Date: Tue, 12 Jun 2018 11:25:45 -0400
From: Jordan Glover <Golden_Miller83@...tonmail.ch>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Are `su user' and/or `sudo -u user sh' considered dangerous?

On June 12, 2018 1:38 PM, Jakub Wilk <jwilk@...lk.net> wrote:

> * Georgi Guninski <guninski@...inski.com>, 2018-06-12, 13:17:
>
> > https://j.ludost.net/blog/archives/2018/06/12/are_su_user_andor_sudo_-u_user_sh_considered_dangerous/index.html
> >
> > Per vague memory I discussed half of this with some linux crowd and
> > they said "won't fix" long ago.
> >
> > `su user' and `sudo -u user sh' give the user the fd of root's tty and
> > it is readable and writable. After closing the session, the user can
> > keep it and on root's tty potentially do:
> >
> > 1. inject keypresses via ioctl()
> > and/or
> > 2. read the output of root's tty, probably with some analogue of
> > tee(1).
> >
> > Is this really a concern?
> 
> This class of vulnerabilities has been known since at least 2005:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=173008 (CVE-2005-4890)
> 
> It was last discussed on oss-security in 2017:
> 
> http://seclists.org/oss-sec/2017/q2/412
> 
> > Any workarounds?
> 
> For sudo, there's the "use_pty" flag. (It's not enabled by default.)

Why isn't this the default? Where's the catch?

Jordan
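
An added example, not part of this message or the thread: a shell function that checks sudoers-format text for the global "use_pty" flag mentioned above. The function name and the sample fragments are constructed for illustration, and only unscoped `Defaults` lines are examined.

```shell
#!/bin/sh
# Added example (not from the thread): report the global use_pty setting
# found in sudoers-format text on stdin.
# Output: "enabled", "disabled" (explicit !use_pty) or "unset".
# Simplifications: only unscoped "Defaults" lines are considered
# (not Defaults:user, Defaults@host, ...); include directives are not followed.
use_pty_state() {
    awk '
        BEGIN { state = "unset"; buf = "" }
        {
            line = buf $0; buf = ""
            # Join backslash-continued lines before parsing.
            if (line ~ /\\$/) { buf = substr(line, 1, length(line) - 1); next }
            gsub(/"[^"]*"/, "\"\"", line)   # blank out quoted values (may hold commas or #)
            sub(/#.*/, "", line)            # strip comments
            if (line !~ /^[ \t]*Defaults[ \t]/) next
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opt, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", opt[i])
                # A later entry overrides an earlier one.
                if (opt[i] == "use_pty")  state = "enabled"
                if (opt[i] == "!use_pty") state = "disabled"
            }
        }
        END { print state }
    '
}

# Constructed sample sudoers fragments (not from a real system).
weak='Defaults env_reset, mail_badpass
root ALL=(ALL:ALL) ALL'
hardened='Defaults env_reset, \
    use_pty   # run the command in a newly allocated pty
Defaults:backup !use_pty
root ALL=(ALL:ALL) ALL'

printf '%s\n' "$weak"     | use_pty_state
printf '%s\n' "$hardened" | use_pty_state
```

On a real system the input would be the concatenated sudoers files, read as root; the scoped `Defaults:backup` line in the second sample is deliberately ignored by this check.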
