[Pkg-shadow-devel] TTY handling in su when executing code in lower-privileged context

halfdog me at halfdog.net
Mon Nov 12 20:48:44 UTC 2012


Alexander Gattin wrote:
> Hello,
> 
> On Sat, Nov 10, 2012 at 05:09:36PM +0000, halfdog wrote:
>> Could you please check, if the upstream su - variant can be
>> abused
> 
> Debian/stable:
>> root@ux280p:~# ls -l `tty`
>> crw--w---- 1 root tty 136, 11 Nov 12 10:00 /dev/pts/11
>> root@ux280p:~# su -c "/home/xrgtn/apps/tiocsti id" - xrgtn
>> id
>> root@ux280p:~# id
>> uid=0(root) gid=0(root) groups=0(root)
>> root@ux280p:~# su -c "/home/xrgtn/apps/tiocsti whoami" - xrgtn
>> whoami
>> root@ux280p:~# whoami
>> root
>> root@ux280p:~#
>> 
> 
> As you can see, TIOCSTI works even when process doesn't have "w"
> permission to its controlling terminal (some UNIX tty design
> idiosyncrasy), and then TIOCSTI-ed input is happily passed back to 
> root's shell.

Thanks for testing. So it seems that it's not just one
distributor using the wrong compile switch.

>> If yes, could you please add following to the man page "CAVEATS"
>> section?
>> 
>> "Using su to execute commands as an untrusted user from an
>> interactive shell may allow the untrusted user to escalate
>> privileges to the user running the shell."
> 
> Probably, this is the best idea at the moment.

Fine. So let's hope that someone reads it. What do you think of
changing setuid(2) page also (CAVEAT: do not keep ttys or other FDs
open, supplementary groups) to increase security awareness of
programmers in particular and knowledge of folks interested in
understanding syscalls/linux in general?

> We could try to implement ptm/pts approach, but I doubt it would be
> terribly portable, given all the problems Don Libes faced with
> Expect....

I've heard that SuSE has some kind of patch, see the discussion on
oss-security.

Also the "screen" utility seems to work quite well, perhaps some code
could be reused or shared (lib-subpty?).

hd

-- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
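
Added example, not part of the original message and not code from su or shadow: a minimal sketch of one way a launcher can keep a lower-privileged child from sharing the caller's controlling terminal, by starting it in a new session with setsid(2). The function name run_without_ctty and the probe command are hypothetical; the privilege drop that su performs is omitted.

```c
/* Added example: run a command in a new session so that it has no
 * controlling terminal. Names here are hypothetical, not from su. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, detach the child from the caller's session, then exec argv.
 * Returns the child's exit status, or -1 on failure or abnormal exit. */
int run_without_ctty(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A freshly forked child is never a process group leader, so
         * setsid() succeeds; the new session has no controlling tty. */
        if (setsid() == (pid_t)-1)
            _exit(126);
        /* su would drop privileges here (setgroups/setgid/setuid). */
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed probe: opening /dev/tty fails in a process that has
     * no controlling terminal, so the shell exits non-zero. */
    char *probe[] = { "sh", "-c", ": </dev/tty", NULL };
    int rc = run_without_ctty(probe);
    printf("probe exit status: %d (non-zero: no controlling tty)\n", rc);
    return rc != 0 ? 0 : 1;
}
```

On Linux, TIOCSTI is refused with EPERM when the target tty is not the caller's controlling terminal and the caller lacks CAP_SYS_ADMIN, which is why detaching the session helps. The child still inherits the terminal file descriptors and loses job control, so the separate pty approach raised in the thread remains the more complete isolation.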


