On Wed, Nov 13, 2024 at 11:17:36PM +0000, Andy Smith via BitFolk Users wrote:
- CONFIG_LEGACY_TIOCSTI option is available from kernel 6.2.something
(i.e. not in Debian 12 (bookworm))
- Even then it defaults to 'y' which means that things can still do
TIOCSTI unless you take action to disable it.
I think this will involve setting sysctl dev.tty.legacy_tiocsti to 0
once running a new enough kernel. Unsure if the default sysctls for
Debian 13 will do that.
- Even then there is TIOCLINUX which can do the same bad things as
TIOCSTI.
Looks like TIOCLINUX was disabled for non-root users from kernel 6.7
onwards. Debian testing is on 6.11.5-1 at the moment and 6.10.11-1 is
available in stable-backports.
So, I think those are your choices for kernel protection.
An alternative mitigation choice could be a seccomp wrapper like
antijack:
https://github.com/hartwork/antijack
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
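As an added illustration of the seccomp route Andy mentions (this is not code from the mail or from the antijack project), here is the core of such a wrapper: a seccomp-BPF filter that makes ioctl(TIOCSTI) and ioctl(TIOCLINUX) fail with EPERM in the calling process and everything it execs, independent of kernel version or the dev.tty.legacy_tiocsti sysctl. The function names are mine, and it assumes Linux on x86_64 or aarch64 (little-endian) with glibc or musl headers.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Filters see raw syscall numbers, so pin the architecture (assumption: x86_64/aarch64). */
#if defined(__x86_64__)
#  define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Make ioctl(fd, TIOCSTI, ...) and ioctl(fd, TIOCLINUX, ...) fail with EPERM and
 * allow everything else. Children inherit the filter, so a wrapper can install it
 * and then exec the real command. Returns 0, or -1 with errno set. */
int install_tty_ioctl_filter(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 4),
        /* ioctl's request is args[1]; compare its low 32 bits (little-endian) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCLINUX, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };

    /* no_new_privs is required to install a filter without CAP_SYS_ADMIN */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Issue an ioctl and return the errno it produced (0 on success). Once the filter is
 * installed, TIOCSTI/TIOCLINUX yield EPERM before the kernel's tty code ever runs. */
int probe_request(int fd, unsigned long request)
{
    int dummy = 0;
    return ioctl(fd, request, &dummy) == 0 ? 0 : errno;
}
```

A real wrapper would call install_tty_ioctl_filter() and then execvp() the target command; the probe exists only to verify the filter is active.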