Re: [PATCH] tty: change the privilege required for tty operarions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

> Tested how?  

First of all, this change is not about functionality, only about permissions. 
I wrote 3 testcases which calls ioctl() with TIOCSTI, TIOCCONS, TIOCVHANGUP 
respectively. Then execute them on the origin kernel and patched kernel. 
Running it on both sets of kernels gives the same result. However, through
the system error message, and the kernel log output I added, I confirmed 
that the relevant functionality under the origin kernel requires sys_admin, 
and under the patched kernel requires sys_tty_config.

Indeed, it doesn't have much to do with the distro either, I just tested it 
on Debian, and similar tests can be done on other distros.


> Why did you just change these 3 usages, and not all of them?  Why are
> these "safe" but the others not?

There are 5 capability checks in this file, all using sys_admin. The first 
one is in the tiocsti function, in commit 690c8b804ad2 ("TIOCSTI: always 
enable for CAP_SYS_ADMIN"), sys_admin was introduced for a special 
application BRLTTY, so I hesitated to change it. In fact, BRLTTY has both 
sys_admin and sys_tty_config, so modify the kernel's permission check, will 
not affect BRLTTY's function. The other permission check is located in a 
different function, not triggered by ioctl, so it's not written together.

> And most importantly of all, why make this change at all?  Who is using
> capabilities these days in a fine-grained way to warrent this type of
> modification?

I guess you are right, there's not a lot of people using capabilities. 
But the idea of a least privilege design is still tempting from a 
security point of view. The scarce use of capabilities is related to 
its problematic implementation, and we hope to promote its use by 
improving its implementation. sys_admin is a relatively large privilege, 
which may pose a risk to the system (check the cve list:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAP_SYS_ADMIN ), and by 
reducing the unnecessary use of sys_admin, we can avoid some of the risks. 
In particular, the linux capability has been designed with sys_tty_config, 
so it should take over the privileges originally managed by sys_admin 
related to TTY.

Best regards,
Jingzi
[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux PPP]     [Linux FS]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Linmodem]     [Device Mapper]     [Linux Kernel for ARM]

  Powered by Linux