[Secure-testing-team] Re: kernel allows loadkeys to be used by any user, allowing for local root compromise

Rudolf Polzer debian-ne at durchnull.de
Tue Oct 18 20:49:19 UTC 2005


Scripsis, quam aut quem »Krzysztof Halasa« appellare soleo:
> Rudolf Polzer <debian-ne at durchnull.de> writes:
> > That does not help against the loadkeys issue if the attacking user is still
> > logged in on another virtual console. Even when tty1 is active, a user owning
> > tty6 can use loadkeys.
> 
> Sure. The problem is that mappings are shared between VCs but anyway
> it's solved by disabling user changes.
> I don't think there is a solution here, easier than hardware reset.
> As for "server" machines (not simple terminals), physical locking is
> critical.

Of course it is.

However, pool computers like in this case are neither servers nor terminals.
If they were terminals, we would need about 30 servers to handle the load of
100 active students. So they are workstation installations that do most of the
work locally.

> > Well, sometimes you have problems that powercycling would "hide" so you can't
> > track them down if you powercycle the whole computer every time.
> 
> In security-sensitive instalation, you simply don't expose the computers
> to non-admins.

Well, in this case the issue is on pool computers for students. Students SHOULD
be able to access the computers, but not as root.

Currently our workaround is "only su(do) from a ssh session on a 'trusted'
computer".

> > For using foreign languages and keyboard mappings.
> 
> Hope they don't change the keys in the process.

They HAVE to do that, this is the very point of switching the keyboard layout
from German to US, to UK, to French or to whatever.

> Anyway, most people don't need that nor they need suid-wrapper.

Many people here need that, but it's ok for them if it works only in X11 (most
of these users don't even know that text consoles exist).

However, Xorg and XFree86 have about the same problem: you can remap
Ctrl-Alt-Backspace. So it would be good if the SAK also worked there which
would require it to set a "sane" video mode.




More information about the Secure-testing-team mailing list