Received: with rfc822 via encapsulated-mail id 06141256209927; Wed, 14 Jun 1995 12:56:20 GMT
From cus.cam.ac.uk!iwj10 Wed Jun 14 05:54:23 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0sLrxe-0007mTC; Wed, 14 Jun 95 05:54 PDT
Received: from bootes.cus.cam.ac.uk by pixar.com with SMTP id AA25300 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 14 Jun 1995 05:52:52 -0700
Received: by bootes.cus.cam.ac.uk (Smail-3.1.29.0 #36) id m0sLrxB-000C01C; Wed, 14 Jun 95 13:53 BST
Received: by chiark id (Debian /\oo/\ Smail3.1.29.1 #29.32); Wed, 14 Jun 95 13:37 BST
Message-Id:
Date: Wed, 14 Jun 95 13:37 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: Debian bugs submission address
Subject: `script' is insecure, and general tty insecurity

Package: bsdutils
Version: 1.2-1

chiark:~> tty
/dev/ttyp3
chiark:~> script
Script started, output file is typescript
chiark:~> tty
/dev/ttyp7
chiark:~> ls -al /dev/ttyp3 /dev/ttyp7
crw--w--w-   1 ian      ian        4, 195 Jun 14 13:31 /dev/ttyp3
crw-rw-rw-   1 root     root       4, 199 Jun 14 13:31 /dev/ttyp7
chiark:~> exit
exit
Script done, output file is typescript
chiark:~> ls -al /dev/ttyp3 /dev/ttyp7
crw--w--w-   1 ian      ian        4, 195 Jun 14 13:31 /dev/ttyp3
crw-rw-rw-   1 root     root       4, 199 Jun 14 13:31 /dev/ttyp7
chiark:~>

Clearly /dev/ttyp7 should, while script is running:
 * not be readable by everyone
 * be owned by the user (so that they can use mesg and biff)
 * have mesg off by default

Fixing this will require the intervention of a setuid root program (either script will have to be setuid or another program will have to be made).

There may be other security problems, notably races in the pty allocation. In general this is a very messy area, and the solutions to the problems here are likely to involve nontrivial amounts of thought, coding and/or introduction of additional software.
This problem with programs like `script' is common on many unices, but we should arrange to find solutions at least for programs we supply.

There are other problems related to having globally-writeable tty's. IMO tty's should be made group-writeable only by a special group (conventionally called `tty'), to which all programs like `write' and `talk' will have to be setgid. This is probably a major undertaking, though, requiring changes to login, telnet, &c &c

Ian.
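The following is an added example, not part of Ian Jackson's report and not bsdutils code. It shows what the report's three requirements look like as a concrete check on the slave pty (owned by the session user, no group/other read, mesg off, i.e. mode 0600), and how a modern POSIX system hands the privileged ownership step to grantpt() instead of a setuid `script'. The policy check is a pure function on stat(2) data so it can be run against the two devices from the transcript above; the uid 1000 used for the session user, and the 0600 reading of the three bullets, are assumptions of this example, not something the report states.

```c
#define _XOPEN_SOURCE 600   /* for posix_openpt(), grantpt(), unlockpt(), ptsname() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes so the example still compiles if the feature-test
 * macro above is seen after some other header has already pulled in
 * <features.h>. These match the POSIX declarations in <stdlib.h>. */
int posix_openpt(int oflag);
int grantpt(int fd);
int unlockpt(int fd);
char *ptsname(int fd);

/* Policy taken from the report (assumed reading): the slave must be a
 * character device owned by the session user, unreadable by anyone else,
 * and with mesg off (no group/other write) until the user turns it on.
 * That is mode 0600. */
#define PTY_SLAVE_MODE 0600

enum {
    PTY_BAD_OWNER  = 1,   /* not owned by the session user: mesg/biff unusable */
    PTY_WORLD_READ = 2,   /* group or other can read: the session can be snooped */
    PTY_MESG_ON    = 4,   /* group or other can write: write(1)/talk(1) reach it */
    PTY_NOT_CHR    = 8    /* path is not a character device at all */
};

/* Pure check on the result of stat(2). Returns 0 if the slave is
 * acceptable, otherwise a bitmask of the problems found. Side-effect
 * free so it can be run on constructed stat data as well as real devices. */
int pty_slave_problems(const struct stat *st, uid_t user)
{
    int problems = 0;
    if (!S_ISCHR(st->st_mode))
        problems |= PTY_NOT_CHR;
    if (st->st_uid != user)
        problems |= PTY_BAD_OWNER;
    if (st->st_mode & (S_IRGRP | S_IROTH))
        problems |= PTY_WORLD_READ;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        problems |= PTY_MESG_ON;
    return problems;
}

/* Allocate a pty with the ownership fix the report asks for. grantpt() is
 * the privileged step (it chowns the slave to the caller, through a setuid
 * helper or the kernel's devpts); the explicit chmod then turns mesg off,
 * which grantpt()'s customary 0620 does not. Returns the master fd or -1,
 * and copies the slave path into buf. */
int open_secure_pty(char *buf, size_t buflen)
{
    const char *name;
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0)
        goto fail;
    name = ptsname(master);
    if (name == NULL || snprintf(buf, buflen, "%s", name) >= (int)buflen)
        goto fail;
    if (chmod(buf, PTY_SLAVE_MODE) < 0)
        goto fail;
    return master;
fail:
    close(master);
    return -1;
}

int main(void)
{
    char slave[64];
    struct stat st;
    int master = open_secure_pty(slave, sizeof slave);
    if (master < 0) {
        perror("open_secure_pty");
        return 1;
    }
    if (stat(slave, &st) < 0) {
        perror("stat");
        close(master);
        return 1;
    }
    int problems = pty_slave_problems(&st, getuid());
    printf("%s: uid %u mode %04o -> %s\n", slave, (unsigned)st.st_uid,
           (unsigned)(st.st_mode & 07777), problems ? "INSECURE" : "ok");
    close(master);
    return problems ? 1 : 0;
}
```

Run against the transcript's /dev/ttyp7 (root-owned, 0666) the check reports all three problems at once; against /dev/ttyp3 (owned by ian, 0622) only "mesg on", which is the user's own choice rather than a hole. The race the report mentions is outside what this example addresses: grantpt() only fixes ownership of a slave the master already holds, it does not make a search-and-claim allocation over /dev/ttyp* atomic.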