[Pkg-shadow-devel] TTY handling in su when executing code in lower-privileged context

Alexander Gattin xrgtn at yandex.ru
Mon Nov 12 08:09:57 UTC 2012


Hello,

On Sat, Nov 10, 2012 at 05:09:36PM +0000, halfdog
wrote:
> Could you please check, if the upstream su -
> variant can be abused

Debian/stable:
> root@ux280p:~# ls -l `tty`
> crw--w---- 1 root tty 136, 11 Nov 12 10:00 /dev/pts/11
> root@ux280p:~# su -c "/home/xrgtn/apps/tiocsti id" - xrgtn
> id
> root@ux280p:~# id
> uid=0(root) gid=0(root) groups=0(root)
> root@ux280p:~# su -c "/home/xrgtn/apps/tiocsti whoami" - xrgtn
> whoami
> root@ux280p:~# whoami
> root
> root@ux280p:~#

As you can see, TIOCSTI works even when the process
doesn't have "w" permission to its controlling
terminal (some UNIX tty design idiosyncrasy), and
then the TIOCSTI-ed input is happily passed back to
root's shell.

> If yes, could you please add the following to the
> man page "CAVEATS" section?
> 
> "Using su to execute commands as an untrusted
> user from an interactive shell may allow the
> untrusted user to escalate privileges to the
> user running the shell."

Probably, this is the best idea at the moment.

We could try to implement a ptm/pts approach, but I
doubt it would be terribly portable, given all the
problems Don Libes faced with Expect....

-- 
With best regards,
xrgtn