Date: Wed, 17 May 2017 17:41:13 +0100
From: Alan Cox <gnomes@...rguk.ukuu.org.uk>
To: Kees Cook <keescook@...omium.org>
Cc: Matt Brown <matt@...tt.com>, Peter Dolding <oiaohm@...il.com>, "Serge E. Hallyn" <serge@...lyn.com>, Greg KH <gregkh@...uxfoundation.org>, Jiri Slaby <jslaby@...e.com>, Andrew Morton <akpm@...ux-foundation.org>, Jann Horn <jannh@...gle.com>, James Morris <jmorris@...ei.org>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, linux-security-module <linux-security-module@...r.kernel.org>, linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v6 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

> If we're adjusting applications, they should be made to avoid TIOCSTI
> completely. This looks to me a lot like the symlink restrictions: yes,
> userspace should be fixed to do the right thing, but why not
> provide support to userspace to avoid the problem entirely?

We do, it's called pty/tty. There isn't any other way to do this correctly because TIOCSTI is just one of hundreds of things the attacker can do to make your life miserable in the case you create a child process of lower security privilege and give it your tty file handle or worse (like some container crapware) your X11 socket fd.

Does it really matter any more or less if I reprogram your enter key, use TIOCSTI, set the baud rate, change all your fonts?

The mainstream tools like sudo get this right (*). Blocking TIOCSTI fixes nothing and breaks apps. If it magically fixed the problem it might make sense but it doesn't. You actually have to get an adult to write the relevant code.

Alan

(*) Almost. There's an old world trick of sending "+++" "ATE1" "rm -rf *\r\n" to try and attack improperly configured remote modem sessions but the stuff that matters is handled.
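The pty approach the message refers to, as an added example that is not part of the original e-mail or of any project named in it: the launcher runs the child in a new session on a freshly allocated pty, so terminal ioctls the child issues act on that pty and not on the launcher's terminal. The names `run_on_private_pty`, `probe_child_terminal` and `PROBE` are hypothetical, and the probe command is constructed for the demonstration.

```python
import os
import pty
import sys

def run_on_private_pty(argv):
    """Run argv in a new session on a freshly allocated pty.

    Returns (exit_status, output_bytes).
    """
    pid, master = pty.fork()   # child: new session, pty slave on fds 0-2
    if pid == 0:
        try:
            os.closerange(3, 4096)      # drop every other inherited fd
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)               # only reached if exec failed
    chunks = []
    while True:
        try:
            data = os.read(master, 4096)
        except OSError:                 # Linux reports EIO once the slave closes
            break
        if not data:                    # other systems report EOF instead
            break
        chunks.append(data)
    os.close(master)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)
    return code, b"".join(chunks)

# Constructed probe: the child reports its terminal and whether it leads its own session.
PROBE = "import os; print(os.ttyname(0)); print(os.getsid(0) == os.getpid())"

def probe_child_terminal():
    """Return (exit_status, child_tty_name, child_is_session_leader)."""
    status, out = run_on_private_pty([sys.executable, "-c", PROBE])
    fields = out.decode().split()
    return status, fields[-2], fields[-1] == "True"

if __name__ == "__main__":
    print(probe_child_terminal())
```

This version only collects the child's output; an interactive launcher also has to relay keystrokes from its own terminal into the pty master.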