From: nicolas.iooss@m4x.org (Nicolas Iooss)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
Date: Sat, 5 Mar 2016 18:11:08 +0100 [thread overview]
Message-ID: <56DB132C.40607@m4x.org> (raw)
In-Reply-To: <20160305174326.476bbcea@gentp.lnet>
On 03/05/2016 05:43 PM, Luis Ressel wrote:
> On Sun, 6 Mar 2016 00:15:37 +0800
> Jason Zaman <jason@perfinion.com> wrote:
>
>> We're all agreed that this perm sucks, but if it really is required on
>> grsec that is justification enough for me to take the patch in gentoo
>> even if it does not make it into refpolicy.
>>
>> If at all possible, I would obviously prefer to have agetty fixed. If
>> only the first character is eaten that is rather strange so perhaps
>> there is a real bug. If a fix is not possible then we just fall back
>> to a distro_gentoo() block.
>>
>
> Have a look at agetty.c, grep for TIOCSTI. It's not a bug, but it looks
> like bad engineering. They prematurely read a single char, then insert
> it back into the input stream via TIOCSTI (instead of just remembering
> it in a temporary buffer).
Between the read and the ioctl calls there is "tcsetattr(fd, TCSANOW,
&orig);", which is very important: it restores the attributes of the
tty. The characters which were read were not shown on the tty because
wait_for_term_input begins by setting the tty in "noecho" mode.
For printable characters, the use of TIOCSTI may be replaced with calls
to putc and ungetc, and special characters (like Ctrl-ed keys) would
need special care in this situation (I do not know which one: ignoring
them or showing them anyway).
In short I do not think there is an quick&easy work-around of the way it
is currently implemented. Anyway disabling "agetty --reload" feature as
suggested in Gentoo #576522 disables this part of the code.
>
>> I have not noticed this on my machine yet, what version of kernel and
>> agetty causes this?
>>
>
> agetty since at least util-linux version 2.26, in combination with the
> CONFIG_GRKERNSEC_HARDEN_TTY kernel config (which is a very new grsec
> feature; it's in hardened-sources-4.4.3, perhaps also in 4.4.2, but not
> in <=4.3.5).
and also with this feature enabled if you use sysctl, with
/proc/sys/kernel/grsecurity/harden_tty (I forgot this on my machine when
I first tried to reproduce the issue).
prev parent reply other threads:[~2016-03-05 17:11 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-04 2:05 [refpolicy] [PATCH] Allow getty the sys_admin capability Luis Ressel
2016-03-04 13:11 ` Christopher J. PeBenito
2016-03-04 15:54 ` Dominick Grift
2016-03-05 12:18 ` Nicolas Iooss
2016-03-05 13:33 ` Jason Zaman
2016-03-05 13:33 ` Dominick Grift
2016-03-05 14:38 ` Luis Ressel
2016-03-07 15:02 ` Christopher J. PeBenito
2016-03-05 15:55 ` Luis Ressel
2016-03-05 16:15 ` Jason Zaman
2016-03-05 16:43 ` Luis Ressel
2016-03-05 17:11 ` Nicolas Iooss [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56DB132C.40607@m4x.org \
--to=nicolas.iooss@m4x.org \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.