Re: /etc/utmp

smb@research.att.com
Mon, 28 Mar 94 19:47:19 EST

	 I guess I didn't make myself totally clear.  I said the fix was to make
	 utmp not world writable (and I believe I mentioned a workaround using
	 a group (the tty group temporarily, since only staff types would be using
	 xterms on the given system).  But the fact remains Xterm really needs to be
	 SUID root so it can change perms and OWNERSHIP on its pty to the user.

Let me suggest that you take a look at the SysV Release 4 pty mechanism.
I'll be vain enough to claim partial credit for the design.  With it,
you don't need root to allocate a pty.  A single subroutine -- and a
hidden setuid root program allocate the pty, change the ownership,
set the modes -- and do it all without the usual race conditions
that BSD-derived systems need root privileges, vhangup(), and assorted
other misfeatures to bypass.

It works like this.  The pty user opens a pty master (which, btw, is
a clone device; no nonsense about looping through some fixed number
of possible ptys).  The open file descriptor for the master end -- and
that's not reopenable, and it won't be allocated unless the slave end
is idle -- is passed to this setuid root program.  From the master
fd, it determines the name of the corresponding slave device, and
chowns and chmods it.  It then issues an ioctl unlocking it -- until
that ioctl is issued, attempts to open the slave device will fail.
Presto -- no race on open permissions.  I forget if the subroutine
opens the slave end for the caller, or just passes back the name, but
either way, the interface is much easier.  I also don't remember if
utmp is handled by this routine, but the extension is obvious -- you
pass around the master end fd, and a small trusted program does the
appropriate diddles.

	 But since xterm was SUID root to accomplish this, and a bug in XTERM
	 made it possible to alter system files, Sun's apparent fix was to
	 make utmp world-writeable, all the pty's world-writeable, and remove
	 the SUID bit from Xterm.

You've got the causality wrong.  Sun had a writable wtmp years ago,
precisely to avoid making terminal emulators setuid root.  The bug --
probably inevitable -- bit folks who used MIT's xterm, because MIT
didn't see the danger.

	 One could use a variation on that pty command available off the net,
	 it works fine, but, alas, *IT* has to run SUID root, too, in order
	 to be able to chown the pty to the user...

Something has to run setuid root, but it doesn't have to be a whale.
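The allocation sequence described in the message above (open the clone master, let a small privileged helper fix ownership and mode of the slave, issue the unlock ioctl, only then open the slave by the name derived from the master fd), as an added C example that is not part of this message nor of any SysV source. It uses the names the mechanism later acquired in POSIX (posix_openpt, grantpt, unlockpt, ptsname), and assumes a Linux host with devpts mounted; when /dev/ptmx is absent it reports PTY_UNSUPPORTED rather than a defect. The struct and function names are the example's own. It also records what happens when the slave is opened before the unlock, so the "no race on open permissions" point can be observed rather than taken on faith.

```c
#define _XOPEN_SOURCE 600
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes so the example compiles even if a header was pulled
 * in before the feature macro above took effect (harmless redeclarations). */
extern int posix_openpt(int);
extern int grantpt(int);
extern int unlockpt(int);
extern char *ptsname(int);

/* Return codes for allocate_pty(). PTY_UNSUPPORTED means the host has no
 * clone master at all (no /dev/ptmx); it says nothing about the sequence. */
enum { PTY_OK = 0, PTY_FAIL = -1, PTY_UNSUPPORTED = -2 };

struct pty_pair {
    int    master;             /* fd of the clone master (/dev/ptmx) */
    int    slave;              /* fd of the slave, opened only after unlock */
    char   name[64];           /* slave path derived from the master fd */
    uid_t  owner;              /* st_uid of the slave after grantpt() */
    mode_t mode;               /* permission bits of the slave after grantpt() */
    int    locked_open_errno;  /* errno from opening the slave before unlockpt() */
};

void release_pty(struct pty_pair *p)
{
    if (p->slave >= 0)  close(p->slave);
    if (p->master >= 0) close(p->master);
    p->slave = p->master = -1;
}

int allocate_pty(struct pty_pair *p)
{
    struct stat st;
    const char *nm;
    int early;

    memset(p, 0, sizeof *p);
    p->master = p->slave = -1;

    /* Step 1: open the clone master. Every open yields a fresh, unshared
     * master; there is no fixed table of ptys to loop through. */
    p->master = posix_openpt(O_RDWR | O_NOCTTY);
    if (p->master < 0)
        return (errno == ENOENT || errno == ENXIO || errno == ENODEV)
               ? PTY_UNSUPPORTED : PTY_FAIL;

    /* Step 2: the slave name is derived from the master fd, not chosen by
     * the caller, so the helper cannot be pointed at someone else's tty. */
    nm = ptsname(p->master);
    if (nm == NULL) goto fail;
    snprintf(p->name, sizeof p->name, "%s", nm);

    /* Step 3: grantpt() plays the "hidden setuid root program": it chowns
     * the slave to the caller and clears world access. */
    if (grantpt(p->master) < 0) goto fail;

    /* Until unlockpt() the slave refuses every open (Linux reports EIO);
     * record the outcome so the lock can be seen doing its job. */
    early = open(p->name, O_RDWR | O_NOCTTY);
    if (early >= 0) { close(early); p->locked_open_errno = 0; }
    else p->locked_open_errno = errno;

    /* Step 4: the unlock ioctl. Only now can anyone open the slave, and
     * by now it already belongs to the caller with safe modes. */
    if (unlockpt(p->master) < 0) goto fail;

    if (stat(p->name, &st) < 0) goto fail;
    p->owner = st.st_uid;
    p->mode  = st.st_mode & 07777;

    /* Step 5: open the slave by name; there was no window in which it was
     * both openable and still owned by the wrong user. */
    p->slave = open(p->name, O_RDWR | O_NOCTTY);
    if (p->slave < 0) goto fail;
    return PTY_OK;

fail:
    release_pty(p);
    return PTY_FAIL;
}

int main(void)
{
    struct pty_pair p;
    int rc = allocate_pty(&p);
    if (rc != PTY_OK) {
        printf("pty allocation %s\n",
               rc == PTY_UNSUPPORTED ? "unsupported here" : "failed");
        return rc == PTY_UNSUPPORTED ? 0 : 1;
    }
    printf("slave %s owner uid %u mode %04o; open before unlock: %s\n",
           p.name, (unsigned)p.owner, (unsigned)p.mode,
           p.locked_open_errno ? strerror(p.locked_open_errno)
                               : "succeeded (no lock)");
    release_pty(&p);
    return 0;
}
```

The only privileged step is inside grantpt(), which is exactly the "small trusted program" the message argues for: the terminal emulator itself never needs root, and the unlock ioctl closes the window that BSD-style systems had to paper over with vhangup() and friends.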