
List:       kde-devel
Subject:    Re: Konsole - a security vs. portability problem
From:       Lars Doelle <lars.doelle () on-line ! de>
Date:       1999-01-06 15:18:00


Message-ID: <3693724C.2F48597B@on-line.de>
Date: Wed, 06 Jan 1999 15:25:16 +0100
From: Lars Doelle <lars.doelle@on-line.de>
X-Mailer: Mozilla 4.06 [en] (X11; I; Linux 2.2.0-pre4 i586)
MIME-Version: 1.0
To: Waldo Bastian <bastian@ens.ascom.ch>
Subject: Re: Konsole - a security vs. portability problem
References: <Pine.LNX.3.96.990106085039.1376B-100000@uwix.alt.na> <369320AE.51821A77@ens.ascom.ch>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Waldo Bastian wrote:

> uwe@uwix.alt.na wrote:
> >
> > On Wed, 6 Jan 1999, Lars Doelle wrote:
> >
> > > At the moment, konsole offers a security hole that allows local users to
> > > hijack/monitor the (root) sessions. The regular method to protect
> > > against this is to do a chmod/chown on one of the devices within the
> > > emulation. Doing so would require konsole to be run root/suid, which
> > > raises more severe problems than it solves. Because I strongly dislike
> > > root/suid programs for many reasons, I've dug out an ioctl for Linux
> > > which does as desired, basically for the price of the solution not being
> > > portable to other UNIXes, eventually.
> > >
> > > Comments, anyone?
> >
> > If it isn't portable it isn't a solution. :-(
> >
> > There is a solution:
> >
> > Let konsole run suid root.
> >
> > In main() before you do anything else you pick a pty, chown you.users
> > it, chmod go-rw it. Immediately thereafter you give up root privileges
> > _completely and forever_!
> >
> > You might think you have a problem this way on exit because you can't
> > chown root.root the pty. But that is not necessary!!!! All you must do
> > is chmod go+wr on exit. And that you _can_ do without root privileges!
> >
> > This way you can do all the root stuff before you even touch KDE, Qt,
> > and X. Should be fairly safe.
> >
> > Uwe
>
> May I suggest a combination of both? ./configure can detect if we can use
> Lars's solution. If we can't, it will have to be suid. If it doesn't run
> on a system with the said IOCTL, it should check if it has root priv's; if
> it hasn't, it should print a warning that the terminal can be eavesdropped

This will be done anyway.

>
> and that making it suid root can change that.
>

My concern is (since I cannot really drop the root privilege) that the
security is eventually more compromised. But you're right. Perhaps doing a
hybrid may be the best way to go. On a system without this feature and konsole
being root/suid, the ability to create sessions could be deactivated. The
remainder could do anything, but gets warned. There was another proposal to
isolate the root stuff in a separate process. I've even coded such a thingy,
but after seeing how confusing the outcome is on a process list, I gave up this
approach.

>
> Something like
>
> #ifdef HAVE_TIOCSPTLCK
>    if !ioctl(TIOCSPTLCK)
> #endif
>    {
>       if root
>       {
>           chown pty
>       }
>       else
>       {
>           print "WARNING: Unable to claim ownership of pty, "
>                 "it is possible to eavesdrop this session. "
>                 "Make konsole suid to overcome this."
>       }
>    }
>
> Cheers,
> Waldo Bastian
> bastian@kde.org
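
The sequence Uwe describes in the thread (claim the pty while still root, then give up root for good, and warn if the pty could not be claimed), as an added C example that is not code from this message or from konsole. The function names `exposed_bits`, `claim_tty` and `drop_root_forever` and the use of `argv[1]` as the slave device path are assumptions made for the illustration.

```c
/* Added example: claim the tty, then drop root irreversibly, checking each step. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits that let other local users open the device. */
mode_t exposed_bits(mode_t mode) { return mode & (S_IRWXG | S_IRWXO); }

/* chown (only possible as root) and remove group/other access, then re-check
 * with fstat instead of trusting the calls. Returns 0 if fd is private to uid. */
int claim_tty(int fd, uid_t uid, gid_t gid) {
    struct stat st;
    if (geteuid() == 0 && fchown(fd, uid, gid) != 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) return -1; /* needs owner or root */
    if (fstat(fd, &st) != 0) return -1;
    return (st.st_uid == uid && exposed_bits(st.st_mode) == 0) ? 0 : -1;
}

/* Give up root completely. Returns 0 only if root cannot be regained. */
int drop_root_forever(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* groups first */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;      /* gid before uid */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

int main(int argc, char **argv) {
    /* Runs before any toolkit or X11 code. argv[1] is the slave device path
     * (hypothetical usage for this example). */
    int fd = argc > 1 ? open(argv[1], O_RDWR | O_NOCTTY) : -1;
    int claimed = fd >= 0 && claim_tty(fd, getuid(), getgid()) == 0;
    if (drop_root_forever(getuid(), getgid()) != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return EXIT_FAILURE;
    }
    if (!claimed)
        fprintf(stderr, "WARNING: pty not claimed; this session can be eavesdropped\n");
    return EXIT_SUCCESS;
}
```

Without root, `claim_tty` only succeeds when the caller already owns the device, which is the case where the warning branch from the quoted sketch applies.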


