lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <d120d5000707190817t62013ddcg966bd4e8c0ec116f@mail.gmail.com>
Date:	Thu, 19 Jul 2007 11:17:50 -0400
From:	"Dmitry Torokhov" <dmitry.torokhov@...il.com>
To:	"Daniel Mantione" <daniel.mantione@...epascal.org>
Cc:	linux-kernel@...r.kernel.org,
	"Andrew Morton" <akpm@...ux-foundation.org>
Subject: Re: Keyboard programming needs root

Hi Daniel,

On 7/14/07, Daniel Mantione <daniel.mantione@...epascal.org> wrote:
> Hello,
>
> A while back a patch was merged to make that only root can program the
> keyboard:
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0b360adbdb54d5b98b78d57ba0916bc4b8871968
>
> Is this patch discussable? I think this patch isn't proper because of the
> following reasons:
>
> * Users can play games in many ways. They can configure the terminal
>  settings, (remove the automatic line feed, disable the echo etc). They can
>  load console fonts. They can still put the keyboard in raw mode, etc.

Keyboard raw mode or disabling line echo may be annoying but you
really don't want someone leaving box after binding "rm -rf /" to a
backspace key...

> * All of these games can be prevented by making mingetty (or whatever getty
>  is used) or PAM can put the console into a known state after logout.
> * All of these games are annoyances, system security is not compromised.
> * I do not see a problem with for example a French user doing a "loadkeys
>  fr" if that allows hims to use the computer easier.
>
> Worst issue for me though, is that KDSBENT is needed to be able to catch
> keys like shift+tab, alt+fx, escape without delay. My application suddenly
> needs root permissions to work properly.

Yes, if your application mucks with the console it has to be trusted...

> The alternative, semi raw mode,
> has the disadvantage that you need to implement your own keymaps (like X).
> In short, this change breaks applications.
>

You may also try reading data directly from evdev devices... They are
normally privileged as well but usually user logged on console is
given access to them.

-- 
Dmitry
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ