Back around 1989, Ken Stauffer and I found a kernel security hole in SunOS (the "open 3" bug) and used it along with TIOCSTI.
That bug was fixed at least twice: we reported it and it was fixed in SunOS, then when *BSD code became available I found it was still unfixed and fixed it myself, and I believe other systems have found it much later and fixed it themselves. However even after that bug was fixed, there's always been the risk that a program manages to retain tty association beyond it's intended lifetime, and then it can perform injections with TIOCSTI. So I've always wanted to get rid of TIOCSTI. I consider it the most dangerous tty ioctl. In base, the main consumers are csh file completion, and mail ~h header editing. Anton has fixed those, by writing a new tenex-style parser and causing those programs run in CBREAK mode instead. There are indications that a few ports use TIOCSTI. The list is pretty small, and I have not reviewed whether the use of TIOCSTI actually occurs during runtime on OpenBSD: x11vnc tcsh ucblogo brltty epic4 trn libsanitizer jvim2.0r+onew2.2.10-wnn4 emacs qemu ngspice I hope those programs get fixed quickly, because the following diff will be commited soon to disable TIOCSTI. This diff is in snapshots. The proposal is to return EIO at first, and later on see if we can remove the #define. Index: kern_pledge.c =================================================================== RCS file: /cvs/src/sys/kern/kern_pledge.c,v retrieving revision 1.215 diff -u -p -u -r1.215 kern_pledge.c --- kern_pledge.c 21 Jun 2017 17:13:20 -0000 1.215 +++ kern_pledge.c 21 Jun 2017 17:16:15 -0000 @@ -1273,11 +1273,6 @@ pledge_ioctl(struct proc *p, long com, s break; return (0); #endif /* NPTY > 0 */ - case TIOCSTI: /* ksh? csh? */ - if ((p->p_p->ps_pledge & PLEDGE_PROC) && - fp->f_type == DTYPE_VNODE && (vp->v_flag & VISTTY)) - return (0); - break; case TIOCSPGRP: if ((p->p_p->ps_pledge & PLEDGE_PROC) == 0) break; Index: tty.c =================================================================== RCS file: /cvs/src/sys/kern/tty.c,v retrieving revision 1.133 diff -u -p -u -r1.133 tty.c --- tty.c 21 Jan 2017 05:42:03 -0000 1.133 +++ tty.c 19 Jun 2017 21:12:57 -0000 @@ -733,7 +733,6 @@ ttioctl(struct tty *tp, u_long cmd, cadd case TIOCSETAW: case TIOCSPGRP: case TIOCSTAT: - case TIOCSTI: case TIOCSWINSZ: while (isbackground(pr, tp) && (pr->ps_flags & PS_PPWAIT) == 0 && @@ -962,11 +961,7 @@ ttioctl(struct tty *tp, u_long cmd, cadd splx(s); break; case TIOCSTI: /* simulate terminal input */ - if (p->p_ucred->cr_uid && (flag & FREAD) == 0) - return (EPERM); - if (p->p_ucred->cr_uid && !isctty(pr, tp)) - return (EACCES); - (*linesw[tp->t_line].l_rint)(*(u_char *)data, tp); + return (EIO); break; case TIOCSTOP: /* stop output, like ^S */ s = spltty();