diff options
| author | Jann Horn <jann@thejh.net> | 2015-10-04 13:29:12 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2015-10-04 14:20:30 -0400 |
| commit | 0c55627167870255158db1cde0d28366f91c8872 (patch) | |
| tree | ea04d97cb79cc262364468e0741cfa3dfb1afabd | |
| parent | 3c5a0357fdb3a9116a48dbdb0abb91fd23fbff80 (diff) | |
drivers/tty: require read access for controlling terminal
This is mostly a hardening fix, given that write-only access to other
users' ttys is usually only given through setgid tty executables.
Signed-off-by: Jann Horn <jann@thejh.net>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/tty/tty_io.c | 31 |
1 files changed, 27 insertions, 4 deletions
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index 17b027242734..2eefaa6e3e3a 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c | |||
| @@ -2128,8 +2128,24 @@ retry_open: | |||
| 2128 | if (!noctty && | 2128 | if (!noctty && |
| 2129 | current->signal->leader && | 2129 | current->signal->leader && |
| 2130 | !current->signal->tty && | 2130 | !current->signal->tty && |
| 2131 | tty->session == NULL) | 2131 | tty->session == NULL) { |
| 2132 | __proc_set_tty(tty); | 2132 | /* |
| 2133 | * Don't let a process that only has write access to the tty | ||
| 2134 | * obtain the privileges associated with having a tty as | ||
| 2135 | * controlling terminal (being able to reopen it with full | ||
| 2136 | * access through /dev/tty, being able to perform pushback). | ||
| 2137 | * Many distributions set the group of all ttys to "tty" and | ||
| 2138 | * grant write-only access to all terminals for setgid tty | ||
| 2139 | * binaries, which should not imply full privileges on all ttys. | ||
| 2140 | * | ||
| 2141 | * This could theoretically break old code that performs open() | ||
| 2142 | * on a write-only file descriptor. In that case, it might be | ||
| 2143 | * necessary to also permit this if | ||
| 2144 | * inode_permission(inode, MAY_READ) == 0. | ||
| 2145 | */ | ||
| 2146 | if (filp->f_mode & FMODE_READ) | ||
| 2147 | __proc_set_tty(tty); | ||
| 2148 | } | ||
| 2133 | spin_unlock_irq(¤t->sighand->siglock); | 2149 | spin_unlock_irq(¤t->sighand->siglock); |
| 2134 | read_unlock(&tasklist_lock); | 2150 | read_unlock(&tasklist_lock); |
| 2135 | tty_unlock(tty); | 2151 | tty_unlock(tty); |
| @@ -2418,7 +2434,7 @@ static int fionbio(struct file *file, int __user *p) | |||
| 2418 | * Takes ->siglock() when updating signal->tty | 2434 | * Takes ->siglock() when updating signal->tty |
| 2419 | */ | 2435 | */ |
| 2420 | 2436 | ||
| 2421 | static int tiocsctty(struct tty_struct *tty, int arg) | 2437 | static int tiocsctty(struct tty_struct *tty, struct file *file, int arg) |
| 2422 | { | 2438 | { |
| 2423 | int ret = 0; | 2439 | int ret = 0; |
| 2424 | 2440 | ||
| @@ -2452,6 +2468,13 @@ static int tiocsctty(struct tty_struct *tty, int arg) | |||
| 2452 | goto unlock; | 2468 | goto unlock; |
| 2453 | } | 2469 | } |
| 2454 | } | 2470 | } |
| 2471 | |||
| 2472 | /* See the comment in tty_open(). */ | ||
| 2473 | if ((file->f_mode & FMODE_READ) == 0 && !capable(CAP_SYS_ADMIN)) { | ||
| 2474 | ret = -EPERM; | ||
| 2475 | goto unlock; | ||
| 2476 | } | ||
| 2477 | |||
| 2455 | proc_set_tty(tty); | 2478 | proc_set_tty(tty); |
| 2456 | unlock: | 2479 | unlock: |
| 2457 | read_unlock(&tasklist_lock); | 2480 | read_unlock(&tasklist_lock); |
| @@ -2844,7 +2867,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg) | |||
| 2844 | no_tty(); | 2867 | no_tty(); |
| 2845 | return 0; | 2868 | return 0; |
| 2846 | case TIOCSCTTY: | 2869 | case TIOCSCTTY: |
| 2847 | return tiocsctty(tty, arg); | 2870 | return tiocsctty(tty, file, arg); |
| 2848 | case TIOCGPGRP: | 2871 | case TIOCGPGRP: |
| 2849 | return tiocgpgrp(tty, real_tty, p); | 2872 | return tiocgpgrp(tty, real_tty, p); |
| 2850 | case TIOCSPGRP: | 2873 | case TIOCSPGRP: |