lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <d486802c-2431-0818-aef0-c6915d0c35b9@infradead.org>
Date:   Tue, 11 Oct 2022 14:12:21 -0700
From:   Randy Dunlap <rdunlap@...radead.org>
To:     Simon Brand <simon.brand@...tadigitale.de>,
        linux-kernel@...r.kernel.org
Subject: Re: Possibility to disable icotl TIOCSTI



On 10/6/22 11:48, Simon Brand wrote:
> Hello,
> 
> in the past there have been attempts to restrict the TIOCSTI ioctl. [0, 1]
> None of them are present in the current kernel.
> Since those tries there have been some security issues (sandbox
> escapes in flatpak (CVE-2019-10063) [2] and snap (CVE 2019-7303) [3],
> runuser [4], su [5]).
> 
> I ask to merge the patches from linux-hardening [6, 7] so users can
> opt out of this behavior. These patches provide the
> `SECURITY_TIOCSTI_RESTRICT` Kconfig (default no) and a
> `tiocsti_restrict` sysctl.

Please send to the hardening mailing list and/or hardening maintainer.

> Escapes can be reproduced easiliy (on archlinux) via a python script:
> ```
> import fcntl
> import termios
> with open("/dev/tty", "w") as fd:
>     for c in "id\n":
>         fcntl.ioctl(fd, termios.TIOCSTI, c)
> ```
> Now run as root:
> # su user
> $ python3 /path/to/script.py ; exit
> uid=0(root) ...
> 
> At least to me, this result was not expected.
> 
> I asked it before on kernelnewbies mailing list. [8]
> Please set me in CC, because I have not subscribed to this list.
> 
> Best and thank you,
> Simon
> 
> [0] https://lkml.kernel.org/lkml/CAG48ez1NBnrsPnHN6D9nbOJP6+Q6zEV9vfx9q7ME4Eti-vRmhQ@mail.gmail.com/T/
> [1] https://lkml.kernel.org/lkml/20170420174100.GA16822@mail.hallyn.com/T/
> [2] https://github.com/flatpak/flatpak/issues/2782
> [3] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapIoctlTIOCSTI
> [4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815922
> [5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843
> [6] https://github.com/anthraxx/linux-hardened/commit/d0e49deb1a39dc64e7c7db3340579
> [7] https://github.com/anthraxx/linux-hardened/commit/ea8f20602a993c90125bf08da3989
> [8] https://www.spinics.net/lists/newbies/msg64019.html

-- 
~Randy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ