[Pkg-shadow-devel] Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl

up201407890 at alunos.dcc.fc.up.pt up201407890 at alunos.dcc.fc.up.pt
Mon Oct 3 14:11:41 UTC 2016


Quoting "Simon Ruderich" <simon at ruderich.org>:

Btw, at least in Red Hat based systems, su uses setsid() when the -c
option is given, just like use_pty in sudo. Not sure if this is true
in Debian.

> On Sun, Oct 02, 2016 at 10:54:06AM +0200, up201407890 at alunos.dcc.fc.up.pt wrote:
>> Hello Simon,
>>
>> This has been recently patched by using seccomp to blacklist this ioctl.
>>
>> https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2
>
> Hello,
>
> This is an awful hack! Blacklisting this single ioctl will fix
> only this specific issue, but the underlying problem, that the
> unprivileged user has access to the original tty, is still
> unfixed.
>
> The (later) patches in this bug report go in a different
> direction and fix the underlying problem by opening a new session
> with a separate tty and "proxying" the output (SSH also uses this
> approach - only over the network). This seems to me like a much
> better option than blacklisting a single ioctl.
>
> @Karel: Could you please have a look at the patches in this bug
> report which use setsid() to create a new session and adapt your
> commit with a patch based on this approach? Sudo's use_pty option
> does the same to fix this issue (but not enabled by default).
>
> Regards
> Simon
> --
> + privacy is necessary
> + using gnupg http://gnupg.org
> + public key id: 0x92FEFDB7E44C32F9
>
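
The approach argued for in the quoted reply (run the command in a new session on a separate pty and have the parent proxy its output) looks like this in C. This is an added example, not code from the shadow, util-linux or sudo changes discussed in the thread. Assumptions: run_on_private_pty is a hypothetical name, a Linux devpts is available, and only the command's output is relayed (input, window size and signals are not forwarded).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from shadow, util-linux or sudo): run `cmd` in a
 * new session whose controlling terminal is a fresh pty, and relay what it
 * prints into `out`. Returns the command's exit status, or -1 on error. */
int run_on_private_pty(const char *cmd, char *out, size_t outlen)
{
    int master = outlen ? posix_openpt(O_RDWR | O_NOCTTY) : -1;
    if (master < 0)
        return -1;
    const char *slave_name = NULL;
    if (grantpt(master) == 0 && unlockpt(master) == 0)
        slave_name = ptsname(master);
    pid_t pid = slave_name ? fork() : -1;
    if (pid < 0) {
        close(master);
        return -1;
    }
    if (pid == 0) {
        close(master);
        /* New session: the child loses the caller's controlling tty. */
        int slave = setsid() < 0 ? -1 : open(slave_name, O_RDWR);
        /* Make the pty the controlling tty of the new session. */
        if (slave < 0 || ioctl(slave, TIOCSCTTY, 0) < 0)
            _exit(127);
        /* The command only ever sees the pty, never the caller's fds 0-2. */
        dup2(slave, 0); dup2(slave, 1); dup2(slave, 2);
        if (slave > 2)
            close(slave);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    size_t used = 0; ssize_t n;
    /* Proxy loop: read() fails with EIO once the last slave fd is closed. */
    while (used + 1 < outlen &&
           (n = read(master, out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(master);
    int status = 0;
    return (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

An ioctl issued by the command on its terminal now acts on the private pty; the caller's terminal receives only the bytes the parent chooses to copy out of `out`.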
