From owner-freebsd-hackers Wed Nov 8 15:03:41 2000
Date: Wed, 8 Nov 2000 15:03:38 -0800 (PST)
From: Nick Sayer
Message-Id: <200011082303.eA8N3c193540@medusa.kfu.com>
To: freebsd-hackers@freebsd.org
Subject: KDE2, konsole_grantpty and FreeBSD

KDE2 uses a utility called "konsole_grantpty". This is an suid program. Its job is to chown the master side (/dev/pty??) of the pty pair for konsole, which is KDE's "xterm" sort of thing. By isolating this action in a child, konsole itself does not require suid.

konsole_grantpty does its job by performing the actions called for on ttyname(3) (that is, it is passed a file descriptor on fd 3 of the device it needs to fiddle).

The problem is that ttyname() fails on all /dev/pty?? devices. This is because the first thing ttyname does is perform a tcgetattr() to see if it's really a terminal or not. This fails.

So something has to give. Either konsole_grantpty has to find some other way of turning a file descriptor into a /dev entry in a way that can't be exploited by someone else redirecting stuff into it, or ttyname() has to be made a bit more lax, or pty's have to look like tty's to ttyname().

Anyone have any ideas?
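
A sketch of the first option raised in the message, resolving a descriptor to a /dev entry without going through ttyname() or tcgetattr(). This is an added example, not part of the original post and not KDE or FreeBSD code; `fd_to_devname` is a hypothetical helper, and /dev/null stands in for the pty that would arrive on fd 3.

```c
/* Added example: map an inherited descriptor to its /dev node without ttyname(). */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: find the entry in `dir` that is the same character
 * device as `fd`. Returns 0 and fills `out`, or -1 if fd is not a character
 * device or no node matches. Only the kernel's fstat() answer is trusted. */
int fd_to_devname(int fd, const char *dir, char *out, size_t outlen)
{
    struct stat fsb, dsb;
    struct dirent *de;
    DIR *dp;
    int rc = -1;

    if (fstat(fd, &fsb) != 0 || !S_ISCHR(fsb.st_mode))
        return -1;                      /* pipes, files, sockets: refuse */
    if ((dp = opendir(dir)) == NULL)
        return -1;
    while (rc != 0 && (de = readdir(dp)) != NULL) {
        if ((size_t)snprintf(out, outlen, "%s/%s", dir, de->d_name) >= outlen)
            continue;                   /* name would be truncated */
        /* lstat(): a symlink planted in the directory is never followed */
        if (lstat(out, &dsb) != 0 || !S_ISCHR(dsb.st_mode))
            continue;
        if (dsb.st_rdev == fsb.st_rdev)
            rc = 0;                     /* same major/minor as the descriptor */
    }
    closedir(dp);
    return rc;
}

int main(void)
{
    char name[256];
    int fd = open("/dev/null", O_RDONLY);   /* stand-in for the pty on fd 3 */

    if (fd >= 0 && fd_to_devname(fd, "/dev", name, sizeof name) == 0)
        printf("descriptor is %s\n", name);
    return 0;
}
```

The returned name is only a lookup result: a later path-based chown() on it can race with a rename, so a privileged helper should re-check the node or operate on the descriptor itself.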