[redhat-lspp] Re: [PATCH 2/3] Re: MLS enforcing PTYs, sshd, and newrole
Klaus Weidner
klaus at atsec.com
Fri Jan 5 01:07:07 UTC 2007
On Thu, Jan 04, 2007 at 06:19:13PM -0500, Linda Knippers wrote:
> > devices.txt in kernel documentation.
> > 2176 <http://www.mjmwired.net/kernel/Documentation/devices.txt#2176> 136-143 char Unix98 PTY slaves
>
> Since that document has multiple devices with the same major, I wonder if its
> safer to fstatfs() the fd and make sure the f_type is the devpts fs magic
> number. It only seems to be defined in fs/devpts/inode.c though.
>
> > #define DEVPTS_SUPER_MAGIC 0x1cd1
>
> devpts is mounted on /dev/pts before single user mode so it seems to always
> be there unless someone unmounts it. If you try to ssh in without /dev/pts
> mounted the ssh hangs.
I think blacklists are usually a bad idea for security, for example this
breaks if people have a kernel that supports the old-style ptys that
don't use devpts. How about turning it around and only allowing use of
known good ttys, similar to /etc/securetty, or insisting on type
"tty_device_t" which includes the virtual console and serial terminals
but not the ptys?
-Klaus
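Both checks discussed above, as an added C example that is not part of the patch under discussion or either poster's code: the fstatfs() test against DEVPTS_SUPER_MAGIC that Linda describes, and a securetty-style allowlist of the kind Klaus proposes. The allowlist contents and the probe_path() helper are constructed for the example and are assumptions, not values from the thread.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/vfs.h>
#include <unistd.h>

/* Value quoted in the thread from fs/devpts/inode.c; it was not in a
 * userspace header at the time, so define it locally when absent. */
#ifndef DEVPTS_SUPER_MAGIC
#define DEVPTS_SUPER_MAGIC 0x1cd1
#endif

/* Blacklist style: 1 if fd lives on a devpts filesystem, 0 if not, -1 on error.
 * As Klaus notes, this misses legacy BSD-style ptys that never use devpts. */
int fd_on_devpts(int fd)
{
    struct statfs sfs;
    if (fstatfs(fd, &sfs) != 0)
        return -1;
    return sfs.f_type == DEVPTS_SUPER_MAGIC ? 1 : 0;
}

/* Helper (assumption, not from the thread): open a path and run the check. */
int probe_path(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOCTTY);
    if (fd < 0)
        return -1;
    int r = fd_on_devpts(fd);
    close(fd);
    return r;
}

/* Allowlist style, modelled on /etc/securetty (constructed sample list):
 * only explicitly named terminals pass, so every pty is rejected by default
 * regardless of which filesystem backs it. */
static const char *const securetty_sample[] = { "/dev/tty1", "/dev/tty2", "/dev/ttyS0" };

int tty_allowed(const char *name)
{
    if (name == NULL)            /* e.g. ttyname() failed: not a known tty */
        return 0;
    int n = sizeof securetty_sample / sizeof securetty_sample[0];
    for (int i = 0; i < n; i++)
        if (strcmp(name, securetty_sample[i]) == 0)
            return 1;
    return 0;
}
```

In a login helper the caller would pass ttyname(STDIN_FILENO) to tty_allowed(), so an unlisted or unnamed terminal is refused rather than having to be recognised as a pty.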