On Mar 3, 2016 at 17:21 Stanislav Brabec wrote:
> On Mar 3, 2016 at 01:37 up201407890@xxxxxxxxxxxxxxxxxxx wrote:
>
>> On another note, grsecurity recently released a new feature named
>> GRKERNSEC_HARDEN_TTY that disallows the use of TIOCSTI to unprivileged
>> users unless the caller has CAP_SYS_ADMIN.
>
> This will fix all util-linux issues, but not chroot. There root inside
> the chroot escapes from chroot and calls commands outside.
>

We had a talk about this bug, and we found that there is no quick and
100% safe fix.

Here are possibilities:

1) Quick kernel fix disabling TIOCSTI ioctl() for non-root, if the PID of
the terminal owner is not equal to PID of the calling process, eventually
use capabilities for the same.

Pros:
+ Fix in one place.
+ Fix all possible future abuses.

Cons:
- Many utilities are potentially affected and need testing.
- Some custom code could be affected. (I can imagine for example bar
  code reader running with a dedicated UID, and pushing bar code to the
  terminal. Such code will break for sure.)

2) Per utility fix using setsid().

Pros:
+ Prevents the exploit without uncertain side effects.

Cons:
- Each affected utility needs a fix.
- Loss of job control will affect working style of many people.

Conclusion: We need a different solution:

3) Introduce new terminal ioctl() or flag in the kernel. This flag will
block TIOCSTI (and possibly other dangerous actions). It will allow
implementing something like setsid(), but without side effects of job
control loss.

Pros:
+ No unwanted side effects at all.

Cons:
- Each affected utility needs a fix.

We think that only 3 will be safe and have no side effects.

Note: Fixing character stealing described in previous mails is not
covered by any of these solutions. This could be possible safely only
with a new syscall revoke(), which was not yet accepted to the kernel.

--
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                         e-mail: sbrabec@xxxxxxxx
Lihovarská 1060/12                            tel: +49 911 7405384547
190 00 Praha 9                                 fax:  +420 284 084 001
Czech Republic                                    http://www.suse.cz/
PGP: 830B 40D5 9E05 35D8 5E27 6FA3 717C 209F A04F CD76
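Option 2 in the message above (the per-utility setsid() fix), as an added example that is not part of the original mail or of util-linux: a wrapper that runs a command in a new session so the child has no controlling terminal. The function names `run_without_ctty` and `child_keeps_ctty` are hypothetical; the comments note where the limits named in the mail (job control loss, the chroot root case) still apply.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Wait for pid and return its exit code, or -1 on failure/abnormal exit. */
static int wait_exit(pid_t pid)
{
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical helper: run argv in a child detached from the terminal. */
int run_without_ctty(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A forked child is never a process group leader, so setsid()
         * succeeds: new session, no controlling terminal. The kernel then
         * refuses TIOCSTI on the inherited tty unless the caller has
         * CAP_SYS_ADMIN (so root inside a chroot is not covered). */
        if (setsid() < 0)
            _exit(126);
        /* A real utility drops privileges here (setgid/setuid) before exec. */
        execvp(argv[0], argv);
        _exit(127);
    }
    /* Cost named in the mail: the child is outside the shell's job control. */
    return wait_exit(pid);
}

/* Self-check: 1 if a child can still reach a controlling tty after setsid(). */
int child_keeps_ctty(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)
            _exit(2);
        /* /dev/tty resolves to the controlling terminal; none is left. */
        _exit(open("/dev/tty", O_RDWR | O_NOCTTY) >= 0 ? 1 : 0);
    }
    return wait_exit(pid);
}
```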