On Sun, Oct 02, 2016 at 07:10:12AM +0200, Sebastien Marie wrote:
> On Sat, Oct 01, 2016 at 05:15:31PM -0500, Chris Bennett wrote:
> > On Sat, Oct 01, 2016 at 03:54:40PM -0600, Theo de Raadt wrote:
> > > Use of su, doas, or sudo -- means you EXPLICITLY want the tty to
> > > remain the same.
> > >
> > > De-escalation using these "sudo" or "doas" like tools on a tty is
> > > somewhat unsafe - it has always been unsafe - because tty's have
> > > capabilities.
> > >
> > > If you wish to be safer, do these operations without retaining access
> > > to a tty.
> > >
> > > Escalation on the other hand (user -> root) is different, because then
> > > it is clear you want to do more / everything. But de-escalation is a
> > > joke.
> > >
> > > This is just one mechanism on tty, there are others. On other
> > > descriptors there are other abilities.
> > >
> >
> > Would you mind explaining this a little bit. I don't really mean the
> > sudo/doas part.
> >
> > How to do operations without retaining access to a tty?
> > What other descriptors?
> >
> > And, I would especially appreciate any areas in src that could more
> > fully give me an understanding of this. Studying code has to be
> > essential to get this.
> >
>
> there is a recent thread on oss-security about the specific problem of
> sharing tty:
> http://openwall.com/lists/oss-security/2016/09/25/1
>
> or some more ancient stuff (same problem):
> http://www.openwall.com/lists/oss-security/2011/12/20/2
>
> when using doas/sudo you share a tty.
>
> # tty
> /dev/ttypa
> # doas -u user -s
> $ tty
> /dev/ttypa
>
> so at a moment, user has access to the tty device that root will use
> later.
>
> for example, user is able to push chars in tty buffer, logout, and let
> the root process eat the controlled input.
>
> alternative way (and more secure in this context) is to use ssh(1). But
> note it needs additional configuration. ssh(1) will allocate a new
> pty(4) device for the user.
>
> # tty
> /dev/ttypa
> # ssh user@localhost
> Last login: ...
> OpenBSD 6.0-current ...
> ...
>
> $ tty
> /dev/ttypb
>
> Regards.
> --
> Sebastien Marie
Alternatively, you can run a command as a specific user without tty
using batch(1) or at(1).
# echo su otto -c "id; tty" | batch
The command will be executed without a controlling tty. Output will be
reported by mail.
-Otto
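As an added illustration of the "do these operations without retaining access to a tty" advice above (my own example, not code from anyone in this thread), the helper below runs a command in a fresh session with every stdio descriptor pointed at /dev/null, so the de-escalated process has no descriptor and no controlling terminal through which it could reach the caller's tty; a second function lets you verify that property from inside such a child. It assumes POSIX fork/setsid semantics; because stdout is /dev/null, the command must write its results to a file (batch(1) above solves the same problem by mailing them).

```c
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if the calling process can still open its controlling terminal, 0 if not. */
int has_controlling_tty(void)
{
	int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
	if (fd < 0)
		return 0;
	close(fd);
	return 1;
}

/* Run body(arg) in a child that sits in a new session (no controlling tty)
 * with stdin/stdout/stderr on /dev/null. Returns the child's exit status or -1. */
static int spawn_detached(int (*body)(void *), void *arg)
{
	pid_t pid = fork();
	if (pid < 0)
		return -1;
	if (pid == 0) {
		if (setsid() < 0)          /* new session: drops the inherited tty */
			_exit(125);
		int nul = open("/dev/null", O_RDWR);
		if (nul < 0)
			_exit(126);
		dup2(nul, STDIN_FILENO);   /* no descriptor left that refers to the tty */
		dup2(nul, STDOUT_FILENO);
		dup2(nul, STDERR_FILENO);
		if (nul > STDERR_FILENO)
			close(nul);
		_exit(body(arg) & 0xff);
	}
	int status;
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

static int exec_body(void *arg) { char *const *av = arg; execvp(av[0], av); return 127; }
static int tty_body(void *arg) { (void)arg; return has_controlling_tty(); }

/* Run argv[] (e.g. "su", "otto", "-c", "id > /tmp/out") detached from the tty. */
int run_detached(char *const argv[]) { return spawn_detached(exec_body, (void *)argv); }

/* 1 if a detached child can still reach /dev/tty, 0 if it cannot (the goal). */
int detached_child_has_tty(void) { return spawn_detached(tty_body, NULL); }
```

This only addresses the tty; as Theo notes, other inherited descriptors carry their own abilities and need the same scrutiny before de-escalating.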