[rsbac] Protecting secoff from malicious root

Amon Ott rsbac@rsbac.org
Mon Apr 8 12:31:01 2002

On Monday, 8. April 2002 13:14, Rafal Wojtczuk wrote:
> On Mon, Apr 08, 2002 at 10:46:51AM +0200, Amon Ott wrote:
> > > ioctl(secoffs_terminal_fd, TIOCSTI, ptr_to_char)
> >
> > Just fixed it for -pre6, please check it yourself. The ioctl now requires
> > WRITE_OPEN on the terminal device.
> When -pre6 appears in http://www.rsbac.org/pre/ I'll have a look. Anyway,
> with this fix, is root able to open /dev/pts/number read-write ? This is
> needed for things like wall, write etc.

READ-WRITE-OPEN through standard open etc. has been fully controlled for a 
long time. It is just a request for the device. The new stuff is just the 

> I would disable TIOCSTI totally for rsbac.

Disabling might not work for some people. The current solution fits into the 
standard RSBAC scheme with device access control.