Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise

To: Krzysztof Halasa <khc@pm.waw.pl>
Cc: Horms <horms@verge.net.au>, linux-kernel@vger.kernel.org, 334113@bugs.debian.org, Alastair McKinstry <mckinstry@debian.org>, security@kernel.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
From: Rudolf Polzer <debian-ne@durchnull.de>
Date: Thu, 20 Oct 2005 01:12:58 +0200
Message-id: <[🔎] 20051019231258.GA5035%atfield-dt@durchnull.de>
Reply-to: Rudolf Polzer <debian-ne@durchnull.de>, 334113@bugs.debian.org
In-reply-to: <[🔎] m3zmp52jyz.fsf@defiant.localdomain>
References: <[🔎] 20051018044146.GF23462@verge.net.au> <[🔎] m37jcakhsm.fsf@defiant.localdomain> <[🔎] 20051018171645.GA59028%atfield-dt@durchnull.de> <[🔎] m3fyqyhdm8.fsf@defiant.localdomain> <[🔎] 20051018204919.GA21286%atfield-dt@durchnull.de> <[🔎] m3oe5l21rr.fsf@defiant.localdomain> <[🔎] 20051019132326.GA31526%atfield-dt@durchnull.de> <[🔎] m3y84pjo9m.fsf@defiant.localdomain> <[🔎] 20051019202458.GA51688%atfield-dt@durchnull.de> <[🔎] m3zmp52jyz.fsf@defiant.localdomain>

Scripsis, quam aut quem »Krzysztof Halasa« appellare soleo:
> Rudolf Polzer <debian-ne@durchnull.de> writes:
> > That's the only thing that might actually work - an inductive device wrapped
> > around the keyboard cable. But I've never seen those available ready to buy.
> 
> There are simpler designs - it's just a serial line, right? A simple
> "dongle" can send data from the keyboard to a notebook. With luck two
> wires would do (using parallel port for sampling data).

We use a PS/2 port, so without a reboot, this would not work. IIRC 2.6 kernels
with keyboard support compiled into the kernel cannot be forced to re-detect
the keyboard when the line was interrupted (which is a big problem with old KVM
switches). Of course, with USB keyboards this approach would work.

And if it weren't for the typical nvidia driver problems, we wouldn't allow
students to reboot the computers using the power button and let it restart the
X server instead.

Reply to:

Follow-Ups:
- Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
  - From: Krzysztof Halasa <khc@pm.waw.pl>

References:
- Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
  - From: Horms <horms@verge.net.au>
- Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
  - From: Krzysztof Halasa <khc@pm.waw.pl>
- Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
  - From: Rudolf Polzer <debian-ne@durchnull.de>
- Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
  - From: Krzysztof Halasa <khc@pm.waw.pl>
- Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
  - From: Rudolf Polzer <debian-ne@durchnull.de>
- Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
  - From: Krzysztof Halasa <khc@pm.waw.pl>
- Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
  - From: Rudolf Polzer <debian-ne@durchnull.de>
- Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
  - From: Krzysztof Halasa <khc@pm.waw.pl>
- Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
  - From: Rudolf Polzer <debian-ne@durchnull.de>
- Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
  - From: Krzysztof Halasa <khc@pm.waw.pl>

Prev by Date: Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
Next by Date: Re: Bug#333522: possible problem cause: wait4(-1)
Previous by thread: Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
Next by thread: Bug#334113: kernel allows loadkeys to be used by any user, allowing for local root compromise
Index(es):
- Date
- Thread