SUMMARY: /devices/pseudo permissions

From: Michael Hawk (mike@gi.net)
Date: Thu Jan 02 1997 - 12:31:11 CST


Hi,
    casper@holland.Sun.COM summed it up really well...

Thanks.

-mike

ORIGINAL SUBMISSION:
   I was looking through the /devices/pseudo directory on a 2.4 Sparc 10, and
was a little confused about the permissions on the pts* nodes.
   Many have permissions like this, which looks like the default:

crw--w---- 1 root tty 24,114 Mar 12 1996 pts@0:114

   Many are owned by users with 666 permissions...including pts that are
no longer in use. Other than a user redirecting output to someone else's
xterm, what kind of security risk is this?
   What should permissions/ownership for used pts be?

REPLY:
The default permissions on system installation are:

crw-r--r-- 1 root sys 24, 47 Apr 3 1995 /dev/pts/47

(this device was created on the day I started working for Sun and it
was never used.)

The permissions really don't matter as the pty allocation mechanism is
safe.

Even if you are the owner, it is not possible to open a tty device until
special steps are taken.

E.g., try (as root for the best effect):

        truss -t open /dev/pts/<not in use>

E.g.,:

        # truss -t open /dev/pts/47
        .....
        open("/dev/pts/47", O_RDONLY) Err#13 EACCES

So even root can't open pty devices that aren't in use.

The mechanism to open ptys is safe and works like this (from pts(7d)):

First you open the master, a clone device, this will give you a guaranteed
"clean" pty master.
          fdm = open("/dev/ptmx", O_RDWR); /* open master */

Using grantpt() on this fd (which cannot be obtained by anyone else, it
is unique for each open call to /dev/ptmx). Grantpt() calls the set-uid
program /usr/lib/pt_chmod and chowns the pty *slave* to the invoker.
(and well; mode 620, group tty, owner caller)
          grantpt(fdm); /* change permission of slave */

This next step instructs the kernel to allow access to the slave
side; it is not until this step is completed that open() by anyone of
the slave side will work.
          unlockpt(fdm); /* unlock slave */

          slavename = ptsname(fdm); /* get name of slave */

So as long as the code does grantpt() and unlockpt() in that order the
permissions do not matter. I've only seen some versions of screen, a pd
program, reverse that order.

Casper

-----------------------------------------------------------------------------
Michael Hawk
mike@gi.net
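
Added example, not part of the original message or of Casper's reply: a C program that runs the allocation sequence described in the reply and records whether the slave can be opened before and after unlockpt(). It assumes a Linux or other POSIX system that provides /dev/ptmx; the names check_slave_lock and slave_opens are made up for this example.

```c
#define _XOPEN_SOURCE 600   /* must precede the first system header */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Repeated so the file still builds if <stdlib.h> was read without _XOPEN_SOURCE. */
int grantpt(int); int unlockpt(int); char *ptsname(int);

/* Returns 1 if the slave could be opened, 0 if the open was refused.
 * O_NOCTTY keeps the slave from becoming our controlling terminal. */
static int slave_opens(const char *path)
{
    int fd = open(path, O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Allocate a pty in the order the reply gives (grantpt, then unlockpt) and
 * record whether the slave opens before and after unlockpt().
 * Returns 0 on success, -1 if no pty could be allocated on this system. */
int check_slave_lock(int *before_unlock, int *after_unlock)
{
    int rc = -1;
    int fdm = open("/dev/ptmx", O_RDWR | O_NOCTTY);  /* clone device: fresh master */
    if (fdm < 0)
        return -1;
    const char *slave = grantpt(fdm) == 0 ? ptsname(fdm) : NULL;
    if (slave != NULL) {
        *before_unlock = slave_opens(slave);  /* owned by caller, still locked */
        if (unlockpt(fdm) == 0) {
            *after_unlock = slave_opens(slave);
            rc = 0;
        }
    }
    close(fdm);
    return rc;
}

int main(void)
{
    int before = -1, after = -1;
    if (check_slave_lock(&before, &after) != 0) {
        fprintf(stderr, "no pty could be allocated\n");
        return 1;
    }
    printf("open before unlockpt(): %s\n", before ? "allowed" : "refused");
    printf("open after  unlockpt(): %s\n", after ? "allowed" : "refused");
    return 0;
}
```

The errno returned for a locked slave differs between systems, so the example only distinguishes "refused" from "allowed".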


