Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 9 Jun 2011 11:04:03 +0200
From: Ludwig Nussel <>
Cc: Russell Coker <>,
	"Steven M. Christey" <>
Subject: Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl

Josh Bressers wrote:
> > I, for instance, use su -u to run commands as the www user, what are
> > the odds of that user being compromised without my knowledge? The last
> > thing I want is having a way for that compromised user to run
> > arbitrary commands as any other user.
> This is unsafe, I'm not even sure if it can be made safe honestly (without
> breaking lots of things that expect tty access). Things like su and sudo
> are designed to raise privileges, not lower them. If this isn't well
> documented, it should be.

Note that you already have the setsid() patch in Fedora since 2005
so it actually didn't break that much I guess :-) You also have the
runuser program with is basically su without authentication. runuser
is specifically intended for use by root to run programs as
unprivileged user.

FWIW I've found ikiwiki-mass-rebuild to be vulnerable to the tty
hijacking issue too. Upstream was rather quick to switch to using
su¹ now. ikiwiki-mass-rebuild is also intended to be called in
package post scripts. I wouldn't be surprised if there are other
packages that run su to perform some operation as unprivileged user
in %post.

So we would like to release a coreutils security update which adds
the setsid patch.



 (o_   Ludwig Nussel
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ