Chvt - change foreground virtual terminal (VT) (tty) - prevent malware from forced tty change

Issue:

Malware could switch to another tty but can’t attempt to log in there or feed any data. Malware could pull the user from an emergency session tty back to the original graphical session where the malware runs.

How to reproduce:

  1. Log in to tty3, ideally as root
  2. chvt 3 && sleep 3 && chvt 2

This also works, which is a bit scary. So chvt can even boss around root.

This forced terminal change is something I’d like to fix.

Non-solutions:

  • “Require sudo”: chvt does not require sudo/root.
  • “Set chvt noSUID”: chvt is already non-suid.
  • “Delete chvt”: chvt is a user-space utility. Malware could ship the same tool or run the same syscall itself. Deleting chvt therefore does not accomplish very much.
  • /etc/security/access.conf: This is only a PAM configuration file.

Real solution:

The only solution is a proper system configuration.

Related wiki chapters: