| Message ID | 20170417060706.28674-2-matt@nmatt.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Mon, Apr 17, 2017 at 02:07:03AM -0400, Matt Brown wrote: > adding the kernel config SECURITY_TIOCSTI_RESTRICT in order to allow > the user to restrict unprivileged command injection using TIOCSTI > tty ioctls "unpriviledged command injection"? That sounds a bit "odd", don't you think? > > Signed-off-by: Matt Brown <matt@nmatt.com> > --- > security/Kconfig | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/security/Kconfig b/security/Kconfig > index 3ff1bf9..d757bcb 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -18,6 +18,18 @@ config SECURITY_DMESG_RESTRICT > > If you are unsure how to answer this question, answer N. > > +config SECURITY_TIOCSTI_RESTRICT > + bool "Restrict unprivileged use of tiocsti command injection" > + default n > + help > + This enforces restrictions on unprivileged users injecting commands > + into other processes in the same tty session using the TIOCSTI ioctl Tabs and spaces? Since tty sessions are usually separated by different users, how would they have the same one and yet need something like this? Also, why not put this in the tty config section? And finally, this patch on its own doesn't do anything :( thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 04/17/2017 02:50 AM, Greg KH wrote: > On Mon, Apr 17, 2017 at 02:07:03AM -0400, Matt Brown wrote: >> adding the kernel config SECURITY_TIOCSTI_RESTRICT in order to allow >> the user to restrict unprivileged command injection using TIOCSTI >> tty ioctls > > "unpriviledged command injection"? That sounds a bit "odd", don't you > think? > >> >> Signed-off-by: Matt Brown <matt@nmatt.com> >> --- >> security/Kconfig | 12 ++++++++++++ >> 1 file changed, 12 insertions(+) >> >> diff --git a/security/Kconfig b/security/Kconfig >> index 3ff1bf9..d757bcb 100644 >> --- a/security/Kconfig >> +++ b/security/Kconfig >> @@ -18,6 +18,18 @@ config SECURITY_DMESG_RESTRICT >> >> If you are unsure how to answer this question, answer N. >> >> +config SECURITY_TIOCSTI_RESTRICT >> + bool "Restrict unprivileged use of tiocsti command injection" >> + default n >> + help >> + This enforces restrictions on unprivileged users injecting commands >> + into other processes in the same tty session using the TIOCSTI ioctl > > Tabs and spaces? > Sorry about that. Used the wrong vimrc for part of the Kconfig. Will fix in updated patch. > Since tty sessions are usually separated by different users, how would > they have the same one and yet need something like this? > > Also, why not put this in the tty config section? > > And finally, this patch on its own doesn't do anything :( > I will take your input, update my code, and resubmit as a single patch. > thanks, > > greg k-h > -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
> Since tty sessions are usually separated by different users, how would > they have the same one and yet need something like this? > > Also, why not put this in the tty config section? The normal attack use case people argue about is a rogue process on the users machine sitting there waiting until the user has logged in to a remote machine and is idle and then doing stuff. Attackers of course don't bother doing that because it's easier to get the user to run a different ssh client instead. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Apr 18, 2017 at 6:40 AM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote: >> Since tty sessions are usually separated by different users, how would >> they have the same one and yet need something like this? >> >> Also, why not put this in the tty config section? > > The normal attack use case people argue about is a rogue process on the > users machine sitting there waiting until the user has logged in to a > remote machine and is idle and then doing stuff. It's still a threat, though, and adding this with default n to allow the more paranoid builders a chance to mitigate it seems reasonable to me. > Attackers of course don't bother doing that because it's easier to get > the user to run a different ssh client instead. Attackers will always take the easiest route, so we have to keep killing the low hanging fruit. -Kees
diff --git a/security/Kconfig b/security/Kconfig index 3ff1bf9..d757bcb 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -18,6 +18,18 @@ config SECURITY_DMESG_RESTRICT If you are unsure how to answer this question, answer N. +config SECURITY_TIOCSTI_RESTRICT + bool "Restrict unprivileged use of tiocsti command injection" + default n + help + This enforces restrictions on unprivileged users injecting commands + into other processes in the same tty session using the TIOCSTI ioctl + + If this option is not selected, no restrictions will be enforced + unless the tiocsti_restrict sysctl is explicitly set to (1). + + If you are unsure how to answer this question, answer N. + config SECURITY bool "Enable different security models" depends on SYSFS
adding the kernel config SECURITY_TIOCSTI_RESTRICT in order to allow the user to restrict unprivileged command injection using TIOCSTI tty ioctls Signed-off-by: Matt Brown <matt@nmatt.com> --- security/Kconfig | 12 ++++++++++++ 1 file changed, 12 insertions(+)