oss-sec mailing list archives

Re: Are `su user' and/or `sudo -u user sh' considered dangerous?

From: Jordan Glover <Golden_Miller83 () protonmail ch>
Date: Tue, 12 Jun 2018 11:25:45 -0400

On June 12, 2018 1:38 PM, Jakub Wilk <jwilk () jwilk net> wrote:

-   Georgi Guninski guninski () guninski com, 2018-06-12, 13:17:

https://j.ludost.net/blog/archives/2018/06/12/are_su_user_andor_sudo_-u_user_sh_considered_dangerous/index.html

Per vague memory I discussed half of this with some linux crowd and

they said "won't fix" long ago.

`su user' and`sudo -u user sh' give the user the fd of root's tty and

it is readable and writable. After closing the session, the user can

keep it and on root's tty potentially do:

1.  inject keypresses via ioctl()
    
    and/or
    
2.  read the output of root's tty, probably with some analogue of
    
    tee(1).
    

Is this really a concern?


This class of vulnerabilities has been known since at least 2005:

https://bugzilla.redhat.com/show_bug.cgi?id=173008 (CVE-2005-4890)

It was last discussed on oss-security in 2017:

http://seclists.org/oss-sec/2017/q2/412

Any workarounds?


For sudo, there's the "use_pty" flag. (It's not enabled by default.)


Why this isn't default? Where's the catch?

Jordan

Current thread:

Are `su user' and/or `sudo -u user sh' considered dangerous? Georgi Guninski (Jun 12)
- Re: Are `su user' and/or `sudo -u user sh' considered dangerous? Jakub Wilk (Jun 12)
  - Re: Are `su user' and/or `sudo -u user sh' considered dangerous? Jordan Glover (Jun 12)
    - Re: Are `su user' and/or `sudo -u user sh' considered dangerous? Todd C. Miller (Jun 12)
  - Re: Are `su user' and/or `sudo -u user sh' considered dangerous? Georgi Guninski (Jun 13)
    - Re: Are `su user' and/or `sudo -u user sh' considered dangerous? Georgi Guninski (Jun 13)
    - Re: Are `su user' and/or `sudo -u user sh' considered dangerous? Jakub Wilk (Jun 14)
    - Re: Are `su user' and/or `sudo -u user sh' considered dangerous? Georgi Guninski (Jun 15)