On Fri, Jul 07, 2006 at 12:48:40PM -0700, Casey Schaufler wrote:
> --- Klaus Weidner <[EMAIL PROTECTED]> wrote:
> > - on the slave end, spawn newrole to switch to a high level, send
> > your password through the pty.
>
> The newrole analog on one Unix MLS system, "su -M <maclabel>" closes
> all open descriptors to prevent such a problem.
>
> The problem here is not with the pty, rather with newrole, which
> oughtn't keep descriptors open if it is changing MLS label.

In this case, the descriptor is the standard input and output stream that newrole uses for interaction, including reading its password, and closing that will make it stop working since the system doesn't have a trusted input/output path (which is a separate problem).

newrole can't tell the difference between a legitimate pty use from ssh or in an xterm versus the unauthorized use, and it would be a very significant restriction to permit only console access for newrole use.

Would it work to have newrole relabel the pty (maybe in a PAM session module?), so that the controlling low process won't be able to read from it?

-Klaus

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
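The "close all open descriptors before changing label" behaviour that Casey attributes to `su -M` is easy to get wrong (a missed descriptor, or a hard-coded upper bound that is lower than the real limit). The block below is an added illustration, not code from newrole, su, or anyone on this thread: it shows a defensive `close_inherited_fds()` routine of the kind a label-changing program could call before its transition, walking `/proc/self/fd` on Linux (assumed available; it falls back to `sysconf(_SC_OPEN_MAX)` otherwise), plus a small probe that counts what is still open so the result can be checked. It keeps descriptors 0 through 2, which is exactly Klaus's point: the pty that newrole talks to is those descriptors, so closing inherited fds removes leaked extra handles but does nothing about an untrusted pty itself.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Close every descriptor numbered above keep_upto (keep_upto = 2 keeps
   stdin/stdout/stderr).  Uses /proc/self/fd so that descriptors above the
   soft limit are not missed; falls back to a linear sweep if /proc is absent.
   Assumed helper for illustration; not newrole's or su's own code. */
int close_inherited_fds(int keep_upto)
{
    DIR *d = opendir("/proc/self/fd");
    if (d != NULL) {
        int dfd = dirfd(d);            /* the directory stream's own fd */
        struct dirent *e;
        while ((e = readdir(d)) != NULL) {
            if (e->d_name[0] == '.')
                continue;
            char *end;
            long fd = strtol(e->d_name, &end, 10);
            if (*end != '\0' || fd <= keep_upto || fd == dfd)
                continue;          /* skip non-numeric, kept, and the stream */
            close((int)fd);
        }
        closedir(d);               /* closes dfd as well */
        return 0;
    }
    /* Fallback: sweep up to the process's open-file limit. */
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0)
        max = 1024;                /* conservative default if unknown */
    for (long fd = keep_upto + 1; fd < max; fd++)
        close((int)fd);
    return 0;
}

/* Return 1 if fd refers to an open descriptor, 0 otherwise (EBADF). */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Count open descriptors in (keep_upto, limit); used to verify the close. */
int count_open_above(int keep_upto, int limit)
{
    int n = 0;
    for (int fd = keep_upto + 1; fd < limit; fd++)
        if (fd_is_open(fd))
            n++;
    return n;
}

/* Demonstration: leak a few descriptors (constructed here), then close
   everything above 2.  Returns 0 on success, -1 if something stayed open. */
int demo(void)
{
    int a = open("/dev/null", O_RDONLY);
    int b = dup(a);
    int pfd[2];
    if (a < 0 || b < 0 || pipe(pfd) != 0)
        return -1;
    int before = count_open_above(2, 64);   /* at least 4: a, b, pfd[0], pfd[1] */
    close_inherited_fds(2);
    int after = count_open_above(2, 64);
    /* 0,1,2 are untouched: a pty on those fds is still fully usable. */
    return (before >= 4 && after == 0 && fd_is_open(0) && fd_is_open(1)) ? 0 : -1;
}

int main(void)
{
    int rc = demo();
    printf("close_inherited_fds: %s\n", rc == 0 ? "all extra descriptors closed" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

A program that transitions label would call `close_inherited_fds(2)` before the transition; whether it may trust the pty left on 0..2 is the separate question raised above, and this routine does not answer it.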
