Date: Tue, 12 Jun 2018 11:25:45 -0400 From: Jordan Glover <Golden_Miller83@...tonmail.ch> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: Re: Are `su user' and/or `sudo -u user sh' considered dangerous? On June 12, 2018 1:38 PM, Jakub Wilk <jwilk@...lk.net> wrote: > - Georgi Guninski guninski@...inski.com, 2018-06-12, 13:17: > > > https://j.ludost.net/blog/archives/2018/06/12/are_su_user_andor_sudo_-u_user_sh_considered_dangerous/index.html > > > > Per vague memory I discussed half of this with some linux crowd and > > > > they said "won't fix" long ago. > > > > `su user' and`sudo -u user sh' give the user the fd of root's tty and > > > > it is readable and writable. After closing the session, the user can > > > > keep it and on root's tty potentially do: > > > > 1. inject keypresses via ioctl() > > > > and/or > > > > 2. read the output of root's tty, probably with some analogue of > > > > tee(1). > > > > > > Is this really a concern? > > This class of vulnerabilities has been known since at least 2005: > > https://bugzilla.redhat.com/show_bug.cgi?id=173008 (CVE-2005-4890) > > It was last discussed on oss-security in 2017: > > http://seclists.org/oss-sec/2017/q2/412 > > > Any workarounds? > > For sudo, there's the "use_pty" flag. (It's not enabled by default.) Why this isn't default? Where's the catch? Jordan
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ