Unix v4 (1973) – Live Terminal

Posted by pjmlp 2 days ago

Unix v4 (1973) – Live Terminal(unixv4.dev)

173 points | 79 comments

dansquizsoft 2 days ago|

Hey! So I'm actually the builder of UNIXV4.dev (via my company Squiz Software Pty Ltd).

I went to bed last night with a couple of people poking around… woke up to a whole lot more. Appreciate the load test!!

I’ve fixed the rate-limit issues people were hitting. There’s still a global cap of 100 concurrent sessions + per-user limits to keep things stable during spikes.

I’ve also added an “Attributions & Acknowledgements” section.

The backstory is wild: UNIX v4 being recovered from a ~1973 tape at the University of Utah after being effectively “lost” for decades. Reading about the recovery and then poking around in it under SIMH on my PC is what pushed me to wrap it up as a public, browser-based terminal that other people could take a look at - and hopefully get as much out of it as I did.

Have fun exploring it all (especially all the primitive bits — remember: use "chdir" instead of "cd", and "#" is backspace).

- Daniel

mmastrac 2 days ago||

If whoever wrote this wants to add an authentic (and somewhat period correct) terminal front-end, I wrote a VT420 hardware emulator that works in the browser and we can wire them together!

https://mmastrac.github.io/blaze/

(the API is undocumented but stupidly simple: an async js_read() function and a sync js_write() function)

dboreham 2 days ago|

You'll want VT-52 for this era.

fl7305 2 days ago|||

More like the VT-05. The VT-52 came a few years later. But yeah, the VT-420 is way later.

Fun fact: The VT-52 didn't have a loudspeaker for the bell sound. Instead, it had a electromechanical relay which was set up to self-oscillate.

"Typing a character produced a noise by activating a relay. The relay was also used as a buzzer to sound the bell character, producing a sound that "has been compared to the sound of a '52 Chevy stripping its gears."

Telemakhos 2 days ago||

YouTube has the sound: https://www.youtube.com/watch?v=bAafRXddfxc

fl7305 2 days ago||

Thanks, I remember it being much louder when I used it in the 80's. Made me jump out of the chair the first time I heard it.

larsbrinkhoff 1 day ago|||

I wrote a VT52 hardware simulation: https://github.com/larsbrinkhoff/terminal-simulator

Deeg9rie9usi 2 days ago||

Reading the source unearths interesting things: https://sigma-star.at/blog/2025/12/unix-v4-buffer-overflow/

mmooss 2 days ago||

> the knowledge that a buffer overflow could be exploited for arbitrary code execution had not yet come of age.

Meaning, people hadn't figured that out, or it wasn't a commonplace technique? They must have seen buffer overflows crash running software; it doesn't take much imagination to think about the next steps.

dboreham 2 days ago|||

Most computers did not exist in an adversarial environment at the time.

Perhaps the most "adversarial" context would be: undergraduate timeshare use. So the mainframes of the day, which would be the typical platform for undergrad programming (if timeshare was even offered to undergrads in 1973) might be expected to be somewhat hardened to attacks of various kinds since undergrads trying to hack their grade higher, get more CPU time, etc, was a known thing.

But Unix machines, and minicomputers in general, were not used for undergrad purposes. They were only available to be used by PhD candidates and other higher order beings. Those dudes had the root password anyway, so no need to harden the machine against their potential attacks. There was no networking to speak of, so no malicious traffic to worry about. The first worm didn't appear until the late 1980s.

So if you had talked to a Unix sysadmin in 1973 (all...1 of them) they probably would understand the general concept of someone running a program that crapped onto kernel memory with the result they could have root privileges, but there would have been no plausible adversary around with any reason to mount that attack. Plus every cycle and every byte counted, so there would have been many more fish to fry before worrying about buffer overflow problems.

II2II 2 days ago|||

> since undergrads trying to hack their grade higher

Would student records even be stored on an unix system at the time? I am under the impression that Unix was very much a research operating system in the 1970's (either the subject of or a tool for). Administrative functions were more likely to be conducted with an IBM mainframe. (At least that is how it was when I arrived at university a couple of decades later, which I always took to be a legacy thing.)

leoc 2 days ago||

Quite certainly not on v4 Unix, which apparently had few other sites and would not have been in the running for use as a serious university timesharing system. However Gates and Allen had already been among the secondary-school students who modified timesharing records to give themselves more time on a PDP-10 system https://web.archive.org/web/20191013171424/http://www.washin... .

pjmlp 1 day ago|||

One of the design scenarios of Multics was being resistant to attacks, and why it got an higher security assessment score than UNIX by the DoD.

Not in 1973, but still during the 1970's.

em500 2 days ago||||

This is Unix V4 from 1973. The total number of installations world wide was around 20, all inside Bell Labs. There was no networking support at all, so security was mostly physical, i.e., office building security (though you could dial in with a modem). Multi-user support was a bunch of serial-line terminals. Pretty much everyone knew everyone else who was on the system.

rst 1 day ago||

They were already mailing distribution tapes -- the software being run here was extracted off one of them (which had literally been lost in a store room for decades).

leoc 2 days ago||||

I'm not an expert, but a quick look at https://en.wikipedia.org/wiki/Buffer_overflow#History suggests that some people, at least, had figured it out by 1972 https://apps.dtic.mil/sti/citations/AD0772806 :

> By supplying addresses outside of the space allocated to the users program, it is often possible to get the monitor to obtain unauthorized data for that user, or at the very least, generate a set of conditions in the monitor that causes a system crash.

> In one contemporary operating system, one of the functions provided is to move limited amounts of information between system and user space. The code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine.

(Volume 1 is at https://apps.dtic.mil/sti/citations/AD0758206 .) However general awareness of the security implications seems to have been very limited before the Morris worm, and then even for several years after that. Even in late 1996 an article which in its own words "attempt[ed] to explain what buffer overflows are, and how their exploits work" could still be published in Phrack magazine, and in fact even be quite a milestone https://en.wikipedia.org/wiki/Buffer_overflow#History . Some people had definitely been thinking about hardware bounds checking for a long time by then https://homes.cs.washington.edu/~levy/capabook/ but I don't know how much they'd specifically considered just this kind of security threat.

doublerabbit 2 days ago|||

My Educated guess, both.

Malicious attempts at exploiting would require physical access.

This was 1970's running on a PDP hardware. These were not normally connected to the internet so the attack vector of attacking would be have literal.

Any bugs would probably been of been fixed prior to and isn't this the first alpha of unix? So probably patched later in versions.

mananaysiempre 2 days ago||

I kept expecting an exploit :) Something to poke at on a slow evening, I guess, though with the buffer in static memory it might be difficult.

rst 1 day ago|||

Well-known vulns are all over this code. For example, mkdir had a TOCTTOU which persisted into v7 (and I believe 2BSD); it was implemented as a setuid binary which did a mknod followed by a chown to create the directory. Code which invoked mkdir could set up a race replacing the root-owned directory, before the chown, with a link to something else -- which would then get chowned to the user running mkdir. The target had to be on the same filesystem as some writable directory, but on many installations of the day, a mkdir in /tmp followed by this race was good enough to get you ownership of /etc/passwd.

This was finally cleaned up in 4.2bsd, when mkdir was made a single syscall which was guaranteed to alter only the particular inode it allocated.

Deeg9rie9usi 2 days ago|||

Exploiting this is close to trivial because the adjacent buffer contains the pw entry. So, you can control what the input is compared with. That way the password check can be bypassed without injecting code.

mananaysiempre 2 days ago||

Good point, thanks! The crypt() of the input, not the input itself, but guessing at the (PDP-11 assembly :/ ) code for crypt() a bit, it looks like it stops after 64 characters if it can’t find a null terminator before that, so

  0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345678901234567890123456789012345root:p3Y0ydAx:

should work as an exploit, and indeed it does. (Arbitrary 64-character password, then 36 bytes to pad to the end of the 100-byte buffer, then the part of root’s /etc/passwd entry for said password until at least the second colon.)

dveeden2 2 days ago||

Things that I noticed are not yet there in this version: /proc, uptime, uname

Things that are working: `cal 2026`, coredumps

Things that might be broken or aren't working as expected: ps (only returns "No mem")

And utmp is in /tmp?

And no /usr/sbin or /sbin? And nothing in /usr/local?

The messages from `write root` are only in uppercase.

gdgghhhhh 2 days ago|

/proc is a Linux thing.

dveeden2 2 days ago||

/proc is only copied (and extended) by Linux. It was introduced in UNIX V8. It is also in Solaris and FreeBSD.

anthk 2 days ago|||

Unix v8 it's basically pre-plan9.

gdgghhhhh 2 days ago|||

Oh. I was not aware of that

Aperocky 2 days ago||

I wonder how hard is it to do the entire thing in browser/js. It seems hugged to death right now due to backend connections.

PunchyHamster 2 days ago|

people ran linux and win 95 in browser, would be fine

publicdebates 2 days ago||

    Session Error
    Rate limit exceeded: 10 per 1 minute

hnthrowaway0315 2 days ago|

I managed to get in after a few tries. But then I got a timeout. I think I'm going to wait until the HN deathhug is over :D

dim13 2 days ago||

Glad to have played with it a bit before it got Slashdotted. ;)

nineteen999 2 days ago||

I spent about a week insulting Claude to get port it to x86_64. It's running nicely in QEMU. We're also trying to get the C compiler in there working as well.

xorvoid 2 days ago||

I'm amused at how circular this is. Unix v4 is first OS written in C, now running on top of an unbelievable amount of C (and C++). Classic circular computer science delight.

omoikane 2 days ago|

I am glad it already has `ed`, the standard text editor.

But it's lacking some features available in newer versions of ed, such as using 'n' to print line numbers.

More comments...