[1133] in linux-security and linux-alert archive


Re: [linux-security] pty's and utmp - a disaster perpetrated long ago

daemon@ATHENA.MIT.EDU (Miquel van Smoorenburg)
Tue Sep 3 08:03:35 1996

From: Miquel van Smoorenburg <miquels@cistron.nl>
To: ian@chiark.chu.cam.ac.uk (Ian Jackson)
Date: Mon, 2 Sep 1996 23:33:35 +0200 (MET DST)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <m0uxErF-0004PwC@chiark.chu.cam.ac.uk> from "Ian Jackson" at Sep 1, 96 04:54:00 pm

You (Ian Jackson) wrote:
> We need
>  (a) a clear idea of how we want utmp to work
> and
>  (b) a setuid root helper program which manipulates utmp and allocates
>      and deallocates pty's, and a library to call it easily.
> 
> When we have this then xterm, splitvt, screen, script, ytalk, &c &c
> will no longer have to be setuid root or insecure.
> 
> (b) is fairly easy given (a) - you just have to think a bit about the
> API and then implement the wrapper and the library to call it.

You would need a special library call that calls a setuid helper
program to allocate a pty, that gets chowned to the user. Or even
better, the kernel could be fixed so that when you open the master
side of a pty the slave gets chown()ed to the euid of the process
opening it. In fact I think that would be very elegant, and I don't
think it will break existing programs.

> (a) is hard.  It involves going through every current utmp-using
> program and seeing what it does, so that you can figure out a design
> for utmp-like functionality which interworks as well as possible with
> the current scheme while not having the bugs, race conditions,
> failures to clean up, security holes, &c &c &c.

From the Solaris manpage for pututline():

     When called by a non-root user, pututline() invokes a setuid()
     root program to verify and write the entry, since /etc/utmp
     is normally writable only by root. In this event, the
     ut_name field must correspond to the actual user name
     associated with the process; the ut_type field must be either
     USER_PROCESS or DEAD_PROCESS; and the ut_line field must be
     a device special file and be writable by the user.

I think that would do nicely..

Mike.
-- 
   Miquel van      | Cistron Internet Services   --    Alphen aan den Rijn.
   Smoorenburg,    | mailto:info@cistron.nl          http://www.cistron.nl/
miquels@cistron.nl | Tel: +31-172-419445 (Voice) 430979 (Fax) 442580 (Data)
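The three checks the quoted Solaris manpage requires of a non-root caller's entry, written out as an added C example (not code from this thread or from any utmp implementation). It assumes glibc's struct utmp field names, takes the caller's login name as a parameter (a real setuid helper would derive it from getpwuid(getuid())), and make_entry only builds constructed records for trying the checks.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include <utmp.h>

enum utmp_verdict {
    UTMP_OK = 0,
    UTMP_BAD_NAME,          /* ut_name is not the invoking user's login name */
    UTMP_BAD_TYPE,          /* ut_type is neither USER_PROCESS nor DEAD_PROCESS */
    UTMP_BAD_LINE,          /* ut_line does not name a character device */
    UTMP_LINE_NOT_WRITABLE  /* device exists but the invoking user cannot write it */
};

/* Build "/dev/<ut_line>" unless ut_line is already absolute; ut_line may lack a NUL. */
static void line_to_path(const struct utmp *ut, char *buf, size_t buflen)
{
    int n = (int)strnlen(ut->ut_line, sizeof ut->ut_line);
    snprintf(buf, buflen, "%s%.*s", ut->ut_line[0] == '/' ? "" : "/dev/", n, ut->ut_line);
}

/* Verify an entry a non-root caller asked the helper to write. */
enum utmp_verdict check_utmp_entry(const struct utmp *ut, const char *caller_name)
{
    char path[sizeof ut->ut_line + sizeof "/dev/"];
    struct stat st;
    if (strnlen(ut->ut_user, sizeof ut->ut_user) != strlen(caller_name) ||
        strncmp(ut->ut_user, caller_name, sizeof ut->ut_user) != 0)
        return UTMP_BAD_NAME;
    if (ut->ut_type != USER_PROCESS && ut->ut_type != DEAD_PROCESS)
        return UTMP_BAD_TYPE;
    line_to_path(ut, path, sizeof path);
    if (stat(path, &st) != 0 || !S_ISCHR(st.st_mode))
        return UTMP_BAD_LINE;
    /* In a setuid-root helper access() tests the real uid, i.e. the invoking user. */
    if (access(path, W_OK) != 0)
        return UTMP_LINE_NOT_WRITABLE;
    return UTMP_OK;
}

/* Constructed test record (hypothetical helper, not a real utmp entry). */
struct utmp make_entry(const char *name, short type, const char *line)
{
    struct utmp ut;
    memset(&ut, 0, sizeof ut);
    strncpy(ut.ut_user, name, sizeof ut.ut_user);
    strncpy(ut.ut_line, line, sizeof ut.ut_line);
    ut.ut_type = type;
    return ut;
}
```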
