Re: init scripts and su

2004-08-25 Thread Jan Minar
Hi all! Has anyone made any progress in solving the su/sudo/super TIOCSTI ioctl vulnerability? -- Jan

Re: init scripts and su

2004-08-01 Thread Jan Minar
msg.pgp Description: PGP message

Re: init scripts and su

2004-08-01 Thread Andrew Pimlott
On Sun, Aug 01, 2004 at 08:24:29PM +0200, Jan Minar wrote: On Wed, Jul 28, 2004 at 04:54:35AM -0400, Andrew Pimlott wrote: I verified that if I su - andrew bash as root, then andrew can write to root's terminal, even after bash exits (just hold the fd open). Did You use

su/sudo arbitrary character injection in keyboard buffer [Was: init scripts and su]

2004-07-31 Thread Jan Minar
Hi. I've filed bugs against su (package `login') and sudo. I've made a simple proof-of-concept program (attached). Despite what has been said earlier, it can ioctl(0,TIOCSTI,c), even after fork(). It's important to realize that the actual mechanism of making the ioctl()s happen is not as

Re: init scripts and su

2004-07-28 Thread Russell Coker
On Tue, 27 Jul 2004 07:48, Andrew Pimlott [EMAIL PROTECTED] wrote: During the time between the daemon launch and it closing its file handles and calling setsid(2) (which some daemons don't do because they are buggy) any other code running in the same UID could take over the process via

Re: init scripts and su

2004-07-28 Thread Andrew Pimlott
On Wed, Jul 28, 2004 at 04:56:20PM +1000, Russell Coker wrote: On Tue, 27 Jul 2004 07:48, Andrew Pimlott [EMAIL PROTECTED] wrote: If this is a real problem (which it sounds like), it's not specific to init scripts. Shouldn't it be fixed in su? Ideally yes. But that involves proxying all

Re: init scripts and su

2004-07-28 Thread Giacomo A. Catenazzi
Russell Coker wrote: On Tue, 27 Jul 2004 07:48, Andrew Pimlott [EMAIL PROTECTED] wrote: Maybe your changes should happen in su by default, with a --leak-tty option if you want to keep the terminal. I can't imagine us changing the way su works by default. The only way to make su user not have

Re: init scripts and su

2004-07-26 Thread Andrew Pimlott
On Mon, Jul 26, 2004 at 02:53:56PM +1000, Russell Coker wrote: The start scripts for some daemons do su - user or use start-stop-daemon -c to launch the daemon, postgresql is one example. During the time between the daemon launch and it closing its file handles and calling setsid(2) (which

init scripts and su

2004-07-25 Thread Russell Coker
The start scripts for some daemons do su - user or use start-stop-daemon -c to launch the daemon, postgresql is one example. During the time between the daemon launch and it closing its file handles and calling setsid(2) (which some daemons don't do because they are buggy) any other code