[net.unix] Slaying Gould dragon with a wooden

carroll@snail.CS.UIUC.EDU (11/04/86)

/* Written 11:34 am  Nov  1, 1986 by page@ulowell.UUCP in snail:net.unix */
Harder to deal with: If you log in as root on the console and somebody
sends a message via syslog(3).  Anybody found a reasonable defense against
this, other than ``don't use block-mode terminals for consoles'' (an
academic question, we don't anyway) or ``don't log in to the console''?
(...)
/* end of text */

What about 3b2's, where you HAVE to be at console to login as root?

campbell@maynard.UUCP (Larry Campbell) (11/05/86)

In article <3800016@snail> carroll@snail.CS.UIUC.EDU writes:

>What about 3b2's, where you HAVE to be at console to login as root?

I suspect this is true of any System V system;  I know it is true
of Microport UNIX (a sanctioned System V port for the PC/AT).  I complained
to Microport about it and they said "That's the way it came from AT&T".

You can still log in as yourself and then su.
-- 
Larry Campbell       MCI: LCAMPBELL          The Boston Software Works, Inc.
UUCP: {alliant,wjh12}!maynard!campbell      120 Fulton Street, Boston MA 02109
ARPA: campbell%maynard.uucp@harvisr.harvard.edu     (617) 367-6846

roy@phri.UUCP (Roy Smith) (11/05/86)

	Maybe I'm missing something obvious, but why are block-mode
terminals a security problem?
-- 
Roy Smith, {allegra,philabs}!phri!roy
System Administrator, Public Health Research Institute
455 First Avenue, New York, NY 10016

les8070@ritcv.UUCP (Lance E. Shepard) (11/06/86)

The SV I've used allowed you to recompile login to allow root to login
to terminals other than the console.  I believe there was also a #define
you could set to prevent other users from logging into the console.

						Lance Shepard

gwyn@brl-smoke.ARPA (Doug Gwyn) (11/07/86)

In article <2481@phri.UUCP> roy@phri.UUCP (Roy Smith) writes:
>	Maybe I'm missing something obvious, but why are block-mode
>terminals a security problem?

Actually, this applies to any terminal that can be told by the host
to store characters and then be told by the host to transmit stored
characters.  Programmable function keys sometimes have this property.

The problem is that these features allow anyone who can transmit
more-or-less unmolested information to the terminal to force-feed
input from that terminal, which so far as UNIX knows was typed by
the logged-in user.  This can be protected against to some degree
by changing the "write" utility, mail-reading interface, etc. to
not send ESC and other possibly harmful characters unmapped to the
terminal.  However, "cat file" can still trip a mine like this.

campbell@maynard.UUCP (Larry Campbell) (11/07/86)

In article <2481@phri.UUCP> roy@phri.UUCP (Roy Smith) writes:
>
>	Maybe I'm missing something obvious, but why are block-mode
>terminals a security problem?

They're not all security holes, but the ones that have the following
pair of escape-sequence driven commands are:

    1.	"Put the following string in your buffer." (say, "rm -rf *")

    2.	"Send the buffer to the host."

On such a terminal, one cute mail message can ruin your whole day.  :-)
-- 
Larry Campbell       MCI: LCAMPBELL          The Boston Software Works, Inc.
UUCP: {alliant,wjh12}!maynard!campbell      120 Fulton Street, Boston MA 02109
ARPA: campbell%maynard.uucp@harvisr.harvard.edu     (617) 367-6846

henry@utzoo.UUCP (Henry Spencer) (11/07/86)

> 	Maybe I'm missing something obvious, but why are block-mode
> terminals a security problem?

Any terminal which can be caused, remotely, to send part of what's on its
screen is a security problem on a normal Unix.  Just write something out
to the screen and then send the send-screen sequence, and the characters
come in just as if the user had typed them.  Do it when somebody is
signed in as root on such a terminal, and you've got superuser powers.

The only fixes are to either (a) avoid such terminals, or (b) carefully
control what other people can write to your terminal.  The latter is
harder than it looks, because the bad guy can always put the interesting
sequences in mail messages ("letterbombs") or in files rather than sending
them directly.

Remotely-programmable function keys can also cause trouble this way.  If
their contents can be read back remotely, the same technique works.  If
there is no read-back, you have to choose a key that the user will hit
in the course of normal use.
-- 
				Henry Spencer @ U of Toronto Zoology
				{allegra,ihnp4,decvax,pyramid}!utzoo!henry
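
Added example (not part of any post in this thread): a C filter of the kind Doug Gwyn's and Henry Spencer's posts call for, which a write or mail-reading program could pass untrusted text through so that ESC and other control bytes reach the terminal only in mapped, visible form. The function name and the cat -v style caret/M- notation are choices made for this example; it treats every 8-bit byte as suspect, which also mangles UTF-8 text.

```c
/* Added example: make control bytes visible before text reaches a terminal. */
#include <stdio.h>
#include <string.h>

/* Append one byte to out if room remains (space is always kept for the NUL). */
static void put(char *out, size_t cap, size_t *len, char c)
{
    if (*len + 1 < cap)
        out[(*len)++] = c;
}

/* Copy n bytes of untrusted text into out, mapping every control byte to a
 * printable form (ESC -> "^[", DEL -> "^?", 0x9b -> "M-^["). Newline and tab
 * pass through. Output is truncated if out is too small.
 * Returns the length of the NUL-terminated result. */
size_t sanitize_for_terminal(const unsigned char *in, size_t n,
                             char *out, size_t cap)
{
    size_t len = 0;
    if (cap == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        int keep = (c == '\n' || c == '\t');  /* harmless layout characters */
        if (c >= 0x80) {                      /* 8-bit, incl. C1 controls */
            put(out, cap, &len, 'M');
            put(out, cap, &len, '-');
            c &= 0x7f;
        }
        if (!keep && (c < 0x20 || c == 0x7f)) {  /* C0 control or DEL */
            put(out, cap, &len, '^');
            c ^= 0x40;
        }
        put(out, cap, &len, (char)c);
    }
    out[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed sample: a message line carrying an ESC-introduced sequence.
     * The sequence is a placeholder, not any particular terminal's command. */
    const unsigned char msg[] = "Hello\033[Xplaceholder\r\n";
    char safe[128];
    sanitize_for_terminal(msg, sizeof msg - 1, safe, sizeof safe);
    fputs(safe, stdout);
    return 0;
}
```

This covers only text that goes through the filtering program; as the posts note, a plain "cat file" still sends the bytes unmapped.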