<strong>Report forwarded</strong> to <code>debian-devel@pixar.com</code>:<br>
<code>Bug#988</code>; Package <code>bsdutils</code>.


debian-devel@pixar.com

Subject: Bug#988: `script' is insecure, and general tty insecurity
Reply-To: iwj10@cus.cam.ac.uk (Ian Jackson), debian-bugs@pixar.com
Resent-To: debian-devel@pixar.com
Resent-From: iwj10@cus.cam.ac.uk (Ian Jackson)
Resent-Sender: iwj10@cus.cam.ac.uk
Resent-Date: Wed, 14 Jun 1995 13:03:04 GMT
Resent-Message-ID: <debian-bugs-handler.988.06141256209927@pixar.com>
X-Debian-PR-Package: bsdutils
X-Debian-PR-Keywords: 
Received: via spool for debian-bugs; Wed, 14 Jun 1995 13:03:04 GMT
Received: with rfc822 via encapsulated-mail id 06141256209927;
          Wed, 14 Jun 1995 12:56:20 GMT
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0sLrxe-0007mTC; Wed, 14 Jun 95 05:54 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA25300
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 14 Jun 1995 05:52:52 -0700
Received: by bootes.cus.cam.ac.uk
	(Smail-3.1.29.0 #36) id m0sLrxB-000C01C; Wed, 14 Jun 95 13:53 BST
Received: by chiark
	id <m0sLrhb-0000XRZ@chiark.al.cl.cam.ac.uk>
	(Debian /\oo/\ Smail3.1.29.1 #29.32); Wed, 14 Jun 95 13:37 BST
Message-Id: <m0sLrhb-0000XRZ@chiark.al.cl.cam.ac.uk>
Date: Wed, 14 Jun 95 13:37 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: Debian bugs submission address <debian-bugs@pixar.com>

Package: bsdutils
Version: 1.2-1

chiark:~> tty
/dev/ttyp3
chiark:~> script
Script started, output file is typescript
chiark:~> tty
/dev/ttyp7
chiark:~> ls -al /dev/ttyp3 /dev/ttyp7
crw--w--w-   1 ian      ian        4, 195 Jun 14 13:31 /dev/ttyp3
crw-rw-rw-   1 root     root       4, 199 Jun 14 13:31 /dev/ttyp7
chiark:~> exit
exit
Script done, output file is typescript
chiark:~> ls -al /dev/ttyp3 /dev/ttyp7
crw--w--w-   1 ian      ian        4, 195 Jun 14 13:31 /dev/ttyp3
crw-rw-rw-   1 root     root       4, 199 Jun 14 13:31 /dev/ttyp7
chiark:~>

Clearly /dev/ttyp7 should, while script is running:

* not be readable by everyone
* be owned by the user (so that they can use mesg and biff)
* have mesg off by default

Fixing this will require the intervention of a setuid root program
(either script will have to be setuid or another program will have to
be made).

There may be other security problems, notably races in the pty
allocation.

In general this is a very messy area, and the solutions to the
problems here are likely to involve nontrivial amounts of thought,
coding and/or introduction of additional software.  This problem with
programs like `script' is common on many unices, but we should arrange
to find solutions at least for programs we supply.

There are other problems related to having globally-writeable tty's.
IMO tty's should be made group-writeable only by a special group
(conventially called `tty'), to which all programs like `write' and
`talk' will have to be setgid.  This is probably a major undertaking,
though, requiring changes to login, telnet, &c &c

Ian.



<strong>Acknowledgement sent</strong> to <code>iwj10@cus.cam.ac.uk (Ian Jackson)</code>:<br>
New bug report received and forwarded.


-t

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: iwj10@cus.cam.ac.uk (Ian Jackson)
Subject: Bug#988: Acknowledgement (was: `script' is insecure, and general tty insecurity)
In-Reply-To: <m0sLrhb-0000XRZ@chiark.al.cl.cam.ac.uk>
References: <m0sLrhb-0000XRZ@chiark.al.cl.cam.ac.uk>

Thank you for the problem report you have sent regarding Debian GNU/Linux.
This is an automatically generated reply, to let you know your message has
been received.  It is being forwarded to the developers' mailing list for
their attention; they will reply in due course.

If you wish to submit further information on your problem, please send
it to debian-bugs@pixar.com, but please ensure that the Subject
line of your message starts with "Bug#988" or "Re: Bug#988" so that
we can identify it as relating to the same problem.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)




From nobody@pixar.com Wed Jun 14 13:56:19 1995
Return-Path: <nobody@pixar.com>
Received: from grus.cus.cam.ac.uk [131.111.8.3] (ident = root) 
	by bootes.cus.cam.ac.uk with smtp 
	(Smail-3.1.29.0 #36) id m0sLrzW-000BzNC; Wed, 14 Jun 95 13:56 BST
Received: from mongo.pixar.com [138.72.50.60] 
	by grus.cus.cam.ac.uk with smtp 
	(Smail-3.1.29.0 #36) id m0sLrz9-0007bHC; Wed, 14 Jun 95 13:55 BST
Received: by mongo.pixar.com (Smail3.1.28.1 #15)
	id m0sLrxf-0007mWC; Wed, 14 Jun 95 05:54 PDT
Message-Id: <m0sLrxf-0007mWC@mongo.pixar.com>
Date: Wed, 14 Jun 95 05:54 PDT
From: nobody@pixar.com (SVR4 nobody uid)
To: iwj10@cus.cam.ac.uk
Errors-To: iwj10@cus.cam.ac.uk
X-Debian-Bugs: This is an autoforward from debian-bugs

XFrom cus.cam.ac.uk!iwj10 Wed Jun 14 05:54:23 1995
XReturn-Path: <iwj10@cus.cam.ac.uk>
XReceived: from pixar.com by mongo.pixar.com with smtp
X	(Smail3.1.28.1 #15) id m0sLrxe-0007mTC; Wed, 14 Jun 95 05:54 PDT
XReceived: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA25300
X  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 14 Jun 1995 05:52:52 -0700
XReceived: by bootes.cus.cam.ac.uk 
X	(Smail-3.1.29.0 #36) id m0sLrxB-000C01C; Wed, 14 Jun 95 13:53 BST
XReceived: by chiark
X	id <m0sLrhb-0000XRZ@chiark.al.cl.cam.ac.uk>
X	(Debian /\oo/\ Smail3.1.29.1 #29.32); Wed, 14 Jun 95 13:37 BST
XMessage-Id: <m0sLrhb-0000XRZ@chiark.al.cl.cam.ac.uk>
XDate: Wed, 14 Jun 95 13:37 BST
XFrom: iwj10@cus.cam.ac.uk (Ian Jackson)
XTo: Debian bugs submission address <debian-bugs@pixar.com>
XSubject: `script' is insecure, and general tty insecurity
X
XPackage: bsdutils
XVersion: 1.2-1
X
Xchiark:~> tty
X/dev/ttyp3
Xchiark:~> script
XScript started, output file is typescript
Xchiark:~> tty
X/dev/ttyp7
Xchiark:~> ls -al /dev/ttyp3 /dev/ttyp7
Xcrw--w--w-   1 ian      ian        4, 195 Jun 14 13:31 /dev/ttyp3
Xcrw-rw-rw-   1 root     root       4, 199 Jun 14 13:31 /dev/ttyp7
Xchiark:~> exit
Xexit
XScript done, output file is typescript
Xchiark:~> ls -al /dev/ttyp3 /dev/ttyp7
Xcrw--w--w-   1 ian      ian        4, 195 Jun 14 13:31 /dev/ttyp3
Xcrw-rw-rw-   1 root     root       4, 199 Jun 14 13:31 /dev/ttyp7
Xchiark:~> 
X
XClearly /dev/ttyp7 should, while script is running:
X
X* not be readable by everyone
X* be owned by the user (so that they can use mesg and biff)
X* have mesg off by default
X
XFixing this will require the intervention of a setuid root program
X(either script will have to be setuid or another program will have to
Xbe made).
X
XThere may be other security problems, notably races in the pty
Xallocation.
X
XIn general this is a very messy area, and the solutions to the
Xproblems here are likely to involve nontrivial amounts of thought,
Xcoding and/or introduction of additional software.  This problem with
Xprograms like `script' is common on many unices, but we should arrange
Xto find solutions at least for programs we supply.
X
XThere are other problems related to having globally-writeable tty's.
XIMO tty's should be made group-writeable only by a special group
X(conventially called `tty'), to which all programs like `write' and
X`talk' will have to be setgid.  This is probably a major undertaking,
Xthough, requiring changes to login, telnet, &c &c
X
XIan.

YReceived: with rfc822 via encapsulated-mail id 06141256209927;
Y          Wed, 14 Jun 1995 12:56:20 GMT



<strong>Information forwarded</strong> to <code>debian-devel@pixar.com</code>:<br>
<code>Bug#988</code>; Package <code>bsdutils</code>.


debian-devel@pixar.com

Subject: Bug#988: script' is insecure, and general tty insecurity
Reply-To: bruce@pixar.com (Bruce Perens), debian-bugs@pixar.com
Resent-To: debian-devel@pixar.com
Resent-From: bruce@pixar.com (Bruce Perens)
Resent-Sender: iwj10@cus.cam.ac.uk
Resent-Date: Wed, 14 Jun 1995 19:48:02 GMT
Resent-Message-ID: <debian-bugs-handler.988.061419452012573@pixar.com>
X-Debian-PR-Package: bsdutils
X-Debian-PR-Keywords: 
Received: via spool for debian-bugs; Wed, 14 Jun 1995 19:48:02 GMT
Received: with rfc822 via encapsulated-mail id 061419452012573;
          Wed, 14 Jun 1995 19:45:20 GMT
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0sLyMD-0007hOC; Wed, 14 Jun 95 12:44 PDT
Received: from mongo.pixar.com by pixar.com with SMTP id AA16863
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 14 Jun 1995 12:42:42 -0700
Received: by mongo.pixar.com (Smail3.1.28.1 #15)
	id m0sLyKr-00051OC; Wed, 14 Jun 95 12:42 PDT
Message-Id: <m0sLyKr-00051OC@mongo.pixar.com>
Date: Wed, 14 Jun 95 12:42 PDT
From: bruce@pixar.com (Bruce Perens)
To: debian-bugs@pixar.com, iwj10@cus.cam.ac.uk (Ian Jackson)

Here is a get_pseudo_tty() function that attempts to jettision pernicious
listeners on the slave side. You can easily hack this to change the slave
to be owned by the real UID. I've also included an execute() function that
redirects input and output to the pseudo-tty. You can see how these are used
and also find a driver for doing asynchronous I/O using the select() system
call if you download the source for ax25-util. The calling sequence for
get_pseudo_tty() and execute() is:

int
main(int argc, char * * argv, char * * environment)
{
	int	masterFD;
	int slaveFD;
	static const char *	argumentVector = { "/bin/sh", 0 };

	masterFD = get_pseudo_tty(&slaveFD);

	if ( masterFD < 0 )
		complain_and_die();

	/*
	 * Start the client program  with input and output directed
	 * to the slave FD. Do I/O to that from the master FD.
	 */
	if ( !execute("/bin/sh", argumentVector, environment, slaveFD) )
		complain_and_die();

	...
}

	- Bruce


BEGIN pseudo_tty.c

/* AX.25 Utilities: Attach an interface.
 * Bruce Perens, November 1994
 *
 * Copyright 1994 Bruce Perens.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 */
#include <stdlib.h>
#include <unistd.h>
#include <termios.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>

#define	NAME_SIZE	64

static const char	Prototype[] = "/dev/pty";
#define	PROTOTYPE_BASE	5 /* index to "pty" in prototype. */

static int
open_pseudo_tty(const char * name, int * slave)
{
	char		slaveName[NAME_SIZE];
	int		master = open(name, O_RDWR, 0);
	struct termios	t;

	if ( master < 0 )
		return -1;

	strcpy(slaveName, name);

	slaveName[PROTOTYPE_BASE] = 't';

	/* Close master again to jettison any pernicious listeners on slave
	 * side. I'd like to be able to lock opens on the slave side while
	 * this is going on. This won't work if you're not root.
	 */
	chown(slaveName, 0, 0);
	chmod(slaveName, 0600);
	close(master);

	/*
	 * Closing the master hung up on any listeners on the slave side. They
	 * can't open it again unless they are root.
 	 */
	if ( (master = open(name, O_RDWR, 0)) < 0 )
		return -1;

	if ( (*slave = open(slaveName, O_RDWR, 0)) < 0 ) {
		close(master);
		return -1;
	}

	if ( tcgetattr(*slave, &t) == 0 ) {
		/*
		 * Attempt to provide a consistent environment upon open.
		 * Of course if you are running a script you can override
		 * this by running stty.
		 */
		t.c_cc[VINTR]	= 'c' & 0x1f;
		t.c_cc[VQUIT]	= '\\' & 0x1f;
		t.c_cc[VERASE]	= 'h' & 0x1f;
		t.c_cc[VKILL]	= 'u' & 0x1f;
		t.c_cc[VEOF]	= 'd' & 0x1f;
		t.c_cc[VEOL]	= '\n';
		t.c_cc[VSTOP]	= 's' & 0x1f;
		t.c_cc[VSTART]	= 'q' & 0x1f;
		t.c_cc[VSUSP]	= 'z' & 0x1f;
		t.c_cc[VLNEXT]	= 'v' & 0x1f;
		t.c_cc[VWERASE]	= 'w' & 0x1f;
		t.c_cc[VREPRINT]= 'r' & 0x1f;
		t.c_cc[VDISCARD]= 'o' & 0x1f;
		t.c_iflag = BRKINT|ICRNL;
		t.c_oflag = OPOST;
		t.c_cflag = B9600|CS8|CREAD|HUPCL;
		t.c_lflag = ISIG|ICANON|ECHO|ECHOE;
		t.c_line = 0;
		tcsetattr(*slave, TCSANOW, &t);
	}

	return master;
}

int
get_pseudo_tty(int * slave)
{
	char			name[NAME_SIZE];
	char * const		ones = &name[sizeof(Prototype)];
	char * const		tens = &name[sizeof(Prototype) - 1];

	strcpy(name, Prototype);
	name[sizeof(Prototype) + 1] = '\0';

	for ( *tens = 'p'; *tens <= 's'; ++*tens ) {
		int	n;
		for ( n = 0; n < 16; n++ ) {
			static const char Hexits[16] = "0123456789abcdef";
			int	master;

			*ones = Hexits[n];
			master = open_pseudo_tty(name, slave);

			if ( master >= 0 )
				return master;
		}
	}
	return -1;
}

BEGIN execute.c

/* AX.25 Utilities: Run a program, with input and output directed
 *	to a file descriptor.
 *
 *
 * Bruce Perens, November 1994
 *
 * Copyright 1994 Bruce Perens.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 */
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>

int
execute(
 const char *	file
,char * const *	argv
,char * const *	envp
,int		ioFile)
{
	int	pid;

	signal(SIGCLD, SIG_IGN);	/* No zombies */

	pid = fork();

	if ( pid < 0 )
		return -1;
	else if ( pid == 0 ) {
		/* In the child process */

		int	max = (int)sysconf(_SC_OPEN_MAX);
		int	fd;
		int	n;

		for ( fd = 0; fd < max; fd++ ) {
			if ( fd != ioFile )
				close(fd);
		}
		/*
		 * If the IO file isn't 0, 1, or 2, I'm starting a new
		 * session on some other device.
		 */
		if ( ioFile > 2 )
			setsid();

		for ( fd = 0; fd <= 2; fd++ ) {
			if ( fd != ioFile && dup2(ioFile, fd) != fd )
				_exit(-1);
		}

		if ( ioFile > 2 )
			close(ioFile);

		/*
		 * Try to give the process as pristine an environment
		 * as possible.
		 */
		for ( n = 0; n < NSIG; n++ )
			signal(n, SIG_DFL);

		/*
		 * If I started a new session above, set the tty process
		 * group to match it.
		 */
		if ( ioFile > 2 )
			tcsetpgrp(0, getpgrp());

		execve(file, argv, envp);
		_exit(-1);
	}
	return pid;
}
--
-- Attention Ham Radio Operators: For information on "Linux for Hams", read
-- the World Wide Web page http://www.hams.com/perens/LinuxForHams, or send
-- an e-mail message containing the word "help" to info@hams.com .



<strong>Acknowledgement sent</strong> to <code>bruce@pixar.com (Bruce Perens)</code>:<br>
Extra info received and forwarded.


-t

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: bruce@pixar.com (Bruce Perens)
Subject: Bug#988: Info received (was Bug#988: `script' is insecure, and general tty insecurity)
In-Reply-To: <m0sLyKr-00051OC@mongo.pixar.com>
References: <m0sLyKr-00051OC@mongo.pixar.com>

Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developers to
accompany the original report.

If you wish to continue to submit further information on your problem,
please do the same thing again: send it to debian-bugs@pixar.com, ensuring
that the Subject line starts with "Bug#988" or "Re: Bug#988" so that
we can identify it as relating to the same problem.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)




From nobody@pixar.com Wed Jun 14 20:45:19 1995
Return-Path: <nobody@pixar.com>
Received: from mongo.pixar.com [138.72.50.60] 
	by bootes.cus.cam.ac.uk with smtp 
	(Smail-3.1.29.0 #36) id m0sLyNJ-000BzPC; Wed, 14 Jun 95 20:45 BST
Received: by mongo.pixar.com (Smail3.1.28.1 #15)
	id m0sLyMD-00051OC; Wed, 14 Jun 95 12:44 PDT
Message-Id: <m0sLyMD-00051OC@mongo.pixar.com>
Date: Wed, 14 Jun 95 12:44 PDT
From: nobody@pixar.com (SVR4 nobody uid)
To: iwj10@cus.cam.ac.uk
Errors-To: iwj10@cus.cam.ac.uk
X-Debian-Bugs: This is an autoforward from debian-bugs

XFrom pixar.com!bruce Wed Jun 14 12:44:09 1995
XReturn-Path: <bruce@pixar.com>
XReceived: from pixar.com by mongo.pixar.com with smtp
X	(Smail3.1.28.1 #15) id m0sLyMD-0007hOC; Wed, 14 Jun 95 12:44 PDT
XReceived: from mongo.pixar.com by pixar.com with SMTP id AA16863
X  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 14 Jun 1995 12:42:42 -0700
XReceived: by mongo.pixar.com (Smail3.1.28.1 #15)
X	id m0sLyKr-00051OC; Wed, 14 Jun 95 12:42 PDT
XMessage-Id: <m0sLyKr-00051OC@mongo.pixar.com>
XDate: Wed, 14 Jun 95 12:42 PDT
XFrom: bruce@pixar.com (Bruce Perens)
XTo: debian-bugs@pixar.com, iwj10@cus.cam.ac.uk (Ian Jackson)
XSubject: Re:  Bug#988: `script' is insecure, and general tty insecurity
X
XHere is a get_pseudo_tty() function that attempts to jettision pernicious
Xlisteners on the slave side. You can easily hack this to change the slave
Xto be owned by the real UID. I've also included an execute() function that
Xredirects input and output to the pseudo-tty. You can see how these are used
Xand also find a driver for doing asynchronous I/O using the select() system
Xcall if you download the source for ax25-util. The calling sequence for
Xget_pseudo_tty() and execute() is:
X
Xint
Xmain(int argc, char * * argv, char * * environment)
X{
X	int	masterFD;
X	int slaveFD;
X	static const char *	argumentVector = { "/bin/sh", 0 };
X
X	masterFD = get_pseudo_tty(&slaveFD);
X
X	if ( masterFD < 0 )
X		complain_and_die();
X
X	/*
X	 * Start the client program  with input and output directed
X	 * to the slave FD. Do I/O to that from the master FD.
X	 */
X	if ( !execute("/bin/sh", argumentVector, environment, slaveFD) )
X		complain_and_die();
X
X	...
X}
X
X	- Bruce
X
X
XBEGIN pseudo_tty.c
X
X/* AX.25 Utilities: Attach an interface.
X * Bruce Perens, November 1994
X *
X * Copyright 1994 Bruce Perens.
X *
X *  This program is free software; you can redistribute it and/or modify
X *  it under the terms of the GNU General Public License as published by
X *  the Free Software Foundation; either version 2 of the License, or
X *  (at your option) any later version.
X *
X *  This program is distributed in the hope that it will be useful,
X *  but WITHOUT ANY WARRANTY; without even the implied warranty of
X *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
X *  GNU General Public License for more details.
X */
X#include <stdlib.h>
X#include <unistd.h>
X#include <termios.h>
X#include <sys/types.h>
X#include <sys/stat.h>
X#include <fcntl.h>
X#include <string.h>
X
X#define	NAME_SIZE	64
X
Xstatic const char	Prototype[] = "/dev/pty";
X#define	PROTOTYPE_BASE	5 /* index to "pty" in prototype. */
X
Xstatic int
Xopen_pseudo_tty(const char * name, int * slave)
X{
X	char		slaveName[NAME_SIZE];
X	int		master = open(name, O_RDWR, 0);
X	struct termios	t;
X
X	if ( master < 0 )
X		return -1;
X
X	strcpy(slaveName, name);
X	
X	slaveName[PROTOTYPE_BASE] = 't';
X
X	/* Close master again to jettison any pernicious listeners on slave
X	 * side. I'd like to be able to lock opens on the slave side while
X	 * this is going on. This won't work if you're not root.
X	 */
X	chown(slaveName, 0, 0);
X	chmod(slaveName, 0600);
X	close(master);
X
X	/*
X	 * Closing the master hung up on any listeners on the slave side. They
X	 * can't open it again unless they are root.
X 	 */
X	if ( (master = open(name, O_RDWR, 0)) < 0 )
X		return -1;
X
X	if ( (*slave = open(slaveName, O_RDWR, 0)) < 0 ) {
X		close(master);
X		return -1;
X	}
X
X	if ( tcgetattr(*slave, &t) == 0 ) {
X		/*
X		 * Attempt to provide a consistent environment upon open.
X		 * Of course if you are running a script you can override
X		 * this by running stty.
X		 */
X		t.c_cc[VINTR]	= 'c' & 0x1f;
X		t.c_cc[VQUIT]	= '\\' & 0x1f;
X		t.c_cc[VERASE]	= 'h' & 0x1f;
X		t.c_cc[VKILL]	= 'u' & 0x1f;
X		t.c_cc[VEOF]	= 'd' & 0x1f;
X		t.c_cc[VEOL]	= '\n';
X		t.c_cc[VSTOP]	= 's' & 0x1f;
X		t.c_cc[VSTART]	= 'q' & 0x1f;
X		t.c_cc[VSUSP]	= 'z' & 0x1f;
X		t.c_cc[VLNEXT]	= 'v' & 0x1f;
X		t.c_cc[VWERASE]	= 'w' & 0x1f;
X		t.c_cc[VREPRINT]= 'r' & 0x1f;
X		t.c_cc[VDISCARD]= 'o' & 0x1f;
X		t.c_iflag = BRKINT|ICRNL;
X		t.c_oflag = OPOST;
X		t.c_cflag = B9600|CS8|CREAD|HUPCL;
X		t.c_lflag = ISIG|ICANON|ECHO|ECHOE;
X		t.c_line = 0;
X		tcsetattr(*slave, TCSANOW, &t);
X	}
X
X	return master;
X}
X
Xint
Xget_pseudo_tty(int * slave)
X{
X	char			name[NAME_SIZE];
X	char * const		ones = &name[sizeof(Prototype)];
X	char * const		tens = &name[sizeof(Prototype) - 1];
X
X	strcpy(name, Prototype);
X	name[sizeof(Prototype) + 1] = '\0';
X
X	for ( *tens = 'p'; *tens <= 's'; ++*tens ) {
X		int	n;
X		for ( n = 0; n < 16; n++ ) {
X			static const char Hexits[16] = "0123456789abcdef";
X			int	master;
X
X			*ones = Hexits[n];
X			master = open_pseudo_tty(name, slave);
X
X			if ( master >= 0 )
X				return master;
X		}
X	}
X	return -1;
X}
X
XBEGIN execute.c
X
X/* AX.25 Utilities: Run a program, with input and output directed
X *	to a file descriptor.
X *
X * 
X * Bruce Perens, November 1994
X *
X * Copyright 1994 Bruce Perens.
X *
X *  This program is free software; you can redistribute it and/or modify
X *  it under the terms of the GNU General Public License as published by
X *  the Free Software Foundation; either version 2 of the License, or
X *  (at your option) any later version.
X *
X *  This program is distributed in the hope that it will be useful,
X *  but WITHOUT ANY WARRANTY; without even the implied warranty of
X *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
X *  GNU General Public License for more details.
X */
X#include <stdlib.h>
X#include <unistd.h>
X#include <signal.h>
X
Xint
Xexecute(
X const char *	file
X,char * const *	argv
X,char * const *	envp
X,int		ioFile)
X{
X	int	pid;
X
X	signal(SIGCLD, SIG_IGN);	/* No zombies */
X
X	pid = fork();
X
X	if ( pid < 0 )
X		return -1;
X	else if ( pid == 0 ) {
X		/* In the child process */
X
X		int	max = (int)sysconf(_SC_OPEN_MAX);
X		int	fd;
X		int	n;
X
X		for ( fd = 0; fd < max; fd++ ) {
X			if ( fd != ioFile )
X				close(fd);
X		}
X		/*
X		 * If the IO file isn't 0, 1, or 2, I'm starting a new
X		 * session on some other device.
X		 */
X		if ( ioFile > 2 )
X			setsid();
X
X		for ( fd = 0; fd <= 2; fd++ ) {
X			if ( fd != ioFile && dup2(ioFile, fd) != fd )
X				_exit(-1);
X		}
X
X		if ( ioFile > 2 )
X			close(ioFile);
X
X		/*
X		 * Try to give the process as pristine an environment
X		 * as possible.
X		 */
X		for ( n = 0; n < NSIG; n++ )
X			signal(n, SIG_DFL);
X
X		/*
X		 * If I started a new session above, set the tty process
X		 * group to match it.
X		 */
X		if ( ioFile > 2 )
X			tcsetpgrp(0, getpgrp());
X
X		execve(file, argv, envp);
X		_exit(-1);
X	}
X	return pid;
X}
X--
X-- Attention Ham Radio Operators: For information on "Linux for Hams", read
X-- the World Wide Web page http://www.hams.com/perens/LinuxForHams, or send
X-- an e-mail message containing the word "help" to info@hams.com .

YReceived: with rfc822 via encapsulated-mail id 061419452012573;
Y          Wed, 14 Jun 1995 19:45:20 GMT



<strong>Bug reassigned from package `bsdutils' to `general'.</strong>
Request was from <code>Ian Jackson &lt;ian@chiark.greenend.org.uk&gt;</code>
to <code>control@bugs.debian.org</code>. 


Received: (at control) by bugs.debian.org; 7 Feb 1997 19:06:42 +0000
Received: (qmail 16892 invoked from network); 7 Feb 1997 19:06:34 -0000
Received: from login.chiark.greenend.org.uk (HELO chiark.greenend.org.uk) (root@194.159.240.210)
  by master.debian.org with SMTP; 7 Feb 1997 19:06:32 -0000
Received: by chiark.greenend.org.uk
	id m0vsvXq-0004NyC
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Fri, 7 Feb 97 19:01 GMT
Message-Id: <m0vsvXq-0004NyC@chiark.greenend.org.uk>
Date: Fri, 7 Feb 97 19:01 GMT
From: Ian Jackson <ian@chiark.greenend.org.uk>
To: Debian bugs control server <control@bugs.debian.org>
Subject: ttys

retitle 7112 xterm should use not-yet-existing pty allocation method
reassign 7112 general
reassign 988 general
merge 988 7112



<strong>Merged 988 7112.</strong>
Request was from <code>Ian Jackson &lt;ian@chiark.greenend.org.uk&gt;</code>
to <code>control@bugs.debian.org</code>. 


Received: (at control) by bugs.debian.org; 7 Feb 1997 19:06:42 +0000
Received: (qmail 16892 invoked from network); 7 Feb 1997 19:06:34 -0000
Received: from login.chiark.greenend.org.uk (HELO chiark.greenend.org.uk) (root@194.159.240.210)
  by master.debian.org with SMTP; 7 Feb 1997 19:06:32 -0000
Received: by chiark.greenend.org.uk
	id m0vsvXq-0004NyC
	(Debian /\oo/\ Smail3.1.29.1 #29.37); Fri, 7 Feb 97 19:01 GMT
Message-Id: <m0vsvXq-0004NyC@chiark.greenend.org.uk>
Date: Fri, 7 Feb 97 19:01 GMT
From: Ian Jackson <ian@chiark.greenend.org.uk>
To: Debian bugs control server <control@bugs.debian.org>
Subject: ttys

retitle 7112 xterm should use not-yet-existing pty allocation method
reassign 7112 general
reassign 988 general
merge 988 7112



<strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org</code>:<br>
<code>Bug#988</code>; Package <code>general</code>.


debian-bugs-dist@lists.debian.orgdebian-devel@lists.debian.org

Subject: Bug#988: script' is insecure, and general tty insecurity
Reply-To: Austin Donnelly <Austin.Donnelly@cl.cam.ac.uk>, 988@bugs.debian.org
Resent-From: Austin Donnelly <Austin.Donnelly@cl.cam.ac.uk>
Orignal-Sender: Austin Donnelly <Austin.Donnelly@cl.cam.ac.uk>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: debian-devel@lists.debian.org
Resent-Date: Tue, 18 Feb 1997 11:48:09 GMT
Resent-Message-ID: <handler.988.B988.8562658061069@bugs.debian.org>
Resent-Sender: iwj@debian.org
X-Debian-PR-Package: general
X-Debian-PR-Keywords: 
X-Loop: owner@bugs.debian.org
Received: via spool by 988-bugs@bugs.debian.org id=B988.8562658061069
          (code B ref 988); Tue, 18 Feb 1997 11:48:09 GMT
From: Austin Donnelly <Austin.Donnelly@cl.cam.ac.uk>
To: Nag <bcwhite@debian.org>
Cc: 988@bugs.debian.org
In-Reply-To: <m0vwi0O-0003k3C@callandor.verisim.com>
References: <m0vwi0O-0003k3C@callandor.verisim.com>
Message-Id: <E0vwnkE-0004nd-00@ivatt.cl.cam.ac.uk>
Sender: Austin Donnelly <Austin.Donnelly@cl.cam.ac.uk>
Date: Tue, 18 Feb 1997 11:29:58 +0000

On Tue, 18 Feb 1997, bcwhite@debian.org wrote:

> Package: bsdutils
> Message: overdue

This bug is one of the fundamental problems with unix.  Eventually, a
proper fix for it (in the form of a daemon whose sole purpose is to
hand out master/slave pty pairs while filling in a correct utmp entry)
might be attempted.

The bug is mainly there as a reminder.

Please consider taking this bug off the 'nag' list.

Thanks,
Austin
PS: I think the nag system is otherwise rather good :)



<strong>Acknowledgement sent</strong> to <code>Austin Donnelly &lt;Austin.Donnelly@cl.cam.ac.uk&gt;</code>:<br>
Extra info received and forwarded to list.  Copy sent to <code>debian-devel@lists.debian.org</code>.


-t

From: owner@bugs.debian.org (Ian Jackson)
To: Austin Donnelly <Austin.Donnelly@cl.cam.ac.uk>
Subject: Bug#988: Info received (was Bug#988: `script' is insecure, and general tty insecurity)
Message-ID: <handler.988.B988.8562658061069.ackinfo@bugs.debian.org>
In-Reply-To: <E0vwnkE-0004nd-00@ivatt.cl.cam.ac.uk>
References: <E0vwnkE-0004nd-00@ivatt.cl.cam.ac.uk>

Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developer(s) and
to the developers' mailing list to accompany the original report.

Your message has been sent to the package maintainer(s):
 debian-devel@lists.debian.org

If you wish to continue to submit further information on your problem,
please send it to 988@bugs.debian.org, as before.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, Debian bug tracking system)



Received: (at 988) by bugs.debian.org; 18 Feb 1997 11:36:46 +0000
Received: (qmail 1016 invoked from network); 18 Feb 1997 11:36:37 -0000
Received: from heaton.cl.cam.ac.uk (exim@128.232.32.11)
  by master.debian.org with SMTP; 18 Feb 1997 11:36:36 -0000
Received: from ivatt.cl.cam.ac.uk [128.232.0.114] (and1000)
	by heaton.cl.cam.ac.uk with smtp (Exim 1.59 #2)
	id 0vwnkG-00066K-00; Tue, 18 Feb 1997 11:30:00 +0000
Received: from and1000 by ivatt.cl.cam.ac.uk with local (Exim 0.55 #1)
	id E0vwnkE-0004nd-00; Tue, 18 Feb 1997 11:29:58 +0000
From: Austin Donnelly <Austin.Donnelly@cl.cam.ac.uk>
To: Nag <bcwhite@debian.org>
Cc: 988@bugs.debian.org
Subject: Re: Bug#988: `script' is insecure, and general tty insecurity
In-Reply-To: <m0vwi0O-0003k3C@callandor.verisim.com>
References: <m0vwi0O-0003k3C@callandor.verisim.com>
Message-Id: <E0vwnkE-0004nd-00@ivatt.cl.cam.ac.uk>
Sender: Austin Donnelly <Austin.Donnelly@cl.cam.ac.uk>
Date: Tue, 18 Feb 1997 11:29:58 +0000

On Tue, 18 Feb 1997, bcwhite@debian.org wrote:

> Package: bsdutils
> Message: overdue

This bug is one of the fundamental problems with unix.  Eventually, a
proper fix for it (in the form of a daemon whose sole purpose is to
hand out master/slave pty pairs while filling in a correct utmp entry)
might be attempted.

The bug is mainly there as a reminder.

Please consider taking this bug off the 'nag' list.

Thanks,
Austin
PS: I think the nag system is otherwise rather good :)



<strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org</code>:<br>
<code>Bug#988</code>; Package <code>general</code>.


debian-bugs-dist@lists.debian.orgdebian-devel@lists.debian.org

Subject: Bug#988: Solution to pty allocation problem
Reply-To: Richard Braakman <dark@xs4all.nl>, 988@bugs.debian.org
Resent-From: Richard Braakman <dark@xs4all.nl>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: debian-devel@lists.debian.org
Resent-Date: Wed, 20 Aug 1997 21:18:01 GMT
Resent-Message-ID: <handler.988.B988.8721113215877@bugs.debian.org>
Resent-Sender: iwj@debian.org
X-Debian-PR-Message: report 988
X-Debian-PR-Package: general
X-Debian-PR-Keywords: 
X-Loop: owner@bugs.debian.org
Received: via spool by 988-bugs@bugs.debian.org id=B988.8721113215877
          (code B ref 988); Wed, 20 Aug 1997 21:18:01 GMT
From: Richard Braakman <dark@xs4all.nl>
Message-Id: <199708202108.XAA10553@xs2.xs4all.nl>
To: 988@bugs.debian.org
Date: Wed, 20 Aug 1997 23:08:41 +0200 (MET DST)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Hi.  I have invested a non-trivial amount of thought into this problem :-)
and I think I have found a solution that works and that avoids all
race conditions.  It involves three small suid-root binaries that
have to be called according to a certain recipe.  (An example is 
provided).  The caller does not need _any_ special privileges.
Thus, xterm could be patched to not need to run as root, and 
script could be made spy-proof.  (And an ancient bug report
could be closed :)

The tar.gz is only 133 lines, uuencoded, so I'll just append it
to the mail.  There is a manpage inside the archive.

If there is agreement that this approach is a Good Idea, I will create
a getpty package from it and supply patches for xterm to use it.

Richard Braakman
<dark@xs4all.nl>

begin 600 pty.tar.gz
M'XL(`#!5^S,``^T\_7/;-K+Y-?PK4+]K+:6R+,FVG(\Z]US'3CR7VGF6,[E.
MDO%0)"3Q0I$\DK*M7O/^]ML/``0ERG+ZSD[NG3B=QB*!Q6(7N]@O(,FGFP_N
M^!';K=V='?%`"+&[VZ9_V]O;]*]Z6D)TMW:[W9W.5K<#7UOMK=T'8N>N$<-G
MDN5N*L0#WTT_W=Q.IME]('2_3P+\'\H<_FEZ=S5&N]7J*GY7\7][!WFN^;^S
M#5_;NYWM!Z)U5PC9SW\X_S<?.>*1T"M`;(A!$/G"%8-42@'OA`L_,QG\)D60
MBT&<BGPDA>>&H4RAYZ;C,(3S49"))(V'J3L65VXFKM(@SV4D^E-Q%G@C-_7%
MSZGK?AJ[D?@)B?W?U]DV@&E&X?,F0Y#"G>0C&"()74]F-&"0CL.I""(:-IGT
MP\`3?CQV@ZAI#\\3:(@\AK]&,A5703X"`("3F^81L$YXH1N,]8Q2&4HWD]0'
ML$40OKR489Q('X`(0"R^TO/)\`UU%TDF)WZ<`Y2QF^4RW<Q"]Q(0<X.4@`"B
M+I#+FZ02X")PP".>Y##@WR=!&D1#F$B<R1+H$8)(XSA'"*X'4\^:0KP;`?5X
M7H1R@3_`#J++^!.@J@CCQ6DJ/>J?P4`R\F0#YR!2("1\C?P@#^(HH[[N91SX
MT!>!(JT`6B:B&/%%!B.0F&@(."(NDI`,@PS9"0/&BAFP8(38CX2\=L=)2%"@
MQR7"9D2`]&XN@7VUP+1J>G6$%H0A"!Y^!EC0$>?CN8BCF0#RMV`M0O=E%@PC
M9E`ZB9C'V23PB7@-II(;13&LFTGD$32$H'D0Y!IF3TJ:`\.N/:X+7):).P2R
M!9$73GQ-VP!IYHV"2ZG6VW^I[^*G200D\9NCY]:[;)IM@D+)RV\'7I2'Y5<R
M3:,87Q7OUI"BHS7'0?[`@DGB-+^(XG&<RAJ^JHM_.*@O$3Y(`<J4Z$\&[]L?
MQ9Y8^]!:>^;0]\U'XAT('S!:1),0!!")'$,W'XD`<\!&*)ZRUFX@A(9HUY\Y
MG\L#`S*1.RZ/;"`K_F.#`C2LAN,<^>2&J73]*8Z^`3(R#B+@L]^<&QH@7""(
M!@!(0QG5](NZ^%&C%$2YR--I)3KX#=X/?#5Q^AMH`4)<P&J(TXNS%^_.`!SU
M&8@:M_M)M!#00WQ#W!![>^+PY/3PY)S>ZPF#:,+:0-+%`QPB`W1!6%`)PF+-
MXT2DP7"4@P1=T12I8YE[,#:]E==!7FOAK\]"AJ`%_J%;YY,T$AMM_$)H?BY8
M*5D_N&(8QS[/$2C=DSES`>F;923<2C!1.Y%:(G0(SMC])"_@_<4@C<=(RYHB
MAS>*KZ):;FC5@O_,IW'LVY^Z+?RD\3H(48VIA8`4R4<ND&B2JLV!R(.<0#7N
M#D%ABQ"60=HD`'K'<$/HF8T`/4!_,``1GMIJAT`"#.GKF>G>[B!'+2_MSUI3
M]B6H,8D?,YGS)E!020-`'0):8R..0$%II:M6J(=SXV5BS;@WH5:ZD6):RRQ3
MW)1J^(>;#KT&R^<C^/OR_4>S8F&MX5=<:AU:94A)IE<V29(P(+V,$"9C&:%(
M'8RD]PD[!ODZT`NIDZ!NAKD27V`%/5*;=&XD2B"?4=\!LH*7.'S60L2K`&0.
MMJ,:(=@&#+4\F(7:IH5:@6)&U*9Q0"1"V`C%Q<`-0NE?"-I163XR4+JA3_CU
M)^,$UP$0'50N*B9Y);3V`/%FP4$T01FF$J=N)+Z,V5+!LL7'C[6`VRJD+I[O
MS4,T7Q>!%%<CF&(UA@10K90Y#$O0/CM?V^(K/VC__P+B-X"YW=482^S_=JNS
MK>S_K7:[@_Y?N]MMK>S_^W@.CE[OO^SM;;Q#:W'CM..\.?_U9/^7PSVUN!T'
M/CS51IBQ00O[V7$\^#-ZZCS<2,<WM!./FK%X]+]HJ@)0;J?API<_U=3`]6;L
M//Q3[>"@#N\8NWIU,_CQ^H5JL!&K-H@.C_W48`%-)WD0+AWEYO8SP^G&CE/,
M\:DUW]L.NJS'S+`VX355GI(M/G(*_/4;&[A^QV/H7_90^MW77I.KY_X>U/_$
M]3L<8XG^%UN[NZS_=W:A70OU?Z?=6>G_^WC`N".%X*$%AL:K!S9RGDZ\'/T%
M,F^,FX46#K17.P-W(9=QWKT@-^T9`5QD>+)]C&_(Y5O0V)>7@<<XI/"W:C9O
M@ZD!Y36X!1';WMH8?O^Q_#ZWWG]M\G_U!^7?VB7N)`:\1/X[6[O;6OYW6ULH
M_YV=;GLE__?Q</C47@%B0[N2'"&$?^T@0]\%=Q1C/M,LEV/ARX$["?/F-Q0+
MMFS./Q8TK(X9'JFOMI&'T>6,L,N,S]Y`1]$;B3&L+-'G$(DOO6#LAHQ=DLH,
MVG&T,\:8!\=)T`5#=+TT2/(X!=\?R3#S%D$4D%T*2KG$+`Y("U:8'(N["L"H
MSS&.#$2/AH0+A7>O,"(^"A*:_3CVR9$W@>0LP8`QAJIU)$E!)>8['#S!UI5K
MH(AQ#M.D'/2\?<04FH5!O_1N-CQ*/,!=1^TD\%<1(<4-3`S3>)+0!\!$>>?\
M0^RANS!,81NHK<&K->VF1_XP!=[4M#-/L0/J0O$"$RZC2!E_V'@^3"^&M/L\
M-#$S#)=UNPIJ$>PK]V_=T.5+@DI%&)3C=M@DL29`$:?O=,3)Q':L0(F.G`+A
M\CC4,:&&^"%I@'MNA4[5E_>MCQC"6O_06A>__PZC(7C\I6-:63R6E'K1"XLW
M?=(&*&JNN'1#8*,?#`.*25>BA2/.VR-LBYBH4%5'>W7H[?Y;C\1\G0?W?Y.:
MN:,Q;M[_VRVS_T.K+N__K9W=U?Y_'P]OF68%X.;/V3P5Q=<97Q7805\AR`.9
M+=SO/=Q-[G/3+VT:0;Q\QZG(QN$FE$\3F<V_OG*#G/-TL,T%D11OS@Z/CO\J
MUC9'H.,V<2+H0&^ND6]T%*>?:%.5U]*S"=</(C>=(L(FG`XD&L48HT:%.,:T
M.R[%'-6D*[*1A+W;PPBZF&"^F)):=4'Y6N6J85![R`Z3V@/CT%<.D=XJM#,%
MMDQ#[Q3T(I11:0,)U/9!7ACLQY/LF?4QD0/_?>=C\2K"%)^UQV"3&K<K5+.5
MU[(WFP"W&EA8GVIV4B[@E%RI5^GK=SIJCSZHB]NT0.9DM$:]41"2C8?ZO4F=
M\"\U%30$,T[?<,($L2]E,2EA0B]@#IR.0.`P+HX-.R$#4ILVHO3N^.CPK\?G
MAR]J_*DN?OA!O,-7O?/]\[<]\WK/SC80W6#Z^(^B%VRF#5'BD\TCE8ZPOK^W
M/F/JMZ6:J*R5AEFO>MTVKX&(&VTBG4S3.(6)T0]8BR,R_6)"L2'@'3?[&UJ=
ME%)F`)AVPFH"6*9]F)+.?")I>)(_[8DVL-/FIYWM;'%VJ0+K"HQG5Y*QJ&`:
MS'KP63(!YIY*<VL9S+0`(GX,N#TW!@_K3Y).,2HGQ8G3A519"3+IA36M"GB(
MM8;UERV)2CCKHB+UNQ303&>:,2D7SKA5V4Z?%Z@B$Y6_01E%Z\MU$9O]%<J(
M!B!U5,2,;J-C:(I@6K;?MUL?BX0KYJ5`;#F5>T6HQ9<R'6!I#LX'>F#YPD"7
M^Y"=F8"=F0],EOE,NJ$8^)F:VC#FFHY1,!QALOG*G9JL;U$:\%P\T4_=T5'*
M6;7T+U1C)%J%+B->:7WFQ;@=Y_+N5)(MC\O*$M1W(2S)0\1*W"*_E`1L(XXV
M>+&&[A"5\`7HEPN*+^!$F=K8G_9DIGY#'%WT#L^/7JB)*8ZBZ]$&P?C>7VN8
M<.3#LOCH!8X"9/W-/<N"=%LIXC('V\/6(0.LKK*R6W]T8Y\3IDVVA,B.`HK!
M@@<G/!@'(88N8^/TE^6M;L*WB.]*!+4%4J[D6&"0W+%DSN"P$E2Q5@@.BFKI
MU_]!6"E*-U.^JF765"+I2DKX@75G6"A$W`7(E._F(LZ2.<8%HT1BW;0<I[,,
M,J`=!<A0#K!H5H4_W#1UIV#$`X$X%`E>D34&^3]GFHNX(+DP$PVL*#:SR<`6
M255Q)M(">%AG+PC%&:=H^0*WMORM"CI=*J.]BH(--UBH"_:[V6J\HK,IR.-R
M0"ZK*1?E<9J)_$@P+H'$?Y$R09V'2G02@1>*"@GCN59AGBDBLJ=0B?:B.<PJ
MF8>WF(2E2`#KEZ#RXPCCKR>@(O5**RFXLN:>B6;=2F&IMXIS=J1P07FDT?!J
M"N]WC)*W9V@3K"%V[,!?F3T#)>I@;(/W`")\0/L9[G<D:!BJ_1"ML>"7!!7_
M/]?[E&OXD./?PQJ'@;[WZ]#?\*A0)$5]GD6]9]5@:>_V+638X%[%_ZQ'Y?\Y
MH7M'8RS)_^UV6SLF_[_3V:7XW^[.*OYW'P_OFD5*?T.%^*8F&\:6S]B-W"$J
M7SLOB'V^H4B@QD&"Y5-@CWLHL!CV`]`%.!57%\_B=#)O)%7X!SMO^O(2Y2%I
MP2AI/`$35;_Z;8"Q$/WK;,!G.^8S9@B&",-MX<WU=9-/<U0%4@D_K!AENX#=
M@4RG(-5FSUB"01GDZIA%W^T#,<!L"F3*P1JB%)O69*&`<1>I7!W69V!7K$@%
M!"*9!A[L4'.<PW[KF:8MVBKI0!T@R8(LS[0U$X&UJ$XA&#HW:!V%$U4<7"K]
MU]X%V$!94:.L5A']X&1G1N97?A6KVF%,<M+8H-"E3P$IJM>NB/QB=ND/)QOQ
M[30;NUX:9PO.9+!;!C32R5>JTD[QB`_GL]BV2Q&QF>H3/)U1K*NU9R:2_/-^
M[_#B]>')R_-70CP6<P\,^5I&0UP%`[/P.*L&HYAX]/FO%P>G;T_.#\_:"Z"<
M#@9HR0.43.)A(+&>K"\`T1%/EH!8;ZVK=5,FB+QVO1QKZ3,1QNCJ6JS61,GG
MB9+/$.7\S<7IT1'X%6)G'I%97$`GP.#KN<%HG^QL^(+#`3[HC).7H\\'L&1Z
M4X\DA"2\J;SN=Y*/<\#:X[QE#Z;EN>BDAT$TN49W/<,I]!Z1'H$-(0#/EE/C
M?'C`/IH#HX&7CVNBS=--_@[(3BZOKJ>_O?F?,YAR=>L.MVZU.UO;.]W=QT_<
MO@>TL4BDN:W73GM[]E/'?.H268Y!.Y$:-4>WU&!**)OB%^1BH<MTAO_2#2<R
M*YPBYIZ]Y#Z2'%=]ZGRDXP="SU/9HS1RF^/6%5\Z]$40VGC(99)8G=10JB%I
MMMP;%<<1+"1I(SD")PG-5[,0`^5/%+Q256>31%$D*]G0Y61ZPBER;Y36+.XV
M%A#&MI[):K8GG\!.:\&8#6LOR)Q4C=^I'K^S>/S.W/B=VXU?.O)2\$=+-6[P
M7IQ,E9E0:'FJ/N&SCY)T#W!.">U-]8.*!V,Y]I*I=1(I*<Z-@8L=#XH4OYJR
M43-&F:!(P8B$>)GQY7+#RD6@_!_%N^=[<P+X^^_6JBR^:RE<%`PV(,&M*L-8
MZ%%7R=]>2=48J"I95[TV2ITZII/.\,V=;;IE$6=Q3M`<6])E470P</;TDNT6
M`\3(&R?6P3T-MF'OE'4.T\U3QQZ4S23:AF1$5IPUD`8[2\:BGJ6J1<>TJ!Z[
M)TV$I4@FFLFKX1=RL!JG)1RL1O.9=7*0(ZX>G1BV6'&E]F@T'4$T120Q,ZI2
M0O:$%BM?,MC09`0-FZF`E9Z_#OR:Z(W-Y9*J710[FE4T![H(J-`K)>6ORM.B
MR;@/<QH&E^QM8,5P4X?'EI86EXO'4$O`_PK1,ZH;C-HXK7&73=AAGY5:=&9:
M?$\MS`J=GP@K2+5P-67(*\`#G[/$6Z"N%A$2^8@3*8\6CS&\7:8:'?+N<V"X
M/"CTMX3RARQ?-!BW;F;Y!4X=Y91(L(2]-]1S*XX8TO[XX[,Y[5FI<&=W.PR9
M&Q9J*$70CE>R/C).S#!KNL21+,>*2BY=0TJZ/B8(S)E28WO,G!&]@6]$@J_H
M_V/\QYP;NJ,`T)+XSU:K6YS_V&WC_1^=SE9W%?^YCX>]_V(%@%E(T0)5_D65
MPN@+T2EJ??G%-U3L;6H:[J;4VX#_#ROTSF+!MZ+@B6W83C$,DZ=QJ/W"%'.Z
M2%D-CI;+W52`5T1CF/<O$3%$'9.QA,!Z)FJ(6AUQ0](@S:C`6Q6#RVN,8S4H
ML:EHQ!]49AWZG&+$[2K(I&YDMY!S`PUA(`1SK'-V?)F*-:B.VN&Z"X-/>"$*
M,53=@U%'WB"$01K(R,_XNH<L@94$-.:;">A(/=^5H'"ZBM/09Q`4>#,G-'1<
MCQPKLK:^7HT\]`<^U.I+2^4[.M5462I?@$&$\*]Y`)TB%8S_K(KG_WCQ?+%H
M5J7S_^\?M/_X`.C=C;'L_H>MEF7_[6SA^=^M[JK^_UX>WDG5$>`-=`W'8*R4
M<W__-O7_58:$93.P*XQP!OX"<ZJA7'':H.G&';+8T'HBG4M9+O:AM2./\"@2
M@2I:F4^ZFL@$'VXZ57U3W('B5=H#'_A+W>_O>A?'O8-79\H/1XNO7AT6*/N\
M9%M<RC08!-+*F!BT91'B1U.&3"?V>3-\I:;-*9_!DJ"%BKL4D8)%$UIX:]5\
M$.%KB]&_[9,4]W\^OJLQENC_;KNS8^[_;.UTZ?Z?[57]Q[T\S?-7XN7A^9OS
M7\5CL=9IB?W)$+W.]I,GNVMB[87L!Z"O7YZ\W7R-.=`UI]E[)?"^&$=?N:E=
MY(9=#OUA0]^"6=R8B7=J\AV/!*3WZ\GIF]YQSVG^K._N:9X=B_<FBO[1:?93
M_&JNVFD>LW[1'ZS+<(I/`/K%8>_@[/C-^?'IB=-\\\;ADI!\A&641>'%E>08
MZ-);/YV;;OV\]96?3N65G^7[/BU:H%-HSWWQK9^WO_+367#EY]Q]GS5^0<D!
MQ/+#!D82?,>TJ"^\$I0(OD_A"*I:U9/F@',Y0.-FP+<SID/#N0Q<]G8DC(?B
M]F$#G)Q^L.!F3T-F[)VDP27LN4,)XY^_L<@(GI.ZKVYNKR?6:=JIHM(@+^XM
MY#).8@N\'KF9OFO0Y5ON@IP/'2VXAG&^,(A7C;DJ$2\>).2MFQ(Y%D25RE3D
M6*#.5RCBJB"GGS]H.T,[BMA0[<6U<@D.W[H*V(*ZBT#7^0[0+L'*XX)6<8*$
MA34T%3G?R!C)N6A74+[]S[7&I("+4\I[T;D[OM>PH6U("E;1B0A&2.(%JT)9
M')&\SIT2R"(>P\?YTCPK]Z,U9!5N-9WC@1X+5EEFE0@;SJLK(LG`Q)B+JAB'
M"1-?$46F,P;M)$4`E1.^C*["T)77H1'@+XL@SH</G2\*'\['#IWYV&$)OZH8
MXI<$$)WY`.*71@\5R2RU_HT2S<+P7TLV?;M*U>T:N+.][>V_/-1[F@[2X]F(
M":@$2Y2U<M1$RUB'%B=9^#).=5CV..<9N."PP5I`OCE$-5O'V-#3F.\4KEKX
M0H5"%=TQ/TPR-98NR"+&MIS2=B-@?^CWK2M<J:@+P43J@(JK+II5MXZKVL`\
MU4H1RT[@$Q!TA@*X!(TJ*NE+U*^EDG767;-3-,*O.UHSX7V4C`C82:FT$EIF
MO`$>VPN;BV=YVS-D-5N(F@W27S&R)):URHEHG*S%2YI(AX?Y2F*GO`YOLTFI
MFX.=URX=FRD0)`^1#9`9":"UBD0EZT=I5MR]=,4/FP5HEQWOOSPY[9T?'_06
MF0E8;8=4OR8.L=RT:*EA"1O>%Z[.<=-6V"Y]44=B9EG)CF)FP6PS&]6US3E;
M8SI>X493<P0:UK<SK]AA)D?'KP][6E_IO>?/?R:IG#<TFJ66N6EY<Q)FIAMM
M;@YK+:QZK-),@-E:[_!0[+_NG8*I_O,97_`L:IUZ0_T$953\I--<^-,QI]OF
M3H,UV=H&T/MOSU^=GCE+HSDK;WSUK)[5LWI6S^I9/:MG]:R>U;-Z5L_J63VK
09_6LGF_C^2=/D#]^`'@`````
`
end



<strong>Acknowledgement sent</strong> to <code>Richard Braakman &lt;dark@xs4all.nl&gt;</code>:<br>
Extra info received and forwarded to list.  Copy sent to <code>debian-devel@lists.debian.org</code>.


-t

From: owner@bugs.debian.org (Ian Jackson)
To: Richard Braakman <dark@xs4all.nl>
Subject: Bug#988: Info received (was Solution to pty allocation problem)
Message-ID: <handler.988.B988.8721113215877.ackinfo@bugs.debian.org>
In-Reply-To: <199708202108.XAA10553@xs2.xs4all.nl>
References: <199708202108.XAA10553@xs2.xs4all.nl>
X-Debian-PR-Message: ack-info-maintonly 988

Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developer(s) and
to the developers' mailing list to accompany the original report.

Your message has been sent to the package maintainer(s):
 debian-devel@lists.debian.org

If you wish to continue to submit further information on your problem,
please send it to 988@bugs.debian.org, as before.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, Debian bug tracking system)



Received: (at 988) by bugs.debian.org; 20 Aug 1997 21:08:41 +0000
Received: (qmail 5874 invoked from network); 20 Aug 1997 21:08:37 -0000
Received: from smtp1.xs4all.nl (smtp1.xs4all.nl@194.109.6.51)
  by 205.229.104.5 with SMTP; 20 Aug 1997 21:08:37 -0000
Received: from xs2.xs4all.nl (dark@xs2.xs4all.nl [194.109.6.43]) by smtp1.xs4all.nl (8.8.6/XS4ALL) with ESMTP id XAA01556 for <988@bugs.debian.org>; Wed, 20 Aug 1997 23:08:43 +0200 (MET DST)
Received: (from dark@localhost)
	by xs2.xs4all.nl (8.8.6/8.8.6) id XAA10553
	for 988@bugs.debian.org; Wed, 20 Aug 1997 23:08:42 +0200 (MET DST)
From: Richard Braakman <dark@xs4all.nl>
Message-Id: <199708202108.XAA10553@xs2.xs4all.nl>
Subject: Solution to pty allocation problem
To: 988@bugs.debian.org
Date: Wed, 20 Aug 1997 23:08:41 +0200 (MET DST)
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Hi.  I have invested a non-trivial amount of thought into this problem :-)
and I think I have found a solution that works and that avoids all
race conditions.  It involves three small suid-root binaries that
have to be called according to a certain recipe.  (An example is 
provided).  The caller does not need _any_ special privileges.
Thus, xterm could be patched to not need to run as root, and 
script could be made spy-proof.  (And an ancient bug report
could be closed :)

The tar.gz is only 133 lines, uuencoded, so I'll just append it
to the mail.  There is a manpage inside the archive.

If there is agreement that this approach is a Good Idea, I will create
a getpty package from it and supply patches for xterm to use it.

Richard Braakman
<dark@xs4all.nl>

begin 600 pty.tar.gz
M'XL(`#!5^S,``^T\_7/;-K+Y-?PK4+]K+:6R+,FVG(\Z]US'3CR7VGF6,[E.
MDO%0)"3Q0I$\DK*M7O/^]ML/``0ERG+ZSD[NG3B=QB*!Q6(7N]@O(,FGFP_N
M^!';K=V='?%`"+&[VZ9_V]O;]*]Z6D)TMW:[W9W.5K<#7UOMK=T'8N>N$<-G
MDN5N*L0#WTT_W=Q.IME]('2_3P+\'\H<_FEZ=S5&N]7J*GY7\7][!WFN^;^S
M#5_;NYWM!Z)U5PC9SW\X_S<?.>*1T"M`;(A!$/G"%8-42@'OA`L_,QG\)D60
MBT&<BGPDA>>&H4RAYZ;C,(3S49"))(V'J3L65VXFKM(@SV4D^E-Q%G@C-_7%
MSZGK?AJ[D?@)B?W?U]DV@&E&X?,F0Y#"G>0C&"()74]F-&"0CL.I""(:-IGT
MP\`3?CQV@ZAI#\\3:(@\AK]&,A5703X"`("3F^81L$YXH1N,]8Q2&4HWD]0'
ML$40OKR489Q('X`(0"R^TO/)\`UU%TDF)WZ<`Y2QF^4RW<Q"]Q(0<X.4@`"B
M+I#+FZ02X")PP".>Y##@WR=!&D1#F$B<R1+H$8)(XSA'"*X'4\^:0KP;`?5X
M7H1R@3_`#J++^!.@J@CCQ6DJ/>J?P4`R\F0#YR!2("1\C?P@#^(HH[[N91SX
MT!>!(JT`6B:B&/%%!B.0F&@(."(NDI`,@PS9"0/&BAFP8(38CX2\=L=)2%"@
MQR7"9D2`]&XN@7VUP+1J>G6$%H0A"!Y^!EC0$>?CN8BCF0#RMV`M0O=E%@PC
M9E`ZB9C'V23PB7@-II(;13&LFTGD$32$H'D0Y!IF3TJ:`\.N/:X+7):).P2R
M!9$73GQ-VP!IYHV"2ZG6VW^I[^*G200D\9NCY]:[;)IM@D+)RV\'7I2'Y5<R
M3:,87Q7OUI"BHS7'0?[`@DGB-+^(XG&<RAJ^JHM_.*@O$3Y(`<J4Z$\&[]L?
MQ9Y8^]!:>^;0]\U'XAT('S!:1),0!!")'$,W'XD`<\!&*)ZRUFX@A(9HUY\Y
MG\L#`S*1.RZ/;"`K_F.#`C2LAN,<^>2&J73]*8Z^`3(R#B+@L]^<&QH@7""(
M!@!(0QG5](NZ^%&C%$2YR--I)3KX#=X/?#5Q^AMH`4)<P&J(TXNS%^_.`!SU
M&8@:M_M)M!#00WQ#W!![>^+PY/3PY)S>ZPF#:,+:0-+%`QPB`W1!6%`)PF+-
MXT2DP7"4@P1=T12I8YE[,#:]E==!7FOAK\]"AJ`%_J%;YY,T$AMM_$)H?BY8
M*5D_N&(8QS[/$2C=DSES`>F;923<2C!1.Y%:(G0(SMC])"_@_<4@C<=(RYHB
MAS>*KZ):;FC5@O_,IW'LVY^Z+?RD\3H(48VIA8`4R4<ND&B2JLV!R(.<0#7N
M#D%ABQ"60=HD`'K'<$/HF8T`/4!_,``1GMIJAT`"#.GKF>G>[B!'+2_MSUI3
M]B6H,8D?,YGS)E!020-`'0):8R..0$%II:M6J(=SXV5BS;@WH5:ZD6):RRQ3
MW)1J^(>;#KT&R^<C^/OR_4>S8F&MX5=<:AU:94A)IE<V29(P(+V,$"9C&:%(
M'8RD]PD[!ODZT`NIDZ!NAKD27V`%/5*;=&XD2B"?4=\!LH*7.'S60L2K`&0.
MMJ,:(=@&#+4\F(7:IH5:@6)&U*9Q0"1"V`C%Q<`-0NE?"-I163XR4+JA3_CU
M)^,$UP$0'50N*B9Y);3V`/%FP4$T01FF$J=N)+Z,V5+!LL7'C[6`VRJD+I[O
MS4,T7Q>!%%<CF&(UA@10K90Y#$O0/CM?V^(K/VC__P+B-X"YW=482^S_=JNS
MK>S_K7:[@_Y?N]MMK>S_^W@.CE[OO^SM;;Q#:W'CM..\.?_U9/^7PSVUN!T'
M/CS51IBQ00O[V7$\^#-ZZCS<2,<WM!./FK%X]+]HJ@)0;J?API<_U=3`]6;L
M//Q3[>"@#N\8NWIU,_CQ^H5JL!&K-H@.C_W48`%-)WD0+AWEYO8SP^G&CE/,
M\:DUW]L.NJS'S+`VX355GI(M/G(*_/4;&[A^QV/H7_90^MW77I.KY_X>U/_$
M]3L<8XG^%UN[NZS_=W:A70OU?Z?=6>G_^WC`N".%X*$%AL:K!S9RGDZ\'/T%
M,F^,FX46#K17.P-W(9=QWKT@-^T9`5QD>+)]C&_(Y5O0V)>7@<<XI/"W:C9O
M@ZD!Y36X!1';WMH8?O^Q_#ZWWG]M\G_U!^7?VB7N)`:\1/X[6[O;6OYW6ULH
M_YV=;GLE__?Q</C47@%B0[N2'"&$?^T@0]\%=Q1C/M,LEV/ARX$["?/F-Q0+
MMFS./Q8TK(X9'JFOMI&'T>6,L,N,S]Y`1]$;B3&L+-'G$(DOO6#LAHQ=DLH,
MVG&T,\:8!\=)T`5#=+TT2/(X!=\?R3#S%D$4D%T*2KG$+`Y("U:8'(N["L"H
MSS&.#$2/AH0+A7>O,"(^"A*:_3CVR9$W@>0LP8`QAJIU)$E!)>8['#S!UI5K
MH(AQ#M.D'/2\?<04FH5!O_1N-CQ*/,!=1^TD\%<1(<4-3`S3>)+0!\!$>>?\
M0^RANS!,81NHK<&K->VF1_XP!=[4M#-/L0/J0O$"$RZC2!E_V'@^3"^&M/L\
M-#$S#)=UNPIJ$>PK]V_=T.5+@DI%&)3C=M@DL29`$:?O=,3)Q':L0(F.G`+A
M\CC4,:&&^"%I@'MNA4[5E_>MCQC"6O_06A>__PZC(7C\I6-:63R6E'K1"XLW
M?=(&*&JNN'1#8*,?#`.*25>BA2/.VR-LBYBH4%5'>W7H[?Y;C\1\G0?W?Y.:
MN:,Q;M[_VRVS_T.K+N__K9W=U?Y_'P]OF68%X.;/V3P5Q=<97Q7805\AR`.9
M+=SO/=Q-[G/3+VT:0;Q\QZG(QN$FE$\3F<V_OG*#G/-TL,T%D11OS@Z/CO\J
MUC9'H.,V<2+H0&^ND6]T%*>?:%.5U]*S"=</(C>=(L(FG`XD&L48HT:%.,:T
M.R[%'-6D*[*1A+W;PPBZF&"^F)):=4'Y6N6J85![R`Z3V@/CT%<.D=XJM#,%
MMDQ#[Q3T(I11:0,)U/9!7ACLQY/LF?4QD0/_?>=C\2K"%)^UQV"3&K<K5+.5
MU[(WFP"W&EA8GVIV4B[@E%RI5^GK=SIJCSZHB]NT0.9DM$:]41"2C8?ZO4F=
M\"\U%30$,T[?<,($L2]E,2EA0B]@#IR.0.`P+HX-.R$#4ILVHO3N^.CPK\?G
MAR]J_*DN?OA!O,-7O?/]\[<]\WK/SC80W6#Z^(^B%VRF#5'BD\TCE8ZPOK^W
M/F/JMZ6:J*R5AEFO>MTVKX&(&VTBG4S3.(6)T0]8BR,R_6)"L2'@'3?[&UJ=
ME%)F`)AVPFH"6*9]F)+.?")I>)(_[8DVL-/FIYWM;'%VJ0+K"HQG5Y*QJ&`:
MS'KP63(!YIY*<VL9S+0`(GX,N#TW!@_K3Y).,2HGQ8G3A519"3+IA36M"GB(
MM8;UERV)2CCKHB+UNQ303&>:,2D7SKA5V4Z?%Z@B$Y6_01E%Z\MU$9O]%<J(
M!B!U5,2,;J-C:(I@6K;?MUL?BX0KYJ5`;#F5>T6HQ9<R'6!I#LX'>F#YPD"7
M^Y"=F8"=F0],EOE,NJ$8^)F:VC#FFHY1,!QALOG*G9JL;U$:\%P\T4_=T5'*
M6;7T+U1C)%J%+B->:7WFQ;@=Y_+N5)(MC\O*$M1W(2S)0\1*W"*_E`1L(XXV
M>+&&[A"5\`7HEPN*+^!$F=K8G_9DIGY#'%WT#L^/7JB)*8ZBZ]$&P?C>7VN8
M<.3#LOCH!8X"9/W-/<N"=%LIXC('V\/6(0.LKK*R6W]T8Y\3IDVVA,B.`HK!
M@@<G/!@'(88N8^/TE^6M;L*WB.]*!+4%4J[D6&"0W+%DSN"P$E2Q5@@.BFKI
MU_]!6"E*-U.^JF765"+I2DKX@75G6"A$W`7(E._F(LZ2.<8%HT1BW;0<I[,,
M,J`=!<A0#K!H5H4_W#1UIV#$`X$X%`E>D34&^3]GFHNX(+DP$PVL*#:SR<`6
M255Q)M(">%AG+PC%&:=H^0*WMORM"CI=*J.]BH(--UBH"_:[V6J\HK,IR.-R
M0"ZK*1?E<9J)_$@P+H'$?Y$R09V'2G02@1>*"@GCN59AGBDBLJ=0B?:B.<PJ
MF8>WF(2E2`#KEZ#RXPCCKR>@(O5**RFXLN:>B6;=2F&IMXIS=J1P07FDT?!J
M"N]WC)*W9V@3K"%V[,!?F3T#)>I@;(/W`")\0/L9[G<D:!BJ_1"ML>"7!!7_
M/]?[E&OXD./?PQJ'@;[WZ]#?\*A0)$5]GD6]9]5@:>_V+638X%[%_ZQ'Y?\Y
MH7M'8RS)_^UV6SLF_[_3V:7XW^[.*OYW'P_OFD5*?T.%^*8F&\:6S]B-W"$J
M7SLOB'V^H4B@QD&"Y5-@CWLHL!CV`]`%.!57%\_B=#)O)%7X!SMO^O(2Y2%I
MP2AI/`$35;_Z;8"Q$/WK;,!G.^8S9@B&",-MX<WU=9-/<U0%4@D_K!AENX#=
M@4RG(-5FSUB"01GDZIA%W^T#,<!L"F3*P1JB%)O69*&`<1>I7!W69V!7K$@%
M!"*9!A[L4'.<PW[KF:8MVBKI0!T@R8(LS[0U$X&UJ$XA&#HW:!V%$U4<7"K]
MU]X%V$!94:.L5A']X&1G1N97?A6KVF%,<M+8H-"E3P$IJM>NB/QB=ND/)QOQ
M[30;NUX:9PO.9+!;!C32R5>JTD[QB`_GL]BV2Q&QF>H3/)U1K*NU9R:2_/-^
M[_#B]>')R_-70CP6<P\,^5I&0UP%`[/P.*L&HYAX]/FO%P>G;T_.#\_:"Z"<
M#@9HR0.43.)A(+&>K"\`T1%/EH!8;ZVK=5,FB+QVO1QKZ3,1QNCJ6JS61,GG
MB9+/$.7\S<7IT1'X%6)G'I%97$`GP.#KN<%HG^QL^(+#`3[HC).7H\\'L&1Z
M4X\DA"2\J;SN=Y*/<\#:X[QE#Z;EN>BDAT$TN49W/<,I]!Z1'H$-(0#/EE/C
M?'C`/IH#HX&7CVNBS=--_@[(3BZOKJ>_O?F?,YAR=>L.MVZU.UO;.]W=QT_<
MO@>TL4BDN:W73GM[]E/'?.H268Y!.Y$:-4>WU&!**)OB%^1BH<MTAO_2#2<R
M*YPBYIZ]Y#Z2'%=]ZGRDXP="SU/9HS1RF^/6%5\Z]$40VGC(99)8G=10JB%I
MMMP;%<<1+"1I(SD")PG-5[,0`^5/%+Q256>31%$D*]G0Y61ZPBER;Y36+.XV
M%A#&MI[):K8GG\!.:\&8#6LOR)Q4C=^I'K^S>/S.W/B=VXU?.O)2\$=+-6[P
M7IQ,E9E0:'FJ/N&SCY)T#W!.">U-]8.*!V,Y]I*I=1(I*<Z-@8L=#XH4OYJR
M43-&F:!(P8B$>)GQY7+#RD6@_!_%N^=[<P+X^^_6JBR^:RE<%`PV(,&M*L-8
MZ%%7R=]>2=48J"I95[TV2ITZII/.\,V=;;IE$6=Q3M`<6])E470P</;TDNT6
M`\3(&R?6P3T-MF'OE'4.T\U3QQZ4S23:AF1$5IPUD`8[2\:BGJ6J1<>TJ!Z[
M)TV$I4@FFLFKX1=RL!JG)1RL1O.9=7*0(ZX>G1BV6'&E]F@T'4$T120Q,ZI2
M0O:$%BM?,MC09`0-FZF`E9Z_#OR:Z(W-Y9*J710[FE4T![H(J-`K)>6ORM.B
MR;@/<QH&E^QM8,5P4X?'EI86EXO'4$O`_PK1,ZH;C-HXK7&73=AAGY5:=&9:
M?$\MS`J=GP@K2+5P-67(*\`#G[/$6Z"N%A$2^8@3*8\6CS&\7:8:'?+N<V"X
M/"CTMX3RARQ?-!BW;F;Y!4X=Y91(L(2]-]1S*XX8TO[XX[,Y[5FI<&=W.PR9
M&Q9J*$70CE>R/C).S#!KNL21+,>*2BY=0TJZ/B8(S)E28WO,G!&]@6]$@J_H
M_V/\QYP;NJ,`T)+XSU:K6YS_V&WC_1^=SE9W%?^YCX>]_V(%@%E(T0)5_D65
MPN@+T2EJ??G%-U3L;6H:[J;4VX#_#ROTSF+!MZ+@B6W83C$,DZ=QJ/W"%'.Z
M2%D-CI;+W52`5T1CF/<O$3%$'9.QA,!Z)FJ(6AUQ0](@S:C`6Q6#RVN,8S4H
ML:EHQ!]49AWZG&+$[2K(I&YDMY!S`PUA(`1SK'-V?)F*-:B.VN&Z"X-/>"$*
M,53=@U%'WB"$01K(R,_XNH<L@94$-.:;">A(/=^5H'"ZBM/09Q`4>#,G-'1<
MCQPKLK:^7HT\]`<^U.I+2^4[.M5462I?@$&$\*]Y`)TB%8S_K(KG_WCQ?+%H
M5J7S_^\?M/_X`.C=C;'L_H>MEF7_[6SA^=^M[JK^_UX>WDG5$>`-=`W'8*R4
M<W__-O7_58:$93.P*XQP!OX"<ZJA7'':H.G&';+8T'HBG4M9+O:AM2./\"@2
M@2I:F4^ZFL@$'VXZ57U3W('B5=H#'_A+W>_O>A?'O8-79\H/1XNO7AT6*/N\
M9%M<RC08!-+*F!BT91'B1U.&3"?V>3-\I:;-*9_!DJ"%BKL4D8)%$UIX:]5\
M$.%KB]&_[9,4]W\^OJLQENC_;KNS8^[_;.UTZ?Z?[57]Q[T\S?-7XN7A^9OS
M7\5CL=9IB?W)$+W.]I,GNVMB[87L!Z"O7YZ\W7R-.=`UI]E[)?"^&$=?N:E=
MY(9=#OUA0]^"6=R8B7=J\AV/!*3WZ\GIF]YQSVG^K._N:9X=B_<FBO[1:?93
M_&JNVFD>LW[1'ZS+<(I/`/K%8>_@[/C-^?'IB=-\\\;ADI!\A&641>'%E>08
MZ-);/YV;;OV\]96?3N65G^7[/BU:H%-HSWWQK9^WO_+367#EY]Q]GS5^0<D!
MQ/+#!D82?,>TJ"^\$I0(OD_A"*I:U9/F@',Y0.-FP+<SID/#N0Q<]G8DC(?B
M]F$#G)Q^L.!F3T-F[)VDP27LN4,)XY^_L<@(GI.ZKVYNKR?6:=JIHM(@+^XM
MY#).8@N\'KF9OFO0Y5ON@IP/'2VXAG&^,(A7C;DJ$2\>).2MFQ(Y%D25RE3D
M6*#.5RCBJB"GGS]H.T,[BMA0[<6U<@D.W[H*V(*ZBT#7^0[0+L'*XX)6<8*$
MA34T%3G?R!C)N6A74+[]S[7&I("+4\I[T;D[OM>PH6U("E;1B0A&2.(%JT)9
M')&\SIT2R"(>P\?YTCPK]Z,U9!5N-9WC@1X+5EEFE0@;SJLK(LG`Q)B+JAB'
M"1-?$46F,P;M)$4`E1.^C*["T)77H1'@+XL@SH</G2\*'\['#IWYV&$)OZH8
MXI<$$)WY`.*71@\5R2RU_HT2S<+P7TLV?;M*U>T:N+.][>V_/-1[F@[2X]F(
M":@$2Y2U<M1$RUB'%B=9^#).=5CV..<9N."PP5I`OCE$-5O'V-#3F.\4KEKX
M0H5"%=TQ/TPR-98NR"+&MIS2=B-@?^CWK2M<J:@+P43J@(JK+II5MXZKVL`\
MU4H1RT[@$Q!TA@*X!(TJ*NE+U*^EDG767;-3-,*O.UHSX7V4C`C82:FT$EIF
MO`$>VPN;BV=YVS-D-5N(F@W27S&R)):URHEHG*S%2YI(AX?Y2F*GO`YOLTFI
MFX.=URX=FRD0)`^1#9`9":"UBD0EZT=I5MR]=,4/FP5HEQWOOSPY[9T?'_06
MF0E8;8=4OR8.L=RT:*EA"1O>%Z[.<=-6V"Y]44=B9EG)CF)FP6PS&]6US3E;
M8SI>X493<P0:UK<SK]AA)D?'KP][6E_IO>?/?R:IG#<TFJ66N6EY<Q)FIAMM
M;@YK+:QZK-),@-E:[_!0[+_NG8*I_O,97_`L:IUZ0_T$953\I--<^-,QI]OF
M3H,UV=H&T/MOSU^=GCE+HSDK;WSUK)[5LWI6S^I9/:MG]:R>U;-Z5L_J63VK
09_6LGF_C^2=/D#]^`'@`````
`
end



<strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org</code>:<br>
<code>Bug#988</code>; Package <code>general</code>.


debian-bugs-dist@lists.debian.orgdebian-devel@lists.debian.org

Subject: Bug#988: Pty allocation: additional info
Reply-To: dark@xs4all.nl (Richard Braakman), 988@bugs.debian.org
Resent-From: dark@xs4all.nl (Richard Braakman)
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: debian-devel@lists.debian.org
Resent-Date: Thu, 21 Aug 1997 00:18:01 GMT
Resent-Message-ID: <handler.988.B988.87212260720652@bugs.debian.org>
Resent-Sender: iwj@debian.org
X-Debian-PR-Message: report 988
X-Debian-PR-Package: general
X-Debian-PR-Keywords: 
X-Loop: owner@bugs.debian.org
Received: via spool by 988-bugs@bugs.debian.org id=B988.87212260720652
          (code B ref 988); Thu, 21 Aug 1997 00:18:01 GMT
Message-Id: <m0x1KzI-001NJaC@night>
From: dark@xs4all.nl (Richard Braakman)
To: 988@bugs.debian.org
Date: Thu, 21 Aug 1997 02:20:31 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

I forgot to explain the security aspects when seen from the other
side: that the three setuid-root binaries can't be exploited even when
the caller does not follow the recipe.

The worst getpty can do is set tty access to root-only.  If the caller
is persistent, it could do this to all free ptys.  Most programs that
allocate pty/tty pairs won't mind if this happens, since they run as
root anyway.  The ones that don't can use getpty ;-).  The caller
could do far more damage by simply opening all the free pty master
devices.

claimpty and releasepty both change the tty permissions for an in-use
pty.  This could be a problem, which is why they both require that the
caller pass an open file descriptor for that pty.  Since a pty can be
opened only once, this guarantees that the caller is the process in
charge of that pty/tty pair.

I'll include this information in the man page if/when I make a getpty
package.

Richard Braakman
<dark@xs4all.nl>



<strong>Acknowledgement sent</strong> to <code>dark@xs4all.nl (Richard Braakman)</code>:<br>
Extra info received and forwarded to list.  Copy sent to <code>debian-devel@lists.debian.org</code>.


-t

From: owner@bugs.debian.org (Ian Jackson)
To: dark@xs4all.nl (Richard Braakman)
Subject: Bug#988: Info received (was Pty allocation: additional info)
Message-ID: <handler.988.B988.87212260720652.ackinfo@bugs.debian.org>
In-Reply-To: <m0x1KzI-001NJaC@night>
References: <m0x1KzI-001NJaC@night>
X-Debian-PR-Message: ack-info-maintonly 988

Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developer(s) and
to the developers' mailing list to accompany the original report.

Your message has been sent to the package maintainer(s):
 debian-devel@lists.debian.org

If you wish to continue to submit further information on your problem,
please send it to 988@bugs.debian.org, as before.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, Debian bug tracking system)



Received: (at 988) by bugs.debian.org; 21 Aug 1997 00:16:47 +0000
Received: (qmail 20649 invoked from network); 21 Aug 1997 00:16:46 -0000
Received: from smtp2.xs4all.nl (smtp2.xs4all.nl@194.109.6.52)
  by 205.229.104.5 with SMTP; 21 Aug 1997 00:16:46 -0000
Received: from harte.xs4all.nl (harte.xs4all.nl [194.109.63.66]) by smtp2.xs4all.nl (8.8.6/XS4ALL) with ESMTP id CAA27134 for <988@bugs.debian.org>; Thu, 21 Aug 1997 02:16:54 +0200 (CEST)
Received: from night (root@night.xs4all.nl [192.168.2.2])
	by harte.xs4all.nl (8.8.5/8.8.5) with ESMTP id CAA22477
	for <988@bugs.debian.org>; Thu, 21 Aug 1997 02:17:22 +0200
Received: by night
	id m0x1KzI-001NJaC
	(Debian Smail-3.2 1996-Jul-4 #2); Thu, 21 Aug 1997 02:20:32 +0200 (CEST)
Message-Id: <m0x1KzI-001NJaC@night>
From: dark@xs4all.nl (Richard Braakman)
Subject: Pty allocation: additional info
To: 988@bugs.debian.org
Date: Thu, 21 Aug 1997 02:20:31 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

I forgot to explain the security aspects when seen from the other
side: that the three setuid-root binaries can't be exploited even when
the caller does not follow the recipe.

The worst getpty can do is set tty access to root-only.  If the caller
is persistent, it could do this to all free ptys.  Most programs that
allocate pty/tty pairs won't mind if this happens, since they run as
root anyway.  The ones that don't can use getpty ;-).  The caller
could do far more damage by simply opening all the free pty master
devices.

claimpty and releasepty both change the tty permissions for an in-use
pty.  This could be a problem, which is why they both require that the
caller pass an open file descriptor for that pty.  Since a pty can be
opened only once, this guarantees that the caller is the process in
charge of that pty/tty pair.

I'll include this information in the man page if/when I make a getpty
package.

Richard Braakman
<dark@xs4all.nl>



<strong>Information forwarded</strong> to <code>debian-devel@lists.debian.org</code>:<br>
<code>Bug#988</code>; Package <code>general</code>.


debian-devel@lists.debian.org

Subject: Bug#988: Old bugs need to be looked at
Reply-To: remco@blaakmeer.student.utwente.nl (Remco Blaakmeer), 988-maintonly@bugs.debian.org
Resent-From: remco@blaakmeer.student.utwente.nl (Remco Blaakmeer)
Resent-To: debian-devel@lists.debian.org
Resent-Date: Sun, 01 Feb 1998 11:09:02 GMT
Resent-Message-ID: <handler.988.M988.88633107530570@bugs.debian.org>
Resent-Sender: iwj@debian.org
X-Debian-PR-Message: report 988
X-Debian-PR-Package: general
X-Debian-PR-Keywords: 
X-Loop: owner@bugs.debian.org
Received: via spool by 988-maintonly@bugs.debian.org id=M988.88633107530570
          (code M ref 988); Sun, 01 Feb 1998 11:09:02 GMT
Message-Id: <m0xyx7w-0013utC@blaakmeer.student.utwente.nl>
Date: Sun, 1 Feb 1998 11:59:52 +0100 (CET)
From: remco@blaakmeer.student.utwente.nl (Remco Blaakmeer)
To: 988-maintonly@bugs.debian.org

This is an automated message sent to all bugs older than one year.

This bug is very old. Please take a look at it and see if you can fix it.
If it has already been fixed, please close it.

If you have problems fixing it or if you don't have the time to fix it,
please ask the people on debian-devel@lists.debian.org for help, so that
at least the oldest bugs can be solved before Debian 2.0 is released.

Remco Blaakmeer



<strong>Acknowledgement sent</strong> to <code>remco@blaakmeer.student.utwente.nl (Remco Blaakmeer)</code>:<br>
Extra info received and forwarded to maintainer.  Copy sent to <code>debian-devel@lists.debian.org</code>.


-t

From: owner@bugs.debian.org (Ian Jackson)
To: remco@blaakmeer.student.utwente.nl (Remco Blaakmeer)
Subject: Bug#988: Info received for maintainer only
         (was Old bugs need to be looked at)
Message-ID: <handler.988.M988.88633107530570.ackinfomaint@bugs.debian.org>
In-Reply-To: <m0xyx7w-0013utC@blaakmeer.student.utwente.nl>
References: <m0xyx7w-0013utC@blaakmeer.student.utwente.nl>
X-Debian-PR-Message: ack-info 988

Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developer(s) (but
not to the mailing list) to accompany the original report.

Your message has been sent to the package maintainer(s):
 debian-devel@lists.debian.org

If you wish to continue to submit further information on your problem,
please send it to 988-maintonly@bugs.debian.org, as before.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Ian Jackson
(administrator, Debian bugs database)



Received: (at 988-maintonly) by bugs.debian.org; 1 Feb 1998 11:04:35 +0000
Received: (qmail 30567 invoked by uid 71); 1 Feb 1998 11:04:34 -0000
Received: from cal011205.student.utwente.nl (HELO blaakmeer.student.utwente.nl) (root@130.89.222.95)
  by debian.novare.net with SMTP; 1 Feb 1998 11:04:34 -0000
Received: by blaakmeer.student.utwente.nl
	id m0xyx7w-0013utC
	(Debian Smail-3.2.0.100 1997-Dec-8 #2); Sun, 1 Feb 1998 11:59:52 +0100 (CET)
Message-Id: <m0xyx7w-0013utC@blaakmeer.student.utwente.nl>
Date: Sun, 1 Feb 1998 11:59:52 +0100 (CET)
From: remco@blaakmeer.student.utwente.nl (Remco Blaakmeer)
To: 988-maintonly@bugs.debian.org
Subject: Old bugs need to be looked at

This is an automated message sent to all bugs older than one year.

This bug is very old. Please take a look at it and see if you can fix it.
If it has already been fixed, please close it.

If you have problems fixing it or if you don't have the time to fix it,
please ask the people on debian-devel@lists.debian.org for help, so that
at least the oldest bugs can be solved before Debian 2.0 is released.

Remco Blaakmeer



<strong>Disconnected #7112 from all other report(s).</strong>
Request was from <code>Brian White &lt;bcwhite@verisim.com&gt;</code>
to <code>control@bugs.debian.org</code>. 


Received: (at control) by bugs.debian.org; 19 Feb 1998 19:55:03 +0000
Received: (qmail 6099 invoked from network); 19 Feb 1998 19:54:48 -0000
Received: from unknown (HELO dragon.ott.verisim.com) (unknown)
  by unknown with SMTP; 19 Feb 1998 19:54:48 -0000
Received: from bcwhite by dragon.ott.verisim.com with local (Exim 1.62 #1)
	id 0y5c4N-00063Q-00 (Debian); Thu, 19 Feb 1998 14:55:43 -0500
To: control@bugs.debian.org
Subject: unmerge
Message-Id: <E0y5c4N-00063Q-00@dragon.ott.verisim.com>
From: Brian White <bcwhite@verisim.com>
Date: Thu, 19 Feb 1998 14:55:43 -0500

unmerge 7112



<strong>Information forwarded</strong> to <code>debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org</code>:<br>
<code>Bug#988</code>; Package <code>general</code>.


debian-bugs-dist@lists.debian.orgdebian-devel@lists.debian.org

Subject: Bug#988: bug reassignment
Reply-To: Brian White <bcwhite@verisim.com>, 988@bugs.debian.org
Resent-From: Brian White <bcwhite@verisim.com>
Orignal-Sender: bcwhite@verisim.com
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: debian-devel@lists.debian.org
Resent-Date: Thu, 19 Feb 1998 20:35:52 GMT
Resent-Message-ID: <handler.988.B988.8879198131115@bugs.debian.org>
Resent-Sender: iwj@debian.org
X-Debian-PR-Message: report 988
X-Debian-PR-Package: general
X-Debian-PR-Keywords: 
X-Loop: owner@bugs.debian.org
Received: via spool by 988-bugs@bugs.debian.org id=B988.8879198131115
          (code B ref 988); Thu, 19 Feb 1998 20:35:52 GMT
Sender: bcwhite@verisim.com
Message-ID: <34EC8EEB.209149FB@verisim.com>
Date: Thu, 19 Feb 1998 14:58:35 -0500
From: Brian White <bcwhite@verisim.com>
Organization: Verisim, Inc.  http://www.verisim.com/
X-Mailer: Mozilla 3.04Gold (X11; I; Linux 2.0.32 i686)
MIME-Version: 1.0
To: 988@bugs.debian.org, bsdutils@packages.debian.org
CC: control@bugs.debian.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

reassign 988 bsdutils
-- 

This bug was assigned to "general" and hence was getting completely
forgotten about.  I'm reassigning it back to bsdutils, since that is
where the complaint lies.  If this has been solved, please close this
bug.  If there are other packages this bug also applies to, please
report bugs against those packages as well.

                                          Brian
                                 ( bcwhite@verisim.com )

-------------------------------------------------------------------------------
       Touch passion when it comes your way.  It's rare enough as it is;
       don't walk away when it calls you by name.  -- Marcus (Babylon 5)





<strong>Acknowledgement sent</strong> to <code>Brian White &lt;bcwhite@verisim.com&gt;</code>:<br>
Extra info received and forwarded to list.  Copy sent to <code>debian-devel@lists.debian.org</code>.


-t

From: owner@bugs.debian.org (Ian Jackson)
To: Brian White <bcwhite@verisim.com>
Subject: Bug#988: Info received (was bug reassignment)
Message-ID: <handler.988.B988.8879198131115.ackinfo@bugs.debian.org>
In-Reply-To: <34EC8EEB.209149FB@verisim.com>
References: <34EC8EEB.209149FB@verisim.com>
X-Debian-PR-Message: ack-info-maintonly 988

Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developer(s) and
to the developers' mailing list to accompany the original report.

Your message has been sent to the package maintainer(s):
 debian-devel@lists.debian.org

If you wish to continue to submit further information on your problem,
please send it to 988@bugs.debian.org, as before.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Ian Jackson
(administrator, Debian bugs database)



Received: (at 988) by bugs.debian.org; 19 Feb 1998 20:23:33 +0000
Received: (qmail 875 invoked from network); 19 Feb 1998 20:23:19 -0000
Received: from unknown (HELO titan.ott.verisim.com) (unknown)
  by unknown with SMTP; 19 Feb 1998 20:23:19 -0000
Received: from dragon [192.168.1.10] (bcwhite)
	by titan.ott.verisim.com with smtp (Exim 1.62 #1)
	id 0y5cVd-0003AM-00 (Debian); Thu, 19 Feb 1998 15:23:53 -0500
Sender: bcwhite@verisim.com
Message-ID: <34EC8EEB.209149FB@verisim.com>
Date: Thu, 19 Feb 1998 14:58:35 -0500
From: Brian White <bcwhite@verisim.com>
Organization: Verisim, Inc.  http://www.verisim.com/
X-Mailer: Mozilla 3.04Gold (X11; I; Linux 2.0.32 i686)
MIME-Version: 1.0
To: 988@bugs.debian.org, bsdutils@packages.debian.org
CC: control@bugs.debian.org
Subject: bug reassignment
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

reassign 988 bsdutils
-- 

This bug was assigned to "general" and hence was getting completely
forgotten about.  I'm reassigning it back to bsdutils, since that is
where the complaint lies.  If this has been solved, please close this
bug.  If there are other packages this bug also applies to, please
report bugs against those packages as well.

                                          Brian
                                 ( bcwhite@verisim.com )

-------------------------------------------------------------------------------
       Touch passion when it comes your way.  It's rare enough as it is;
       don't walk away when it calls you by name.  -- Marcus (Babylon 5)





<strong>Bug reassigned from package `general' to `bsdutils'.</strong>
Request was from <code>Brian White &lt;bcwhite@verisim.com&gt;</code>
to <code>control@bugs.debian.org</code>. 


Received: (at control) by bugs.debian.org; 19 Feb 1998 20:23:33 +0000
Received: (qmail 875 invoked from network); 19 Feb 1998 20:23:19 -0000
Received: from unknown (HELO titan.ott.verisim.com) (unknown)
  by unknown with SMTP; 19 Feb 1998 20:23:19 -0000
Received: from dragon [192.168.1.10] (bcwhite)
	by titan.ott.verisim.com with smtp (Exim 1.62 #1)
	id 0y5cVd-0003AM-00 (Debian); Thu, 19 Feb 1998 15:23:53 -0500
Sender: bcwhite@verisim.com
Message-ID: <34EC8EEB.209149FB@verisim.com>
Date: Thu, 19 Feb 1998 14:58:35 -0500
From: Brian White <bcwhite@verisim.com>
Organization: Verisim, Inc.  http://www.verisim.com/
X-Mailer: Mozilla 3.04Gold (X11; I; Linux 2.0.32 i686)
MIME-Version: 1.0
To: 988@bugs.debian.org, bsdutils@packages.debian.org
CC: control@bugs.debian.org
Subject: bug reassignment
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

reassign 988 bsdutils
-- 

This bug was assigned to "general" and hence was getting completely
forgotten about.  I'm reassigning it back to bsdutils, since that is
where the complaint lies.  If this has been solved, please close this
bug.  If there are other packages this bug also applies to, please
report bugs against those packages as well.

                                          Brian
                                 ( bcwhite@verisim.com )

-------------------------------------------------------------------------------
       Touch passion when it comes your way.  It's rare enough as it is;
       don't walk away when it calls you by name.  -- Marcus (Babylon 5)