
Re: couple things RedHat does well and Debian should too



> > No, the way it works is it changes the ownership of the /dev/fd*
> > etc. to you. No extra groups are given you so you can't create a
> > setgid file. You can't really do anything except to read and write
> > from/to those devices.  It should be Ok. 
> 
> This is even worse. See:
> http://securityportal.com/list-archive/bugtraq/2000/May/0026.html
> 
> "When accepting luser console login, pam_console called by /bin/login
> tries to be user-friendly, doing several chowns on devices like login
> tty and corresponding vcs[a] device, as well as other interesting
> devices: fd*, audio devices (dsp*, mixer*, audio*, midi*, sequencer),
> cdrom, streamer/zip drive devices, frame buffer devices, kbd*, js*,
> video*, radio*, winradio*, vtx*, vbi* and so on. Probably it's
> designed to make console logins more comfortable, but has DEADLY
> effects on servers with console luser-login ability (and that's quite
> common).
> 
> "On logout, these devices are chown'ed back to root, but unlike
> /dev/tty[0-9], these devices have no hangup mechanism, so user will
> have full control over them after logout by opening them and then
> keeping the file descriptor. The easiest attack is read-write snooping
> of consoles.  Log in on console once, open /dev/vcsX (where X
> corresponds to tty number), then logout. By continuous lseek/read loop,
> your program will be able to snoop further logins on this console -
> forever. Also, it's possible to write() on snooped console... Ugh.
> Other possibilities include reading any inserted cd, reading/writing
> any inserted floppy, messing with video/audio devices and so on, all
> in the same way."

Find another reason; the daemon could do "fuser -k /dev/audio /dev/vcs..."
and kill all processes using those devices.
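
The check discussed in this thread, as an added example that is not part of the original messages: a Python audit that walks a /proc-style tree and reports non-root processes still holding a console-class device open after ownership has gone back to root. The device patterns are a subset of the advisory's list with assumed paths, and the function names, `console_uid` parameter and sample tree are constructed for illustration.

```python
import fnmatch
import os

# Subset of the device classes named in the quoted advisory (assumed paths).
PATTERNS = ["/dev/vcs*", "/dev/fd[0-9]*", "/dev/dsp*", "/dev/mixer*",
            "/dev/audio*", "/dev/midi*", "/dev/sequencer*"]

def real_uid(proc_root, pid):
    """Real UID from the 'Uid:' line of <proc_root>/<pid>/status."""
    with open(os.path.join(proc_root, pid, "status")) as status:
        for line in status:
            if line.startswith("Uid:"):
                return int(line.split()[1])
    return None

def stale_holders(proc_root="/proc", console_uid=None, patterns=PATTERNS):
    """(pid, uid, device) for handles held by anyone but root or console_uid."""
    found = set()
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            uid = real_uid(proc_root, pid)
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or we lack permission to inspect it
            continue
        if uid is None or uid == 0 or uid == console_uid:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:  # descriptor closed while we were scanning
                continue
            if any(fnmatch.fnmatch(target, pat) for pat in patterns):
                found.add((int(pid), uid, target))
    return sorted(found)

def build_sample_proc(root):
    """Constructed sample tree: pid -> (uid, targets of its open descriptors)."""
    sample = {"101": (0, ["/dev/vcs1"]), "202": (1000, ["/dev/vcs1", "/tmp/x"]),
              "303": (1001, ["/dev/tty1", "/dev/audio"])}
    for pid, (uid, targets) in sample.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        with open(os.path.join(root, pid, "status"), "w") as status:
            status.write("Name:\tdemo\nUid:\t%d\t%d\t%d\t%d\n" % ((uid,) * 4))
        for n, target in enumerate(targets):
            os.symlink(target, os.path.join(root, pid, "fd", str(n)))
    return root
```

Run as root against the real `/proc`, `stale_holders()` needs `console_uid` set to the user currently logged in on the console, so that only handles left over from earlier sessions are reported.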

