See the summary.
Giving the user lots of ownership of devices if he/she logs
on at the console is currently a BAD security issue. The
user can hold open fd's to the resource after they log out.
This may allow for snooping.
The problem will be fixed in the future when Linux gets a
revoke() system call
I think the console.perms is a great piece of work and makes
Redhat easy to use - but for security reasons it should
probably default to OFF.
Discussions welcome :-)
This issue has been forwarded to a developer for further action.
assigned to johnsonm. I still have to see an exploit coming out of
somebody snooping on my sound card, but nevertheless, one can never
have too much security.
It will remain enabled by default. Users with physical access to
the machine can do all sorts of other things to compromise the
system, and because some of the guards against that are completely
out of our control (for example, bios passwords, locked cases, etc.),
it makes sense not to defend heavily against subtle attacks by
users with physical access by default. We do explain, for those
who wish to secure their machines physically, how to turn this
service off. We do so in our manual, in the online documentation,
and in a white paper on our website; in short, every documentation
avenue we have open to us.
When we have revoke(), I'll gladly look at putting it into the
pam_console close_session, but defaulting to a hard-to-use system
for no improvement in security (either practically or theoretically)
is not an improvement at all.