[378] in linux-security and linux-alert archive
Re: Problem with /dev/ttyp*
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Wed Sep 20 17:46:15 1995
Date: Wed, 20 Sep 1995 16:22:15 -0400
From: "Theodore Ts'o" <tytso@MIT.EDU>
To: Adrian Miranda <ade@psg.com>
Cc: pfnguyen@netcom.com, linux-security@tarsier.cv.nrao.edu
In-Reply-To: Adrian Miranda's message of Wed, 20 Sep 95 11:38 PDT,
<m0svU2C-0001bMC@vancouver.wsu.edu>

   Date: Wed, 20 Sep 95 11:38 PDT
   From: ade@vancouver.wsu.edu (Adrian Miranda)

   I don't think this will work if the rogue process already has the tty
   open before you do the chmod.

That's what the vhangup() system call is supposed to do. Although I
haven't had time to analyze what telnetd/login is doing, it's probably
not calling vhangup() at the right time. Note that vhangup() only works
on the controlling tty --- so you have to obtain the tty as a
controlling tty, do a vhangup(), and then reacquire it as a controlling
tty. While you're doing the vhangup, you need to keep a file descriptor
open on the tty, to prevent someone else from acquiring the master pty
(remember, master pty opens are exclusive opens).

One of the problems here is that vhangup() isn't completely portable, so
what's secure on one operating system isn't necessarily secure on
another system. BSD 4.4 doesn't have vhangup() at all; I'm not sure how
they handle this particular problem.
- Ted
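
The sequence described in the message above, sketched in C as an added example (not code from the original post, nor from telnetd or login). The name claim_tty_clean is hypothetical; the sketch assumes Linux, a caller with the privilege vhangup() requires (CAP_SYS_TTY_CONFIG), and a freshly forked child that is not a process group leader.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes vhangup() in <unistd.h> on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/ioctl.h>
#include <unistd.h>
/* Added example; claim_tty_clean() is a hypothetical name. Returns a fresh
 * fd on the tty at `path` (now our controlling tty) or -errno. Assumes a
 * freshly forked child with the privilege vhangup() requires. */
int claim_tty_clean(const char *path)
{
    void (*old_hup)(int);
    int newfd = -1, err = 0;
    /* O_NOCTTY: validate first, take the controlling tty explicitly below. */
    int guard = open(path, O_RDWR | O_NOCTTY | O_NONBLOCK);

    if (guard < 0)
        return -errno;
    if (!isatty(guard)) {            /* refuse anything that is not a tty */
        close(guard);
        return -ENOTTY;
    }
    /* 1. Obtain the tty as controlling tty; vhangup() acts only on that. */
    if (setsid() < 0 || ioctl(guard, TIOCSCTTY, 0) < 0) {
        err = errno;
        close(guard);
        return -err;
    }
    /* 2. Hang up: descriptors already open on the tty (for example one a
     * process opened before the chmod) stop working. `guard` is hung up too
     * but stays open across the call, as the message advises. SIGHUP is
     * ignored because the hangup signals our own session as well. */
    old_hup = signal(SIGHUP, SIG_IGN);
    if (vhangup() < 0)
        err = errno;
    signal(SIGHUP, old_hup);
    /* 3. Reacquire: open the tty again and make it our controlling tty. */
    if (!err) {
        newfd = open(path, O_RDWR);
        if (newfd < 0 || ioctl(newfd, TIOCSCTTY, 0) < 0) {
            err = errno;
            if (newfd >= 0) close(newfd);
        }
    }
    close(guard);                    /* only now release the old descriptor */
    return err ? -err : newfd;
}
```

A caller would dup2() the returned descriptor onto stdin, stdout and stderr only after this function succeeds, so that no descriptor opened before the hangup survives into the user's session.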