Message-ID: <6e713105-02db-12e1-68a9-f167fe11d0a9@gmail.com>
Date: Thu, 1 Jun 2017 09:12:07 +0200
From: lazytyped <lazytyped@...il.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: Re: [PATCH v7 2/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN

On 6/1/17 4:35 AM, Kees Cook wrote:
> I still cannot wrap my head around why providing users with a
> protection is a bad thing. Yes, the other tty games are bad, but this
> fixes a specific and especially bad case that is easy to kill. It's
> got a Kconfig and a sysctl. It's not on by default. This protects the
> common case of privileged ttys that aren't attached to consoles, etc,
> so while the framebuffer thing is an issue, it's not always an issue,
> etc.

There are a couple of reasons for that:

First of all, a protection is extra cost, in terms of maintenance, knowledge (a new knob) and compatibility. That extra cost may sound minimal, but adds up pretty quickly. If the protection is "easily" bypassable (that is, today we use TIOCSTI, tomorrow we use something else in the same path), then that extra cost/complexity stays for no good reason. Feature creep is a real issue, in security, IMHO - it's not a 'number of features' game.

Second, stuff that is delivered off by default tends to rot. I don't work on Linux, but generally try really hard to not add something that is not ON by default, at least for a small number of things. Stuff inevitably breaks, and it's extra cost. To me, a protection that needs to be off by default raises a red flag. I know Linux has a somewhat different philosophy (centered around the kernel config that each distribution pieces together and ships), so mileage probably varies there.

I don't have enough skills to comment about all the possible TTY attacks and quirks, but I think I understand where Alan comes from.

Good luck.

- Enrico