oss-sec mailing list archives

Re: CVE request -- coreutils -- tty hijacking possible in "su" via TIOCSTI ioctl


From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Thu, 9 Jun 2011 11:04:03 +0200

Josh Bressers wrote:
> > I, for instance, use su -u to run commands as the www user, what are
> > the odds of that user being compromised without my knowledge? The last
> > thing I want is having a way for that compromised user to run
> > arbitrary commands as any other user.
>
> This is unsafe, I'm not even sure if it can be made safe honestly (without
> breaking lots of things that expect tty access). Things like su and sudo
> are designed to raise privileges, not lower them. If this isn't well
> documented, it should be.

Note that you already have the setsid() patch in Fedora since 2005
so it actually didn't break that much I guess :-) You also have the
runuser program which is basically su without authentication. runuser
is specifically intended for use by root to run programs as
unprivileged user.

FWIW I've found ikiwiki-mass-rebuild to be vulnerable to the tty
hijacking issue too. Upstream was rather quick to switch to using
su¹ now. ikiwiki-mass-rebuild is also intended to be called in
package post scripts. I wouldn't be surprised if there are other
packages that run su to perform some operation as unprivileged user
in %post.

So we would like to release a coreutils security update which adds
the setsid patch.

cu
Ludwig

[1] http://ikiwiki.info/news/version_3.20110608/

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 
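
An added example, not part of the original message and not the coreutils patch itself: a minimal launcher showing what a setsid() call before exec changes for the command being run. On Linux the child ends up without the caller's controlling terminal, and TIOCSTI on a terminal that is not the caller's controlling terminal is refused unless the process has CAP_SYS_ADMIN. The function names, exit codes and the sample command are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for setgroups() under strict -std modes */
#endif
#include <fcntl.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child exit codes used by this example (constructed, not from coreutils). */
enum { CHILD_SETSID_FAILED = 120, CHILD_HAS_CTTY = 121,
       CHILD_DROP_FAILED = 122, CHILD_EXEC_FAILED = 127 };

/* Returns 1 if the calling process can still open its controlling terminal. */
static int has_controlling_tty(void) {
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0) return 0;          /* typically ENXIO: no controlling terminal */
    close(fd);
    return 1;
}

/* Run argv in a new session. If drop is nonzero, switch to uid/gid first
 * (needs root). Returns the child's exit status, or -1 on error. */
int run_in_new_session(char *const argv[], int drop, uid_t uid, gid_t gid) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* The forked child is never a process group leader, so setsid()
         * succeeds and detaches it from the caller's controlling tty. */
        if (setsid() == (pid_t)-1) _exit(CHILD_SETSID_FAILED);
        if (has_controlling_tty()) _exit(CHILD_HAS_CTTY);
        /* Drop supplementary groups, then gid, then uid (order matters). */
        if (drop && (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0))
            _exit(CHILD_DROP_FAILED);
        execvp(argv[0], argv);
        _exit(CHILD_EXEC_FAILED);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char *const cmd[] = { "sh", "-c", "exit 7", NULL };   /* constructed sample */
    return run_in_new_session(cmd, 0, 0, 0) == 7 ? 0 : 1;
}
```

The cost Josh mentions is visible here too: a command started this way gets no job control and cannot prompt on /dev/tty.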

