Date:	Thu, 7 Jun 2012 13:14:44 +0300
From:	Boaz Harrosh <bharrosh@...asas.com>
To:	Richard Weinberger <richard@....at>
CC:	<user-mode-linux-devel@...ts.sourceforge.net>,
	<gregkh@...uxfoundation.org>, <linux-kernel@...r.kernel.org>,
	<viro@...iv.linux.org.uk>, <jslaby@...e.cz>, <alan@...ux.intel.com>
Subject: Re: [uml-devel] um: TTY fixes (?)

On 06/07/2012 12:22 PM, Alan Cox wrote:
> On 06/07/2012 11:45 AM, Richard Weinberger wrote:

>> 
>> We cannot push this patch to Linus or -stable.
>> The problem is that will break other things.
>> E.g. login on non-tty0 terminals will break if the distro uses
>> util-linux's login.
>> 


I don't understand. Current code does not work at all, even for
tty0 as well as ttyX, since 3-4 kernels ago. I've been running with
your patch for a long time.

I really don't get it. You have not broken anything new. Only
not fixed all of the problems. Current code does not work for "non-tty0
terminals" as well, right?

<>
>> Breaking existing applications is a no-go, sorry.

> Being insecure should also be a no-no.

> 
> Not sure what Jiri thinks but for the moment I think we need to push it
> with a module option as to whether hangup on console is enabled or not.
> 
> I don't want to just break the existing user space, but leaving other
> vendors systems insecure just to cover Fedora's backside is also not
> entirely fair either.

I don't see Alan's comment at all. This is not a regression; it was always
like that, ever since Fedora was working on UML. But these fixes are real
live regression crashes.

And I don't see the whole "leaving other vendors systems insecure". It's just
a freaking UML tty. You need to be root 5 times before you have access
to all these, and it's only the UML that's compromised, not the "whole system".
And surely the current plain tty0 crash is much less secure than this thing.

> Thanks,
> //richard
> 


Please let us work, I don't see the point of leaving something terminally
broken, ever.

Thanks
Boaz