LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   VT (Virtual Terminal) security (http://www.linuxquestions.org/questions/slackware-14/vt-virtual-terminal-security-4175453141/)

philanc 03-07-2013 12:38 PM

VT (Virtual Terminal) security
 
Assuming user Joe logged in in VT1, then started a X session (startx) which runs in VT7. Now the physical user switches to VT2 (Ctrl-Alt-F2) and logs in as root.

Can a malicious program running in X / VT7 with uid=Joe access anything in VT2?

More precisely, can the malicious program spy or spoof keystrokes? can it grab some VT2 content (e.g. get a screenshot)?

(I am running Slackware 14 with the regular kernel, if this makes any difference)

TIA

Phil

unSpawn 03-07-2013 02:02 PM

Root is all-powerful, is your answer.

eSelix 03-07-2013 02:24 PM

He asked if Joe from VT1 can spy a root on VT2. I think that if everything is properly configured (for example CTRL+ALT+F* in X server are not disabled by administrator) then not. But I am not a hacker.

For example to access other X session (screen, keys activity) you need to know Magic Cookie stored on user who started session home directory. Which is protected.

philanc 03-07-2013 02:27 PM

Quote:

Originally Posted by unSpawn (Post 4906923)
Root is all-powerful, is your answer.

Of course, I understand that. My question is: can a program running as a _regular, non-root_ user can access another VT?

(assuming that this program cannot su or sudo to become root)

unSpawn 03-07-2013 03:47 PM

Quote:

Originally Posted by philanc (Post 4906934)
Of course, I understand that. My question is: can a program running as a _regular, non-root_ user can access another VT?
(assuming that this program cannot su or sudo to become root)

Ah, OK. Simple answer: no due to separation of privileges (UID) and X11 authorization protocol (see xauth). That said X11 server is way ancient and abuses system resources like ioctls in mysterious ways.

philanc 03-07-2013 09:03 PM

Quote:

Originally Posted by unSpawn (Post 4906980)
That said X11 server is way ancient and abuses system resources like ioctls in mysterious ways.

Precisely. As the X server runs as root (SUID 0), in theory, it could access any VT.

So, is there any known way for a malicious (unpriviledged) program to abuse X APIs, and get access to another VT content or input stream?

I tried to google about this but to no avail. Does an X expert here know better?

Thanks for your help

Phil

guanx 03-08-2013 03:47 PM

Quote:

Originally Posted by philanc (Post 4907120)
Precisely. As the X server runs as root (SUID 0), in theory, it could access any VT.

So, is there any known way for a malicious (unpriviledged) program to abuse X APIs, and get access to another VT content or input stream?

I tried to google about this but to no avail. Does an X expert here know better?

Thanks for your help

Phil

I bet there is no standard-conforming way to do this.

wildwizard 03-09-2013 04:30 PM

Attempting to access another processes address space even when the users are the same will not work for a start.

Can X see input devices while it is not the controlling terminal? I couldn't say.

unSpawn 03-09-2013 04:53 PM

Quote:

Originally Posted by philanc (Post 4907120)
is there any known way for a malicious (unpriviledged) program to abuse X APIs, and get access to another VT content or input stream?

X.Org's X Server not only contains device drivers, fonts other modules and rendering code but also network code, etc, etc and http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=X11 should give you an idea of the different vectors.

philanc 03-09-2013 07:14 PM

Quote:

Originally Posted by unSpawn (Post 4908183)
X.Org's X Server not only contains device drivers, fonts other modules and rendering code but also network code, etc, etc and http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=X11 should give you an idea of the different vectors.

Thanks for the link. Yes the X Server is a big and very complex engine that runs as root (SUID) which is not good.

I have read (https://wiki.ubuntu.com/X/Rootless) that X can be run as a non-root user (=> not more need to suid X) which would be good... but the recipe includes giving rw access to /dev/input/* to at least the user, which seems to introduce a bigger risk (maybe a user program could then spy on _any_ input?!?).

Has anyone run X as a non-root user?

I wonder if it is not more systematically setup that way because (a) it doesn't work with non-KMS drivers, (b) it is more complex to setup for a small perceived benefit, or (c) because it is simply less secure than running X as suid root?

What do you think?

Phil

unSpawn 03-09-2013 08:39 PM

Quote:

Originally Posted by philanc (Post 4908244)
What do you think?

I think I don't understand the X protocol nor X Server implementations like X.Org's X11 or Wayland well enough :-]

philanc 03-10-2013 02:08 PM

Quote:

Originally Posted by unSpawn (Post 4908275)
I think I don't understand the X protocol nor X Server implementations like X.Org's X11 or Wayland well enough :-]

Same here! :) Anyway, thanks for your help. I'll leave the thread "non-solved" for a while, just in case somebody has run X rootless and wants to comment.

Phil


All times are GMT -5. The time now is 05:26 PM.