From: Horms <horms@debian.org>
To: Andrew Morton <akpm@osdl.org>
Cc: linux-kernel@vger.kernel.org, security@kernel.org,
	secure-testing-team@lists.alioth.debian.org,
	334113@bugs.debian.org, debian-ne@durchnull.de,
	mckinstry@debian.org, team@security.debian.org
Subject: Re: [Security] kernel allows loadkeys to be used by any user, allowing for local root compromise
Date: Tue, 18 Oct 2005 17:59:10 +0900
Message-ID: <20051018085909.GJ8830@verge.net.au>
In-Reply-To: <20051017235211.161e8604.akpm@osdl.org>

On Mon, Oct 17, 2005 at 11:52:11PM -0700, Andrew Morton wrote:
> Horms <horms@verge.net.au> wrote:
> >
> > drivers/char/vt_ioctl.c: vt_ioctl(): line 377
> > 
> >          /*
> >           * To have permissions to do most of the vt ioctls, we either
> >           * have
> >           * to be the owner of the tty, or have CAP_SYS_TTY_CONFIG.
> >           */
> >          perm = 0;
> >          if (current->signal->tty == tty || capable(CAP_SYS_TTY_CONFIG))
> >                  perm = 1;
> > 
> > 
> >  A simple fix for this might be just checking for capable(CAP_SYS_TTY_CONFIG)
> >  in do_kdgkb_ioctl(), which affects KDSKBSENT. This more restrictive
> >  approach is probably appropriate for many of the other ioctls that set
> >  VT parameters.
> 
> I briefly discussed this with Alan and he agreed that that's a reasonable
> approach.

Thanks, that's pretty much what I had in mind. Though I would expect
some minor breakage, at least for people who expect non-setuid loadkeys
to work. But then again, that is the whole point.

> I'll stick the below in -mm, see what breaks.
> 
> --- devel/drivers/char/vt_ioctl.c~setkeys-needs-root	2005-10-17 23:50:37.000000000 -0700
> +++ devel-akpm/drivers/char/vt_ioctl.c	2005-10-17 23:51:43.000000000 -0700
> @@ -192,6 +192,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry 
>  	int i, j, k;
>  	int ret;
>  
> +	if (!capable(CAP_SYS_TTY_CONFIG))
> +		return -EPERM;
> +
>  	kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
>  	if (!kbs) {
>  		ret = -ENOMEM;
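Review bot: the new capable() test sits at the very top of do_kdgkb_ioctl(), ahead of the kmalloc and ahead of any dispatch on cmd, so every request routed through this function now requires CAP_SYS_TTY_CONFIG, not only KDSKBSENT, which is the command the thread singled out; if reading key strings back (the "g" half of kdgkb) should remain available to an unprivileged console owner, the check belongs under the KDSKBSENT case rather than before the switch. Placing the early `return -EPERM;` before the allocation is the right ordering, since there is no kbs to free on that path. As the reply notes, a non-setuid loadkeys will now fail with EPERM on every affected kernel, so that is the intended effect of the change rather than a regression to chase when it shows up in -mm.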
> _

-- 
Horms
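A small userspace self-check for the situation discussed in this thread, added here as an example and not taken from the thread or from the kernel tree: it asks the running kernel whether the calling process may reach KDSKBSENT on a given virtual console and reports one of four verdicts, so an administrator can confirm that the capability gate is in effect for an ordinary console user. The program reads the current string for one function key with KDGKBSENT and writes that same string back with KDSKBSENT, so the key mapping is never changed; only the kernel's permission decision is observed. The path default `/dev/tty`, the enum and function names, and the `probe_self_pipe()` helper (used only to show the "not a VT" outcome on any machine) are my choices, not anything the thread specifies.

```c
/* Added example: report whether this caller may set console key strings
 * (KDSKBSENT), the ioctl the thread proposes to gate behind
 * CAP_SYS_TTY_CONFIG. Not from the original thread or the kernel tree. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/kd.h>   /* KDGKBSENT, KDSKBSENT, struct kbsentry */

enum probe_result {
    PROBE_PERMITTED,   /* KDSKBSENT accepted: this caller can rewrite key strings */
    PROBE_RESTRICTED,  /* EPERM: refused (capability gate, or caller does not own this tty) */
    PROBE_NOT_A_VT,    /* ENOTTY: the descriptor is not a virtual console */
    PROBE_ERROR        /* anything else: no conclusion */
};

/* Map an ioctl return code plus errno to a verdict. Kept separate so the
 * decision logic can be exercised without a console at hand. */
enum probe_result classify(int rc, int err)
{
    if (rc == 0)
        return PROBE_PERMITTED;
    if (err == EPERM)
        return PROBE_RESTRICTED;
    if (err == ENOTTY)
        return PROBE_NOT_A_VT;
    return PROBE_ERROR;
}

/* Probe one descriptor. The read comes first: a kernel that gates the whole
 * of do_kdgkb_ioctl() (as the -mm patch does) already answers EPERM here. */
enum probe_result probe_fd(int fd)
{
    struct kbsentry kbs;
    int rc;

    memset(&kbs, 0, sizeof(kbs));
    kbs.kb_func = 0;                 /* first function-key string slot */
    rc = ioctl(fd, KDGKBSENT, &kbs);
    if (rc != 0)
        return classify(rc, errno);

    /* Write the identical string back: no change to the mapping, but the
     * kernel must still decide whether this caller may set key strings. */
    rc = ioctl(fd, KDSKBSENT, &kbs);
    return classify(rc, errno);
}

/* A pipe end is never a VT, so this always yields PROBE_NOT_A_VT; it lets the
 * whole path be exercised on a machine with no console access. */
enum probe_result probe_self_pipe(void)
{
    int fds[2];
    enum probe_result r;

    if (pipe(fds) != 0)
        return PROBE_ERROR;
    r = probe_fd(fds[0]);
    close(fds[0]);
    close(fds[1]);
    return r;
}

static const char *describe(enum probe_result r)
{
    switch (r) {
    case PROBE_PERMITTED:  return "KDSKBSENT permitted for this caller";
    case PROBE_RESTRICTED: return "KDSKBSENT refused with EPERM";
    case PROBE_NOT_A_VT:   return "descriptor is not a virtual console";
    default:               return "probe failed";
    }
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/tty";   /* assumed default */
    int fd = open(path, O_RDWR | O_NOCTTY);

    if (fd < 0) {
        perror(path);
        return 1;
    }
    printf("%s: %s\n", path, describe(probe_fd(fd)));
    close(fd);
    return 0;
}
```

Run it as an unprivileged user logged in on a virtual console: a kernel carrying the gate reports the EPERM verdict, while a kernel without it reports that KDSKBSENT is permitted. Run from an X terminal or over ssh it only says the descriptor is not a virtual console, because the KD ioctls are answered with ENOTTY on a pty.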
