[PATCH] Fix curses running as root on tty of other user

Stanislav Ochotnicky sochotnicky at redhat.com
Wed Feb 16 16:11:26 CET 2011


On 02/15/2011 03:12 PM, Stanislav Ochotnicky wrote:
> After doing "su -", ownership of current tty stays with original
> user. If we drop all capabilities we will not be able to open current
> tty to set up curses screen.
> 
> So we keep ipc_lock together with dac_override capabilities until we
> open tty for R/W, then we drop dac_override capability.
> 
> This patch also fixes second cap_set_proc call in lock_pool that was
> originally "cap_ipc_lock+p", but should probably be
> "cap_ipc_lock-e". Original call had no effect because ipc_lock
> capability was already permitted. Instead it was supposed to drop
> effective capability enabled in first call.

One more thing to note here is that I don't really see why we should
keep cap_ipc_lock after calling mlock at all. It seems unnecessary since
memory is already locked, but I am probably missing some nuance of
capabilities and/or mlock-ing.

Attached patch is my attempt number two. Original had:
+  if (init)
+    cap_set_proc( cap_from_text("cap_dac_override+ep") );
+  else
+    cap_set_proc ( cap_from_text("cap_ipc_lock=p") );

This would drop the cap_ipc_lock from permitted and so we wouldn't be
able to set it when restoring capability.

Now it's:
+  if (init)
+    cap_set_proc( cap_from_text("cap_dac_override+ep cap_ipc_lock=p") );
+  else
+    cap_set_proc ( cap_from_text("cap_ipc_lock=p") );
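Review bot: neither cap_set_proc call checks its return value, so if the call in the else branch fails, the process carries on with cap_dac_override still effective and nothing reports it. Test the result against -1 in both branches and bail out (or at least log) on failure. The cap_t returned by cap_from_text is also passed inline and never released with cap_free; holding it in a local variable would allow both the NULL check and the free. Minor style point: the two calls differ in spacing, "cap_set_proc(" versus "cap_set_proc (".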

However, like I said in the previous paragraph, even the original version
shouldn't cause any problems since no code path uses ipc_lock capability
after setting up secure memory AFAIK (well before tty initialisation).


> See https://bugzilla.redhat.com/show_bug.cgi?id=676034 for details and
> reproducer

If the patch needs work, let me know and I'll fix it up.


-- 
Stanislav Ochotnicky <sochotnicky at redhat.com>
Associate Software Engineer - Base Operating Systems Brno

PGP: 7B087241
Red Hat Inc.                               http://cz.redhat.com
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Fix-curses-running-as-root-on-tty-of-other-user.patch
URL: </pipermail/attachments/20110216/17d73e82/attachment.txt>
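The difference between the two attempts quoted in the mail, as an added example that is not part of the original message or of the GPA patch: a small C model of the clause rules documented in cap_from_text(3) (evaluation starts from an empty state, "=" resets the named capabilities before raising the listed flags, "+" raises, "-" lowers). It does not call libcap, handles only the two capabilities named in the mail, and the names capstate, caps_from_text and permits are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not libcap: one bitmask per flag, bit n = capability n. */
struct capstate { unsigned e, i, p; };
enum { DAC_OVERRIDE = 1, IPC_LOCK = 14 };    /* numbers from linux/capability.h */

static unsigned name_bits(const char *s, size_t n) {
    static const struct { const char *name; int cap; } tbl[] = {
        { "cap_dac_override", DAC_OVERRIDE }, { "cap_ipc_lock", IPC_LOCK } };
    for (size_t k = 0; k < sizeof tbl / sizeof tbl[0]; k++)
        if (strlen(tbl[k].name) == n && !strncmp(s, tbl[k].name, n))
            return 1u << tbl[k].cap;
    return 0;                                 /* unknown or empty name */
}

/* Evaluate clauses left to right from an EMPTY state; -1 on syntax error. */
int caps_from_text(const char *t, struct capstate *st) {
    st->e = st->i = st->p = 0;
    for (;;) {
        unsigned caps = 0;
        while (*t == ' ') t++;
        if (!*t) return 0;
        for (;; t++) {                        /* comma-separated name list */
            size_t n = strcspn(t, ",=+- ");
            unsigned b = name_bits(t, n);
            if (!b) return -1;
            caps |= b; t += n;
            if (*t != ',') break;
        }
        if (*t != '=' && *t != '+' && *t != '-') return -1;
        while (*t == '=' || *t == '+' || *t == '-') {
            char op = *t++;
            if (op == '=') { st->e &= ~caps; st->i &= ~caps; st->p &= ~caps; }
            for (; *t == 'e' || *t == 'i' || *t == 'p'; t++) {
                unsigned *set = *t == 'e' ? &st->e : *t == 'i' ? &st->i : &st->p;
                if (op == '-') *set &= ~caps; else *set |= caps;
            }
        }
    }
}

int permits(const struct capstate *st, int cap) { return (st->p >> cap) & 1; }

int main(void) {
    struct capstate s;
    if (caps_from_text("cap_dac_override+ep cap_ipc_lock=p", &s) == 0)
        printf("e=%#x p=%#x ipc_lock permitted=%d\n", s.e, s.p, permits(&s, IPC_LOCK));
    return 0;
}
```

Since cap_set_proc installs the state it is handed, a capability missing from the string's permitted set cannot be raised again later in the process.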