Re: [ 03/42] TTY: fix atime/mtime regression

From: Wolfram Gloger
Date: Tue Apr 30 2013 - 08:02:23 EST

Next message: Guennadi Liakhovetski: "Re: [PATCH 7/6] DMA: shdma: add DT binding documentation"
Previous message: Tomi Valkeinen: "Re: Kconfig "softdepends" idea"
In reply to: Greg Kroah-Hartman: "[ 03/42] TTY: fix atime/mtime regression"
Next in thread: Shuah Khan: "Re: [ 00/42] 3.8.11-stable review"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

>To revert to the old behaviour while still preventing attackers to
>guess the password length, we update the timestamps in one-minute
>intervals by this patch.

Sorry if I miss something, but isn't this an issue that should be very
obviously fixed in user space? Only user space knows whether the
atime/mtime updates on a device are security-sensitive or not.

The sshd process and/or the login process could easily perform randomly
timed, dummy utime() calls on the tty around and within the password
typing, making this attack unfeasible. I faintly remember sshd _already
does this_ for the network packets anyway by exchanging dummy packets.

Regards,
Wolfram.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Guennadi Liakhovetski: "Re: [PATCH 7/6] DMA: shdma: add DT binding documentation"
Previous message: Tomi Valkeinen: "Re: Kconfig "softdepends" idea"
In reply to: Greg Kroah-Hartman: "[ 03/42] TTY: fix atime/mtime regression"
Next in thread: Shuah Khan: "Re: [ 00/42] 3.8.11-stable review"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]