Hello guys!

Using Sun's Openwin under SunOS 4.1.3, I noticed that /usr/openwin/bin/xterm wasn't setuid ROOT. It seems to be a good thing (remember the "xterm -lf" + file link bug?).

When you launch an xterm, the system attaches a device to the xterm's shell. You can see this device by typing 'tty' in the xterm's window. OK.

The problem is: under SunOS, the terminal devices (/dev/ttyp?) are owned by root, with rights rw-rw-rw-. When you log on the machine, the login process changes the owner of the terminal, so the tty belongs to you, with minimum access rights. BUT when using an xterm, you don't have the permissions to change the owner and access rights of the newly allocated tty. So the device stays owned by root, WORLD READABLE and WORLD WRITEABLE!!!

I think this introduces a major security hole, since everybody can read an xterm's shell terminal device to get secret information, including a password! You can try this by using the "cat" command redirected from (or to) an xterm terminal device: it works!

The problem doesn't exist under Solaris 2.3: the xterm terminal belongs to you. Since I also use Solaris, I wondered how the system manages to change the permissions of the device: the xterm is not setuid under Solaris Openwin... After a few experiments, I noticed that the system was using an undocumented program: /usr/lib/pt_chmod. This little executable is - guess what? - setuid ROOT! It does *exactly* what I was looking for: change the access rights and owner of a terminal device. Hmm...

The questions are now:
-----------------------
1) What are the risks of using such a mechanism? How can we be sure that this "pt_chmod" is secure?
2) Using a "regular" X11R6 xterm, it also changes the owner and rights of the device. It seems that pt_chmod is called by the system, not by xterm. I suppose pt_chmod is called by ioctl() or termio(), but I'm not so sure... Can anybody confirm this?

# Gillus (IT Security Dep., French Space Agency, Toulouse Space Center)
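The check the post describes by hand (look at who owns the pty an xterm got, and whether it is world readable/writable) is easy to automate. The script below is an added example, not code from the original post or from any Sun tool: it classifies pty device records against the session's uid, flags the exact condition the post reports (root-owned, mode rw-rw-rw-), and can also allocate a fresh pty with os.openpty() on the running system and inspect what the platform's grantpt-style mechanism actually did to it. The sample records, device paths and uids are constructed for illustration; treating group-write as acceptable (the conventional tty-group convention used by write/wall) while flagging group-read and any "other" access is an assumption of this example, not a statement about SunOS or Solaris defaults.

```python
"""Audit pseudo-terminal slave devices for unclaimed or over-permissive modes.

Added example (not from the original post). A pty that stays owned by root
with mode rw-rw-rw- after allocation lets any local user read or write the
session, which is the hole the post describes.
"""
import os
import stat
from dataclasses import dataclass

# Bits that must be clear on an allocated pty. Group-write is tolerated here
# (assumption: tty-group convention used by write/wall); group-read and every
# "other" bit expose the session to unrelated users.
UNSAFE_BITS = stat.S_IRGRP | stat.S_IROTH | stat.S_IWOTH


@dataclass
class PtyRecord:
    path: str
    uid: int
    mode: int  # permission bits only, e.g. 0o620 (use stat.S_IMODE on st_mode)


def classify(rec: PtyRecord, session_uid: int) -> list[str]:
    """Return findings for one pty; an empty list means it was claimed correctly."""
    findings = []
    if rec.uid != session_uid:
        findings.append(
            f"{rec.path}: owned by uid {rec.uid}, expected session uid {session_uid}"
        )
    exposed = rec.mode & UNSAFE_BITS
    if exposed:
        findings.append(
            f"{rec.path}: mode {rec.mode:04o} grants outside access (bits {exposed:04o})"
        )
    return findings


def audit(records: list[PtyRecord], session_uid: int) -> dict[str, list[str]]:
    """Map each problematic pty path to its findings; clean ptys are omitted."""
    report = {}
    for rec in records:
        findings = classify(rec, session_uid)
        if findings:
            report[rec.path] = findings
    return report


def check_live_pty() -> list[str]:
    """Allocate a pty on this host and report how the OS claimed the slave side."""
    master, slave = os.openpty()
    try:
        st = os.fstat(slave)
        rec = PtyRecord(os.ttyname(slave), st.st_uid, stat.S_IMODE(st.st_mode))
        return classify(rec, os.getuid())
    finally:
        os.close(master)
        os.close(slave)


# Constructed sample records: the SunOS 4 xterm case from the post, a correctly
# claimed pty, and one owned by the user but left group/world readable.
SAMPLE_RECORDS = [
    PtyRecord("/dev/ttyp3", 0, 0o666),
    PtyRecord("/dev/pts/4", 1000, 0o620),
    PtyRecord("/dev/pts/7", 1000, 0o644),
]

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_RECORDS, 1000).items():
        for line in findings:
            print(line)
    print("live pty:", check_live_pty() or "ok")
```

Running it on a host prints findings for the constructed records and then the result for a pty allocated right now; an empty result on the live check means the platform's pty claim step (the pt_chmod role the post describes) did its job for this user.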