From 44716a78aa42f999ac618cec1dc04ddb0c2c42e0 Mon Sep 17 00:00:00 2001
From: Mattias Andrée
Date: Mon, 18 Nov 2013 18:29:22 +0100
Subject: use tty group
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Mattias Andrée
---
 configurable-definitions | 5 +++++
 src/cerberus.c | 17 +++++++++++++++--
 src/cerberus.h | 3 +++
 src/security.c | 8 ++++++--
 src/security.h | 4 +++-
 5 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/configurable-definitions b/configurable-definitions
index a26a551..751e192 100644
--- a/configurable-definitions
+++ b/configurable-definitions
@@ -3,6 +3,11 @@ TTY_PERM (default: 0600, type: int)
 Mode for TTY devices
+USE_TTY_GROUP (default: undefinied, type: #ifdef)
+
+ Use the group tty for group ownership of TTY devices
+
+
 FAILURE_SLEEP (default: 5, type: float)
 Number of seconds to sleep on login failure.
diff --git a/src/cerberus.c b/src/cerberus.c
index 2199d7b..e3f3f95 100644
--- a/src/cerberus.c
+++ b/src/cerberus.c
@@ -19,6 +19,11 @@
 #include "cerberus.h"
+#ifndef USE_TTY_GROUP
+#define tty_group 0
+#endif
+
+
 /**
 * Mane method
 *
@@ -33,6 +38,10 @@ int main(int argc, char** argv)
 char* passphrase = NULL;
 char preserve_env = 0;
 char skip_auth = 0;
+ #ifdef USE_TTY_GROUP
+ gid_t tty_group = 0;
+ struct group* group;
+ #endif
 struct passwd* entry;
@@ -117,7 +126,11 @@ int main(int argc, char** argv)
 /* Make sure nopony is spying */
- secure_tty();
+ #ifdef USE_TTY_GROUP
+ if ((group = getgrnam("tty")))
+ tty_group = group->gr_gid;
+ #endif
+ secure_tty(tty_group);
 /* Set up clean quiting and time out */
@@ -170,7 +183,7 @@ int main(int argc, char** argv)
 /* Reset terminal ownership and mode */
- chown_tty(0, -1, 0);
+ chown_tty(0, tty_group, 0);
 return 0;
 }
diff --git a/src/cerberus.h b/src/cerberus.h
index 1dbd029..4f7b7b9 100644
--- a/src/cerberus.h
+++ b/src/cerberus.h
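Review bot: In the build without USE_TTY_GROUP the new `#define tty_group 0` in the hunk at line 19 makes `secure_tty(tty_group)` and `chown_tty(0, tty_group, 0)` set the TTY's group to gid 0, whereas the calls they replace passed -1 and left the group unchanged, which is also what the new `@param group The group, -1 for unchanged` text in security.c documents. The USE_TTY_GROUP build has the same silent fallback in the hunk at line 126: `gid_t tty_group = 0;` stays 0 when `getgrnam("tty")` returns NULL, so a host without a tty group quietly gets root-group terminals instead of an unchanged group or an error. If leaving the group unchanged is still the intended default, use `#define tty_group ((gid_t)-1)` and `gid_t tty_group = (gid_t)-1;`; if root is intended, say so in the secure_tty comment rather than leaving the two contradicting each other. A lowercase object-like macro spelled exactly like the variable it stands in for in the other configuration is also easy to misread; a distinct name for the default, or defining the variable in both configurations and only the lookup conditionally, would be clearer. The body of main extends outside these hunks.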
@@ -21,6 +21,9 @@
 #include
 #include
 #include
+#ifdef USE_TTY_GROUP
+#include
+#endif
 #include "passphrase.h"
 #include "quit.h"
diff --git a/src/security.c b/src/security.c
index af7df30..1e1dd9e 100644
--- a/src/security.c
+++ b/src/security.c
@@ -29,8 +29,10 @@ static inline void fail(char* str)
 /**
 * Secure the TTY from spying
+ *
+ * @param group The group, -1 for unchanged
 */
-void secure_tty(void)
+void secure_tty(gid_t group)
 {
 struct termios tty;
 struct termios saved_tty;
@@ -38,7 +40,7 @@ void secure_tty(void)
 int fd, i;
 /* Set ownership of this TTY to root:root */
- chown_tty(0, -1, 1);
+ chown_tty(0, group, 1);
 /* Get TTY name for last part of this functions */
 tty_device = ttyname(STDIN_FILENO);
@@ -80,7 +82,9 @@ void secure_tty(void)
 */
 void chown_tty(uid_t owner, gid_t group, int with_fail)
 {
+ #if defined(OWN_VCSA) || defined(OWN_VCS)
 struct vt_stat vtstat;
+ #endif
 /* Set ownership of this TTY */
 if (fchown(STDIN_FILENO, owner, group) && with_fail)
diff --git a/src/security.h b/src/security.h
index b16ef1b..5e291ff 100644
--- a/src/security.h
+++ b/src/security.h
@@ -38,8 +38,10 @@
 /**
 * Secure the TTY from spying
+ *
+ * @param group The group, -1 for unchanged
 */
-void secure_tty(void);
+void secure_tty(gid_t group);
 /**
 * Set ownership and mode of the TTY
--
cgit v1.2.3-70-g09d2
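Review bot: The comment `/* Set ownership of this TTY to root:root */` directly above the changed `chown_tty(0, group, 1);` in the security.c hunk at old line 38 is now inaccurate, since the group is whatever the caller passes — the tty group under USE_TTY_GROUP, or -1 to leave it untouched. Suggest `/* Set ownership of this TTY to root:group (group -1 leaves the group unchanged) */` so the comment matches the new parameter and the @param text added in the previous hunk. secure_tty's body begins in the previous hunk and continues outside this one.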
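Review bot: Wrapping `struct vt_stat vtstat;` in `#if defined(OWN_VCSA) || defined(OWN_VCS)` in the security.c hunk at old line 80 only compiles cleanly if every later use of vtstat in chown_tty sits under the same two conditions; the rest of chown_tty is outside the hunk, so that cannot be confirmed here. A one-line comment on the guard, `/* vtstat is only needed by the OWN_VCSA/OWN_VCS branches below */`, would make the dependency explicit for the next reader. If a later branch uses vtstat under only one of the two macros, the guard should be narrowed to match it.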