[Bug 9401] privilege escalation with TIOCSTI ioctl from busybox su

bugzilla at busybox.net bugzilla at busybox.net
Thu Nov 3 21:23:08 UTC 2016


https://bugs.busybox.net/show_bug.cgi?id=9401

--- Comment #2 from Denys Vlasenko <vda.linux at googlemail.com> ---
(In reply to Lizzie Dixon from comment #0)

Nasty.
However, this only works interactively, when root runs "su lizzie -c ./tiocsti"
from a command line shell. This will not work from a script, when stdin is not
used for command input.

I would think root should be a little suspicious when users ask him to run
unknown scripts via "su -c SCRIPT".

The solution used by "standard" su versions is to run -c SCRIPT in a new
session, IOW: without controlling tty (because TIOCSTI then does not work). In
practice, not having controlling tty is at times a serious inconvenience.

I'm not sure it makes sense to do this: for more contrived code, we can end up
having a somewhat _less_ usable tool.

For now I added comment explaining existence of this exploit.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


More information about the busybox-cvs mailing list