On 2016-10-02 18:14, Chris Bennett wrote:
> On Sun, Oct 02, 2016 at 01:03:28AM -0700, Philip Guenther wrote:
> > On Sun, Oct 2, 2016 at 12:35 AM, Otto Moerbeek <[email protected]> wrote:
> > > On Sat, Oct 01, 2016 at 05:15:31PM -0500, Chris Bennett wrote:
> > >
> > >> On Sat, Oct 01, 2016 at 03:54:40PM -0600, Theo de Raadt wrote:
> > >> > Use of su, doas, or sudo -- means you EXPLICITLY want the tty to
> > >> > remain the same.
> > >> >
> > >> > De-escalation using these "sudo" or "doas" like tools on a tty is
> > >> > somewhat unsafe - it has always been unsafe - because tty's have
> > >> > capabilities.
> > >> >
> > >> > If you wish to be safer, do these operations without retaining access
> > >> > to a tty.
> > >> >
> > >> > Escalation on the other hand (user -> root) is different, because then
> > >> > it is clear you want to do more / everything.  But de-escalation is a
> > >> > joke.
> > >> >
> > >> > This is just one mechanism on tty, there are others.  On other
> > >> > descriptors there are other abilities.
> > >> >
> > >>
> > >> Would you mind explaining this a little bit. I don't really mean the
> > >> sudo/doas part.
> > >>
> > >> How to do operations without retaining access to a tty?
> > >>
> > >> What other descriptors?
> > >
> > > Well, a lot of things are possible using descriptors. Descriptors can
> > > refer to files, devices, sockets to name a few. So if you have an open
> > > descriptor to any of them...
> >
> > ...and it's not just actual file descriptors that provide privileged
> > access: even if a process closes all fds for its controlling tty, it
> > remains the process's controlling tty and can still be reopened via
> > /dev/tty.  Similarly, simply being in the same session gives a process
> > additional rights that it wouldn't have otherwise, such as being able
> > to use tcsetpgrp() and see your login name via getlogin()...
>
> So fork, as used in daemon, does mitigate this, as long as it is used correctly?
> Or do the same/other problems continue?
>
> Chris Bennett

Doing "su" or "chroot" (symmetric with respect to this risk) is sometimes very convenient, as it can be done without external configuration as would be needed for ssh.

Would it be possible to cut the risk (file descriptors) while still outputting to the same terminal, ssh without ssh?
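To make the /dev/tty point above concrete, here is an added demonstration in C (not code from the thread): a child process closes fds 0-2 and checks whether it can still reopen /dev/tty, then calls setsid() to leave the session and checks again. It assumes a POSIX system; the first check only reports "openable" when the program is started from an interactive terminal, while the second should always fail (ENXIO) because a new session has no controlling tty.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the caller can reopen its controlling tty via /dev/tty,
 * 0 if it has none (the open then fails, typically with ENXIO). */
int can_open_dev_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Fork a child that closes fds 0-2 (so no descriptor to the tty remains),
 * probes /dev/tty, then calls setsid() and probes again. The result comes
 * back as the child's exit status:
 *   bit 0 set: /dev/tty still openable after closing 0-2 (same session)
 *   bit 1 set: /dev/tty openable after setsid() (expected to be clear)
 * Returns that status byte, 0xff if setsid() failed, or -1 on error. */
int probe_tty_after_detach(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int status = 0;
        close(0); close(1); close(2);
        if (can_open_dev_tty())
            status |= 1;
        if (setsid() < 0)        /* child is never a group leader here */
            _exit(0xff);
        if (can_open_dev_tty())
            status |= 2;
        _exit(status);
    }
    int wstatus;
    if (waitpid(pid, &wstatus, 0) < 0 || !WIFEXITED(wstatus))
        return -1;
    return WEXITSTATUS(wstatus);
}

int main(void)
{
    int r = probe_tty_after_detach();
    if (r < 0 || r == 0xff)
        return 1;
    printf("fds 0-2 closed, same session: /dev/tty %s\n", (r & 1) ? "openable" : "not openable");
    printf("after setsid():               /dev/tty %s\n", (r & 2) ? "openable" : "not openable");
    return 0;
}
```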
