Avoid falling prey to tiocsti#1660
Open
hallyn wants to merge 1 commit into
Open
Conversation
We've long known (see https://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/ and https://jdebp.uk/FGA/dont-abuse-su-for-dropping-privileges.html) that su should be used to gain but not drop privilege. Much more recently, linux added the ability to prevent TIOCSTI through a configurable /proc/sys/dev/tty/legacy_tiocsti setting. If /proc/sys/dev/tty/legacy_tiocsti is set to 0, then we are protected from the callee injecting commands on caller's tty through TIOCSTI. If it's 1, or doesn't exist, then we are not. That can be dangerous if caller is root. We currently give up the controlling terminal for non-interactive uses of su (-c). Let's do that for interactive calls as well, only in the dangerous case.
Comment on lines
+1000
to
+1006
| /* | ||
| * See the following kernel commit: | ||
| * commit 83efeeeb3d04b22aaed1df99bc70a48fe9d22c4d | ||
| * Author: Kees Cook <kees@kernel.org> | ||
| * Date: Sat Oct 22 11:29:49 2022 -0700 | ||
| * Subject: tty: Allow TIOCSTI to be disabled | ||
| */ |
Collaborator
There was a problem hiding this comment.
How about compacting that?:
// See kernel.git 83efeeeb3d04 (2022-10-22; "tty: Allow TIOCSTI to be disabled")| * Date: Sat Oct 22 11:29:49 2022 -0700 | ||
| * Subject: tty: Allow TIOCSTI to be disabled | ||
| */ | ||
| static bool legacy_tiocsti_is_disabled(void) { |
Collaborator
There was a problem hiding this comment.
Please move the brace to a new line (and optionally the type, but at least the brace).
| if (ret == NULL) | ||
| return false; | ||
|
|
||
| return buf[0] == '0'; |
Collaborator
There was a problem hiding this comment.
I'd like to avoid all direct operations on bytes of strings. The good thing about str*() functions is that you can fortify them with _FORTIFY_SOURCE, and other niceties. They're also easier to grep(1).
I suggest using one of the following alternatives:
return streq(buf, "0\n");
return !!strspn(buf, "0");
Collaborator
There was a problem hiding this comment.
I prefer the former, because it also implicitly validates the rest of the string.
Maybe it would be interesting to validate and remove the newline explicitly separately:
if (stpspn(buf, "\n") == NULL)
return false;
return streq(buf, "0");This makes the streq() call more readable.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
We've long known (see
https://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/ and https://jdebp.uk/FGA/dont-abuse-su-for-dropping-privileges.html) that su should be used to gain but not drop privilege. Much more recently, linux added the ability to prevent TIOCSTI through a configurable /proc/sys/dev/tty/legacy_tiocsti setting.
If /proc/sys/dev/tty/legacy_tiocsti is set to 0, then we are protected from the callee injecting commands on caller's tty through TIOCSTI. If it's 1, or doesn't exist, then we are not. That can be dangerous if caller is root. We currently give up the controlling terminal for non-interactive uses of su (-c). Let's do that for interactive calls as well, only in the dangerous case.