[337] in linux-security and linux-alert archive

Re: problem with selection

daemon@ATHENA.MIT.EDU (Zygo Blaxell)
Fri Sep 1 08:35:13 1995

From: Zygo Blaxell <zblaxell@miranda.uwaterloo.ca>
To: Andries.Brouwer@cwi.nl
Date: Tue, 29 Aug 1995 23:03:28 -0400 (EDT)
Cc: linux-security@tarsier.cv.nrao.edu, tom@pandemonium.saar.de
In-Reply-To: <9508281045.AA24355=aeb@papegaai.cwi.nl> from "Andries.Brouwer@cwi.nl" at Aug 28, 95 10:45:06 am

Quoted from Andries.Brouwer@cwi.nl:
> Yes. But nobody who is security conscious should install it suid root.
> It does not need any privileges, except possibly for killing earlier
> invocations, left by another user. Thus, any uid will do.

Inserting arbitrary data into someone's input buffer _doesn't_ require
any privileges?  I sincerely hope not.

Console security really sucks on Linux.  The vt ioctl calls don't check
_anything_ so long as you have any console as a controlling TTY (remapping
of SAK excepted, in trivial cases).  This means that if you have a
process on any controlling virtual console TTY, you can interfere 
with other virtual console TTYs.

I prefer to have selection run _as_ root _by_ root, in the rc* scripts
after syslogd and before any network daemons.  After all, it doesn't
really need to be invoked and revoked by individual users, does it?

An alternative to running as root would be to require that selection
have the same uid as the owner of the TTY that selection would paste
into.  However, this means that two users can't log into different TTYs
and paste from one to the other, unless there was a permission
structure that could control this (like another set of devices similar to
/dev/vcs*, which allow you to write data to a TTY device input buffer).

(for the wish list:  /dev/kbd*, which allow you to remap the keyboard
for a particular virtual console only.  And /dev/vcpc*, which accept the
ioctl calls for process control signals (the ones SVGAlib and X use).
And /dev/kbdmode, which accepts the ioctl call for changing keyboard mode
to raw/mediumraw/cooked (necessary because of the way SAK works in cooked
mode and doesn't in other modes).  And /dev/vcsig, which replaces the
keysym that can send any signal to a process with a keysym that reports
what keysym, which console, etc, and also reports when another process
steals the signal.)

-- 
Zygo Blaxell, former sysadmin and current software/hardware guru for the
University of Waterloo Computer Science Club; current sysadmin for miranda.
uwaterloo.ca and ezmail.com.  10th place team, ACM Intl Finals Programming 
Contest 1994.  Will administer Unix (esp. Linux, maybe Solaris) for food.
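
The same-uid alternative proposed in the message above, as an added example that is not part of the original post or of the selection program. The function names are hypothetical; the check assumes the standard Linux numbering in which virtual consoles /dev/tty1 to /dev/tty63 are character devices with major 4 and minors 1 to 63.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <unistd.h>

#define VC_MAJOR     4   /* Linux TTY major number */
#define VC_MINOR_MAX 63  /* minors 1..63 are the virtual consoles */

/* Policy decision on already-collected metadata (hypothetical helper).
 * Returns 1 only if the target is a virtual console owned by `caller`. */
int paste_allowed(uid_t caller, const struct stat *st)
{
    if (!S_ISCHR(st->st_mode))
        return 0;                       /* not a character device */
    if (major(st->st_rdev) != VC_MAJOR)
        return 0;                       /* not a TTY-major device */
    if (minor(st->st_rdev) < 1 || minor(st->st_rdev) > VC_MINOR_MAX)
        return 0;                       /* tty0 alias or a serial line */
    return st->st_uid == caller;        /* strict same-uid rule */
}

/* Open first, then fstat() the descriptor, so the object that was checked
 * is the object later written to. Returns 1 allowed, 0 denied, -1 error. */
int paste_allowed_path(uid_t caller, const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    int rc = (fstat(fd, &st) == 0) ? paste_allowed(caller, &st) : -1;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    const char *tty = argc > 1 ? argv[1] : "/dev/tty1";
    int rc = paste_allowed_path(getuid(), tty);
    printf("%s: %s\n", tty, rc == 1 ? "allowed" : rc == 0 ? "denied" : "error");
    return rc == 1 ? 0 : 1;
}
```

A second user's uid is denied on a console owned by the first, which is the cross-user paste limitation the message points out.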