Signed-off-by: Michael Tremer > On 14 Jan 2024, at 15:59, Peter Müller wrote: > > To quote from the kernel documentation: > >> Historically the kernel has allowed TIOCSTI, which will push >> characters into a controlling TTY. This continues to be used >> as a malicious privilege escalation mechanism, and provides no >> meaningful real-world utility any more. Its use is considered >> a dangerous legacy operation, and can be disabled on most >> systems. >> >> Say Y here only if you have confirmed that your system's >> userspace depends on this functionality to continue operating >> normally. >> >> Processes which run with CAP_SYS_ADMIN, such as BRLTTY, can >> use TIOCSTI even when this is set to N. >> >> This functionality can be changed at runtime with the >> dev.tty.legacy_tiocsti sysctl. This configuration option sets >> the default value of the sysctl. > > This patch therefore proposes to no longer allow legacy TIOCSTI usage > in IPFire, given its security implications and the apparent lack of > legitimate usage. > > Signed-off-by: Peter Müller > --- > config/kernel/kernel.config.aarch64-ipfire | 2 +- > config/kernel/kernel.config.riscv64-ipfire | 2 +- > config/kernel/kernel.config.x86_64-ipfire | 2 +- > config/rootfiles/common/aarch64/linux | 1 - > config/rootfiles/common/riscv64/linux | 1 - > config/rootfiles/common/x86_64/linux | 1 - > 6 files changed, 3 insertions(+), 6 deletions(-) > > diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire > index 4770ed828..9b8bfa559 100644 > --- a/config/kernel/kernel.config.aarch64-ipfire > +++ b/config/kernel/kernel.config.aarch64-ipfire > @@ -3575,7 +3575,7 @@ CONFIG_HW_CONSOLE=y > CONFIG_VT_HW_CONSOLE_BINDING=y > CONFIG_UNIX98_PTYS=y > # CONFIG_LEGACY_PTYS is not set > -CONFIG_LEGACY_TIOCSTI=y > +# CONFIG_LEGACY_TIOCSTI is not set > # CONFIG_LDISC_AUTOLOAD is not set > > # 
> diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire > index fb4ec14d5..44d89c99e 100644 > --- a/config/kernel/kernel.config.riscv64-ipfire > +++ b/config/kernel/kernel.config.riscv64-ipfire > @@ -3249,7 +3249,7 @@ CONFIG_HW_CONSOLE=y > CONFIG_VT_HW_CONSOLE_BINDING=y > CONFIG_UNIX98_PTYS=y > # CONFIG_LEGACY_PTYS is not set > -CONFIG_LEGACY_TIOCSTI=y > +# CONFIG_LEGACY_TIOCSTI is not set > # CONFIG_LDISC_AUTOLOAD is not set > > # > diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire > index 2a2748ea4..41d6f0635 100644 > --- a/config/kernel/kernel.config.x86_64-ipfire > +++ b/config/kernel/kernel.config.x86_64-ipfire > @@ -3497,7 +3497,7 @@ CONFIG_HW_CONSOLE=y > CONFIG_VT_HW_CONSOLE_BINDING=y > CONFIG_UNIX98_PTYS=y > # CONFIG_LEGACY_PTYS is not set > -CONFIG_LEGACY_TIOCSTI=y > +# CONFIG_LEGACY_TIOCSTI is not set > # CONFIG_LDISC_AUTOLOAD is not set > > # > diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux > index 5d2d36a46..a32c3770e 100644 > --- a/config/rootfiles/common/aarch64/linux > +++ b/config/rootfiles/common/aarch64/linux > @@ -9185,7 +9185,6 @@ etc/modprobe.d/ipv6.conf > #lib/modules/KVER-ipfire/build/include/config/LEDS_TRIGGER_TTY > #lib/modules/KVER-ipfire/build/include/config/LED_TRIGGER_PHY > #lib/modules/KVER-ipfire/build/include/config/LEGACY_DIRECT_IO > -#lib/modules/KVER-ipfire/build/include/config/LEGACY_TIOCSTI > #lib/modules/KVER-ipfire/build/include/config/LIB80211 > #lib/modules/KVER-ipfire/build/include/config/LIB80211_CRYPT_CCMP > #lib/modules/KVER-ipfire/build/include/config/LIB80211_CRYPT_TKIP > diff --git a/config/rootfiles/common/riscv64/linux b/config/rootfiles/common/riscv64/linux > index c2e0191af..5e1ac921c 100644 > --- a/config/rootfiles/common/riscv64/linux > +++ b/config/rootfiles/common/riscv64/linux 
> @@ -8345,7 +8345,6 @@ etc/modprobe.d/ipv6.conf > #lib/modules/KVER-ipfire/build/include/config/LEDS_USER > #lib/modules/KVER-ipfire/build/include/config/LED_TRIGGER_PHY > #lib/modules/KVER-ipfire/build/include/config/LEGACY_DIRECT_IO > -#lib/modules/KVER-ipfire/build/include/config/LEGACY_TIOCSTI > #lib/modules/KVER-ipfire/build/include/config/LIB80211 > #lib/modules/KVER-ipfire/build/include/config/LIB80211_CRYPT_CCMP > #lib/modules/KVER-ipfire/build/include/config/LIB80211_CRYPT_TKIP > diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux > index a51f3487f..f3a8dea19 100644 > --- a/config/rootfiles/common/x86_64/linux > +++ b/config/rootfiles/common/x86_64/linux > @@ -8996,7 +8996,6 @@ etc/modprobe.d/ipv6.conf > #lib/modules/KVER-ipfire/build/include/config/LEDS_USER > #lib/modules/KVER-ipfire/build/include/config/LED_TRIGGER_PHY > #lib/modules/KVER-ipfire/build/include/config/LEGACY_DIRECT_IO > -#lib/modules/KVER-ipfire/build/include/config/LEGACY_TIOCSTI > #lib/modules/KVER-ipfire/build/include/config/LEGACY_VSYSCALL_NONE > #lib/modules/KVER-ipfire/build/include/config/LIB80211 > #lib/modules/KVER-ipfire/build/include/config/LIB80211_CRYPT_CCMP > -- > 2.35.3
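Review bot: for the three kernel.config hunks (aarch64, riscv64, x86_64) the commit message asserts an "apparent lack of legitimate usage" but does not record what was actually checked; please state which shipped userspace was verified not to depend on TIOCSTI, and mention the escape hatch the quoted kernel text gives, since flipping `CONFIG_LEGACY_TIOCSTI=y` to `# CONFIG_LEGACY_TIOCSTI is not set` only changes the default of `dev.tty.legacy_tiocsti`, so an affected system can be restored with `sysctl -w dev.tty.legacy_tiocsti=1` without a rebuild, and a correct build can be confirmed with `sysctl dev.tty.legacy_tiocsti` reporting 0. It is also worth noting in the message that CAP_SYS_ADMIN processes keep access, so tools running as root on the firewall are unaffected.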
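Review bot: for the three rootfiles hunks, the removed `#lib/modules/KVER-ipfire/build/include/config/LEGACY_TIOCSTI` lines were already commented out, so the deletions only keep the listings in step with the config header that is no longer generated once the option is unset; the change is correct, but a sentence in the commit message would explain why the diffstat shows a deletion in each rootfile when no shipped file changes.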