From owner-freebsd-security Fri Sep 15 13:25:00 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id NAA02308 for security-outgoing; Fri, 15 Sep 1995 13:25:00 -0700
Received: from aslan.cdrom.com (aslan.cdrom.com [192.216.223.142]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id NAA02303 ; Fri, 15 Sep 1995 13:24:56 -0700
Received: from localhost.cdrom.com (localhost.cdrom.com [127.0.0.1]) by aslan.cdrom.com (8.6.12/8.6.9) with SMTP id NAA24367; Fri, 15 Sep 1995 13:24:35 -0700
Message-Id: <199509152024.NAA24367@aslan.cdrom.com>
X-Authentication-Warning: aslan.cdrom.com: Host localhost.cdrom.com didn't use HELO protocol
To: Nate Williams
cc: security@Freebsd.org, core@Freebsd.org
Subject: Re: forwarded message from Grant Haidinyak
In-reply-to: Your message of "Fri, 15 Sep 1995 14:18:06 MDT." <199509152018.OAA17249@rocky.sri.MT.net>
Date: Fri, 15 Sep 1995 13:24:35 -0700
From: "Justin T. Gibbs"
Sender: owner-security@Freebsd.org
Precedence: bulk

I've complained about this behavior many times before, but no one even
acknowledged it as a bug. :(.  I've always seen it by accidentally killing
an xterm running a make world in an su'd shell.  When I pop up another
xterm as user gibbs, I see the output from the make world still... and
get some kind of funky mixture of the new shell and old shell responding
to my input.

>------- start of forwarded message (RFC 934 encapsulation) -------
>[ Quick background.  Grant has been experiencing a bug whereby folks are
>re-connected to login which were abruptly dis-connected from a machine.
>This is a *HUGE* security hole if it is indeed true. ]
>
>From: Grant Haidinyak
>To: "Nate Williams"
>Cc: grant@iwv.com
>Subject: Re: PTY's reused to quickly
>Date: Fri, 15 Sep 1995 11:32:43 -0700
>
>Nate,
>
>Actually, this is one of the early bugs with BSD 4.2.  I didn't want to
>post an article with a subject "HUGE Security Hole in FreeBSD, Watch
>Out!!!!!!".  This tends to attract too much attention.
>
>Anywho, here's my environment, and the symptoms I'm seeing.
>
>1) A box running FreeBSD 2.0.5 Release (off the cdrom).  This box is
>   named "cow"
>   a 16 port Boca serial card/box.
>   10 Development computers hooked up to the Boca board.
>
>2) People rlogin into cow, then tip into one of the development
>   systems, do their work, then when they finish, they type ~. to
>   exit from the tip session.  Unfortunately, these characters are
>   intercepted by the rlogin, which drops the login session before
>   the tip session is killed.  Then when someone else rlogins, it
>   seems like the old pty is selected, instead of a new one, because
>   the output of the new session and the old session are
>   intermingled and the input seems to alternate between the two
>   sessions.
>
>My speculation is that when the rlogin session goes away, it doesn't
>clean up the session correctly, which causes the pty to stay active,
>then when a new pty needs to be picked for a new rlogin session, the
>login task (rlogind) picks the next pty in the line, not knowing
>that the session wasn't cleaned up completely.
>
>If you want any more information, let me know.
>
>
>grant
>------- end -------

--
Justin T. Gibbs
===========================================
Software Developer - Walnut Creek CDROM
FreeBSD: Turning PCs into workstations
===========================================
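
The symptom both reports describe (an old and a new session sharing one pty), reproduced locally as an added example; it is not code from this thread or from rlogind. It assumes a POSIX system with pseudo-terminals, and the function name and sample strings are constructed for illustration.

```python
import os
import tty


def stale_pty_demo():
    """Show what a leftover descriptor on a reused pty does to a new session."""
    master, old_slave = os.openpty()   # master = daemon side, old_slave = first session
    tty.setraw(old_slave)              # no echo or newline rewriting: bytes pass unchanged
    path = os.ttyname(old_slave)       # name of the slave device

    # Constructed scenario: the first session was never torn down, so old_slave
    # is still open when a second login is handed the same slave device.
    new_slave = os.open(path, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)

    # Output side: both sessions write to the one terminal the new user watches.
    old_out, new_out = b"[old] make world ...\n", b"[new] $ \n"
    os.write(old_slave, old_out)
    os.write(new_slave, new_out)
    screen = b""
    while len(screen) < len(old_out) + len(new_out):
        screen += os.read(master, 1024)

    # Input side: keystrokes land in one queue, and the first reader takes them.
    typed = b"ls -l\n"
    os.write(master, typed)
    taken_by_old = b""
    while len(taken_by_old) < len(typed):
        taken_by_old += os.read(old_slave, 1024)
    try:
        left_for_new = os.read(new_slave, 1024)
    except BlockingIOError:            # queue already drained by the old session
        left_for_new = b""

    for fd in (new_slave, old_slave, master):
        os.close(fd)
    return screen, taken_by_old, left_for_new


if __name__ == "__main__":
    print(stale_pty_demo())
```

A pty hand-off is only safe when no descriptor from the previous session survives it; BSD systems provide revoke(2) to invalidate such descriptors.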