tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Proposal: Add option to add dates to write(1)

On Sat, 19 May 2012 20:39:14 +0200
Julian Djamil Fagir <> wrote:

> > But this thread made me wonder if there are people who think that
> > there's a need for an eventual write(1) replacement that would be more
> > secure, and could handle this particular need gracefully.  The first
> > question being: is this worth it? :)
> what are the security issues of write(1)? You want to have `mesg no` for all
> terminals, such that nobody could use write anymore except for root?
> (I didn't look at the guts of tty, only at write(1) sourcecode)

The two issues that were mentioned were needing a setgid binary and
that it's possible for the messages to be spoofed (claiming to orginate
from another user, with forged timestamps).  Of course, that might not
matter depending on your usage of the facility (and it never was a
problem for me either, not using it much)...

> I would not consider a special daemon a solution for this issue. One of the
> great advantages of write(1) is its simplicity. You need nothing running,
> even with a totally broken system you should be able to write(1) other users.
> An administrator deactivating that daemon would be more common than an
> administrator really caring for deactivating things to make write unusable.

You are right that it then wouldn't work without the daemon running,
unless it was designed to fallback to direct tty writing if the daemon
was missing, and write(1) remained setgid.

Home | Main Index | Thread Index | Old Index