Re: [Patch] TIOCCONS security

From: Olaf Dabrunz
Date: Wed Aug 25 2004 - 11:22:44 EST

Next message: Bjorn Helgaas: "Re: ACPI + Floppy detection problem in 2.6.8.1-mm4"
Previous message: Randy.Dunlap: "Re: sys_sem* undefined"
In reply to: Christoph Hellwig: "Re: [Patch] TIOCCONS security"
Next in thread: Kees Cook: "Re: [Patch] TIOCCONS security"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 25-Aug-04, Christoph Hellwig wrote:
> On Wed, Aug 25, 2004 at 04:15:04PM +0100, Christoph Hellwig wrote:
> > > Still, I believe that administrators and operators would not like any
> > > user to be able to hijack messages that were written to the console.
> > >
> > > The only user of TIOCCONS that I am aware of is bootlogd/blogd, which
> > > runs as root. Please comment if there are other users.
> >
> > Oh, common. Do your basic research - this has been rejected a few times
> > and there have been better proposals. Just use goggle a little bit.
>
> Umm, I'm smoking crack. Sorry, for some reason I took this for another
> TIOCGDEV submission without reading.

(Don't do this to me. ;))

BTW, I found that xterm -C is using this. xterm(1x) is misleading
though because it states that /dev/console must belong to the user of
xterm -C. I did not do a thorough check, but since the availability of
the "-C" option depends on TIOCCONS (or SRIOCSREDIR) being available,
this should work without /dev/console belonging to the user of TIOCCONS.

Anyway, there are other ways to read log messages from X. One is to use
xconsole on /dev/xconsole and have syslogd provide filtered messages to
/dev/xconsole.

Changing the ownership on /dev/console causes security problems (that
user can usually access the current virtual terminal anytime, and the
current one may not belong to him). This does not happen with
/dev/xconsole, so it is possible to change the ownership of
/dev/xconsole to the first local X user.

While /dev/xconsole may not be the same as /dev/console, e.g. boot
script messages do go to the console (that's why bootlogd uses
TIOCCONS), it seems to be the best bet so far. It may even be possible
to pipe boot messages to /dev/xconsole.

The bottom line is, that I do not see why normal users should be able to
use TIOCCONS. Hijacking console output is a security problem, which has
been found quite some time ago on SunOS as well
(http://www.cert.org/advisories/CA-1990-12.html).

--
Olaf Dabrunz (od/odabrunz), SUSE Linux AG, NÃrnberg

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Bjorn Helgaas: "Re: ACPI + Floppy detection problem in 2.6.8.1-mm4"
Previous message: Randy.Dunlap: "Re: sys_sem* undefined"
In reply to: Christoph Hellwig: "Re: [Patch] TIOCCONS security"
Next in thread: Kees Cook: "Re: [Patch] TIOCCONS security"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]