[401] in linux-security and linux-alert archive

Re: console security (was Re: problem with selection)

daemon@ATHENA.MIT.EDU (Ian Jackson)
Sat Sep 30 01:09:28 1995

Date: Sat, 30 Sep 95 02:36 BST
From: Ian Jackson <iwj10@cus.cam.ac.uk>
To: linux-security@tarsier.cv.nrao.edu

> [mod: Linux has had the secure attention key for a very long time; it can
> 	be enabled using setserial. Is there any indication that it doesn't
> 	work? --okir]

Yes.  In April last I sent the attached message to linux-serial.  The
problem is still present in 1.2.13, except that SAK (line break)
now reliably does nothing once a user is logged in.

In May I wrote to Ted Ts'o and said "have you seen my bug report", and
he said "no".  I sent it to him again.  I have not had any reply
since.

This is not a critical issue for me (unlike the massive and numerous
holes in /proc, currently being discussed on linux-kernel), so I
haven't investigated deeply.

I have to say I'm not particularly impressed with the responsiveness
to bug reports about the serial driver.  From kernel version 1.1.13 to
1.1.40 or so hardware flow control was broken.  I kept reporting this,
and was told things like "well, most people mailing me say it works
for them", and it took several months before the problem was
acknowledged and then fixed.  In the meantime of course I'd been
unable to test the recent 1.1.x series kernels and a data-corrupting
bug had been introduced in the floppy driver.

Andries Brouwer writes ("Re: console security"):
> It does not work in several other senses, as Zygo mentioned:
> It does not assure a default key mapping.
>   [How could it? Read it from a file? That is not something
>    that belongs in the kernel, it is something that login might do.
>    Reset to a universal default? But that probably makes the
>    keyboard very difficult to use.
>    A german keyboard interchanges y and z.
>    A french keyboard interchanges a and q, and w and z.
>    All national keyboards permute the nonletters nondigits in a random way.]
> It does not assure a default font.
>   [How could it? Go back to the font in the character ROM?
>    A possibility, but again a decision that is better taken outside the kernel.]
> It does not assure a default character set to font mapping.
> It does not assure that the console is in a useable mode.

I was going to say that only root may load new keymaps, change video
mode, &c, however this appears to be false, for keymaps at least.

Under the circumstances the correct solution, IMO, is to have a
version of getty which reset all of this stuff.

> Since one is not sure of the key mapping, one doesn't know for sure
> that the key one presses is really the SAK.

The SAK should clearly not be remappable (except by root).

> Then there is the matter of aliasing. A file descriptor to /dev/tty2
> allows access to the keyboard, so killing everybody on /dev/tty1 is not
> enough.

Can a process on tty2 really access keystrokes on the whole console ?
If so, WHY ???!!!

Who the hell thought that this would be a really nifty "feature" to
add.  I've just had to do surgery to make the procfs secure on my
system, and it has broken strace and gdb, and now I discover that this
"really neat feature" mindset is all-pervasive.  GRRRR !

Ian.
