On 2024-11-14 00:16+0000, Andy Smith via BitFolk Users wrote:
> Looks like TIOCLINUX was disabled for non-root users from kernel 6.7
> onwards. Debian testing is on 6.11.5-1 at the moment and 6.10.11-1 is
> available in stable-backports.
>
> So, I think those are your choices for kernel protection.
Seems I am outdated. I could have sworn I saw it didn't work in 6.1 - I
could be hallucinating, but when I tested it on Sid a while back, it
didn't work then. Looks like LEGACY_TIOCSTI is on by default now. *sigh*
That's bothered me, as a while back when I tested in Sid it defaulted to
off.
The cases that bother me more are things like the web servers that start
with a root binding, then CGI executes as lower users. Asking all user
applications to put guards in place doesn't seem sane, for reasons
mentioned earlier. Starting a task as a low-priv user with full
password-less elevation rights is another issue; if the subprocess can
then put 'sudo nasty' into the TTY, that's a problem too.
Putting a password restriction around what you're not happy with
protects against a lot of paste mishaps too!
Thanks for researching the current state of it. I thought this was
closed as fixed in kernel defaults now; absolutely bonkers.
Ed
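A defender-side check for the kernel setting argued over in this thread, added here as an example and not part of Ed's or Andy's message or of BitFolk's tooling. It assumes a Linux host where the dev.tty.legacy_tiocsti sysctl exists (kernel 6.2 and later); the function names and verdict strings are my own.

```python
"""Report whether an unprivileged process on this Linux box can still use
the TIOCSTI ioctl to push keystrokes into its controlling terminal."""
import platform
import re
from typing import Optional, Tuple

# Kernel 6.2 added CONFIG_LEGACY_TIOCSTI and the dev.tty.legacy_tiocsti
# sysctl: with the sysctl at 0, TIOCSTI is refused unless the caller has
# CAP_SYS_ADMIN. Older kernels have no such switch at all.
TIOCSTI_SWITCH_VERSION = (6, 2)
SYSCTL_PATH = "/proc/sys/dev/tty/legacy_tiocsti"


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Turn a `uname -r` string such as '6.11.5-1-amd64' into (6, 11, 5)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups(default="0")
    return int(major), int(minor), int(patch)


def assess_tiocsti(release: str, legacy_value: Optional[str]) -> str:
    """Classify TIOCSTI exposure from the kernel release and the raw sysctl
    contents (None means the sysctl file does not exist on this kernel)."""
    major, minor, _ = parse_kernel_release(release)
    if (major, minor) < TIOCSTI_SWITCH_VERSION:
        return "UNPROTECTED: kernel predates the legacy_tiocsti switch"
    if legacy_value is None:
        return "UNKNOWN: dev.tty.legacy_tiocsti not exposed; inspect kernel config"
    if legacy_value.strip() == "0":
        return "PROTECTED: TIOCSTI requires CAP_SYS_ADMIN"
    return "UNPROTECTED: legacy_tiocsti=1, any tty owner may inject input"


def read_sysctl(path: str = SYSCTL_PATH) -> Optional[str]:
    """Read the sysctl through /proc; None when the file is absent."""
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Harden an UNPROTECTED result with: sysctl -w dev.tty.legacy_tiocsti=0
    # (persist it in /etc/sysctl.d/ so it survives a reboot).
    print(assess_tiocsti(platform.release(), read_sysctl()))
```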