Message-ID: <20101116225834.GA27594@tango.0pointer.de>
Date:	Tue, 16 Nov 2010 23:58:35 +0100
From:	Lennart Poettering <mzxreary@...inter.de>
To:	Alan Cox <alan@...rguk.ukuu.org.uk>
Cc:	Kay Sievers <kay.sievers@...y.org>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	Greg KH <greg@...ah.com>, Werner Fink <werner@...e.de>,
	Jiri Slaby <jslaby@...e.cz>
Subject: Re: tty: add 'active' sysfs attribute to tty0 and console device

On Tue, 16.11.10 22:51, Alan Cox (alan@...rguk.ukuu.org.uk) wrote:

> 
> On Tue, 16 Nov 2010 22:42:50 +0100
> Lennart Poettering <mzxreary@...inter.de> wrote:
> 
> > On Tue, 16.11.10 20:49, Alan Cox (alan@...rguk.ukuu.org.uk) wrote:
> > 
> > > /dev/tty* and sysfs nodes don't track permissions, owner with each other,
> > > so you are providing interfaces that either expose information they
> > > shouldn't (which screen is valuable info in some environments), or don't
> > > expose info they should.
> > 
> > Well, I find the information who is logged in much more valuable than
> > the information whether I am active or not. 
> 
> Well, that's fine for your machine, what about the rest of us?

I think most people (except maybe you) find it more security relevant if
it is leaked who's logged in and on which tty than it is to know whether
that's the active session or not.

And as long as we have no problem with letting everybody know who is
logged in and on which tty, we shouldn't waste brain cells on discussing
whether it is a problem if they also find out whether that login is
currently active or not.

Also, sysfs supports perms just fine. If you don't want people to see
it, then just chmod 600 the sysfs file, and nobody can see it
anymore. That's a trivial thing to do. It's a lot more difficult to hide
who's logged in, since the user who is logged in takes possession of the
tty file which everybody can see and stat(), even if not open().

This is really a pointless discussion. Security is not an issue
here. Which tty is currently active is completely boring information,
and the least we should think about. 

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
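The two information channels argued about above, as an added example that is not part of the message or of the kernel patch: a small C program that (1) tries to read the attribute the patch proposes and (2) lists who holds each virtual console purely from the ownership of the /dev/ttyN nodes, which stat() reveals to anyone with search permission on /dev even when open() would fail. It assumes the attribute path /sys/class/tty/tty0/active (the name in the subject; it only exists on kernels carrying the patch), the /dev/tty1..12 naming, and that login(1) chowns the tty to the logged-in user, so a non-root owner means a live session. Build with `cc -Wall -o ttywho ttywho.c`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Path of the attribute the patch under discussion adds (assumed here;
 * present only on kernels that carry the patch). */
#define SYSFS_ACTIVE "/sys/class/tty/tty0/active"

struct tty_info {
    uid_t  uid;     /* owner of the device node */
    mode_t mode;    /* permission bits only */
    int    in_use;  /* 1 if owned by a non-root user, i.e. a login session */
};

/* True if users outside owner and group may read the object. */
int world_readable(mode_t mode)
{
    return (mode & S_IROTH) != 0;
}

/* The "who is logged in" channel: login(1) chowns the tty to the user, and
 * stat() needs only search permission on /dev, not read permission on the
 * node itself, so the owner is visible even when open() would fail.
 * Returns 0 on success, -1 if stat() fails (errno set). */
int tty_probe(const char *path, struct tty_info *out)
{
    struct stat st;

    if (stat(path, &st) < 0)
        return -1;
    out->uid    = st.st_uid;
    out->mode   = st.st_mode & 07777;
    out->in_use = st.st_uid != 0;
    return 0;
}

/* The "which VT is active" channel: read one small sysfs-style attribute,
 * stripping the trailing newline. Returns the byte count or -1 with errno
 * set. After `chmod 600` on the attribute a non-root caller gets EACCES
 * here, which is the "sysfs supports perms just fine" mitigation. */
ssize_t read_attr(const char *path, char *buf, size_t len)
{
    int fd;
    ssize_t n;

    if (len == 0) {
        errno = EINVAL;
        return -1;
    }
    fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    n = read(fd, buf, len - 1);
    if (n < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    buf[n] = '\0';
    if (n > 0 && buf[n - 1] == '\n')
        buf[--n] = '\0';
    return n;
}

int main(void)
{
    char active[64];
    int i;

    /* Channel 1: the proposed attribute, naming the foreground VT. */
    if (read_attr(SYSFS_ACTIVE, active, sizeof active) >= 0)
        printf("%s: %s\n", SYSFS_ACTIVE, active);
    else
        printf("%s: %s\n", SYSFS_ACTIVE, strerror(errno));

    /* Channel 2: who holds each VT, from ownership alone, no open() needed. */
    for (i = 1; i <= 12; i++) {
        char path[32];
        struct tty_info ti;

        snprintf(path, sizeof path, "/dev/tty%d", i);
        if (tty_probe(path, &ti) < 0)
            continue;
        printf("%-10s uid=%u mode=%04o %s\n", path, (unsigned)ti.uid,
               (unsigned)ti.mode, ti.in_use ? "login session" : "free");
    }
    return 0;
}
```

Run it as an unprivileged user: the /dev/ttyN lines still show the owning uid of every console, while the attribute read succeeds only as far as its mode allows. To see the mitigation Lennart describes, `chmod 600 /sys/class/tty/tty0/active` as root and rerun; the attribute line turns into "Permission denied" but the ownership listing is unchanged, which is exactly the asymmetry the message points out.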