[redhat-lspp] Re: [PATCH 2/3] Re: MLS enforcing PTYs, sshd, and newrole
Casey Schaufler
casey at schaufler-ca.com
Thu Jan 4 22:13:00 UTC 2007
--- Daniel J Walsh <dwalsh at redhat.com> wrote:
> We still have a problem on MLS machines, in that newrole can be used to
> pass data via pseudo terminals.
>
> script
> newrole -l SystemHigh
> cat TopSecret.doc
> ^d
> ^d
> cat typescript
>
> I propose we add this patch to newrole to check if we are on a pseudo
> terminal and then fail if the user is using -l.
>
> Basically this patch checks the major number of stdin, stdout and stderr
> for a number in the pseudo number range. If yes, it is a pseudo terminal;
> if not, continue. Not pretty, but it solves the problem. I could not
> figure out another way to check if you are on a pseudo terminal.
>
> Comments?
Are you 100% certain that this is only a pty issue? Any chance you'll have
a similar problem with other devices, pipes, fifos, UDS or the like?

My pair of Lincolns says otherwise, but they've been wrong before.
Casey Schaufler
casey at schaufler-ca.com