Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <2023040207-pretender-legislate-2e8b@gregkh>
Date: Sun, 2 Apr 2023 19:23:44 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Hanno Böck <hanno@...eck.de>
Cc: kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH] Restrict access to TIOCLINUX

On Sun, Apr 02, 2023 at 07:16:52PM +0200, Hanno Böck wrote:
> On Sun, 2 Apr 2023 16:55:01 +0200
> Greg KH <gregkh@...uxfoundation.org> wrote:
> 
> > You just now broke any normal user programs that required this (or the
> > other ioctls), and so you are going to have to force them to be run
> > with CAP_SYS_ADMIN permissions? 
> 
> Are you aware of such normal user programs?
> It was my impression that this is a relatively obscure feature and gpm
> is pretty much the only tool using it.

"Pretty much" does not mean "none" :(

> > And you didn't change anything for programs like gpm that already had
> > root permission (and shouldn't that permission be dropped anyway?)
> 
> Well, you could restrict all that to a specific capability. However, it
> is my understanding that the existing capability system is limited in
> the number of capabilities and new ones should only be introduced in
> rare cases. It does not seem a feature probably few people use anyway
> deserves a new capability.

I did not suggest that a new capability be created for this, that would
be an abust of the capability levels for sure.

> Do you have other proposals how to fix this issue? One could introduce
> an option like for TIOCSTI that allows disabling selection features by
> default.

What exact issue are you trying to fix here?

thanks,

greg k-h

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.