lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20090310215818.GA3540@1wt.eu>
Date:	Tue, 10 Mar 2009 22:58:18 +0100
From:	Willy Tarreau <w@....eu>
To:	Jaswinder Singh Rajput <jaswinder@...nel.org>
Cc:	LKML <linux-kernel@...r.kernel.org>
Subject: Re: Keymap 0: Permission denied

Hi Jaswinder,

On Tue, Mar 10, 2009 at 07:06:06PM +0530, Jaswinder Singh Rajput wrote:
> On Sun, 2009-03-08 at 23:40, Willy Tarreau wrote:
> > Hi,
> > 
> > On Sun, Mar 08, 2009 at 11:03:46PM +0530, Jaswinder Singh Rajput wrote:
> > > Hello Willy,
> > > 
> > > On Red Hat 9 With latest 2.4-git kernel, when I log in as a regular user
> > > on a TTY, I get the following error:
> > > 
> > > Keymap 0: Permission denied
> > > Keymap 1: Permission denied
> > > Keymap 2: Permission denied
> > > KDSKBENT: Operation not permitted
> > > loadkeys: could not deallocate keymap 3
> > > 
> > > How to fix this error.
> > 
> > No idea yet. Could you please try "loadkey us" for instance, to ensure
> > it is the program which fails ? If so, please send me the output of
> > "strace loadkeys us".
> > 
> 
> I am attaching the strace for your reference.

Thanks, and indeed I agree with your analysis !

> This patch solves above problem, Is this a correct way ?

I'm not sure, as it approximately consists in reverting that patch in
a different way, which I've verified is similar in 2.6 :

commit f7d4ff67d9c7481f720885e5ec37111bb081921f
Author: Marcelo Tosatti <marcelo.tosatti@...lades.com>
Date:   Tue Nov 1 14:03:08 2005 -0200

    [PATCH] only disallow _setting_ of function key string
    
    Mikael Pettersson <mikpe@....uu.se> noted that the current 2.6-git (and
    2.4) patch to disallow KDSKBSENT for unpriviledged users should be less
    restrictive allowing reading of current function key string entry, but
    not writing.
    
    Signed-off-by: Marcelo Tosatti <marcelo.tosatti@...lades.com>
    Signed-off-by: Andrew Morton <akpm@...l.org>

diff --git a/drivers/char/vt.c b/drivers/char/vt.c
index 40ce683..8b8f95d 100644
--- a/drivers/char/vt.c
+++ b/drivers/char/vt.c
@@ -166,6 +166,9 @@ do_kdsk_ioctl(int cmd, struct kbentry *user_kbe, int perm, struct kbd_struct *kb
 	if (i >= NR_KEYS || s >= MAX_NR_KEYMAPS)
 		return -EINVAL;	
 
+	if (!capable(CAP_SYS_TTY_CONFIG))
+		perm = 0;
+
 	switch (cmd) {
 	case KDGKBENT:
 		key_map = key_maps[s];
@@ -277,7 +280,7 @@ do_kdgkb_ioctl(int cmd, struct kbsentry *user_kdgkb, int perm)
 	int i, j, k;
 
 	if (!capable(CAP_SYS_TTY_CONFIG))
-		return -EPERM;
+		perm = 0;
 
 	/* we mostly copy too much here (512bytes), but who cares ;) */
 	if (copy_from_user(&tmp, user_kdgkb, sizeof(struct kbsentry)))


I'm now thinking that RH9 might have relied on an expected feature to
provide per-user keymaps. I indeed have never encountered a case where
loadkeys was performed by a user, it was always some init script at
boot time. Granting the access to plain users causes a DoS issue where
a user might load a crappy map and log out, waiting for the next guy
to try to log in and have fun with the remapped chars.

After a bit of googling, I found the original discussion leading to
this patch (sorry I closed the window too fast). One of the suggestion
was to setuid loadkeys in environments where local users were trusted
enough to change the keymaps.

You could also add them to the sudoers file so that they do "sudo loadkeys".

Anyway, given the security implications around this patch, I don't want
to revert it, eventhough they are minor. This is the first reported breakage
in 3+ years and the workarounds are quite non-intrusive.

Best regards,
Willy

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ