Re: security / kbd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 3 Dec 2005, Andries Brouwer wrote:
> On Sat, Dec 03, 2005 at 01:21:51AM +0100, Bodo Eggert wrote:

> > > On the other hand, I am told that recent kernels restrict the use of
> > > loadkeys to root. If so, an unfortunate choice. People want to switch
> > > unicode support on/off, or go from/to a dvorak keymap.
> > 
> > It's global, and it can be done remotely. Therefore you can either have
> > remote logins or a secure console.
> 
> Let me repeat what I said and you snipped:
> If there is a security problem, then it should be solved in user space.

By killing and disabeling all remote logins when root logs in or by 
ptracing each user program during root sessions? You'd have to do this 
untill we find somebody to do the correct fix in the kernel.

> Some people actually use the console. They want to be able to reassign
> CapsLock, set their own function keys, set dvorak keymap etc.
> It is a bad idea to restrict that functionality to root.

You can allways chmod u+s `type -p keymap`, but you'll take the blame.

> There are a thousand things one can do to put the kernel keyboard/console
> in an interesting state. The solution is to have init/getty/login reset
> state to a useful initial state.

This is not enough, since it's a global setting. At least, it used to be 
when I last looked. loadkeys doesn't complain when run from an xterm, 
therefore I asume nobody changed this. I can't change to the console since 
ati sucks.

> Not to have the kernel forbid one
> to change the settings of the very keyboard one is typing on.

> > The correct fix would be binding the keymap to the current tty only,
> > resetting the console if it gets closed and not allowing init to reuse
> > it unless it's closed. If you do this, you'll want a default setting, too.
> 
> Yes.

Unfortunartely nobody dares to implement this.

> > YANI: Root should be able to set a coloured border indicating that it's
> > really the getty/login process asking for the user prompt/password.
> 
> Didnt I show a "bleeding edge" patch some April 1st or so?

It's a bad day for presenting a usefull patch. It's one thing where
windows was ahead security-wise and which unices usurally lacked.
Off cause the CTRL-ALT-DEL secure screen is about to be disabled, so we 
can measure up to[0] windows by waiting.-)



[0] The translations of "gleicgziehen" by dict.leo.org seem strange.
-- 
If at first you don't succeed, call it version 1.0 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux