Message-ID: <20230402191652.747b6acc.hanno@hboeck.de>
Date: Sun, 2 Apr 2023 19:16:52 +0200
From: Hanno Böck <hanno@...eck.de>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH] Restrict access to TIOCLINUX

On Sun, 2 Apr 2023 16:55:01 +0200
Greg KH <gregkh@...uxfoundation.org> wrote:

> You just now broke any normal user programs that required this (or the
> other ioctls), and so you are going to have to force them to be run
> with CAP_SYS_ADMIN permissions?

Are you aware of such normal user programs? It was my impression that
this is a relatively obscure feature and gpm is pretty much the only
tool using it.

> And you didn't change anything for programs like gpm that already had
> root permission (and shouldn't that permission be dropped anyway?)

Well, you could restrict all that to a specific capability. However, it
is my understanding that the existing capability system is limited in
the number of capabilities and new ones should only be introduced in
rare cases. It does not seem that a feature probably few people use
anyway deserves a new capability.

Do you have other proposals for how to fix this issue? One could
introduce an option like the one for TIOCSTI that allows disabling
selection features by default.

-- 
Hanno Böck
https://hboeck.de/