From: Andries Brouwer <Andries.Brouwer@cwi.nl>
To: Bodo Eggert <7eggert@gmx.de>
Cc: Andries Brouwer <Andries.Brouwer@cwi.nl>,
linux-kernel@vger.kernel.org, akpm@osdl.org, horms@verge.net.au
Subject: Re: security / kbd
Date: Sat, 3 Dec 2005 15:46:59 +0100
Message-ID: <20051203144659.GA2091@apps.cwi.nl>
In-Reply-To: <Pine.LNX.4.58.0512030616230.6684@be1.lrz>

On Sat, Dec 03, 2005 at 06:33:51AM +0100, Bodo Eggert wrote:

> > Please describe the perceived security problem.
> > You log in remotely to my machine. Want to do something evil.
> > What precisely do you do?
>
> echo -e 'keycode 28 F70
> string F70 ";rm -rf /\x0a"' | loadkeys > /proc/0815/fd/1
>
> where process 0815 is a "sleep 2147483647&"

I already told you the result:

loadkeys: Couldnt get a file descriptor referring to the console

> I had stale permissions on /dev/tty0. With correct permission settings,
> you'll need a session belonging to the malicious user.

Aha. So it seems you withdraw the "remote" part, and say that
a local user can leave a process with an open file descriptor
on a console, and that process can be used to access the console
later. True.

But there are many ways of using such a file descriptor.
This patch cripples the keymap changing but does not solve anything.

The basic problem is that some things are common for all virtual
consoles, while on the other hand vhangup() on one VC does not
influence the other VCs.
Probably those common parts should be split and made per-VC.

Andries
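
A defensive check for the situation discussed above, a process left behind with an open file descriptor on a console: this is an added example, not part of the original message or of any kernel or kbd code. It walks a /proc-style tree and reports console descriptors held by a non-root process whose UID differs from the tty's current owner; the sample tree, PIDs and UIDs are constructed, and the ownership comparison is an assumed heuristic.

```python
import os, re, tempfile

CONSOLE_RE = re.compile(r"^/dev/(tty\d+|console)$")

def proc_uid(pid_dir):
    """Real UID from the 'Uid:' line of <pid_dir>/status."""
    with open(os.path.join(pid_dir, "status")) as fh:
        for line in fh:
            if line.startswith("Uid:"):
                return int(line.split()[1])
    raise ValueError("no Uid line in " + pid_dir)

def stale_console_fds(proc_root, tty_owner):
    """Return sorted (pid, uid, fd, tty) for console fds held by a non-root
    process whose UID differs from the tty's current owner.
    tty_owner is a callable mapping a device path to its owning UID."""
    hits = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid_dir = os.path.join(proc_root, name)
        try:
            uid = proc_uid(pid_dir)
            fds = os.listdir(os.path.join(pid_dir, "fd"))
        except (OSError, ValueError):
            continue  # process exited, or not readable without privilege
        for fd in fds:
            try:
                target = os.readlink(os.path.join(pid_dir, "fd", fd))
            except OSError:
                continue
            if CONSOLE_RE.match(target) and uid != 0 and uid != tty_owner(target):
                hits.append((int(name), uid, int(fd), target))
    return sorted(hits)

def build_sample_proc(root):
    """Constructed /proc-like tree: pid 815 is a leftover process of UID 1000."""
    sample = {815: (1000, {0: "/dev/tty2", 1: "/dev/tty2"}),  # left behind after logout
              900: (1001, {0: "/dev/tty2", 3: "/tmp/log"}),   # current owner's shell
              1:   (0,    {0: "/dev/console"})}               # root process, ignored
    for pid, (uid, fds) in sample.items():
        os.makedirs(os.path.join(root, str(pid), "fd"))
        with open(os.path.join(root, str(pid), "status"), "w") as fh:
            fh.write("Name:\tsample\nUid:\t%d\t%d\t%d\t%d\n" % (uid, uid, uid, uid))
        for fd, target in fds.items():
            os.symlink(target, os.path.join(root, str(pid), "fd", str(fd)))
    return root

if __name__ == "__main__":
    root = build_sample_proc(tempfile.mkdtemp())
    for hit in stale_console_fds(root, lambda tty: 1001):  # tty2 now owned by UID 1001
        print("pid %d uid %d fd %d -> %s" % hit)
```

On a live system the same function can be pointed at `/proc` with `lambda p: os.stat(p).st_uid` as the owner lookup, run as root so that other users' `fd` directories are readable.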