Date: Tue, 18 Apr 2017 08:49:10 -0700 From: Kees Cook <keescook@...omium.org> To: Alan Cox <gnomes@...rguk.ukuu.org.uk> Cc: Greg KH <gregkh@...uxfoundation.org>, Matt Brown <matt@...tt.com>, James Morris <jmorris@...ei.org>, Andrew Morton <akpm@...ux-foundation.org>, linux-security-module <linux-security-module@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com> Subject: Re: Re: [PATCH 1/4] added SECURITY_TIOCSTI_RESTRICT kernel config On Tue, Apr 18, 2017 at 6:40 AM, Alan Cox <gnomes@...rguk.ukuu.org.uk> wrote: >> Since tty sessions are usually separated by different users, how would >> they have the same one and yet need something like this? >> >> Also, why not put this in the tty config section? > > The normal attack use case people argue about is a rogue process on the > users machine sitting there waiting until the user has logged in to a > remote machine and is idle and then doing stuff. It's still a threat, though, and adding this with default n to allow the more paranoid builders a chance to mitigate it seems reasonable to me. > Attackers of course don't bother doing that because it's easier to get > the user to run a different ssh client instead. Attackers will always take the easiest route, so we have to keep killing the low hanging fruit. -Kees -- Kees Cook Pixel Security
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.