List: oss-security
Subject: Re: [oss-security] TTY handling when executing code in different lower-privileged context (su, virt
From: Jakub Wilk <jwilk () jwilk ! net>
Date: 2024-01-31 22:58:40
Message-ID: 20240131225840.w7bgmi32juh6wcpz () jwilk ! net
I'm a few years late, but hey.

* halfdog <me@halfdog.net>, 2012-11-05 19:22:
>The basic idea is, that a program started from interactive shell can
>access the TTY and also inject input data using TIOCSTI ioctl.
[…]
>In both cases, paranoid administrators might decide to use /dev/null as
>stdin/stdout/stderr

Redirecting unneeded fds is a good idea, but alone it's not sufficient
to defeat the attack. The unprivileged process could open /dev/tty and
then issue TIOCSTI on that fd.

>[1] http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/

This insufficient work-around is also mentioned on the website:

"When no interactive shell is needed in lower-privileged context, su et
al. can be run with stdin, stdout, stderr redirection, not passing a
tty-fd to the other context"

--
Jakub Wilk