From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.92 (like Gecko)

Description of problem:
When starting a program via "su - user -c program" the user session can escape to the parent session by using the TIOCSTI ioctl to push characters into the input buffer. This allows, for example, a non-root session to push "chmod 666 /etc/shadow" or similarly bad commands into the input buffer such that after the end of the session they are executed. Note that merely flushing the input buffer at the end of a su session will not do any good because the hostile program may still be running in the background and pushing in characters.

The runuser program (based on su.c) launches programs that do not need a controlling tty. I believe that when a "su -c" session is launched it also has no need for a controlling tty. I will attach a patch to this bug report that for the case of "su -c" (which also covers all uses of "runuser") will call setsid() and thus prevent the child session from using TIOCSTI attacks. For the case of a child session that does not terminate as soon as the administrator desires, I have made the patch handle SIGINT and SIGQUIT and kill the session to return control to the parent.

Note that this change does not handle all possible bad things that a hostile user may do if "su - baduser -c whatever" is executed; they will still have read/write access to the terminal, just not to /dev/tty. Also note that "su - baduser" still has significant potential for abuse. I will not attempt to fix this at the moment as I am trying to solve the case for daemon startup first.

Version-Release number of selected component (if applicable):
all

How reproducible:
Always

Steps to Reproduce:
Ask me via private email.

Additional info:
Created attachment 120976: patch for su.c
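The mitigation the report proposes, as an added example that is not the su.c patch attached to this bug: the child is started with setsid() so it has no controlling terminal (and therefore no /dev/tty through which TIOCSTI could reach the parent's input buffer), and while the parent waits, SIGINT or SIGQUIT kills the detached session so control returns to the administrator. The deadline argument (SIGALRM after a number of seconds), the function names and the probe/hang child routines are this example's own additions, assumed for illustration.

```c
/* Added example, not the su.c patch from this bug report. Run a child in its own
 * session (no controlling tty) and kill that whole session on SIGINT, SIGQUIT or
 * an optional deadline so the parent gets its terminal back. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static pid_t session_pid = -1;   /* pid (== session id) of the detached child */

/* Signal handler: kill the child's process group and the child itself. */
static void kill_session(int sig)
{
    (void)sig;
    if (session_pid > 0) {
        kill(-session_pid, SIGKILL);  /* every process in the detached session's group */
        kill(session_pid, SIGKILL);   /* the child itself, in case setsid() has not run yet */
    }
}

/* 1 if the calling process has a controlling terminal, 0 otherwise. */
int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;                 /* typically ENXIO: no controlling tty in this session */
    close(fd);
    return 1;
}

/* Fork, call setsid() in the child, run fn(arg) there and exit with its value.
 * While waiting, SIGINT and SIGQUIT (and SIGALRM after timeout_sec seconds, if
 * nonzero; the deadline is an addition of this example) kill the child's session.
 * Returns the child's exit status, 128+signal if it was killed, or -1 on error. */
int run_in_new_session(int (*fn)(void *), void *arg, unsigned timeout_sec)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)         /* new session: the child has no controlling tty */
            _exit(127);
        _exit(fn(arg) & 0xff);
    }
    session_pid = pid;

    struct sigaction sa, old_int, old_quit, old_alrm;
    memset(&sa, 0, sizeof sa);    /* no SA_RESTART, so waitpid() returns EINTR and we re-check */
    sa.sa_handler = kill_session;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGINT, &sa, &old_int);
    sigaction(SIGQUIT, &sa, &old_quit);
    sigaction(SIGALRM, &sa, &old_alrm);
    if (timeout_sec)
        alarm(timeout_sec);

    int status, rc = -1;
    for (;;) {
        if (waitpid(pid, &status, 0) == pid) {
            if (WIFEXITED(status))
                rc = WEXITSTATUS(status);
            else if (WIFSIGNALED(status))
                rc = 128 + WTERMSIG(status);
            break;
        }
        if (errno != EINTR)
            break;                /* real error; rc stays -1 */
    }

    alarm(0);
    sigaction(SIGINT, &old_int, NULL);
    sigaction(SIGQUIT, &old_quit, NULL);
    sigaction(SIGALRM, &old_alrm, NULL);
    session_pid = -1;
    return rc;
}

/* Runs inside the detached child. Bit 0: this process leads its own session and
 * process group; bit 1: /dev/tty cannot be opened from here. */
int probe_session(void *unused)
{
    (void)unused;
    int r = 0;
    if (getsid(0) == getpid() && getpgid(0) == getpid())
        r |= 1;
    if (!has_controlling_tty())
        r |= 2;
    return r;
}

/* Stand-in for a child that never exits on its own (constructed for the example). */
int hang_forever(void *unused)
{
    (void)unused;
    for (;;)
        pause();
    return 0;
}

int main(void)
{
    printf("parent has controlling tty: %d\n", has_controlling_tty());
    printf("child probe (bit0 = own session, bit1 = no /dev/tty): %d\n",
           run_in_new_session(probe_session, NULL, 0));
    printf("hanging child killed after deadline, status: %d\n",
           run_in_new_session(hang_forever, NULL, 1));
    return 0;
}
```

The probe's bit 1 is only informative when the parent itself has a terminal; bit 0 (the child is its own session leader) holds regardless and is what setsid() guarantees. The parent keeps full read/write access to its terminal, which matches the report's caveat that the fix removes the child's /dev/tty, not its inherited descriptors.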
Thanks. Fixed in 5.93-2.