Panic!
I repeated my yesterday experiment, but with emacs
changed to telnet localhost, rlogin localhost etc.
(telnetd, rlogind, login.krb5 are from KRB5B5)
The result is the same!
Dazed & confused, I debugged kernel and found:
1. cat /dev/ttyp0 sleeps in slave open
2. telnetd,rlogind changes tty ownership/permissions and call vhangup
3. cat does not feel it just because it has not yet opened ttyp0.
4. when scheduler wakes up cat, it opens ttyp0 successfully,
despite of changed permissions, because all permission checks
were done at the start of sys_open.
Oops! Crackers, where are you? I am almost sure, that
all BSDs have similar hole.
: As a point in favor of your argument, Solaris does returns EPERM if you
: try opening the slave pty if the master is not open.
Well, Solaris2.3 does not return EPERM. It sleeps.
Every day I kill dozen of sleeping in pty open talkds and messageds.
(I cannot catch all the programs that break Solaris utmp(x).
Just found one more program breaking utmp(x): /usr/openwin/bin/xterm,
maybe, it will help.)
: Emacs *should* call vhangup; for example, the code which allocates a pty
I have emacs that calls it. I use the thing a sort of SYSV "pt_chmod"
for years. As you've seen it does not help.
: chown'ed back to being owned by root when the pty is released.
Would be great! It would solve all the problems.
The alternative:
Why not to kill all BSD pty stuff? It is broken uncurably,
and it is easier to recompile couple of programs, than continue
to support it.
SYSV scheme is really secure and almost all the programs
have compile time switch to change BSD<->SYSV style.
Alexey Kuznetsov.