Re: [PATCH v5 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

2017-05-03 Thread Kees Cook
On Mon, Apr 24, 2017 at 9:15 PM, Matt Brown wrote:
> This patchset introduces the tiocsti_restrict sysctl, whose default is
> controlled via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this
> control restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
>
> This

Re: [PATCH v5 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

2017-04-27 Thread One Thousand Gnomes
> > Which is the sudo case and why sudo uses a separate pty/tty pair as it's
> > not just TIOCSTI that's an issue but there are a load of ioctls that do
> > things like cause signals to the process or are just annoying -
> > vhangup(), changing the speed etc
> >
> > (And for console changing the

Re: [PATCH v5 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

2017-04-26 Thread One Thousand Gnomes
> open() what? As far as I know, for System-V PTYs, there is no path you can
> open() that will give you the PTY master. Am I missing something?
Sorry brain fade - no.
>
> >> > If I want to do the equivalent of the TIOCSTI attack then I fork a process
> >> > and exit the parent. The child can now

Re: [PATCH v5 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

2017-04-25 Thread Jann Horn
On Tue, Apr 25, 2017 at 11:21 PM, One Thousand Gnomes wrote:
>> Really? By "pty", are you referring to the master? If so, as far as I know,
>> to go from the slave to the master, you need one of:
>>
>> - ptrace access to a process that already has an FD to the master,

Re: [PATCH v5 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

2017-04-25 Thread One Thousand Gnomes
> Really? By "pty", are you referring to the master? If so, as far as I know,
> to go from the slave to the master, you need one of:
>
> - ptrace access to a process that already has an FD to the master, via
>   ptrace() or so (/proc/$pid/fd/$fd won't work)
> - for a BSD PTY (which AFAIK isn't

Re: [PATCH v5 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

2017-04-25 Thread Jann Horn
On Tue, Apr 25, 2017 at 9:30 PM, One Thousand Gnomes wrote:
> On Tue, 25 Apr 2017 15:56:32 +0200
> Jann Horn wrote:
>
>> On Tue, Apr 25, 2017 at 3:47 PM, Alan Cox wrote:
>> >> There could be a few user programs that would

Re: [PATCH v5 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

2017-04-25 Thread One Thousand Gnomes
On Tue, 25 Apr 2017 15:56:32 +0200
Jann Horn wrote:
> On Tue, Apr 25, 2017 at 3:47 PM, Alan Cox wrote:
> >> There could be a few user programs that would be affected by this
> >> change.
> >> See:

Re: [PATCH v5 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

2017-04-25 Thread Alan Cox
> There could be a few user programs that would be affected by this
> change.
> See:
> notable programs are: agetty, csh, xemacs and tcsh
>
> However, I still believe that this change is worth it given that the
> Kconfig defaults to n.

Re: [PATCH v5 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

2017-04-25 Thread Jann Horn
On Tue, Apr 25, 2017 at 3:47 PM, Alan Cox wrote:
>> There could be a few user programs that would be affected by this
>> change.
>> See:
>> notable programs are: agetty, csh, xemacs and tcsh
>>
>> However, I

[PATCH v5 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

2017-04-24 Thread Matt Brown
This patchset introduces the tiocsti_restrict sysctl, whose default is controlled via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users. This patch was inspired from GRKERNSEC_HARDEN_TTY. This patch would have prevented