Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  newsreader  groups  login

Message-ID:  

A penny saved is a penny to squander. -- Ambrose Bierce

devel / comp.unix.programmer / Question re: TIOCSTI

SubjectAuthor
* Question re: TIOCSTIKenny McCormack
+- Question re: TIOCSTIScott Lurndal
+- Question re: TIOCSTIcandycanearter07
`- Question re: TIOCSTIKaz Kylheku

1
Question re: TIOCSTI

<uhtsic$2uflq$1@news.xmission.com>

  copy mid

https://www.novabbs.com/devel/article-flat.php?id=10745&group=comp.unix.programmer#10745

  copy link   Newsgroups: comp.unix.programmer
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!xmission!nnrp.xmission!.POSTED.shell.xmission.com!not-for-mail
From: gaze...@shell.xmission.com (Kenny McCormack)
Newsgroups: comp.unix.programmer
Subject: Question re: TIOCSTI
Date: Wed, 1 Nov 2023 15:58:04 -0000 (UTC)
Organization: The official candy of the new Millennium
Message-ID: <uhtsic$2uflq$1@news.xmission.com>
Injection-Date: Wed, 1 Nov 2023 15:58:04 -0000 (UTC)
Injection-Info: news.xmission.com; posting-host="shell.xmission.com:166.70.8.4";
logging-data="3096250"; mail-complaints-to="abuse@xmission.com"
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: gazelle@shell.xmission.com (Kenny McCormack)
 by: Kenny McCormack - Wed, 1 Nov 2023 15:58 UTC

Consider the following (C) code:

char c = 'A';
if (ioctl(0,TIOCSTI,&c)) perror("ioctl");

This works fine if the tty open on fd 0 is the current tty or if the
effective uid is 0.

However, if euid != 0 and I do something like:

$ ./program < /dev/pts/N

where N is not my current tty, then I get "Operation not permitted".

And (and this it the important part):
Even if I own /dev/pts/N and my processes are running on it.

I'm guessing this has something to do with process groups and not letting
you write into the other TTY (even if by the usual file security model, it
should be OK).

Is there any workaround (other than running as root, which isn't an option
on the actual system where I need to do this) ?

--
I shot a man on Fifth Aveneue, just to see him die.

Re: Question re: TIOCSTI

<WFu0N.352752$w4ec.525@fx14.iad>

  copy mid

https://www.novabbs.com/devel/article-flat.php?id=10746&group=comp.unix.programmer#10746

  copy link   Newsgroups: comp.unix.programmer
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer01.iad!feed-me.highwinds-media.com!news.highwinds-media.com!fx14.iad.POSTED!not-for-mail
X-newsreader: xrn 9.03-beta-14-64bit
Sender: scott@dragon.sl.home (Scott Lurndal)
From: sco...@slp53.sl.home (Scott Lurndal)
Reply-To: slp53@pacbell.net
Subject: Re: Question re: TIOCSTI
Newsgroups: comp.unix.programmer
References: <uhtsic$2uflq$1@news.xmission.com>
Lines: 26
Message-ID: <WFu0N.352752$w4ec.525@fx14.iad>
X-Complaints-To: abuse@usenetserver.com
NNTP-Posting-Date: Wed, 01 Nov 2023 16:04:06 UTC
Organization: UsenetServer - www.usenetserver.com
Date: Wed, 01 Nov 2023 16:04:06 GMT
X-Received-Bytes: 1319
 by: Scott Lurndal - Wed, 1 Nov 2023 16:04 UTC

gazelle@shell.xmission.com (Kenny McCormack) writes:
>Consider the following (C) code:
>
> char c = 'A';
> if (ioctl(0,TIOCSTI,&c)) perror("ioctl");
>
>This works fine if the tty open on fd 0 is the current tty or if the
>effective uid is 0.
>
>However, if euid != 0 and I do something like:
>
>$ ./program < /dev/pts/N
>
>where N is not my current tty, then I get "Operation not permitted".

That's a good thing.

It would be a crazy huge security hole to allow arbitrary character
injection into other terminals.

>
>And (and this it the important part):
> Even if I own /dev/pts/N and my processes are running on it.

Even then. Just because they have the same UID, doesn't mean
they are the same user (e.g. guest).

Re: Question re: TIOCSTI

<uhtv7i$1mg21$1@dont-email.me>

  copy mid

https://www.novabbs.com/devel/article-flat.php?id=10747&group=comp.unix.programmer#10747

  copy link   Newsgroups: comp.unix.programmer
Path: i2pn2.org!i2pn.org!eternal-september.org!feeder2.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: no...@thanks.net (candycanearter07)
Newsgroups: comp.unix.programmer
Subject: Re: Question re: TIOCSTI
Date: Wed, 1 Nov 2023 11:43:28 -0500
Organization: A noiseless patient Spider
Lines: 31
Message-ID: <uhtv7i$1mg21$1@dont-email.me>
References: <uhtsic$2uflq$1@news.xmission.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 1 Nov 2023 16:43:30 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="e9d67b4d30a5b7bc4e03ccaa5ce33177";
logging-data="1785921"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18YhwBUnHBCDuU5/km9thDFjkAwRZ7ndPnIxVsEDvqvgg=="
User-Agent: Betterbird (Linux)
Cancel-Lock: sha1:1P23eM/A6iSmgsrq9cDj8L7WVdw=
Content-Language: en-US
In-Reply-To: <uhtsic$2uflq$1@news.xmission.com>
 by: candycanearter07 - Wed, 1 Nov 2023 16:43 UTC

On 11/1/23 10:58, Kenny McCormack wrote:
> Consider the following (C) code:
>
> char c = 'A';
> if (ioctl(0,TIOCSTI,&c)) perror("ioctl");
>
> This works fine if the tty open on fd 0 is the current tty or if the
> effective uid is 0.
>
> However, if euid != 0 and I do something like:
>
> $ ./program < /dev/pts/N
>
> where N is not my current tty, then I get "Operation not permitted".
>
> And (and this it the important part):
> Even if I own /dev/pts/N and my processes are running on it.
>
> I'm guessing this has something to do with process groups and not letting
> you write into the other TTY (even if by the usual file security model, it
> should be OK).
>
> Is there any workaround (other than running as root, which isn't an option
> on the actual system where I need to do this) ?
>

Maybe you could create a named pipe? (mkfifo)
But, what are you trying to do here?
--
user <candycane> is generated from /dev/urandom

Re: Question re: TIOCSTI

<20231101103624.923@kylheku.com>

  copy mid

https://www.novabbs.com/devel/article-flat.php?id=10748&group=comp.unix.programmer#10748

  copy link   Newsgroups: comp.unix.programmer
Path: i2pn2.org!i2pn.org!newsfeed.endofthelinebbs.com!news.hispagatos.org!eternal-september.org!feeder2.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: 864-117-...@kylheku.com (Kaz Kylheku)
Newsgroups: comp.unix.programmer
Subject: Re: Question re: TIOCSTI
Date: Wed, 1 Nov 2023 18:02:03 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 22
Message-ID: <20231101103624.923@kylheku.com>
References: <uhtsic$2uflq$1@news.xmission.com>
Injection-Date: Wed, 1 Nov 2023 18:02:03 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="be80218a5423c940e36ffd696f5a5a5e";
logging-data="1825209"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+GHIy+gR+bxcyZyNlK2Epp4q72jV91G9g="
User-Agent: slrn/pre1.0.4-9 (Linux)
Cancel-Lock: sha1:DqtvfDBH8Swg6bt1p3kX/yyUqEE=
 by: Kaz Kylheku - Wed, 1 Nov 2023 18:02 UTC

On 2023-11-01, Kenny McCormack <gazelle@shell.xmission.com> wrote:
> Consider the following (C) code:
>
> char c = 'A';
> if (ioctl(0,TIOCSTI,&c)) perror("ioctl");
>
> This works fine if the tty open on fd 0 is the current tty or if the
> effective uid is 0.

Even under those conditions, it is a security hole.

Programs from different security domains share the same terminal.

For instance superuser can "su" to Mallory's account and run some
program as that user, then exit. What if that program pushes the
characters "rm -rf /bin\n" into the TTY.

--
TXR Programming Language: http://nongnu.org/txr
Cygnal: Cygwin Native Application Library: http://kylheku.com/cygnal
Mastodon: @Kazinator@mstdn.ca
NOTE: If you use Google Groups, I don't see you, unless you're whitelisted.

1
server_pubkey.txt

rocksolid light 0.9.8
clearnet tor