From: aranea@aixah.de (Luis Ressel)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
Date: Sat, 5 Mar 2016 15:38:47 +0100 [thread overview]
Message-ID: <20160305153847.09ba84ee@gentp.lnet> (raw)
In-Reply-To: <56DACE7F.7090502@m4x.org>
On Sat, 5 Mar 2016 13:18:07 +0100
Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
> On 03/04/2016 04:54 PM, Dominick Grift wrote:
> > On 03/04/2016 02:11 PM, Christopher J. PeBenito wrote:
> >> On 3/3/2016 9:05 PM, Luis Ressel wrote:
> >>> It's required for agetty on kernels with a recent grsecurity
> >>> patchset. (The denial itself has been showing up for quite some
> >>> time, but it hasn't had any obvious ill effects until recently.)
> >
> >> I'm reluctant to add this because it is a significant permission
> >> and grsecurity is not commonly used with SELinux, to my
> >> knowledge.
> >
> >
> > My getty requests this permission as well [1] and i am not using
> > grsecurity. Although, i am not sure if the permission is absolutely
> > needed. (then again I do not believe that it requests it for its
> > health alone)
>
> Hello, as I was wondering what was behind agetty requiring sys_admin
> capabilities and what would happen if the access is denied, I took a
> look to its source code. The TIOCSTI ioctl (the mechanism which
> allows injecting characters in a terminal input queue) seems to only
> been used in a function named wait_for_term_input [1]. This allows
> the user input to be seen as a "normal input" while
> wait_for_term_input temporarily configured the terminal with ICANON,
> ECHO... attributes disabled.
>
> If the ioctl(fd, TIOCSTI, buffer + i) call fails (for example because
> sys_admin is not granted by SELinux), this is silently ignored. As
> far as I understand the code, wait_for_term_input function is only
> used at the beginning of the login prompt (the characters are echoed
> to the terminal) and not the password prompt. Therefore the user may
> get the feeling that the first typed character has been dropped
> somewhere. Is that so? Are there other annoyances that I missed in
> my quick analysis?
>
Yes, the first character of the username is dropped. It isn't just
missing from the terminal output, though; it doesn't reach 'login'
either, so you really have to type it in twice.
--
Regards,
Luis Ressel
next prev parent reply other threads:[~2016-03-05 14:38 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-04 2:05 [refpolicy] [PATCH] Allow getty the sys_admin capability Luis Ressel
2016-03-04 13:11 ` Christopher J. PeBenito
2016-03-04 15:54 ` Dominick Grift
2016-03-05 12:18 ` Nicolas Iooss
2016-03-05 13:33 ` Jason Zaman
2016-03-05 13:33 ` Dominick Grift
2016-03-05 14:38 ` Luis Ressel [this message]
2016-03-07 15:02 ` Christopher J. PeBenito
2016-03-05 15:55 ` Luis Ressel
2016-03-05 16:15 ` Jason Zaman
2016-03-05 16:43 ` Luis Ressel
2016-03-05 17:11 ` Nicolas Iooss
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160305153847.09ba84ee@gentp.lnet \
--to=aranea@aixah.de \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.