[Pkg-shadow-devel] Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl

Simon Ruderich simon at ruderich.org
Mon Oct 3 13:34:49 UTC 2016


On Sun, Oct 02, 2016 at 10:54:06AM +0200, up201407890 at alunos.dcc.fc.up.pt wrote:
> Hello Simon,
>
> This has been recently patched by using seccomp to blacklist this ioctl.
>
> https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2

Hello,

This is an awful hack! Blacklisting this single ioctl will fix
only this specific issue, but the underlying problem, that the
unprivileged user has access to the original tty, is still
unfixed.

The (later) patches in this bug report go in a different
direction and fix the underlying problem by opening a new session
with a separate tty and "proxying" the output (SSH also uses this
approach - only over the network). This seems to me like a much
better option than blacklisting a single ioctl.

@Karel: Could you please have a look at the patches in this bug
report which use setsid() to create a new session and adapt your
commit with a patch based on this approach? Sudo's use_pty option
does the same to fix this issue (but it is not enabled by default).

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
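
The approach described in the message above (a new session created with setsid(), a separate tty, and the parent proxying the output), as an added example that is not part of the original post or of the patches in the bug report. It assumes Linux with devpts mounted; run_isolated and struct pty_report are hypothetical names. The child ends up with the new pty as its only terminal, so tty ioctls it issues reach that pty and not the caller's terminal.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

struct pty_report { int parent_sid, child_sid, has_ctty; char tty[32]; };

/* Added illustration (Linux only, hypothetical names): run a child in its
 * own session on a fresh pty and proxy its output back to the caller. */
int run_isolated(struct pty_report *r)
{
    int unlock = 0, n = 0, slave = -1;
    unsigned int ptn;
    char buf[128], msg[64];
    ssize_t got;
    pid_t pid = -1;
    int master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (master >= 0 && ioctl(master, TIOCSPTLCK, &unlock) == 0 &&
        ioctl(master, TIOCGPTN, &ptn) == 0) {
        snprintf(r->tty, sizeof r->tty, "/dev/pts/%u", ptn);
        slave = open(r->tty, O_RDWR | O_NOCTTY); /* parent must not adopt it */
    }
    if (slave >= 0) pid = fork();
    if (pid == 0) {                          /* child: the untrusted side */
        close(master);
        setsid();                            /* leave the caller's session */
        int ok = ioctl(slave, TIOCSCTTY, 0) == 0; /* pty is now its only tty */
        dup2(slave, 0); dup2(slave, 1); dup2(slave, 2);
        if (slave > 2) close(slave);
        int len = snprintf(msg, sizeof msg, "sid=%d ctty=%d\n", (int)getsid(0), ok);
        _exit(write(1, msg, (size_t)len) < 0);
    }
    if (slave >= 0) close(slave);
    if (pid < 0) { if (master >= 0) close(master); return -1; }
    /* Proxy loop: on Linux read() fails with EIO once the slave side is closed. */
    while (n < (int)sizeof buf - 1 &&
           (got = read(master, buf + n, sizeof buf - 1 - (size_t)n)) > 0)
        n += (int)got;
    buf[n] = '\0';
    close(master);
    waitpid(pid, NULL, 0);
    r->parent_sid = (int)getsid(0);
    return sscanf(buf, "sid=%d ctty=%d", &r->child_sid, &r->has_ctty) == 2 ? 0 : -1;
}

int main(void)
{
    struct pty_report r;
    if (run_isolated(&r) != 0) return 1;
    return printf("caller sid %d, child sid %d on %s\n", r.parent_sid, r.child_sid, r.tty) < 0;
}
```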