Re: VT_PROCESS, VT_LOCKSWITCH capabilities

[Frank Benkstein]

Andrew Morton wrote:
> On Wed, 01 Aug 2007 00:22:38 +0200 Frank Benkstein <frank-lkml@xxxxxxxxxxxxx> wrote:
> 
>> I wonder why there are different permissions needed for VT_PROCESS
>> (access to the current virtual console) and VT_LOCKSWITCH
>> (CAP_SYS_TTY_CONFIG).
>>
> Perhaps the issue with VT_LOCKSWITCH is that its effects will persist after
> the user has logged out?  So user A is effectively altering user B's
> console, hence suitable capabilities are needed?
> 
> Is the current code actually causing any observable problem?

Both controls can be used to deny service to other users.  For example:
user B locks his X session or current console and walks off to lunch.
User A walks up to user B's machine, switches to another console, logs
in and execs program_that_does_vt_process.  User B will not be able to
continue work unless he/she can get user A or someone with CAP_KILL to
kill the program.  If remote logins aren't allowed, the only way I see
to use the machine again is to reboot.

I think VT_PROCESS (or VT_SETMODE respectively) should be protected with
the same level of security as VT_LOCKSWITCH, i.e. CAP_SYS_TTY_CONFIG.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/