
List:       oss-security
Subject:    Re: [oss-security] TTY handling when executing code in different lower-privileged context (su, virt 
From:       Jakub Wilk <jwilk () jwilk ! net>
Date:       2024-01-31 22:58:40
Message-ID: 20240131225840.w7bgmi32juh6wcpz () jwilk ! net

I'm a few years late, but hey.

* halfdog <me@halfdog.net>, 2012-11-05 19:22:
>The basic idea is, that a program started from interactive shell can 
>access the TTY and also inject input data using TIOCSTI ioctl.
[…]
>In both cases, paranoid administrators might decide to use /dev/null as 
>stdin/stdout/stderr

Redirecting unneeded fds is a good idea, but alone it's not sufficient 
to defeat the attack. The unprivileged process could open /dev/tty and 
then issue TIOCSTI on that fd.

>[1] http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/

This insufficient work-around is also mentioned on the website:

"When no interactive shell is needed in lower-privileged context, su et 
al. can be run with stdin, stdout, stderr redirection, not passing a 
tty-fd to the other context"

-- 
Jakub Wilk
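
The point made in the reply above, as an added check that is not part of the original message or the linked write-up: a child whose fds 0-2 point at /dev/null can still open the controlling terminal through /dev/tty. The function names are hypothetical, and setsid() is used here as the standard POSIX way to leave the session (and with it the controlling terminal); the thread itself does not propose it.

```c
/* Added example: checks whether a child can still reach the controlling
 * terminal via /dev/tty after its stdio is redirected to /dev/null.
 * Function names are hypothetical; nothing here issues TIOCSTI. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if this process can open its controlling terminal, else 0. */
static int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;               /* e.g. ENXIO: no controlling terminal */
    close(fd);
    return 1;
}

/* Fork a child, point fds 0-2 at /dev/null, optionally call setsid(),
 * and return what has_controlling_tty() reports inside that child
 * (-1 on fork/wait failure, 2 if setsid() failed). */
static int child_sees_tty(int detach_session)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int nul = open("/dev/null", O_RDWR);
        if (nul >= 0) {
            dup2(nul, 0); dup2(nul, 1); dup2(nul, 2);
            if (nul > 2) close(nul);
        }
        if (detach_session && setsid() < 0)
            _exit(2);
        _exit(has_controlling_tty());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("parent has controlling tty:   %d\n", has_controlling_tty());
    printf("child, /dev/null only:        %d\n", child_sees_tty(0));
    printf("child, /dev/null + setsid():  %d\n", child_sees_tty(1));
    return 0;
}
```

Run from an interactive shell, this prints 1, 1, 0: redirection alone leaves /dev/tty reachable, and the terminal only becomes unreachable once the child has left the session.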