Re: security / kbd

[Andries Brouwer]

On Sat, Dec 03, 2005 at 06:33:51AM +0100, Bodo Eggert wrote:

> > Please describe the perceived security problem.
> > You log in remotely to my machine. Want to do something evil.
> > What precisely do you do?
> 
> echo -e 'keycode 28 F70
>          string  F70 ";rm -rf /\x0a"' | loadkeys > /proc/0815/fd/1
> 
> where process 0815 is a "sleep 2147483647&"

I already told you the result:

  loadkeys: Couldnt get a file descriptor referring to the console

> I had stale permissions on /dev/tty0. With correct permission settings, 
> you'll need a session belonging to the malicious user.

Aha. So it seems you withdraw the "remote" part, and say that
a local user can leave a process with an open filedescriptor
on a console, and that process can be used to access the console
later. True.

But there are many ways of using such a file descriptor.
This patch cripples the keymap changing but does not solve anything.
The basic problem is that some things are common for all virtual
consoles, while on the other hand vhangup() on one VC does not
influence the other VCs.

Probably those common parts should be split and made per-VC.

Andries


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/