oss-sec mailing list archives

Re: TTY handling when executing code in different lower-privileged context (su, virt containers)


From: Jakub Wilk <jwilk () jwilk net>
Date: Wed, 31 Jan 2024 23:58:40 +0100

I'm a few years late, but hey.

* halfdog <me () halfdog net>, 2012-11-05 19:22:
> The basic idea is, that a program started from interactive shell can access the TTY and also inject input data using TIOCSTI ioctl.
> […]
> In both cases, paranoid administrators might decide to use /dev/null as stdin/stdout/stderr

Redirecting unneeded fds is a good idea, but alone it's not sufficient to defeat the attack. The unprivileged process could open /dev/tty and then issue TIOCSTI on that fd.

[1] http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/

This insufficient work-around is also mentioned on the website:

"When no interactive shell is needed in lower-privileged context, su et al. can be run with stdin, stdout, stderr redirection, not passing a tty-fd to the other context"

--
Jakub Wilk
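The point of the reply above is that closing or redirecting fds 0-2 does not stop a process from reaching the terminal through /dev/tty; what matters is whether the lower-privileged process still has a controlling terminal at all. The following is an added example, not code from the message or from halfdog's page: it checks whether /dev/tty is still openable (the precondition for the attack) and shows that running the child under a fresh session (setsid) removes that access, while fd redirection alone does not. It assumes Linux/POSIX semantics and Python 3; the function names are the example's own.

```python
import os


def tty_reachable():
    """Return True if this process can still open its controlling terminal.

    /dev/tty is an alias for the session's controlling terminal. If it can be
    opened, a TIOCSTI ioctl on that fd would reach the terminal regardless of
    what fds 0-2 point at. If the process has no controlling terminal the open
    fails with ENXIO (or ENOENT in a minimal chroot/container without the node).
    """
    try:
        fd = os.open("/dev/tty", os.O_RDWR | os.O_NOCTTY)
    except OSError:
        # Any failure to open means no fd on the terminal can be obtained.
        return False
    os.close(fd)
    return True


def _run_in_child(func, detach):
    """Fork, optionally place the child in a new session, redirect fds 0-2 to
    /dev/null, run func() and return its small-int result via the exit status."""
    pid = os.fork()
    if pid == 0:
        try:
            if detach:
                # New session, no controlling terminal: /dev/tty is no longer
                # reachable from here even though the parent may have one.
                os.setsid()
            devnull = os.open(os.devnull, os.O_RDWR)
            for fd in (0, 1, 2):
                os.dup2(devnull, fd)
            os.close(devnull)
            os._exit(int(func()))
        except BaseException:
            os._exit(255)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)


def run_redirected_only(func):
    """The insufficient work-around: fds 0-2 go to /dev/null, session kept."""
    return _run_in_child(func, detach=False)


def run_detached(func):
    """The stronger form: new session via setsid(), then the same redirection."""
    return _run_in_child(func, detach=True)


if __name__ == "__main__":
    # Constructed demonstration: with a terminal attached, the first line is 1
    # (the child can still open /dev/tty) and the second is always 0.
    print("redirect only, tty reachable:", run_redirected_only(tty_reachable))
    print("setsid + redirect, tty reachable:", run_detached(tty_reachable))
```

The redirect-only child reports exactly what its parent would (it inherits the controlling terminal), while the setsid child always reports 0. When auditing a wrapper around su or a container launcher, the check to run from inside the lower-privileged context is therefore "can /dev/tty be opened", not "are fds 0-2 terminals". On Linux 6.2 and later the `dev.tty.legacy_tiocsti` sysctl can additionally disable TIOCSTI system-wide, which closes the injection path even where a terminal is still reachable.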

