Re: SunOS's xterm pb : again !

Alexander Haiut (alx@black.BGU.AC.IL)
Mon, 12 Dec 1994 19:51:10 +0200 (GMT+0200)

	hello!

> Using Sun's Openwin under SunOS4.1.3, I noticed that the
> /usr/openwin/bin/xterm wasn't setuid ROOT. It seems to be a
> good thing (remember the "xterm -lf" + file link bug ?).

	heh... sun closed the xterm hole with minimal cost ?! ;)

> When you launch an xterm, the system attaches a device to the
> xterm's shell. You can see this device by typing 'tty' in the xterm's
> window. OK.
>
> The problem is: under SunOS, the terminal devices (/dev/ttyp?) are
> owned by root, with rights rw-rw-rw-. When you log on to the machine,
> the login process changes the owner of the terminal, so the tty
> belongs to you, with minimum access rights. BUT when using an xterm,
> you don't have the permissions to change the owner and access rights
> of the newly allocated tty. So the device stays owned by root,
> WORLD READABLE and WORLD WRITABLE !!!

	I think you may try to fix that bug by compiling xterm
	without the -lf option and installing it suid.

	I found this bug (?) a few months ago, but only now found
	time to fix it; we're testing this now, and can send you the
	results and source code of the modified xterm after testing, in
	a few days.. :-)

> I think this introduces a major security hole...

	Yes, 666 is not the best mode for a tty.. :)

					--alex.

  Alexander L. Haiut
  Dept. of Computer Science
  Ben-Gurion University, Israel
 _________________________________
  e-mail : alx@cs.bgu.ac.il
  voice  : +972-7-461658
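The mode problem described in the thread (a pty left root-owned at 666 because an unprivileged xterm cannot chown it) is easy to audit for. The following script is an added example, not code from the original post or from Sun's or xterm's sources: it parses `ls -l`-style listings of tty devices and reports every entry whose "other" write bit is set, then runs the same check on the caller's own controlling tty. The listing in `SAMPLE_LISTING` is constructed to mirror the situation the post describes (two ptys still at 666 and owned by root, one that login has reassigned); the function names and the sample are assumptions made for this example.

```shell
#!/bin/sh
# Audit tty device modes for the "world-writable pty" condition described in the
# thread. Added example, not part of the original post.

# Constructed sample listing in `ls -l` format: two ptys still owned by root at
# mode 666 (the xterm case), one chowned and narrowed by login (the login case).
SAMPLE_LISTING='crw-rw-rw- 1 root tty 4, 2 Dec 12 19:51 /dev/ttyp2
crw--w---- 1 alx  tty 4, 3 Dec 12 19:52 /dev/ttyp3
crw-rw-rw- 1 root tty 4, 4 Dec 12 19:53 /dev/ttyp4'

# world_writable_ttys LISTING
# Print the path (last field) of each entry whose mode string has "w" in the
# "other" write position (character 9 of e.g. "crw-rw-rw-").
world_writable_ttys() {
    printf '%s\n' "$1" | awk '{ if (substr($1, 9, 1) == "w") print $NF }'
}

# count_world_writable LISTING
# Number of world-writable entries; handy as a cron/exit-status check.
count_world_writable() {
    world_writable_ttys "$1" | wc -l | tr -d ' '
}

# check_current_tty
# Apply the same test to the caller's controlling terminal, if there is one.
check_current_tty() {
    t=$(tty 2>/dev/null) || { echo "no controlling tty, skipping live check"; return 0; }
    line=$(ls -l "$t")
    if [ -n "$(world_writable_ttys "$line")" ]; then
        echo "WARNING: $t is world-writable: $line"
    else
        echo "ok: $line"
    fi
}

echo "world-writable ttys in sample listing:"
world_writable_ttys "$SAMPLE_LISTING"
check_current_tty
```

To audit a whole system instead of the sample, feed it the real listing, e.g. `world_writable_ttys "$(ls -l /dev/ttyp* 2>/dev/null)"` on a BSD-style /dev or `ls -l /dev/pts/*` on a modern Linux host; any hit is a terminal that every local user can read from and write to.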