Aduke.1876
net.followup
utcsrgv!utzoo!decvax!duke!bcw
Fri Mar 12 19:45:36 1982
Re: Terminal security
Subject: Terminal protocol handler

Several people have mailed some objections to the terminal protocol
handler mentioned in my last submission as a method for ensuring
terminal security.  It appears there may be some interest in this
subject for the network.

The major objection is that legitimate uses of sequences like "send
screen" or "Program function key" or the like are voided by this
scheme.  This is true on a simpleminded implementation of the handler
but there are workarounds:

   1)  It would of course be possible to simply ignore the problem
       because these functions are relatively infrequently used.

   2)  It is also possible to allow a mode (similar to raw mode for
       the current terminal driver) which allows such things to be
       transferred.  For normal writes, the offending sequences
       would be edited out as before;  moreover, only the user of
       the terminal would be able to set the terminal into this
       mode.  It is likely that for security reasons this should
       be implemented as an alternate version of write rather than
       as a true mode a la raw mode.

The second implementation would allow these things to be used as
desired, although with a slight amount of additional work on the
part of the programmer.  Note that there would still be possibilities
of subversion by running a program belonging to another user which,
since it is running in your context, would have full access to your
screen;  but this is really no worse than the security problems which
currently exist with running other people's programs.

It's true that this would be a certain amount of work (after all,
it's necessary in this scheme to be aware of what editing that this
handler applies to the output stream if you're trying to use these
features), but it looks to me as if it *does* ensure security, at
a very moderate cost in convenience.

                       Bruce C. Wright @ Duke University

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen <[email protected]>
of http://communication.ucsd.edu/A-News/


This Usenet Oldnews Archive
article may be copied and distributed freely, provided:

1. There is no money collected for the text(s) of the articles.

2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996
Bruce Jones, Henry Spencer, David Wiseman.

You are viewing proxied material from gopher.quux.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.