Message-ID: <3693724C.2F48597B@on-line.de>
Date: Wed, 06 Jan 1999 15:25:16 +0100
From: Lars Doelle
To: Waldo Bastian
Subject: Re: Konsole - a security vs. portability problem
References: <369320AE.51821A77@ens.ascom.ch>

Waldo Bastian wrote:
> uwe@uwix.alt.na wrote:
> >
> > On Wed, 6 Jan 1999, Lars Doelle wrote:
> >
> > > At the moment, konsole offers a security hole that allows local users to
> > > hijack/monitor the (root) sessions. The regular method to protect
> > > against this is to do a chmod/chown on one of the devices within the
> > > emulation. Doing so would require konsole to be run root/suid, which
> > > raises more severe problems than it solves. Because I strongly dislike
> > > root/suid programs for many reasons, I've dug out an ioctl for Linux
> > > which does as desired, basically for the price of the solution not being
> > > portable to other UNIXes, eventually.
> > >
> > > Comments, anyone?
> >
> > If it isn't portable it isn't a solution. :-(
> >
> > There is a solution:
> >
> > Let konsole run suid root.
> >
> > In main(), before you do anything else, you pick a pty, chown you.users
> > it, chmod go-rw it. Immediately thereafter you give up root privileges
> > _completely and forever_!
> >
> > You might think you have a problem this way on exit because you can't
> > chown root.root the pty. But that is not necessary!!!! All you must do
> > is chmod go+rw on exit. And that you _can_ do without root privileges!
> >
> > This way you can do all the root stuff before you even touch KDE, Qt,
> > and X. Should be fairly safe.
> >
> > Uwe
>
> May I suggest a combination of both? ./configure can detect if we can
> use Lars' solution. If we can't, it will have to be suid. If it doesn't
> run on a system with the said IOCTL, it should check if it has root priv's;
> if it hasn't, it should print a warning that the terminal can be
> eavesdropped

This will be done anyway.

> and that making it suid root can change that.

My concern is (since I cannot really drop the root privilege) that the
security is eventually more compromised. But you're right. Perhaps doing a
hybrid may be the best way to go. On a system without this feature and
konsole being root/suid, the ability to create sessions could be
deactivated. The remainder could do anything, but gets warned.

There was another proposal to isolate the root stuff in a separate process.
I've even coded such a thingy, but after seeing how confusing the outcome
is on a process list, I gave up this approach.

> Something like
>
> #ifdef HAVE_TIOCSPTLCK
> if !ioctl(TIOCSPTLCK)
> #endif
> {
>   if root
>   {
>     chown pty
>   }
>   else
>   {
>     print "WARNING: Unable to claim ownership of pty, "
>           "it is possible to eavesdrop this session."
>           "Make konsole suid to overcome this."
>   }
> }
>
> Cheers,
> Waldo Bastian
> bastian@kde.org
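The chown/chmod/drop-privileges sequence Uwe describes, written out as an added C example that is not part of this thread or of Konsole's own code. The function names are mine; the demo walks the sequence over a constructed temporary file that stands in for the pty slave, so it runs without root and without opening a real pty, and it does not cover the Linux-only TIOCSPTLCK path Lars mentions. Claiming a device you do not own is exactly the step that needs root (hence suid), which is why the drop step here also proves that root cannot be regained afterwards, and why the release step works unprivileged: the process is still the device's owner.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>

/* 1 if group or others can read or write the device, i.e. another local
 * user could attach to it and eavesdrop on (or inject into) the session. */
int pty_exposed(mode_t mode)
{
    return (mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Uwe's first step: chown the pty to the session owner and chmod go-rw.
 * Must run while still root, since only root may chown a device it does
 * not own.  Returns 0 only if the device really ends up private to uid. */
int claim_pty(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (chown(path, uid, gid) != 0)
        return -1;
    if (chmod(path, S_IRUSR | S_IWUSR) != 0)
        return -1;
    if (stat(path, &st) != 0 || st.st_uid != uid || pty_exposed(st.st_mode))
        return -1;
    return 0;
}

/* Uwe's second step: give up root "completely and forever".  Supplementary
 * groups first, then gid, then uid (setuid() as root replaces real,
 * effective and saved uid), and finally prove the drop is irreversible:
 * if setuid(0) succeeds afterwards, a saved root uid was left behind. */
int drop_privileges_forever(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;              /* root came back: refuse to continue */
    return 0;
}

/* On exit: still the owner, so chmod go+rw needs no root.  The device is
 * left reusable for the next session, as Uwe describes. */
int release_pty(const char *path)
{
    return chmod(path, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP |
                       S_IROTH | S_IWOTH);
}

/* Run claim -> drop -> release over a constructed temporary file standing
 * in for the pty slave; with our own uid the chown is allowed unprivileged.
 * Returns 0 when every step behaved as expected. */
int demo_on_tempfile(void)
{
    char path[] = "/tmp/konsole-pty-demo-XXXXXX";   /* constructed stand-in */
    struct stat st;
    int rc = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    if (claim_pty(path, getuid(), getgid()) != 0)
        goto out;
    if (drop_privileges_forever(getuid(), getgid()) != 0)
        goto out;
    if (release_pty(path) != 0)
        goto out;
    if (stat(path, &st) != 0 || (st.st_mode & 0777) != 0666)
        goto out;
    rc = 0;
out:
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = demo_on_tempfile();
    printf("claim/drop/release sequence: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

In a real suid build the three calls would wrap the actual slave device path right at the top of main(), before any toolkit or X code runs, and a non-zero return from claim_pty() or drop_privileges_forever() should abort rather than fall through to an exposed session.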