Bug 173008 - Need to call setsid() when starting daemons to prevent TIOCSTI attacks
Need to call setsid() when starting daemons to prevent TIOCSTI attacks
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: coreutils (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tim Waugh
: Security
Depends On:
Blocks: CVE-2005-4890
  Show dependency treegraph
 
Reported: 2005-11-12 01:40 EST by Russell Coker
Modified: 2012-11-02 11:33 EDT (History)
2 users (show)

See Also:
Fixed In Version: 5.93-2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-11-14 05:57:39 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch for su.c (1.16 KB, patch)
2005-11-12 01:45 EST, Russell Coker
no flags Details | Diff

  None (edit)
Description Russell Coker 2005-11-12 01:40:48 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.92 (like Gecko)

Description of problem:
When starting a program via "su - user -c program" the user session can escape 
to the parent session by using the TIOCSTI ioctl to push characters into the 
input buffer.  This allows for example a non-root session to push 
"chmod 666 /etc/shadow" or similarly bad commands into the input buffer such 
that after the end of the session they are executed. 
 
Note that merely flushing the input buffer at the end of a su session will not 
do any good because the hostile program may still be running in the background 
and pushing in characters. 
 
The runuser program (based on su.c) launches programs that do not need a 
controlling tty.  I believe that when a "su -c" session is launched it also 
has no need for a controlling tty. 
 
I will attach a patch to this bug report that for the case of "su -c" (which 
also covers all uses of "runuser") will call setsid() and thus prevent the 
child session from using TIOCSTI attacks.  For the case of a child session 
that does not terminate as soon as the administrator desires I have made the 
patch handle SIGINT and SIGQUIT and kill the session to return control to the 
parent. 
 
Note that this change does not handle all possible bad things that a hostile 
user may do if "su - baduser -c whatever" is executed, they will still have 
read/write access to the terminal just not to /dev/tty. 
 
Also note that "su - baduser" still has significant potential for abuse.  I 
will not attempt to fix this at the moment as I am trying to solve the case 
for daemon startup first. 
 

Version-Release number of selected component (if applicable):
all

How reproducible:
Always

Steps to Reproduce:
Ask me via private email.   

Additional info:
Comment 1 Russell Coker 2005-11-12 01:45:38 EST
Created attachment 120976 [details]
patch for su.c
Comment 2 Tim Waugh 2005-11-14 05:57:39 EST
Thanks.  Fixed in 5.93-2.

Note You need to log in before you can comment on or make changes to this bug.