KDE2 uses a utility called "konsole_grantpty". This is an suid program. Its job
is to chown the master side (/dev/pty??) of the pty pair for konsole, which is
KDE's "xterm" sort of thing. By isolating this action in a child, konsole
itself does not require suid. konsole_grantpty does its job by performing the
actions called for on ttyname(3) (that is, it is passed a file descriptor
on fd 3 of the device it needs to fiddle).
The problem is that ttyname() fails on all /dev/pty?? devices. This is because
the first thing ttyname does is perform a tcgetattr() to see if it's really a
terminal or not. This fails.
So something has to give. Either konsole_grantpty has to find some other way
of turning a file descriptor into a /dev entry in a way that can't be exploited
by someone else redirecting stuff into it, or ttyname() has to be made a bit
more lax, or ptys have to look like ttys to ttyname().
Anyone have any ideas?
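
One way to approach the first option raised above, as an added example that is not part of the original message or of KDE's code: identify the device from the descriptor with fstat() and match it against /dev entries by device number, so no tcgetattr() call is involved. The function name fd_to_dev_path and its prefix parameter are hypothetical; it assumes /dev is writable only by root.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper: find the /dev entry whose name starts with `prefix`
 * and is the same character device as `fd`. Returns 0 and fills `out`
 * on success, -1 if `fd` is not a character device or nothing matches. */
int fd_to_dev_path(int fd, const char *prefix, char *out, size_t outlen)
{
    struct stat fdsb, sb;
    struct dirent *de;
    DIR *dir;
    int found = -1;

    /* Identity comes from the descriptor itself, never from a name the caller supplies. */
    if (fstat(fd, &fdsb) != 0 || !S_ISCHR(fdsb.st_mode))
        return -1;
    if ((dir = opendir("/dev")) == NULL)
        return -1;
    while (found != 0 && (de = readdir(dir)) != NULL) {
        /* Only consider the names the helper is meant to touch, e.g. "pty". */
        if (strncmp(de->d_name, prefix, strlen(prefix)) != 0)
            continue;
        if ((size_t)snprintf(out, outlen, "/dev/%s", de->d_name) >= outlen)
            continue;
        /* lstat(): a symlink in /dev is rejected rather than followed. */
        if (lstat(out, &sb) != 0 || !S_ISCHR(sb.st_mode))
            continue;
        if (sb.st_rdev == fdsb.st_rdev)
            found = 0;
    }
    closedir(dir);
    return found;
}

int main(void)
{
    char path[64];
    /* fd 3 is the descriptor konsole hands over, as described in the post. */
    if (fd_to_dev_path(3, "pty", path, sizeof path) != 0) {
        fprintf(stderr, "fd 3 is not a /dev/pty* device\n");
        return 1;
    }
    printf("%s\n", path);
    return 0;
}
```

A setuid caller would still want to fstat() the descriptor again after the chown and confirm the device number is unchanged before trusting the result.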