Quoting "Phil Susi" <[email protected]>:
On 2/27/2016 4:23 AM, [email protected] wrote:
And yes, there would be no job control if you started a shell from
there. This is why in "su" setsid() is called only with "-c", partially
fixing the issue. If one would to "su - user" it would still be vulnerable.
That isn't good. Shouldn't only the foreground process group be allowed
to use this ioctl, thus preventing any background forked processes from
exploiting this?
I believe that is up to kernel developers.
grsecurity released a new feature named GRKERNSEC_HARDEN_TTY on Feb 18
that disallows the use of TIOCSTI to unprivileged users, unless they
have the CAP_SYS_ADMIN capability, mitigating these issues.
He said looking into it, he didn't find any legitimate uses of such ioctl.
Check out gr_handle_tiocsti()
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.