Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 15 May 2017 06:45:14 +0200
From: Nicolas Belouin <>
To:, Matt Brown <>
CC:,,,,,,,,, Alan Cox <>
Subject: Re: [PATCH v6 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

I haven't read your patch, but from its description, are you sure CAP_SYS_ADMIN is the right choice for such behavior ?
CAP_SYS_ADMIN is, from my point of view, a too broadly used capability.
I think CAP_SYS_TTY_CONFIG is a more appropriate capability for that particular purpose.

On May 13, 2017 9:52:58 PM GMT+02:00, Matt Brown <> wrote:
>On 05/10/2017 04:29 PM, Alan Cox wrote:
>> On Fri,  5 May 2017 19:20:16 -0400
>> Matt Brown <> wrote:
>>> This patchset introduces the tiocsti_restrict sysctl, whose default
>>> controlled via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated,
>>> control restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN
>>> This patch was inspired from GRKERNSEC_HARDEN_TTY.
>>> This patch would have prevented
>>> under the
>>> conditions:
>>> * non-privileged container
>>> * container run inside new user namespace
>>> Possible effects on userland:
>>> There could be a few user programs that would be effected by this
>>> change.
>>> See: <*TIOCSTI>
>>> notable programs are: agetty, csh, xemacs and tcsh
>>> However, I still believe that this change is worth it given that the
>>> Kconfig defaults to n.
>> And it still doesn't deal with the fact that there are hundreds of
>> ways to annoy the owner of a tty if it's passed to a lower privilege
>> child from framebuffer reprogramming through keyboard remaps.
>> The proper way to handle those cases is to create a pty/tty pair and
>> that. Your patch is pure snake oil and if anything implies safety
>> doesn't exist.
>I'm not implying that my patch is supposed to provide safety for
>"hundreds of other" issues. I'm looking to provide a way to lock down a
>single TTY ioctl that has caused real security issues to arise. For
>this reason, it's completely incorrect to say that this feature is
>snake oil. My patch does exactly what it claims to do. No more no less.
>> In addition your change to allow it to be used by root in the guest
>> completely invalidates any protection you have because I can push
>> "rm -rf /\n"
>> as root in my namespace and exit
>> The tty buffers are not flushed across the context change so the
>> you return to gets the input and oh dear....
>This is precisely what my patch prevents! With my protection enabled, a
>container will only be able to use the TIOCSTI ioctl on a tty if that
>container has CAP_SYS_ADMIN in the user namespace in which the tty was
>> Alan

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.