Date: Sun, 20 Dec 2015 20:16:45 +0100
From: Jann Horn <jann@thejh.net>
To: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jiri Slaby <jslaby@suse.com>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drivers/tty: add kernel.restrict_pushback sysctl
Message-ID: <20151220191645.GA17034@pc.thejh.net>
References: <1450626326-8073-1-git-send-email-jann@thejh.net>
 <20151220163643.6f939c6f@lxorguk.ukuu.org.uk>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="82I3+IH0IqGh5yIs"
Content-Disposition: inline
In-Reply-To: <20151220163643.6f939c6f@lxorguk.ukuu.org.uk>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 6914
Lines: 154


--82I3+IH0IqGh5yIs
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Dec 20, 2015 at 04:36:43PM +0000, One Thousand Gnomes wrote:
> On Sun, 20 Dec 2015 16:45:26 +0100
> Jann Horn <jann@thejh.net> wrote:
>=20
> > This new sysctl can be set to 1 to require CAP_SYS_ADMIN for
> > the TIOCSTI ioctl (which lets the caller push input back into
> > the TTY and thereby fake input to other processes that read
> > from the same TTY).
>=20
> You can already do tbis with an LSM, you don't need to add random
> unstructured extra options nobody will know about. Your extra code also
> doesn't log anything so the user who does hit a usage case will have
> nightmares debugging it.

Pretty much nothing in the kernel, at least outside of LSMs, logs
anything when an access is denied. IIRC I included logging in another
security patch that might break stuff and was asked to remove the
logging.

True, it looks like you can already do this with SELinux or probably
also Tomoyo. I didn't realize that it gives you that granularity.

I don't really like the idea of putting a hardening measure like this
into an LSM that many distros don't turn on by default, but I get your
point about duplicating existing functionality inconsistently.


> Am LSM can also do the job properly because it can use labels to
> ascertain the action to perform dependant upon the tty and how it is
> currently being used. An LSM can also protect you far better as it can
> taint the input (for example it can arrange that any TIOCSTI input
> character from a non root user causes the receiving process to be
> untrusted - so you attach the su session and your input just makes the
> shell executing it untrusted so unable to run the command).

Eh. As far as I can tell, that doesn't take into account that the
shell might already have secrets in virtual memory or so, and it
would require the LSM to emulate the normal DAC checks for following
access checks with the creds of the tainting process, duplicating
quite a bit of security-relevant code.


> > This is a well-known problem that hasn't been handled
> > particularly well in userland, e.g. allowing a user to whose
> > account root switches using "su" (or using "sudo" in the
> > default config) to write input to root's shell, resulting
> > in a privilege escalation. Additionally, it has increased
>=20
> And the same attack works via X events and keyboard programming games. If
> you leak file handles you lose. Again an LSM can mitigate here in ways
> your sysctl can't.

I'm mostly concerned about servers where an admin logs in as root,
then changes to various users to configure different services,
because that's the typical multi-user environment - and you usually
don't have X there.

Can you elaborate on the "keyboard programming" bit?

> > Note that this does not make it completely safe to leak pty
> > FDs to unprivileged code: They could still be used to steal
> > passwords that the user enters in his terminal, to
> > selectively suppress keystrokes or to just fake program
> > output. An automatic kernel-side solution to this, if it is
> > even possible, would probably be complicated.
>=20
> This is precisely the problem I have with this - it's airport security,
> it sounds good but has no value at all. Remember that anyone wanting to
> attack you today is using scripts so a week after your sysctl appears the
> script will be updated and everyone's robots will have the new attack that
> bypasses it.
>=20
> So instead of attacking a leaked pty/tty handle the opponent uses the
> leaked X11 handle and posts X events, or if its a console fd they use the
> console interfaces to fake up keypresses.

The attack scenario I have in mind is "someone ssh'es into a server as
root, then changes to another user to run some commands". In this case,
the only potential leaks I see are the pty slave fd, the environment
and the cwd.

I'm aware that this is not as simple when X is involved.


> There are IMHO two things you need to make any attempt to solve this
> properly in the usual circumstances
>=20
> - You need a secure event channel between the keyboard and the root shell
>   you create
>=20
> - You need a way to switch reliably to that secure channel
>=20
> That all comes down to having usable SAK (secure attention keu) support.

I think SAK wouldn't be so great because I don't see an easy solution to
make it work nicely with nested shells: E.g. if you ssh into a server,
then su to a lower privilege level on the server, you might want to get
back either to the local shell or to the remote shell.

I think a nicer way would be to allow creation of sub-tty files that are
bound to a "parent" tty, but whose connection to the parent tty can be
revoked. Then, either the shell or programs like sudo could ensure that
only such a sub-tty is passed down and that it is revoked before the
shell prompt is shown the next time. To ensure that the shell prompt is
not faked, a simple approach might be to show a small secret word and/or
color as part of the shell prompt. This way, the user wouldn't have to
do anything additional (like pressing the SAK) apart from checking the
prompt correctness.

Of course, this breaks if there is a way to tell the TTY to copy some
old prompt to the bottom of the screen. Does anything like that exist?
I'm not familiar enough with TTYs to know the answer.


> With the current graphics DRM and with Wayland we are actually fairly
> close to that being feasible. Until then anyone who types su on an
> untrusted console is (and always has been) asking for trouble.

> As an aside - you also need to include documentation if adding sysctls.

--82I3+IH0IqGh5yIs
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWdv6dAAoJED4KNFJOeCOoHGcP/3DmbbZ+WH+MkhJUE2IpZjvj
An7T/5GcHulMCjFugP7LcLo2t5esv9P9joFKJEvoo5wrlhqa/Z3vcV1w65zZX8kU
W8h400QKoPAd4PrnG9hi1AGN2rVvFdtOMJrPQRNi669zZJ5vTAb8ISaFpccbbswI
mVxzDNMc2YQeiKVmqHVM8xAzEwpkrAD5/NuTX+nTQAOdUby0K2SSYAgRiQKntII5
1cy4jzYSAJjNXqP2FOqZZgNQVs+fntWJcDttJFdRXja3tvlJAqGRzxSw6gk+/d4y
Xpyh285NmW1/VR3T6dWntf1SYN9aEX0KJeGsiomusW5EyzouJHtdoZ77Odbs6G5C
EtiqZyoNVk9/QTZNh5dJJUBBItKFaVZVgu8qSraHsOPuOMr/4eqqiisbqWZVybuz
uPu1V3twXjBKHQ66qWvrrtVDd3CNWANyYPrW5xBWXhHv+BZXiCXB6f08frvwx5M1
1rM63dN4JEAIQtu63lwu1rm50jm7nyatAdIKaCCH2mx7jk48kOJXjizGXfOhNGsa
U6TzdZhVSoExxy57iXf0pw3GCV/fZcXKNfCCTFtIaKgulVdrToZ2vHoeJqALPKht
pKi4SMBmOghB/dvyErUyM+Nsj8zA9jqcKrXeygzjZncAtJlOBxq5HQiUgtViqm0K
K7LMy1phMJtwHBBv0D3S
=NyFW
-----END PGP SIGNATURE-----

--82I3+IH0IqGh5yIs--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/