#677418 gpm shares its clipboard among different users

Package:
gpm
Source:
gpm
Description:
General Purpose Mouse interface
Submitter:
Christoph Anton Mitterer
Date:
2017-09-20 22:27:07 UTC
Severity:
normal
#677418#5
Date:
2012-06-13 20:41:12 UTC
From:
To:
Hi.

Not sure whether noone has noticed this so far, but it seems to be worth
a CVE, IMHO.

As one can easily test, gpm uses one clip-board space for all users (including
root).
So if any of them marks anything sensitive, a following user can gather
this information.


Cheers,
Chris.

#677418#10
Date:
2012-06-13 21:56:17 UTC
From:
To:
Likewise, if you log out, your Linux console screen is still readable
for the next user.  And even if you clear the screen before you log
out, the next user can still hit Shift-Prior (aka Shift-PageUp) and see
some of your work.

Who, in your opinion, should clear the scrollback buffer and the gpm
clipboard?  .bash_logout?  getty?

#677418#15
Date:
2012-06-14 23:52:27 UTC
From:
To:
Well but
a) that's something one would clearly see; it's not "hidden" from the
user
b) therefore we have now per default a .bash_logout which resets the
screen.
As you say, scrollback buffer is usually cleared by .bash_logout and gpm
should "simply" have a clipboard per authenticated user that is cleared
when a user logs out of his last session, since even if it was kept _per
user_ (which is not the case currently) it would be somehow unclean if
it was still there on new logins after the user had logged out all
sessions.
Your X server also doesn't bring back your clipboard, when you re-login
as the same user.


Cheers,
Chris.

#677418#20
Date:
2012-06-15 00:03:57 UTC
From:
To:
Hi.


First.... gpm has no bug tracker right? So could you please CC the
Debian bug, that we can record all this at some central palce? :)
I've updated some information there:
Mainly that I think that ideally, a clipboard should be kept per logged
in user (and obviously each user should only get access to "his"
clipboard).
This includes, that a user's clipboard is removed one he has logged out
from all his sessions.
It does not mean, that there should be a clipboard for each terminal of
a user.
Note that this is of course not only a security hole between root/user-A
but also between user-A/user-B situations.
I can't understand why you think this... especially on multi-user
systems it IS absolutely critical.
The system could be some terminal computer where people from many
different places can access a console.
I don't exactly understand what you did there... gpm shouldn't work
within X at all, should it?
See my comments above, that go even a bit further...
Obviously session tracking would complicate things a bit,... one could
e.g. use consolekit for this, but that may be an unwanted dependency.

From a "theoretical" security point of view, there should be no strict
need, to clear a user's clipboard when all his sessions are logged out.
Because an attacker that gains access to this (and could therefore read
the clipboard on subsequent re-logins) could probably also install
key-loggers or so.
But it may be helpful on systems where multiple persons share one
account (in theory each person should have it's own account, which is
why I wrote "theoretical" above)... an it's also the behaviour of X'
clipboard.


Cheers,
Chris.

#677418#25
Date:
2012-06-15 10:07:30 UTC
From:
To:
Hi Chris,

   thank you for your reply.

As noted, didn't file Red Hat Bugzilla bug yet, since I am not completely
sure this is a security issue (and first wanted to obtain feedback from
gpm developers / upstream).

I don't see that far into gpm code. Maybe the callback handling paste-clipboard
event should check for UID (if it's the same as was used in the copy-clipboard
callback handler).

Sure, just focused on root/unprivileged user scenario in my testing.

Right, valid concern.

Didn't know about this restriction. But noticed now in gpm's manual page.

Didn't completely mean separated clipboard for each of the users (like
there would be another instance for each of them). Was rather thinking
of checking UID when pasting, if it matches UID used for copying (but
not sure this would be implementable). Will let gpm developers to reply
here.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: Nico, Nikola could you let us know your opinion on the above?
       (upstream view at the issue as a whole and possibilities how to
       fix it [if willingness]).

#677418#32
Date:
2012-06-20 23:42:53 UTC
From:
To:
Yeah that's okay,... but I think it's good to record other things in the
meantime at the debian bug, to have it at least somewhere =)
Okay... just wanted to point out again, that it's critical for both
scenarios.


Upstream folks,... have you had already time to think about all this?
I don't think that this issue is highly critical, but one should
probably fix it, request a CVE and so on.


Cheers,
Chris.

#677418#37
Date:
2012-06-21 12:34:08 UTC
From:
To:
Hello,

I'm not sure what's the news with this bug.
It should be clear to anyone using gpm that every local user
has access to its buffer.

I don't even believe this is a bug - but a feature: You can cat on one
console as $foouser and paste on another console as $other use.

You can open up a CVE or whatever for it, but it may not be appropriate.

GPM is not bound to however is logged in - you can even use it, if you
are *not* logged in at all - to for instance copy the bootmessages from tty1
to a logged in console on tty2.

That said - if you really want the behaviour of gpm working only if a
user is logged in, feel free to submit a patch against latest stable
source code using a new parameter like --per-user-clipboard
or --per-tty-clipboard (which would save you of another mapping table).

Cheers,

Nico

p.s.: changed e-mail address to the correct one

#677418#42
Date:
2012-06-25 23:22:38 UTC
From:
To:
Hey Nico, et al.
Well the thing is, that this IS a security problem.... be it new, or
not :)
No,... in all doing respect,... this simply can't be a feature...
It's a security issue,... one can argue how critical it is, but given
that you cannot know how the consoles of a system are used (maybe
thousands of remote users can log into them via some way) it should be
quite clear that this can become a big problem.

Don't think of laptop-only systems which are usually run by just one
user (or at least just one user at a given time).
So this is basically an implicit wish/request to someone with insight to
the code to change it ;-)
could get into troubles.
(Just consider someone selects rm -rf / <newline> that way,.. and
another user, thinking he has still the old content in the clipboard
pastes this in the shell.


Cheers,
Chris.

#677418#47
Date:
2012-07-03 18:21:11 UTC
From:
To:
Hello,

gpm does not implement the paste functionality, it's all handled in the
kernel. gpm only calls ioctl(TIOCLINUX) to set the selection (by only
giving the coordinates!), and make the kernel paste.

Not allowing cross-user copy/paste would be a big regression. I use it
quite often for instance.

Systematically clearing the selection on log-out could be unconvenient
too.

Clearing the selection when nobody is logged any more, however, should
be fine.  As long as a user is logged in, if somebody else comes over
the keyboard he'll be able to do other nasty things anyway.  I believe
that can be implemented in consolekit, it merely needs to do the ioctl
on last logout.  There is no need for gpm patch anyway, it's all in the
kernel.

Samuel

#677418#52
Date:
2012-07-09 20:28:55 UTC
From:
To:
Well... but in principle there must be some way for it to control
pasting, as pasting doesn't work when gpm is not running...
Ok,... I also use it,... but nevertheless it's a security hole.
You could argue the same way that all user share a common X.org
clipboard - just because it's handy.

A "solution" might be to add a configuration option, that allows
cross-user copy/pasting... but that should then be disabled per default,
IMHO.
As mentioned before several times:
don't think that limited, that console access always means begin
directly at the hardware with a keyboard... just think about serial
console via some network adapters...



Cheers,
Chris.

#677418#57
Date:
2012-07-09 21:50:35 UTC
From:
To:
Christoph Anton Mitterer, le Mon 09 Jul 2012 20:28:55 +0000, a écrit :
to make the kernel paste. But it doesn't even know what is being pasted.

I wonder who will ever notice and enable it.

I haven't seen that mentioned in this thread.
logged into the keyboard console, they don't have any access to the
keyboard console, and thus not to the copy/paste buffer either.

Samuel

#677418#62
Date:
2012-07-09 22:08:22 UTC
From:
To:
Ah,... I now I see... so one would need to implement in the kernel, that
every user has it's own clipboard space... and only then gpm could do
something like:
onclick()
{
	if(userFits())
		ioctl(...)
	else
		;//do nothing
}
Well I guess people who desperately miss that "feature" would probably
have a look at the documentation.
And especially we in Debian have debconf that could simply ask. :)
I doubt... we at the super computing centre have many nodes where we use
some sort of serial console access (differently implemented depending on
different hosts),... where I can log in from remote places (via ssh or
browser) and get a console on which I can use gpm.
And it's the same if you remotely log in on the consoles of VMs.


Cheers,
Chris.

#677418#67
Date:
2012-07-09 22:16:56 UTC
From:
To:
Christoph Anton Mitterer, le Tue 10 Jul 2012 00:08:22 +0200, a écrit :

That won't prevent any user from calling the ioctl. The ioctl is not
privileged. That should really be done in the kernel.

Such kinds of questions are quite frowned upon.

What does "use gpm" mean exactly?  What does the "tty" command return?
Is the content of the consoles exactly the same as what's physically
displayed on the machine?

I can "use gpm" in my xterms for instance, but copy/paste is entirely
done by X11.

Log how? Which tool?  There are a plethora of ways to access a machine
with very varying effects.

Samuel

#677418#72
Date:
2012-07-09 22:51:23 UTC
From:
To:
Uhm.. yeah well... but there are already quite a lot of them... and I
personally consider them to be quite ok, when the priority is reasonably
set...
Tried 3 different kinds of hosts here now,.. those had either
/dev/tty{N}
or
/dev/console
Cannot check here now, sorry, access to the building is highly
restricted.
Ah? Ok... I never saw the gpm typical pointer in X terminals... and
always thought they'd work completely independent..
On the nodes that I've tried now runs VMware (yes... sigh)... and there
it's some awkward proprietary browser plugin...
Well and that's the point I tried to emphasise before... one cannot now
by which way users use the systems,... but one can be sure that there
may be some that run into troubles.


Anyway...
Expecting you're right with the syscalls... (too busy now to look into
the code :-/ ) I'd agree that the issue cannot be solved in gpm itself.

But as long as a real solution is found (if ever accepted in the
kernel)... I'd say that gpm should warn it's users of this potential
security issue.
I can imagine amongst the following:
- a SECURITY file in /u/s/d/gpm that describes the issue (which should
probably distributed part of upstream)


specific to Debian:
- a shorter warning in the package description

- and maybe the same as in SECURITY via debconf
I know you probably don't like the later ;-) ... but I guess it's the
best chance to reach most (Debian) users.


Apart from what can be done (now) at a gpm level (i.e. warnings)... how
shall be proceeded?
Popping the issue up at lkml? Anyone with good connections?
If the ioctl is part of the tty subsystem chances are probably rather
bad to get things done... last time I read,... the subsystem was still
one of the don't-touch-miracles...


Cheers,
Chris.

#677418#77
Date:
2012-07-09 23:02:07 UTC
From:
To:
Christoph Anton Mitterer, le Tue 10 Jul 2012 00:51:23 +0200, a écrit :

Can somebody connect to the console too and see what you are doing, and
interfere with it?

The pointer doesn't show up in X terminals, but from the point of view
of applications, they get mouse events etc. from libgpm just as if they
were run on the linux console.

So I believe it's simply access to the hardware console.

And I'm on the contrary sure that all these ways fall into two
categories:

- access to the physical console (/dev/tty[1-9]), in which case you
already have access to it, type things, etc.
- access via network (ssh, telnet), or serial (/dev/ttyS0, etc.) in
which case you do not have access to the physical console.

It's only part of the VT subsystem.

Samuel

#677418#82
Date:
2012-08-31 15:54:02 UTC
From:
To:
severity 677418 normal
thanks

This is long-standing behaviour of GPM and changing it would break
valid use cases. There's certainly room for a new option with a
more tight handling, but this is not a RC security bug.

Cheers,
        Moritz