Data)
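The verification a setuid-root utmp helper has to do, as an added example that is not part of the message above nor of any program it names. It implements the three rules from the quoted Solaris manpage (ut_name matches the caller's account, ut_type is USER_PROCESS or DEAD_PROCESS, ut_line is a device special file the caller can write) against struct utmpx entries, and its main() also carries the pty side through posix_openpt()/grantpt()/unlockpt(), the standardized form of the setuid helper and kernel chown discussed in the thread, which this 1996 message predates. It assumes a Linux/glibc system; the function names, the enum, and the handling of relative ut_line values by prefixing "/dev/" are all assumptions of this example.

```c
/* Added example, not code from the thread or from any utmp-using program.
 * Checks a setuid-root utmp helper makes before writing an entry on behalf
 * of an unprivileged caller, per the Solaris pututline() rules. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include <utmpx.h>

enum ut_check {
    UT_OK = 0,
    UT_ERR_TYPE,  /* ut_type is not USER_PROCESS or DEAD_PROCESS */
    UT_ERR_LINE,  /* ut_line is not a device special file the caller may write */
    UT_ERR_NAME   /* ut_user does not name the account the caller runs as */
};

/* Map ut_line ("pts/3" or "/dev/pts/3") to a path under /dev (assumed
 * convention).  ".." and absolute paths outside /dev are refused, so a
 * caller cannot steer the helper's stat() anywhere else.  0 = ok, -1 = refuse. */
static int ut_line_path(const char *line, char *buf, size_t len) {
    if (line[0] == '\0' || strstr(line, "..") != NULL)
        return -1;
    if (line[0] == '/') {
        if (strncmp(line, "/dev/", 5) != 0)
            return -1;
        return snprintf(buf, len, "%s", line) < (int)len ? 0 : -1;
    }
    return snprintf(buf, len, "/dev/%s", line) < (int)len ? 0 : -1;
}

/* The verification step.  'caller' is the real uid of the process asking
 * the helper to write, i.e. getuid() inside a setuid-root helper. */
enum ut_check validate_utmp_entry(const struct utmpx *ut, uid_t caller) {
    char line[sizeof ut->ut_line + 1], path[64];
    struct stat st;
    const struct passwd *pw;

    if (ut->ut_type != USER_PROCESS && ut->ut_type != DEAD_PROCESS)
        return UT_ERR_TYPE;

    /* ut_line need not be NUL-terminated inside the struct; copy it out. */
    size_t n = strnlen(ut->ut_line, sizeof ut->ut_line);
    memcpy(line, ut->ut_line, n);
    line[n] = '\0';
    if (ut_line_path(line, path, sizeof path) != 0)
        return UT_ERR_LINE;
    if (stat(path, &st) != 0 || !S_ISCHR(st.st_mode))
        return UT_ERR_LINE;
    /* "writable by the user": access(2) tests with the real uid, which in a
     * setuid helper is exactly the caller, so it is the right primitive here. */
    if (access(path, W_OK) != 0)
        return UT_ERR_LINE;

    pw = getpwuid(caller);
    if (pw == NULL || strncmp(pw->pw_name, ut->ut_user, sizeof ut->ut_user) != 0)
        return UT_ERR_NAME;
    return UT_OK;
}

static void copy_field(char *dst, size_t dstlen, const char *src) {
    memcpy(dst, src, strnlen(src, dstlen));   /* dst is already zeroed */
}

/* Build a constructed entry and run the checks as the current real uid. */
enum ut_check check_entry(short type, const char *user, const char *line) {
    struct utmpx ut;
    memset(&ut, 0, sizeof ut);
    ut.ut_type = type;
    ut.ut_pid = getpid();
    copy_field(ut.ut_user, sizeof ut.ut_user, user);
    copy_field(ut.ut_line, sizeof ut.ut_line, line);
    return validate_utmp_entry(&ut, getuid());
}

const char *caller_name(void) {
    const struct passwd *pw = getpwuid(getuid());
    return pw ? pw->pw_name : NULL;
}

int main(void) {
    /* Pty side: grantpt() is the standardized "helper that chowns the slave";
     * on Linux, devpts already creates the slave owned by the opener, which is
     * the kernel-side fix proposed in the message. */
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0 || grantpt(master) != 0 || unlockpt(master) != 0) {
        perror("pty allocation");
        return 1;
    }
    const char *slave = ptsname(master);
    struct stat st;
    if (slave == NULL || stat(slave, &st) != 0) {
        perror("ptsname/stat");
        return 1;
    }
    printf("slave %s owned by uid %u; we are euid %u\n",
           slave, (unsigned)st.st_uid, (unsigned)geteuid());
    const char *me = caller_name() ? caller_name() : "?";
    printf("USER_PROCESS for %s on %s -> %d (0 = accepted)\n",
           me, slave, check_entry(USER_PROCESS, me, slave));
    printf("same line claiming another name -> %d\n",
           check_entry(USER_PROCESS, "somebody-else", slave));
    close(master);
    return 0;
}
```

Run as an ordinary user, the first check_entry() on the freshly allocated slave returns UT_OK and the second returns UT_ERR_NAME, which is the whole point of the helper: a caller can only register a line it can already write, under its own name. Note that the helper's own identity is irrelevant to the decision; everything keys off the real uid, and a root caller trivially passes the access() test, as it should.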