diff mbox

[1/4] added SECURITY_TIOCSTI_RESTRICT kernel config

Message ID 20170417060706.28674-2-matt@nmatt.com (mailing list archive)
State New, archived
Headers show

Commit Message

Matt Brown April 17, 2017, 6:07 a.m. UTC
adding the kernel config SECURITY_TIOCSTI_RESTRICT in order to allow
the user to restrict unprivileged command injection using TIOCSTI
tty ioctls

Signed-off-by: Matt Brown <matt@nmatt.com>
---
 security/Kconfig | 12 ++++++++++++
 1 file changed, 12 insertions(+)

Comments

Greg Kroah-Hartman April 17, 2017, 6:50 a.m. UTC | #1
On Mon, Apr 17, 2017 at 02:07:03AM -0400, Matt Brown wrote:
> adding the kernel config SECURITY_TIOCSTI_RESTRICT in order to allow
> the user to restrict unprivileged command injection using TIOCSTI
> tty ioctls

"unpriviledged command injection"?  That sounds a bit "odd", don't you
think?

> 
> Signed-off-by: Matt Brown <matt@nmatt.com>
> ---
>  security/Kconfig | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/security/Kconfig b/security/Kconfig
> index 3ff1bf9..d757bcb 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -18,6 +18,18 @@ config SECURITY_DMESG_RESTRICT
>  
>  	  If you are unsure how to answer this question, answer N.
>  
> +config SECURITY_TIOCSTI_RESTRICT
> +        bool "Restrict unprivileged use of tiocsti command injection"
> +        default n
> +        help
> +	  This enforces restrictions on unprivileged users injecting commands
> +	  into other processes in the same tty session using the TIOCSTI ioctl

Tabs and spaces?

Since tty sessions are usually separated by different users, how would
they have the same one and yet need something like this?

Also, why not put this in the tty config section?

And finally, this patch on its own doesn't do anything :(

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Matt Brown April 18, 2017, 4:29 a.m. UTC | #2
On 04/17/2017 02:50 AM, Greg KH wrote:
> On Mon, Apr 17, 2017 at 02:07:03AM -0400, Matt Brown wrote:
>> adding the kernel config SECURITY_TIOCSTI_RESTRICT in order to allow
>> the user to restrict unprivileged command injection using TIOCSTI
>> tty ioctls
>
> "unpriviledged command injection"?  That sounds a bit "odd", don't you
> think?
>
>>
>> Signed-off-by: Matt Brown <matt@nmatt.com>
>> ---
>>  security/Kconfig | 12 ++++++++++++
>>  1 file changed, 12 insertions(+)
>>
>> diff --git a/security/Kconfig b/security/Kconfig
>> index 3ff1bf9..d757bcb 100644
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -18,6 +18,18 @@ config SECURITY_DMESG_RESTRICT
>>
>>  	  If you are unsure how to answer this question, answer N.
>>
>> +config SECURITY_TIOCSTI_RESTRICT
>> +        bool "Restrict unprivileged use of tiocsti command injection"
>> +        default n
>> +        help
>> +	  This enforces restrictions on unprivileged users injecting commands
>> +	  into other processes in the same tty session using the TIOCSTI ioctl
>
> Tabs and spaces?
>

Sorry about that. Used the wrong vimrc for part of the Kconfig. Will
fix in updated patch.

> Since tty sessions are usually separated by different users, how would
> they have the same one and yet need something like this?
>
> Also, why not put this in the tty config section?
>
> And finally, this patch on its own doesn't do anything :(
>

I will take your input, update my code, and resubmit as a single
patch.

> thanks,
>
> greg k-h
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Alan Cox April 18, 2017, 1:40 p.m. UTC | #3
> Since tty sessions are usually separated by different users, how would
> they have the same one and yet need something like this?
> 
> Also, why not put this in the tty config section?

The normal attack use case people argue about is a rogue process on the
users machine sitting there waiting until the user has logged in to a
remote machine and is idle and then doing stuff.

Attackers of course don't bother doing that because it's easier to get
the user to run a different ssh client instead.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Kees Cook April 18, 2017, 3:49 p.m. UTC | #4
On Tue, Apr 18, 2017 at 6:40 AM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote:
>> Since tty sessions are usually separated by different users, how would
>> they have the same one and yet need something like this?
>>
>> Also, why not put this in the tty config section?
>
> The normal attack use case people argue about is a rogue process on the
> users machine sitting there waiting until the user has logged in to a
> remote machine and is idle and then doing stuff.

It's still a threat, though, and adding this with default n to allow
the more paranoid builders a chance to mitigate it seems reasonable to
me.

> Attackers of course don't bother doing that because it's easier to get
> the user to run a different ssh client instead.

Attackers will always take the easiest route, so we have to keep
killing the low hanging fruit.

-Kees
diff mbox

Patch

diff --git a/security/Kconfig b/security/Kconfig
index 3ff1bf9..d757bcb 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -18,6 +18,18 @@  config SECURITY_DMESG_RESTRICT
 
 	  If you are unsure how to answer this question, answer N.
 
+config SECURITY_TIOCSTI_RESTRICT
+        bool "Restrict unprivileged use of tiocsti command injection"
+        default n
+        help
+	  This enforces restrictions on unprivileged users injecting commands
+	  into other processes in the same tty session using the TIOCSTI ioctl
+
+	  If this option is not selected, no restrictions will be enforced
+	  unless the tiocsti_restrict sysctl is explicitly set to (1).
+
+	  If you are unsure how to answer this question, answer N.
+
 config SECURITY
 	bool "Enable different security models"
 	depends on SYSFS