G'day
The basis of this security vulnerability is extremely simple.
As it stands, any user who owns a tty can remap the keyboard
for the entire system. I consider this to be a security risk.
Consider the following situation.
A nefarious person gains access to a tty (can't be telnet, must
be a bona fide tty) and types the following
theseus:~$ loadkeys
string F55 = "\nfoobar\n"
keycode 69 = F55
theseus:~$
Then, a legitimate user logs into the system, and when that
person goes to use the numlock (in this example, to type
a student number)
theseus:~$ finger s
finger: s: no such user.
theseus:~$
theseus:~$ foobar
Not only can something as blatantly obvious as this be
achieved, but other, more carnivorous commands can be used;
for example, replace foobar with
\necho keycode 101 = F1 F1 F1 F1 F1 F1 F1 F1 F1 |loadkeys\n Nrm -rf /\n
i.e. disable control break, then proceed to erase the
entire system.
An... unusual way for someone to use NumLock, to say the
least.
Attached is a diff that will cause the kernel to check for
superuser permissions before allowing someone to change
the scancode->keycode mappings, key strings or the
keymappings.
Steve.
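As an added example (not part of Steve's message or of the attached patch), here is a small POSIX sh/awk audit that a sysadmin could run against `dumpkeys` output to spot the primitive the message relies on: a keycode bound, in any modifier column, to a "string Fnn" whose value contains a newline, which injects a complete command line every time the victim presses that key (keycode 69 -> F55 -> "\nfoobar\n" above). The sample dump is constructed to mirror the message's scenario; the only assumption is the `keycode NN = sym ...` / `string Fnn = "..."` line format that `dumpkeys` prints.

```shell
#!/bin/sh
# audit_keymap: read `dumpkeys` output on stdin and report every keycode
# whose binding resolves to a function-key string containing a newline.
# Prints one finding per line; returns 0 for a clean keymap, 1 otherwise.
audit_keymap() {
    awk '
        # "string F55 = "\nfoobar\n"": remember each function-key string verbatim
        /^string[ \t]+F[0-9]+[ \t]*=/ {
            s = $0
            sub(/^[^"]*"/, "", s)          # drop everything up to the opening quote
            sub(/"[ \t]*$/, "", s)         # drop the closing quote
            str[$2] = s
            next
        }
        # "[mod ...] keycode NN = sym sym ...": record every binding column
        /(^|[ \t])keycode[ \t]+[0-9]+[ \t]*=/ {
            for (i = 1; i <= NF; i++) if ($i == "=") break
            code = $(i - 1)
            mods = ""
            for (j = 1; j <= i - 3; j++) mods = mods $j " "   # e.g. "alt "
            for (k = i + 1; k <= NF; k++) {
                n++
                bcode[n] = code; bmods[n] = mods; bcol[n] = k - i; bsym[n] = $k
            }
            next
        }
        # dumpkeys prints keycode lines before string lines, so resolve at the end
        END {
            for (b = 1; b <= n; b++) {
                sym = bsym[b]
                if (sym in str && index(str[sym], "\\n") > 0) {
                    printf "%skeycode %s column %d -> %s = \"%s\"\n", bmods[b], bcode[b], bcol[b], sym, str[sym]
                    found = 1
                }
            }
            exit (found ? 1 : 0)
        }
    '
}

# Constructed sample in dumpkeys format, reproducing the bindings from the
# message (NumLock, keycode 69, pointing at a string that ends a command line).
SAMPLE_DUMP='keymaps 0-2,4-6,8-9,12
keycode   1 = Escape           Escape
keycode  28 = Return
        alt keycode  28 = Meta_Control_m
keycode  69 = F55
keycode 101 = Break
string F1 = "\033[[A"
string F55 = "\nfoobar\n"'

# On a real console you would pipe `dumpkeys | audit_keymap` instead.
if printf '%s\n' "$SAMPLE_DUMP" | audit_keymap; then
    echo "keymap is clean"
else
    echo "keymap carries command-injecting bindings (see above)"
fi
```

Note that this only catches the string-key variant; a keymap that remaps Break (keycode 101 in the message) to something harmless is legal and silent, so treat any unexpected change to `dumpkeys` output on a shared console as suspect, and the real fix remains the kernel-side permission check the patch proposes.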
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Jun 15 2000 - 21:00:35 EST