Date: Thu, 9 Jun 2011 11:04:03 +0200
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: oss-security@...ts.openwall.com
Cc: Russell Coker <rcoker@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl

Josh Bressers wrote:
> > I, for instance, use su -u to run commands as the www user, what are
> > the odds of that user being compromised without my knowledge? The last
> > thing I want is having a way for that compromised user to run
> > arbitrary commands as any other user.
>
> This is unsafe, I'm not even sure if it can be made safe honestly (without
> breaking lots of things that expect tty access). Things like su and sudo
> are designed to raise privileges, not lower them. If this isn't well
> documented, it should be.

Note that you already have the setsid() patch in Fedora since 2005 so it
actually didn't break that much I guess :-)

You also have the runuser program which is basically su without
authentication. runuser is specifically intended for use by root to run
programs as unprivileged user.

FWIW I've found ikiwiki-mass-rebuild to be vulnerable to the tty hijacking
issue too. Upstream was rather quick to switch to using su¹ now.
ikiwiki-mass-rebuild is also intended to be called in package post scripts.
I wouldn't be surprised if there are other packages that run su to perform
some operation as unprivileged user in %post.

So we would like to release a coreutils security update which adds the
setsid patch.

cu
Ludwig

¹ http://ikiwiki.info/news/version_3.20110608/

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer,
HRB 16746 (AG Nürnberg)
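The mechanism behind the setsid() patch the message refers to, as an added example written for this page (it is not code from the post, from coreutils or from ikiwiki): the kernel honours TIOCSTI only when the target tty is the caller's controlling tty (or the caller has CAP_SYS_ADMIN), so a child that calls setsid() before exec'ing the less-privileged command keeps the inherited tty file descriptor but can no longer queue keystrokes into it. The probe below asks the kernel for that decision without injecting anything: with a NULL buffer a permitted TIOCSTI fails with EFAULT before any byte is queued. The EIO case and the dev.tty.legacy_tiocsti sysctl describe Linux 6.2 and later, where TIOCSTI can be switched off entirely; that is an assumption about the reader's kernel, not something the post discusses.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Editor's example, not code from the mailing-list post or from coreutils.
 * Demonstrates why running the target command in a new session (setsid())
 * stops the TIOCSTI tty hijack described in the thread. */

/* 1 if the calling process has a controlling terminal, else 0. */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;                 /* ENXIO: no controlling tty */
    close(fd);
    return 1;
}

/* Same check, in the signature run_in_child() expects. */
int has_ctty_probe(int unused)
{
    (void)unused;
    return has_controlling_tty();
}

/* Ask whether TIOCSTI on fd would be permitted, without injecting anything:
 * NULL is never a readable address, so when the permission check passes the
 * call fails with EFAULT instead of queueing a byte.
 * Returns 0 when injection would be allowed, otherwise the errno:
 *   EPERM   fd is a tty but not this process's controlling tty
 *   ENOTTY  fd is not a terminal at all
 *   EIO     TIOCSTI disabled (dev.tty.legacy_tiocsti=0, Linux >= 6.2; assumed) */
int tiocsti_probe(int fd)
{
    if (ioctl(fd, TIOCSTI, (char *)NULL) == 0)
        return 0;
    return errno == EFAULT ? 0 : errno;
}

/* Run fn(arg) in a forked child, optionally after setsid() the way a fixed
 * su does before exec'ing the target command.  Returns the child's exit
 * status (fn's result masked to 8 bits) or -1 if fork/wait failed. */
int run_in_child(int (*fn)(int), int arg, int new_session)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A freshly forked child is never a process-group leader, so
         * setsid() succeeds and leaves it with no controlling tty. */
        if (new_session && setsid() < 0)
            _exit(127);
        _exit(fn(arg) & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* A descriptor that is certainly not a terminal (read end of a pipe),
 * for exercising the ENOTTY path. */
int nontty_fd(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    close(p[1]);
    return p[0];
}

static void report(const char *label, int err)
{
    if (err == 0)
        printf("%-26s TIOCSTI would be ALLOWED (tty hijack possible)\n", label);
    else
        printf("%-26s TIOCSTI refused: %s\n", label, strerror(err));
}

int main(void)
{
    /* From an interactive shell on a kernel with TIOCSTI enabled the first
     * line reports ALLOWED and the second "Operation not permitted". */
    report("child without setsid():", run_in_child(tiocsti_probe, STDIN_FILENO, 0));
    report("child after setsid():",   run_in_child(tiocsti_probe, STDIN_FILENO, 1));
    return 0;
}
```

Run it from a terminal to see the two results side by side; the same probe against a pipe or /dev/null reports ENOTTY in both cases, and a child that has called setsid() can no longer open /dev/tty at all. The cost is the one the quoted reply points at: the command in the new session gets no job control and no terminal-generated signals from the caller's tty, which is why a change like this breaks things that expect tty access.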