>Number:         2891
>Category:       lib
>Synopsis:       openpty behaves badly when used more than once in a program
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people (Library Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Oct 24 12:05:01 1996
>Last-Modified:
>Originator:     Jarle F. Greipsland
>Organization:
	
>Release:        <NetBSD-current source date>NetBSD-current October 23.
>Environment:
	
System: NetBSD dvask.pvv.ntnu.no 1.1B NetBSD 1.1B (DVSK) #1: Sun May 5 20:41:15 MET DST 1996 arnej@dvask.pvv.unit.no:/usr/src/sys/arch/vax/compile/DVSK vax


>Description:
In libutil, the function openpty() tries to find the first available 
master pty, and then open the corresponding slave tty.  The first time through
this function this works OK.  However, the second time it's
called from within a program, the static char[] variable holding the 
tty name string still holds a name corresponding to a slave tty, and openpty
then searches through the slave ttys until it finds one that it is allowed
to open.  This may be a free one, *or* it may be a slave tty already open by the
same uid.  It then tries to chown, chmod and *revoke* the rights on this tty
which may have prove disasterous for the program using this tty (xterms 
shutting down etc.)  Even if the slave tty happened to be free, this will
still not work, as no master pty has been opened.
	
>How-To-Repeat:
	
#include <util.h>

int main()
{
	int a,b;
	openpty(&a,&b,0,0,0);
	openpty(&a,&b,0,0,0);
}
This program will/may revoke the rights on a pseudo tty that your uid has
already opened.
>Fix:
	
*** /usr/src/lib/libutil/pty.c	Thu May 16 19:31:35 1996
--- pty.c	Thu Oct 24 20:25:54 1996
***************
*** 76,80 ****
  	else
  		ttygid = -1;
! 
  	for (cp1 = TTY_LETTERS; *cp1; cp1++) {
  		line[8] = *cp1;
--- 76,80 ----
  	else
  		ttygid = -1;
! 	line[5] = 'p';
  	for (cp1 = TTY_LETTERS; *cp1; cp1++) {
  		line[8] = *cp1;
>Audit-Trail:
>Unformatted: