brnstnd@kramden.acf.nyu.edu (Dan Bernstein) (04/25/91)
Three weeks ago Keith Bostic gave me an account on vangogh.berkeley.edu, running one of the latest revisions of BSD 4.3-Reno, so that I could test the system for tty bugs. (What a remarkable coincidence. :-) ) I have bad news, good news, and a quick summary of what Berkeley is planning to do about tty security.

The bad news: The system allows any user to take over a session started by script. Presumably this also applies to xterm, emacs, expect, et al. ``Take over'' means invisible writing, tty mode mangling, and TIOCSTI. Modulo some races, it lets any user output any number of characters at the beginning of another user's telnetd connection, and may allow more access (I haven't tested this thoroughly). Furthermore, it lets any user log any other user out, given preparation. There are several minor holes which should not be serious problems and which I won't describe here.

The good news: BSD now has a revoke(filename) syscall which achieves similar effects to the enforce() that has been proposed here before; telnetd uses revoke() in a way that I believe guarantees the security of the tty. This does not stop I/O before the revoke(), but Marc Teitelbaum says (and I agree) that proper flushing and a bit more paranoia will completely shield login sessions from attack. Unfortunately, revoke() is not usable by unprivileged programs like script, so for most purposes ptys are as insecure as they were in BSD 4.2.

Last-minute good news: Marc has found the bug that allowed the logout problem. He will fix it.

What BSD plans to do in the future about tty security: Apparently 4.4 will have ``bstreams'', roughly equivalent to the other stream systems in the world. ptys will be re-implemented as bstreams, so they will (finally!) be dynamically allocatable. Hopefully everyone at Berkeley will agree that ptys do not belong in the filesystem; the ones who know this are working to convince those who aren't sure, or so I hear.
Given this radical reorganization, it appears that BSD 4.4 ttys will be secure. If this is true, I withdraw my previous threat. (But see part 4 for further comments.) In the meantime (i.e., until someone gets up the courage to implement bstreams) I have outlined to Marc a reasonably simple plan for making ttys completely secure without radically changing the kernel or system applications. I hope he sees that the plan involves at most a couple of hours of work, so that with luck secure ttys will make it into the next interim BSD release. As my plan also applies to BSD 4.2 and 4.3 and popular systems derived from them, I have included it here as part 3.

---Dan