Setuid helpers for pty allocation and utmp handling

Under Linux 2.0, pty allocation and utmp handling require special privilege, and programs that want to perform these tasks are usually made setuid. Consequently, lots of code is run with unnecessary privilege and is a potential source of security holes. A solution is to separate out the code which needs privilege from the code that doesn't, and put it into a setuid helper program.
ptmx-fake
This package emulates the ptmx device, and supplies grantpt(), unlockpt() and ptsname() library calls. A program using these functions can do pty allocation without being setuid.
pututmp
This package contains a utmp updating program, and comes with a replacement for pututline().
xterm.patch
This patch enables xterm to use the ptmx and utmp helpers, so xterm no longer needs to be setuid.
script.patch
This patch enables script to use the ptmx helper. (Previously, it was insecure.)

PTMX-FAKE

/dev/ptmx cannot be correctly implemented on Linux 2.0, but it is possible to get close enough to be convincing.

Rather than having a real multiplexor device, the application actually opens a copy of /dev/null. When grantpt, unlockpt or ptsname are called, a check is done to see if the file descriptor is a pty master, and if it isn't, the fake device is closed, a real pty master device is opened, and dup2 is used to give the real pty device the same file descriptor as the fake multiplexor.

The effect is to delay opening the pty master until the grantpt is called. Applications which open the ptmx multiplexor, fork, then call grantpt(), will fail because the parent and child will be allocated different ptys.
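The lazy promotion described above, written out as an added C example for this page (it is not code from the ptmx-fake package). It assumes /dev/null itself serves as the fake multiplexor, uses the Linux 2.0 BSD pty device majors given in the installation notes (2 for masters /dev/ptyXY, 3 for slaves /dev/ttyXY), and leaves out the privileged ownership change on the slave that a real grantpt() helper performs:

```c
/* ptmx-fake sketch: lazy pty-master allocation behind a /dev/null stand-in. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

#define PTY_MASTER_MAJOR 2     /* BSD masters /dev/ptyXY; slaves /dev/ttyXY are major 3, same minor */
#define FAKE_PTMX "/dev/null"  /* assumption: /dev/null itself is the fake multiplexor */
static const char PTY_LETTERS[] = "pqrstuvwxyzabcde", PTY_HEX[] = "0123456789abcdef";

/* Real pty master?  Checked by device major, so the old compat driver (major 4) is rejected. */
int is_pty_master(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 && S_ISCHR(st.st_mode) && major(st.st_rdev) == PTY_MASTER_MAJOR;
}
/* Slave path from the master's minor: minor = 16 * letter_index + hex_digit. */
const char *pty_slave_name(unsigned minor, char *buf, size_t n) {
    if (minor > 255) return NULL;
    snprintf(buf, n, "/dev/tty%c%c", PTY_LETTERS[minor / 16], PTY_HEX[minor % 16]);
    return buf;
}
/* Unprivileged stand-in for open("/dev/ptmx", O_RDWR). */
int open_fake_ptmx(void) { return open(FAKE_PTMX, O_RDWR); }

/* grantpt() emulation: on first use, swap the fake device for a real master with dup2 so the
 * caller keeps its descriptor number.  The privileged slave chown a real helper does is omitted. */
int fake_grantpt(int fd) {
    char path[sizeof "/dev/ptyXX"];
    if (is_pty_master(fd)) return 0;           /* already promoted by an earlier call */
    for (unsigned m = 0; m < 256; m++) {
        snprintf(path, sizeof path, "/dev/pty%c%c", PTY_LETTERS[m / 16], PTY_HEX[m % 16]);
        int master = open(path, O_RDWR);
        if (master < 0) continue;              /* node missing or master busy: try the next */
        int ok = is_pty_master(master) && dup2(master, fd) == fd;  /* dup2 closes the fake */
        close(master);
        if (ok) return 0;
    }
    errno = EAGAIN;                            /* no free major-2 master on this system */
    return -1;
}
int fake_unlockpt(int fd) { return fake_grantpt(fd); }

/* ptsname() emulation: derive the slave path from the (now real) master's minor. */
const char *fake_ptsname(int fd, char *buf, size_t n) {
    struct stat st;
    if (fake_grantpt(fd) != 0 || fstat(fd, &st) != 0) return NULL;
    return pty_slave_name(minor(st.st_rdev), buf, n);
}
```

On a system without BSD-style pty nodes, fake_grantpt() fails with EAGAIN and the descriptor stays a /dev/null handle, which is the failure mode the fork-before-grantpt caveat above also leads to.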

Installation notes

Do not be tempted to rename the fake multiplexor device to /dev/ptmx or you'll have problems when you upgrade to Linux 2.1 and want a real /dev/ptmx. You should only install this program if you are running Linux 2.0. Some old systems will have /dev/[pt]ty* using the old pty compatibility drivers (major 4, minor >=128). You should delete these devices and create new pty devices (majors 2 and 3) using MAKEDEV.

PUTUTMP

pututmp is a setuid helper that is used by the pututline() replacement. It checks to see if the arguments it is given are valid (right owner, right id, right pid, etc.), and updates utmp appropriately. No checking is done on the hostname or IP address.

Installation notes

This program assumes a libc5-style utmp. Although the program does work with glibc2, I don't recommend using it. Don't use this program with programs that call utmpname() unless you are sure that they only call pututline to update the real utmp file.

XTERM

There are bugs in the X libraries which can be exploited via xterm to get superuser privilege. This patch against X11R6.3 allows you to safely remove the setuid bit from xterm. I haven't found a way to do wtmp logging in such a way that the integrity of the wtmp log can be assured, so I haven't supplied a setuid helper for wtmp. (utmp is not a log file, so it is less important that the data is correct.)

Installation notes

You may find that your patched xterm is overwritten when you upgrade X using your Linux distribution management tools. It's worth keeping a backup copy of the patched xterm for when this happens.

SCRIPT

The BSD script program uses insecure pty allocation. This patch allows script to allocate ptys securely. The patch also fixes some sloppy stdio handling and avoids a race condition in which the program would terminate if the reader for the pty master happened to start before the slave was opened. The patch is against script.c version 5.13. For later versions of script that use openpty (in libbsd.a), you should patch openpty instead.

Author

Peter Benie, Unix Support, Computing Service, University of Cambridge (UK)

Source

ptmx-fake.tar.gz
pututmp.tar.gz
patches.tar.gz

Peter Benie <pjb1008@cam.ac.uk>