[Pkg-shadow-devel] TTY handling in su when executing code in lower-privileged context

Alexander Gattin xrgtn at yandex.ru
Mon Nov 12 10:02:44 UTC 2012


On Mon, Nov 12, 2012 at 10:09:57AM +0200,
Alexander Gattin wrote:
> Debian/stable:
> > root@ux280p:~# su -c "/home/xrgtn/apps/tiocsti id" - xrgtn
> > id
> > root@ux280p:~# id
> > uid=0(root) gid=0(root) groups=0(root)

Sorry, I checked the /stable version, it doesn't
come with any sort of TIOCSTI fix yet.

Here are results for Debian/testing:
> root@ux280p:~# su.testing -c "/home/xrgtn/apps/tiocsti whoami" - xrgtn
> open /dev/tty: No such device or address
> root@ux280p:~#

So far it's OK, testing with interactive su:
> root@ux280p:~# su - xrgtn
> xrgtn@ux280p:~$ (sleep 2; ~/apps/tiocsti id)&
> [1] 25283
> xrgtn@ux280p:~$ logout
> root@ux280p:~# id
> uid=0(root) gid=0(root) groups=0(root)
> root@ux280p:~#

As you can see, interactive su is vulnerable
(delayed/backgrounded TIOCSTI is required to
exploit it).

-- 
With best regards,
xrgtn
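
The Debian/testing result above (`open /dev/tty: No such device or address`) is what a process sees once it has no controlling terminal. As an added example, not part of the original message or of shadow's code, this C program starts a child in a new session and checks that `/dev/tty` is no longer reachable; the function names are illustrative, and using `setsid()` for the detach is an assumption, since the message does not say how su.testing does it.

```c
/* Added example: verify that a child placed in its own session has no
 * controlling terminal. Function names are illustrative. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs in the child: 0 = /dev/tty unreachable, 1 = still reachable. */
static int probe_ctty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Fork, detach the child with setsid(), then probe from inside it.
 * The child still inherits stdin/stdout/stderr on the terminal, but the
 * kernel refuses TIOCSTI from an unprivileged process on a tty that is
 * not its controlling terminal.
 * Returns 1 if detached, 0 if a controlling tty is still reachable,
 * -1 on error. */
int child_detached_from_tty(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() == (pid_t)-1)   /* new session, no controlling tty */
            _exit(2);
        _exit(probe_ctty());
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 0)
        return 1;
    return WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void)
{
    int r = child_detached_from_tty();
    printf("child detached from controlling tty: %s\n",
           r == 1 ? "yes" : r == 0 ? "NO" : "error");
    return r == 1 ? 0 : 1;
}
```

This covers only the `su -c` style of invocation; an interactive session needs a terminal, which is the case the message reports as still vulnerable.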