Hi all.

Mac OS X 10.3.x and earlier doesn't provide any mechanism for non-setuid-root programs to change permissions on ptys. Hence xterms, screen sessions, and Terminal.app windows (with explicitly specified commands) are vulnerable to tty sniffing. Note that using Terminal.app's standard terminal with /usr/bin/login is safe since login is setuid root.

An example:

    arctic:~> screen
    ... new screen session starts ...
    arctic:~> ls -l $TTY
    crw-rw-rw-  1 root  wheel    4,   2  1 May 16:44 /dev/ttyp2

This problem is fixed in 10.4, the devfs appears to be setting permissions on openpty() or something (I haven't looked at the mechanism yet).

Apple were notified of the problem on 20 July 2004.

It's good to see that 10.4 has optional encrypted swap, resolving the separate issue of passwords being swapped to disk (fixing it for 3rd party apps as well).

Matt
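Added example, not part of the original post: a small audit that checks a terminal device for the condition shown in the listing above (a pty left owned by root with mode crw-rw-rw-). The finding codes, the sample tuples and uid 501 are constructed for this illustration.

```python
import os
import stat
import sys

# Finding codes and explanations are names chosen for this example.
EXPLAIN = {
    "foreign-owner": "not owned by the session user, who cannot chmod it",
    "world-readable": "any local user can open the terminal for reading",
    "world-writable": "any local user can write to the terminal",
    "group-readable": "members of the device's group can read the terminal",
}

def tty_findings(mode, owner_uid, session_uid):
    """Classify a terminal device from its st_mode and st_uid."""
    if not stat.S_ISCHR(mode):
        return ["not-a-char-device"]
    findings = []
    if owner_uid != session_uid:
        findings.append("foreign-owner")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    return findings

def audit_tty(path, session_uid=None):
    """Stat a terminal device and check it against the session user."""
    st = os.stat(path)
    uid = os.getuid() if session_uid is None else session_uid
    return tty_findings(st.st_mode, st.st_uid, uid)

# Constructed samples as (mode, owner uid). EXPOSED mirrors the listing in
# the post (crw-rw-rw-, root); PRIVATE is a pty owned by the session user.
EXPOSED = (stat.S_IFCHR | 0o666, 0)
PRIVATE = (stat.S_IFCHR | 0o620, 501)

if __name__ == "__main__":
    if sys.stdin.isatty():
        path = os.ttyname(sys.stdin.fileno())
        found = audit_tty(path)
        print(path, "OK" if not found else "EXPOSED")
        for code in found:
            print("  %s: %s" % (code, EXPLAIN.get(code, code)))
    else:
        print("stdin is not a terminal; nothing to audit")
```

Run from inside the session to be checked (for example inside screen or an xterm), it audits the terminal attached to stdin.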