From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Sat, 5 Mar 2016 18:11:08 +0100
Subject: [refpolicy] [PATCH] Allow getty the sys_admin capability
In-Reply-To: <20160305174326.476bbcea@gentp.lnet>
References: <1457057118-4361-1-git-send-email-aranea@aixah.de>
 <56D98968.30104@tresys.com>
 <20160305165557.1935e8b9@gentp.lnet>
 <20160305161537.GA30514@meriadoc.perfinion.com>
 <20160305174326.476bbcea@gentp.lnet>
Message-ID: <56DB132C.40607@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/05/2016 05:43 PM, Luis Ressel wrote:
> On Sun, 6 Mar 2016 00:15:37 +0800
> Jason Zaman wrote:
>
>> We're all agreed that this perm sucks, but if it really is required on
>> grsec that is justification enough for me to take the patch in gentoo
>> even if it does not make it into refpolicy.
>>
>> If at all possible, I would obviously prefer to have agetty fixed. If
>> only the first character is eaten that is rather strange so perhaps
>> there is a real bug. If a fix is not possible then we just fall back
>> to a distro_gentoo() block.
>>
>
> Have a look at agetty.c, grep for TIOCSTI. It's not a bug, but it looks
> like bad engineering. They prematurely read a single char, then insert
> it back into the input stream via TIOCSTI (instead of just remembering
> it in a temporary buffer).

Between the read and the ioctl calls there is "tcsetattr(fd, TCSANOW,
&orig);", which is very important: it restores the attributes of the tty.
The characters which were read were not shown on the tty because
wait_for_term_input begins by setting the tty in "noecho" mode. For
printable characters, the use of TIOCSTI may be replaced with calls to
putc and ungetc, and special characters (like Ctrl-ed keys) would need
special care in this situation (I do not know which one: ignoring them or
showing them anyway). In short, I do not think there is a quick&easy
work-around for the way it is currently implemented.

Anyway, disabling the "agetty --reload" feature as suggested in Gentoo
#576522 disables this part of the code.

>
>> I have not noticed this on my machine yet, what version of kernel and
>> agetty causes this?
>>
>
> agetty since at least util-linux version 2.26, in combination with the
> CONFIG_GRKERNSEC_HARDEN_TTY kernel config (which is a very new grsec
> feature; it's in hardened-sources-4.4.3, perhaps also in 4.4.2, but not
> in <=4.3.5).

... and also with this feature enabled through sysctl, with
/proc/sys/kernel/grsecurity/harden_tty (I forgot this on my machine when I
first tried to reproduce the issue).
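The sequence the mail describes (switch the tty to noecho, read one byte, restore the saved termios with tcsetattr, push the byte back with TIOCSTI) can be replayed on a pseudo-terminal to see each step's effect. The program below is an added example written for this page; it is not util-linux, grsecurity or refpolicy code, and the function names, the result structure and the injected byte 'x' are its own assumptions. The master side of the pty stands in for the user's keyboard and screen: the first read happens with ECHO off, so nothing reaches the "screen"; after the termios are restored, TIOCSTI re-inserts the byte and, because ECHO is on again, the tty echoes it. The probe runs in a child that makes the pty its controlling terminal, as a getty's line is, because mainline Linux already demands CAP_SYS_ADMIN for TIOCSTI on any other tty. On a kernel that refuses TIOCSTI the program reports the error instead of the echoed byte, which is the "first character is eaten" symptom from the thread.

```c
/* Added example, not util-linux or refpolicy code: replay the agetty
 * sequence the mail describes (set noecho, read one byte, restore the
 * termios, push the byte back with TIOCSTI) on a pseudo-terminal. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

/* Declared explicitly so the file builds whatever feature macros are set. */
extern int posix_openpt(int);
extern int grantpt(int);
extern int unlockpt(int);
extern char *ptsname(int);

struct probe_result {
    int probe_char;      /* byte read while ECHO was off, -1 if none */
    int echo_off_during; /* 1: ECHO was clear when the byte was read */
    int echo_restored;   /* 1: original c_lflag came back before TIOCSTI */
    int tiocsti_errno;   /* 0: TIOCSTI accepted; its errno; -1: not tried */
    int echoed_char;     /* byte the tty echoed after the push-back, -1 if none */
};

static int open_pty_pair(int *master, int *slave)
{
    int m = posix_openpt(O_RDWR | O_NOCTTY);
    if (m < 0)
        return -1;
    if (grantpt(m) < 0 || unlockpt(m) < 0 || ptsname(m) == NULL ||
        (*slave = open(ptsname(m), O_RDWR | O_NOCTTY)) < 0) {
        close(m);
        return -1;
    }
    *master = m;
    return 0;
}

/* The master stands in for the user's keyboard and screen. */
static void run_probe(int master, int slave, char typed, struct probe_result *r)
{
    struct termios orig, nonc, cur;
    struct pollfd pfd = { slave, POLLIN, 0 };
    unsigned char c = 0;

    if (tcgetattr(slave, &orig) != 0)
        return;
    nonc = orig;
    nonc.c_lflag &= ~(ICANON | ECHO | ECHOE | ECHOK | ECHONL); /* "noecho" */
    nonc.c_cc[VMIN] = 1;
    nonc.c_cc[VTIME] = 0;
    if (tcsetattr(slave, TCSANOW, &nonc) != 0)
        return;

    (void)!write(master, &typed, 1);            /* the user presses a key */
    if (poll(&pfd, 1, 1000) == 1 && read(slave, &c, 1) == 1)
        r->probe_char = c;                      /* eaten, and not echoed */
    if (tcgetattr(slave, &cur) == 0)
        r->echo_off_during = !(cur.c_lflag & ECHO);

    tcsetattr(slave, TCSANOW, &orig);           /* the "tcsetattr(fd, TCSANOW, &orig)" step */
    if (tcgetattr(slave, &cur) == 0)
        r->echo_restored = (cur.c_lflag == orig.c_lflag);

    /* Re-insert the byte as if it had just been typed; this is the call a
     * TIOCSTI-restricting kernel refuses. */
    r->tiocsti_errno = ioctl(slave, TIOCSTI, &c) == 0 ? 0 : errno;

    /* ECHO is on again, so the pushed-back byte now shows up on the screen. */
    pfd.fd = master;
    if (r->tiocsti_errno == 0 && poll(&pfd, 1, 1000) == 1 &&
        read(master, &c, 1) == 1)
        r->echoed_char = c;
}

/* Run the probe in a child whose controlling terminal is the slave, as a
 * getty's is; results come back over a pipe. */
int agetty_tiocsti_demo(char typed, struct probe_result *out)
{
    int master, slave, pfd[2];
    struct probe_result r = { -1, 0, 0, -1, -1 };
    pid_t pid;

    if (open_pty_pair(&master, &slave) != 0 || pipe(pfd) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        setsid();
        ioctl(slave, TIOCSCTTY, 0);
        run_probe(master, slave, typed, &r);
        (void)!write(pfd[1], &r, sizeof r);
        _exit(0);
    }
    close(pfd[1]);
    ssize_t n = read(pfd[0], &r, sizeof r);
    waitpid(pid, NULL, 0);
    close(pfd[0]); close(master); close(slave);
    if (n != (ssize_t)sizeof r)
        return -1;
    *out = r;
    return 0;
}

int main(void)
{
    struct probe_result r;

    if (agetty_tiocsti_demo('x', &r) != 0) {
        perror("agetty_tiocsti_demo");
        return 1;
    }
    printf("probe read 0x%02x with ECHO %s; termios restored: %s\n", r.probe_char,
           r.echo_off_during ? "off" : "on", r.echo_restored ? "yes" : "no");
    if (r.tiocsti_errno == 0)
        printf("TIOCSTI accepted, tty echoed 0x%02x\n", r.echoed_char);
    else
        printf("TIOCSTI refused: %s (the byte stays eaten)\n", strerror(r.tiocsti_errno));
    return 0;
}
```

Build with a plain `cc` and run it once as an ordinary user and once under a kernel or sysctl setting that restricts TIOCSTI: the first three fields of the result never change, only the push-back step does, which is why the mail concludes that the fix belongs in agetty rather than in policy.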