Re: security / kbd - Bodo Eggert

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Bodo Eggert <harvested.in.lkml@7eggert.dyndns.org>
To: Andries Brouwer <Andries.Brouwer@cwi.nl>, linux-kernel@vger.kernel.org
Subject: Re: security / kbd
Date: Sat, 03 Dec 2005 01:21:51 +0100	[thread overview]
Message-ID: <E1EiLA5-0001VE-64@be1.lrz> (raw)
In-Reply-To: 5f6Fp-1ZB-11@gated-at.bofh.it

Andries Brouwer <Andries.Brouwer@cwi.nl> wrote:

> Recently I muttered a little bit about the fact that everybody who
> can mount filesystems using an "auto" fstab filesystem type entry
> (or using e.g. an "ext2" entry) can crash the system.
> But nobody on lk seems impressed.
> Of course, one can always say that it is the distribution's fault,
> or the sysadmin's fault to have such fstab entries.
> Still, I think the situation can be improved.

Yes, by fixing the file systems or by implementing safe user mounts. It will
be something like fuse, maybe it will be fuse using a userspace version
of a kernel thread. Maybe not.

> On the other hand, I am told that recent kernels restrict the use of
> loadkeys to root. If so, an unfortunate choice. People want to switch
> unicode support on/off, or go from/to a dvorak keymap.
> What was the security problem?

It's global, and it can be done remotely. Therefore you can either have
remote logins or a secure console.

The correct fix would be binding the keymap to the current tty only,
resetting the console if it gets closed and not allowing init to reuse
it unless it's closed. If you do this, you'll want a default setting, too.

YANI: Root should be able to set a coloured border indicating that it's
really the getty/login process asking for the user prompt/password.
-- 
Ich danke GMX dafür, die Verwendung meiner Adressen mittels per SPF
verbreiteten Lügen zu sabotieren.

next      parent reply	other threads:[~2005-12-03  0:20 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <5f6Fp-1ZB-11@gated-at.bofh.it>
2005-12-03  0:21 ` Bodo Eggert [this message]
2005-12-03  1:34   ` security / kbd Andries Brouwer
2005-12-03  2:11     ` Bodo Eggert
2005-12-03  2:39       ` Andries Brouwer
2005-12-03  5:33         ` Bodo Eggert
2005-12-03 14:46           ` Andries Brouwer
2005-12-03 17:19             ` Bodo Eggert
2005-12-03 18:11               ` Andries Brouwer
2005-12-03 18:48                 ` Bodo Eggert
2005-12-03 21:43                   ` Andries Brouwer
2005-12-02  0:08 Andries Brouwer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=E1EiLA5-0001VE-64@be1.lrz \
    --to=harvested.in.lkml@7eggert.dyndns.org \
    --cc=7eggert@gmx.de \
    --cc=Andries.Brouwer@cwi.nl \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox