Re: Securing non-root X input

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Matthew Wilcox <matthew@wil.cx>
To: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Dave Airlie <airlied@gmail.com>,
	peter.hutterer@who-t.net, linux-input@vger.kernel.org,
	xorg@freedesktop.org
Subject: Re: Securing non-root X input
Date: Sat, 30 Jan 2010 18:35:47 -0700	[thread overview]
Message-ID: <20100131013534.GA1331@parisc-linux.org> (raw)
In-Reply-To: <20100130074546.GB30378@core.coreip.homeip.net>

On Fri, Jan 29, 2010 at 11:45:46PM -0800, Dmitry Torokhov wrote:
> Hi Matthew,
> 
> On Fri, Jan 29, 2010 at 04:24:38PM -0700, Matthew Wilcox wrote:
> > This tiny patch allows the X server to ask how many times the device has
> > been opened.  If it's more than one, the X server can ask the user what
> > they want to do about it.  For bonus points, the X server can also run
> > programs like lsof or fuser to find out which other processes have the
> > device open, and tell the user that information too.  At that point,
> > the sysadmin can call in the ICBM strike on the offending user.
> > 
> > Does this approach work for everyone?
> 
> I do not think so. What about the cases when event devices are
> legitimately opened by several processes, like this:
> 
> [dtor@dtor-d630 work]$ ps aux | grep hald-addon-input
> root      1132  0.0  0.0  22200   824 ?        S    Jan22   0:29
> hald-addon-input: Listening on /dev/input/event7 /dev/input/event2 /dev/input/event1 /dev/input/event6 /dev/input/event0 /dev/input/event12 /dev/input/event4
> dtor     30424  0.0  0.0 102736   808 pts/3    S+   23:23   0:00 grep hald-addon-input
> [dtor@dtor-d630 work]$
> 
> It might not be hald but some other daemon monitoring key presses
> (sleep, hibernate, wifi keys and switches, etc).
> 
> If it was just about ensuring that only oneprocess accesses the device
> then we could just use EVIOCGRAB but as experience shows it is not a
> workable solution.

Yes, that's right.  I didn't quite go far enough in my explanation
above ...  the X server can look around the system to see what trusted
daemons (running as either root or the same user as the one running X)
currently have the device open, and notify the user if there's additional
openers that it isn't expecting.

Maybe we don't need a kernel patch to make this work after all, just
a suid helper for X that uses the code from lsof/fuser to list all the
current openers of /dev/input/eventN.

My only concern is if users are permitted to create other names for a
given device, lsof/fuser doesn't find that:

# ln -s /dev/input/event0 myev0
# sleep 60 < myev0 &
# lsof /dev/input/event0
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sleep     2223 root    0r   CHR  13,64      0t0 1667 /dev/input/event0
hald-addo 3363 root    6r   CHR  13,64      0t0 1667 /dev/input/event0
devkit-po 3588 root    9r   CHR  13,64      0t0 1667 /dev/input/event0
# rm myev0
# mknod myev0 c 13 64
# sleep 60 < myev0 &
# lsof /dev/input/event0
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
hald-addo 3363 root    6r   CHR  13,64      0t0 1667 /dev/input/event0
devkit-po 3588 root    9r   CHR  13,64      0t0 1667 /dev/input/event0

So if we need to catch that possibility, we need something like this
kernel patch ... if we're confident that /dev/input/ will be the only
name for a given event, we don't need a kernel patch to make this work.

-- 
Matthew Wilcox				Intel Open Source Technology Centre
"Bill, look, we understand that you're interested in selling us this
operating system, but compare it to ours.  We can't possibly take such
a retrograde step."

next prev parent reply	other threads:[~2010-01-31  1:35 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-01-29 23:24 Securing non-root X input Matthew Wilcox
2010-01-30  7:45 ` Dmitry Torokhov
2010-01-31  1:35   ` Matthew Wilcox [this message]
2010-01-31  7:13     ` Dmitry Torokhov
2010-01-31  8:38       ` Dave Airlie
2010-01-31  8:50         ` Dmitry Torokhov
2010-01-31 17:08       ` Matthew Wilcox
2010-02-01  2:03         ` Dmitry Torokhov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100131013534.GA1331@parisc-linux.org \
    --to=matthew@wil.cx \
    --cc=airlied@gmail.com \
    --cc=dmitry.torokhov@gmail.com \
    --cc=linux-input@vger.kernel.org \
    --cc=peter.hutterer@who-t.net \
    --cc=xorg@freedesktop.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.