Bug 24254

Summary: Security hole in use of kbdcontrol
Product: Base System
Reporter: arc_of_avalon <arc_of_avalon>
Component: misc
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any

Description arc_of_avalon 2001-01-11 15:10:01 UTC
By default kbdcontrol is world executable and allows any local user to change the keyboards of all the vty's, including any that root is logged in to.  This could allow a user to virtually disable the console (non-X11) which, when used to activate an unusable keymap, would require a reboot to correct.  Note that kbdcontrol does not affect the keymap in X11.
This bug seems to exist in all BSDs.

Fix: 

This could be fixed by changing the permissions on kbdcontrol or only allowing root to change the keymap on all vty's (non-root only being able to change their own vty, which resets on logout).
How-To-Repeat: As non-root, type kbdcontrol -l us.dvorak (or any non-qwerty keyboard, including one edited by the user in his home directory with all the keys set to "?" or similar).
This will change the keyboard on all vty's and, if X11 is not running, would make it hard if not impossible (as would be the case with a keyboard full of ?'s) to change back.

Comment 1 dwmalone 2001-01-11 15:37:09 UTC
On Thu, Jan 11, 2001 at 07:02:24AM -0800, arc_of_avalon@yahoo.com wrote:

> By default kbdcontrol is world executable and allows any local
> user to change the keyboards of all the vty's, including any that
> root is logged in to.  This could allow a user to virtually disable
> the console (non-X11) which, when used to activate an unusable
> keymap, would require a reboot to correct.  Note that kbdcontrol
> does not affect the keymap in X11.

A kernel option KBD_DISABLE_KEYMAP_LOAD currently exists, which
stops people changing the keymap. I guess it would be possible to
add a sysctl which stops people other than root changing the keymap
setup.

	David.

Comment 2 dd freebsd_committer freebsd_triage 2001-06-01 03:47:24 UTC
State Changed
From-To: open->closed

Originator was informed of the kernel option.