On Sun, Oct 2, 2016 at 12:35 AM, Otto Moerbeek <[email protected]> wrote:
> On Sat, Oct 01, 2016 at 05:15:31PM -0500, Chris Bennett wrote:
>
>> On Sat, Oct 01, 2016 at 03:54:40PM -0600, Theo de Raadt wrote:
>> > Use of su, doas, or sudo -- means you EXPLICITLY want the tty to
>> > remain the same.
>> >
>> > De-escalation using these "sudo" or "doas" like tools on a tty is
>> > somewhat unsafe - it has always been unsafe - because tty's have
>> > capabilities.
>> >
>> > If you wish to be safer, do these operations without retaining access
>> > to a tty.
>> >
>> > Escalation on the other hand (user -> root) is different, because then
>> > it is clear you want to do more / everything. But de-escalation is a
>> > joke.
>> >
>> > This is just one mechanism on tty, there are others. On other
>> > descriptors there are other abilities.
>> >
>>
>> Would you mind explaining this a little bit. I don't really mean the
>> sudo/doas part.
>>
>> How to do operations without retaining access to a tty?
>>
>> What other descriptors?
>
> Well, a lot of things are possible using descriptors. Descriptors can
> refer to files, devices, sockets to name a few. So if you have an open
> descriptor to any of them...
...and it's not just actual file descriptors that provide privileged access:
even if a process closes all fds for its controlling tty, it remains the
process's controlling tty and can still be reopened via /dev/tty.

Similarly, simply being in the same session gives a process additional rights
that it wouldn't have otherwise, such as being able to use tcsetpgrp() and see
your login name via getlogin()...

Philip Guenther
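As an added illustration (not part of the thread, written for Linux), the C program below shows Philip's point and Theo's remedy side by side: a session that has closed every descriptor on its controlling terminal can still reopen it through /dev/tty, whereas a child that calls setsid() first has no terminal left to reopen. It allocates a private pseudo-terminal so it behaves the same whether or not the harness itself has a tty; the function names child_can_open_tty and run_experiment are my own.

```c
#define _GNU_SOURCE            /* posix_openpt/ptsname/TIOCSCTTY on glibc */
#include <fcntl.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a probe that optionally calls setsid() first, then tries to open /dev/tty.
 * Returns 1 if the open succeeded, 0 if it failed, -1 on error. */
static int child_can_open_tty(int detach)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* A fresh session has no controlling terminal. A real de-escalation
         * tool would switch uid/gid after this point, not before. */
        if (detach && setsid() < 0) _exit(2);
        _exit(open("/dev/tty", O_RDWR | O_NOCTTY) >= 0 ? 1 : 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

/* Make a fresh pty the controlling tty of a new session that keeps NO fd open on it,
 * then run both probes there. Returns 0 (filling the two results), -2 if no pty, -1 on error. */
int run_experiment(int *with_tty, int *after_setsid)
{
    int status, master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0) return -2;
    if (grantpt(master) < 0 || unlockpt(master) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        setsid();                                  /* new session, no ctty yet */
        int s = open(ptsname(master), O_RDWR);     /* no O_NOCTTY: pty becomes our ctty */
        if (s < 0) _exit(1);
        ioctl(s, TIOCSCTTY, 0);                    /* explicit acquire where open() is not enough */
        close(s);                                  /* no fd left, yet it is still our ctty */
        int same = child_can_open_tty(0);          /* same session: /dev/tty reopens it */
        int gone = child_can_open_tty(1);          /* after setsid(): nothing to reopen */
        _exit(same < 0 || gone < 0 ? 1 : 10 + 2 * same + gone);   /* 10..13 encode results */
    }
    waitpid(pid, &status, 0);
    close(master);
    if (!WIFEXITED(status) || WEXITSTATUS(status) < 10) return -1;
    *with_tty = (WEXITSTATUS(status) - 10) >> 1;
    *after_setsid = (WEXITSTATUS(status) - 10) & 1;
    return 0;
}
```

Expected on a normal Linux box: with_tty == 1 (the closed-fd session still reaches its terminal) and after_setsid == 0 (open("/dev/tty") fails with ENXIO once the child has its own session).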

