brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (05/08/91)
In article <19119@sdcc6.ucsd.edu> muller@sdcc10.ucsd.edu (Keith Muller) writes: > After grinding through as many unix src as I could find, it turns out > that Dan and I are addressing two completely different tty bugs. They > have similar end results, but are done in very different ways. Well, I must admit that I don't know what Muller is talking about here. If he means to imply that my changes don't solve a certain tty hole, I'm reasonably sure he's wrong. Anyone who wants to know why a particular attack is stopped can send me e-mail about it. > The bug I was talking has been fixed in 4.3 RENO, but is in > many other UNIX variants. I think Muller is trying to say here that he finally understands that he was wrong about u_ttyd. BSD 4.3-Reno has u_ttyvp; contrary to his previous statements, previous BSD releases have u_ttyd, so his fixes won't work except under Reno. And, contrary to Muller's implication here, my changes do address this problem: once you replace the old /dev/tty driver as instructed, users cannot abuse u_ttyd. I must say, Muller, that the mud you keep throwing at my solution is getting rather tiresome. There's nothing wrong with reasonable doubt, but insisting on six separate occasions that I've failed to address something (which, in fact, I have addressed) is a bit repetitive, don't you think? What I can't tolerate, though, is how you keep claiming that a non-solution is a solution. You can't play around with security! If you say that your fixes work on even one platform where they don't (viz., all the production BSD releases), you may do huge damage. Don't you understand that the right thing is to post a realistic assessment of the limitations of your changes? You'll be off to a good start with ``They don't work on systems with p_ttyd/u_ttyd in place of u_ttyvp.'' > This bug was reported early last year (before the > Reno release) to the appropriate places. Sheesh. I reported these bugs years ago to comp.unix.wizards, when there wasn't any other appropriate place. Bellovin reported System V's version of the holes even before that. In fact, the particular bug that you're referring to here is nothing more than what's always been noted in the vhangup() man page: ``Access to the controlling terminal using /dev/tty is still possible.'' ---Dan