Peter Wemm wrote:
> Hmm. something else I thought of too. Imagine: root is logged in on
> /dev/pts/34, and has the tty set to mode 0622. Guess what this would
> do if you were a normal user: /usr/lib/pt_chmod 1 > /dev/pts/34
> You could then TIOCSTI to your heart's content.

We don't support TIOCSTI, at least partly for security reasons (that, and it's never appeared in any of the standards we support -- is it in Spec1170?) Of course, if you own someone's tty they're screwed anyway. SCO UNIX sets ttys to group terminal, 600, or 620 for writable, so the attacker wouldn't be able to do this in the first place.

> A plea to OS programmers:
> *dont* use "chown" on the result of the ptsname() - use fchown() - the
> user might have passed a fd in that's from a network mounted partition in
> an attempt to change the ownership of the local alias of the device.

This won't work: the fd that's passed to ptsname() is a nameless clone inode, the master side of the pty. (Try it -- compile your pt_chmod replacement, add in an fstat call and print out the rdev; compare with the expected device # of the pty). The purpose of grantpt(), which is implemented via /usr/lib/pt_chmod, is to provide access to the slave side of this nameless master side device. The user program doesn't have the slave side open yet and won't be able to open it until it's been pt_chmod'd for him. The ioctl that ptsname() calls only applies to the master side; ptsname() will return NULL when called on a slave side fd.

This attack wouldn't work from an identical system anyway, since there wouldn't be a device node in the filesystem for the master side. From a system with a different major number mapping he can probably find some device (probably something less complex to attack than a pty) which is innocuous there but dangerous here. If he's root over there, he can just make one -- anywhere in any filesystem of his you've got mounted. So if your NFS does anything at all with device nodes, you're in trouble.

In fact, NFS is pretty dangerous no matter how you slice it.

>Bela<
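The fstat/rdev check suggested in the reply, as an added example that is not part of the original thread: it assumes a Linux/glibc system with /dev/ptmx available, opens a pty pair, and compares the device the master fd refers to with the slave node that ptsname() names; a second function verifies the post-grantpt() state a defender wants to see, namely that the slave is owned by the caller and is not world-writable.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

/* Open the master, run grantpt()/unlockpt(), and hand back the slave path. */
static int open_pty(char **slave) {
    int mfd = posix_openpt(O_RDWR | O_NOCTTY);
    if (mfd < 0) return -1;
    if (grantpt(mfd) < 0 || unlockpt(mfd) < 0 || !(*slave = ptsname(mfd))) {
        close(mfd);
        return -1;
    }
    return mfd;
}

/* Returns 1 if the master fd and the slave node are different devices (so an
 * fchown() on the master fd could never have touched the slave), 0 if they
 * are the same device, -1 on error. */
int master_is_not_slave(void) {
    char *slave;
    struct stat ms, ss;
    int mfd = open_pty(&slave);
    if (mfd < 0) return -1;
    if (fstat(mfd, &ms) < 0 || stat(slave, &ss) < 0) { close(mfd); return -1; }
    printf("master fd -> %u:%u (%s), slave %s -> %u:%u\n",
           major(ms.st_rdev), minor(ms.st_rdev),
           S_ISCHR(ms.st_mode) ? "char dev" : "not a char dev",
           slave, major(ss.st_rdev), minor(ss.st_rdev));
    close(mfd);
    return ms.st_rdev != ss.st_rdev;
}

/* Returns 1 if, after grantpt(), the slave is owned by the calling uid and
 * carries no world-write bit (the 0622 case above would fail this), 0 if
 * either check fails, -1 on error. The stat runs before close() because
 * the slave node disappears once the master is closed. */
int slave_perms_ok(void) {
    char *slave;
    struct stat ss;
    int mfd = open_pty(&slave);
    if (mfd < 0) return -1;
    int rc = stat(slave, &ss);
    close(mfd);
    if (rc < 0) return -1;
    return ss.st_uid == getuid() && !(ss.st_mode & S_IWOTH);
}
```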