From: "Theodore Ts'o" <tytso@mit.edu>
To: Abhinav Saxena <xandfury@gmail.com>
Cc: Shuah Khan <shuah@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <nick.desaulniers+lkml@gmail.com>,
Bill Wendling <morbo@google.com>,
Justin Stitt <justinstitt@google.com>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
llvm@lists.linux.dev, selinux@vger.kernel.org, kees@kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH 0/2] Possible TTY privilege escalation in TIOCSTI ioctl
Date: Fri, 27 Jun 2025 21:52:03 -0400 [thread overview]
Message-ID: <20250628015203.GA4253@mit.edu> (raw)
In-Reply-To: <87y0tcu23d.fsf@gmail.com>
On Fri, Jun 27, 2025 at 06:38:42PM -0600, Abhinav Saxena wrote:
> >
> > As noted in previous discussion, while CONFIG_LEGACY_TIOCSTI can restrict
> > TIOCSTI usage, it is enabled by default in most distributions. Even when
> > CONFIG_LEGACY_TIOCSTI=n, processes with CAP_SYS_ADMIN can still use TIOCSTI
> > according to the Kconfig documentation.
> >
> > Additionally, CONFIG_LEGACY_TIOCSTI controls the default value for the
> > dev.tty.legacy_tiocsti sysctl, which remains runtime-configurable. This
> > means the described attack vector could work on systems even with
> > CONFIG_LEGACY_TIOCSTI=n, particularly on Ubuntu 24.04 where it’s “restricted”
> > but still functional.
What is the threat scenario that you are concerned about? The concern
with TIOSTI is that it is a privilege escalation mechanism. But you
need to have root (well, CAP_SYS_ADMIN) to either enable the
dev.tty.legacy_tiocsti sysctl, or to use TIOCSTI. So what's the
privilege escalation that you're concerned about?
I could imagine some fairly esoteric ways that this might be a
problem, but if it's not a common case concern, maybe using some kind
of LSM to more forcibly disable TIOCSTI is sufficient?
Yes, we could imagine ways in which it could be permanently disabled
(perhaps via a boot command line option) such that it can't be
re-enabled without rebooting. But is the extra complexity worth it,
especially when there is always the LSM solution for the
super-paranoid sysadmins?
- Ted
prev parent reply other threads:[~2025-06-28 1:52 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-23 1:41 [PATCH 0/2] Possible TTY privilege escalation in TIOCSTI ioctl Abhinav Saxena
2025-06-23 1:41 ` Abhinav Saxena via B4 Relay
2025-06-23 1:41 ` [PATCH 1/2] selftests/tty: add TIOCSTI test suite Abhinav Saxena
2025-06-23 1:41 ` Abhinav Saxena via B4 Relay
2025-06-23 12:42 ` Stephen Smalley
2025-06-23 1:41 ` [PATCH 2/2] selinux: add capability checks for TIOCSTI ioctl Abhinav Saxena
2025-06-23 1:41 ` Abhinav Saxena via B4 Relay
2025-06-23 5:13 ` Greg KH
2025-06-23 12:38 ` Stephen Smalley
2025-06-23 15:15 ` Paul Moore
2025-06-24 20:58 ` Günther Noack
2025-06-23 12:35 ` [PATCH 0/2] Possible TTY privilege escalation in " Stephen Smalley
2025-06-28 0:38 ` Abhinav Saxena
2025-06-28 1:52 ` Theodore Ts'o [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250628015203.GA4253@mit.edu \
--to=tytso@mit.edu \
--cc=justinstitt@google.com \
--cc=kees@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=nick.desaulniers+lkml@gmail.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=shuah@kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=xandfury@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.