Disabling VT switching as non-root in 2.4.25

From: Rokob Tibor Andras
Date: Wed Mar 31 2004 - 17:33:59 EST


Trying the 'vlock' software (virtual console locking tool,
http://freshmeat.net/projects/vlock), and looking at
drivers/char/vt.c in kernel 2.4.25 I found the following:

There are two ioctls (VT_LOCKSWITCH,VT_UNLOCKSWITCH) which
are intended to lock and unlock the changing of virtual
consoles. According to the kernel code they are available to the
super-user only. However, by doing a VT_SETMODE ioctl to VT_PROCESS,
and denying to release the VT by giving 0 to VT_RELDISP, it is possible
to disable VT switching as non-root ('vlock' is a working example
which is able to do this).

I mean this is not only an inconsistency among the permissions needed by
different system calls, but a small 'security hole' (a user who has
access to the console may completely lock it, and it can only be
unlocked by logging in as root from the network (if there is any) and
killing the user's process).

The problem affects the 2.4.x kernel series including the last
released 2.4.25 and according to its ChangeLog also 2.4.26-rc1.
(It seems to me by a quick look that drivers/char/vt_ioctl.c in 2.6.3
behaves the same; I didn't check against 2.2.x and 2.0.x series).

Andras Rokob

My PGP public key is available from bolyai.elte.hu.

Attachment: signature.asc
Description: Digital signature