From: aranea@aixah.de (Luis Ressel)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
Date: Sat, 5 Mar 2016 17:43:26 +0100
Message-ID: <20160305174326.476bbcea@gentp.lnet>
In-Reply-To: <20160305161537.GA30514@meriadoc.perfinion.com>

On Sun, 6 Mar 2016 00:15:37 +0800
Jason Zaman <jason@perfinion.com> wrote:
> We're all agreed that this perm sucks, but if it really is required on
> grsec that is justification enough for me to take the patch in gentoo
> even if it does not make it into refpolicy.
>
> If at all possible, I would obviously prefer to have agetty fixed. If
> only the first character is eaten that is rather strange so perhaps
> there is a real bug. If a fix is not possible then we just fall back
> to a distro_gentoo() block.

Have a look at agetty.c, grep for TIOCSTI. It's not a bug, but it looks
like bad engineering. They prematurely read a single char, then insert
it back into the input stream via TIOCSTI (instead of just remembering
it in a temporary buffer).

> I have not noticed this on my machine yet, what version of kernel and
> agetty causes this?

agetty since at least util-linux version 2.26, in combination with the
CONFIG_GRKERNSEC_HARDEN_TTY kernel config (which is a very new grsec
feature; it's in hardened-sources-4.4.3, perhaps also in 4.4.2, but not
in <=4.3.5).

In case you haven't noticed yet, I've opened a gentoo bug for
discussion: https://bugs.gentoo.org/show_bug.cgi?id=576522
--
Regards,
Luis Ressel
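
Added example, not part of the original message and not util-linux code: a
sketch of the "temporary buffer" alternative mentioned above, where a byte read
too early is kept in a one-slot buffer and served to the next read, so no
TIOCSTI call is involved. The names tty_reader, reader_getc, reader_peek and
demo_login_name are hypothetical, and a pipe carrying the constructed input
"root\n" stands in for the terminal.

```c
/* Added illustration (not util-linux code): keep a prematurely read byte in a
 * one-slot buffer instead of re-injecting it with ioctl(TIOCSTI). */
#include <stdio.h>
#include <unistd.h>

struct tty_reader {            /* hypothetical helper type */
    int fd;
    int have_pending;          /* 1 while 'pending' holds an unconsumed byte */
    char pending;
};

/* Return the next byte, serving the remembered one first: 1, 0 (EOF) or -1. */
static int reader_getc(struct tty_reader *r, char *c)
{
    if (!r->have_pending)
        return (int)read(r->fd, c, 1);
    *c = r->pending;
    r->have_pending = 0;
    return 1;
}

/* Inspect the next byte without losing it for later reads. */
static int reader_peek(struct tty_reader *r, char *c)
{
    int rc = reader_getc(r, c);
    if (rc == 1) { r->pending = *c; r->have_pending = 1; }
    return rc;
}

/* Constructed input: "root\n" through a pipe stands in for the terminal.
 * Peeks at the first byte, then reads the name; returns its length or -1. */
int demo_login_name(char *out, size_t n)
{
    int p[2], rc;
    size_t len = 0;
    char c;
    if (n == 0 || pipe(p) != 0) return -1;
    rc = (int)write(p[1], "root\n", 5);
    close(p[1]);
    struct tty_reader r = { p[0], 0, 0 };
    if (rc != 5 || reader_peek(&r, &c) != 1) { close(p[0]); return -1; }
    while ((rc = reader_getc(&r, &c)) == 1 && c != '\n')
        if (len + 1 < n) out[len++] = c;
    close(p[0]);
    out[len] = '\0';
    return rc < 0 ? -1 : (int)len;
}

int main(void) { char s[32]; printf("%d\n", demo_login_name(s, sizeof s)); return 0; }
```

The peeked first character is still part of the name that is read afterwards,
which is the behaviour the TIOCSTI re-insertion is meant to achieve.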