[Pkg-shadow-devel] Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl
Karel Zak
kzak at redhat.com
Mon Oct 3 14:22:47 UTC 2016
On Mon, Oct 03, 2016 at 04:11:41PM +0200, up201407890 at alunos.dcc.fc.up.pt wrote:
> Quoting "Simon Ruderich" <simon at ruderich.org>:
>
> Btw, at least in Red Hat-based systems, su uses setsid() when the -c option
> is given, just like use_pty in sudo. Not sure if this is true in Debian.

The problem is that we don't want to use setsid() in all situations,
because it will introduce regressions. From util-linux ReleaseNotes:

    CVE-2016-2779
    This security issue is NOT FIXED yet. It is possible to disable the
    ioctl TIOCSTI by setsid() only. Unfortunately, setsid() has
    well-defined use cases in su(1) and runuser(1) and any changes would
    introduce regressions. It seems we need a better way -- ideally
    another ioctl (or whatever is supported by the kernel) to disable
    TIOCSTI without setsid().

And yes, blacklisting the ioctl is a hack.

    Karel

--
Karel Zak <kzak at redhat.com>
http://karelzak.blogspot.com
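
Added example (not code from util-linux, shadow, or this thread): a small C program showing what setsid() does to a child process, which is both why it stops TIOCSTI and why it causes the regressions mentioned above. The function name child_ctty_state and its result codes are hypothetical names chosen for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes (names are illustrative, chosen for this example). */
enum { DETACHED = 0, STILL_HAS_CTTY = 1, SETSID_FAILED = 2, FORK_FAILED = 3 };

/*
 * Fork a child, optionally call setsid() in it, and report whether the
 * child can still reach a controlling terminal through /dev/tty.
 *
 * Linux refuses TIOCSTI from a caller without CAP_SYS_ADMIN unless the
 * target tty is the caller's controlling terminal. A child that has called
 * setsid() has no controlling terminal, so it cannot push input into the
 * invoking user's tty. The same detachment also removes job control and
 * /dev/tty access for the child, which is the regression risk for su(1).
 */
int child_ctty_state(int use_setsid)
{
    pid_t pid = fork();
    if (pid < 0)
        return FORK_FAILED;
    if (pid == 0) {
        /* A freshly forked child is not a group leader, so setsid() works. */
        if (use_setsid && setsid() == (pid_t)-1)
            _exit(SETSID_FAILED);
        /* /dev/tty resolves to the controlling terminal, if there is one. */
        int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
        if (fd >= 0) {
            close(fd);
            _exit(STILL_HAS_CTTY);
        }
        _exit(DETACHED);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return FORK_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("without setsid(): state=%d\n", child_ctty_state(0));
    printf("with setsid():    state=%d\n", child_ctty_state(1));
    return 0;
}
```

Run from an interactive terminal, the first line reports state 1 (controlling terminal still reachable) and the second reports state 0.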