[rsbac] Protecting secoff from malicious root

Amon Ott rsbac@rsbac.org
Mon Apr 8 10:32:02 2002


On Friday, 1. March 2002 18:06, Amon Ott wrote:
> > 3) How about stuffing keystrokes into tty queues ? Root can wait for
> > secoff to log in, then root can send characters to secoff's terminal with
> > ioctl(secoffs_terminal_fd, TIOCSTI, ptr_to_char)
> > and thus invoke arbitrary commands as secoff.
>
> Let the secoff login script assign another RC type to the controlling tty,
> which root has no right to access. I'd have to check, whether the ioctl is
> controlled - if not, this hole should be fixed.

Just fixed it for -pre6, please check it yourself. The ioctl now requires 
WRITE_OPEN on the terminal device.

Amon.
--
http://www.rsbac.org