On Sat, Oct 01, 2016 at 03:54:40PM -0600, Theo de Raadt wrote: > Use of su, doas, or sudo -- means you EXPLICITLY want the tty to > remain the same. > > De-escalation using these "sudo" or "doas" like tools on a tty is > somewhat unsafe - it has always been unsafe - because tty's have > capabilities. > > If you wish to be safer, do these operations without retaining access > to a tty. > > Escalation on the other hand (user -> root) is different, because then > it is clear you want to do more / everything. But de-escalation is a > joke. > > This is just one mechanism on tty, there are others. On other > descriptors there are other abilities. >
Would you mind explaining this a little bit. I don't really mean the sudo/doas part. How to do operations without retaining access to a tty? What other descriptors? And, I would especially appreciate any areas in src that could more fully give me an understanding of this. Studying code has to be essential to get this. Thank you very much, Chris Bennett
