[Bug 9401] privilege escalation with TIOCSTI ioctl from busybox su

bugzilla at busybox.net bugzilla at busybox.net
Fri Nov 4 19:37:21 UTC 2016


https://bugs.busybox.net/show_bug.cgi?id=9401

--- Comment #4 from Denys Vlasenko <vda.linux at googlemail.com> ---
(In reply to Lizzie Dixon from comment #3)

su USER -c '. SCRIPT'

where SCRIPT is:

while true; do read line; done

You can't interrupt that with ^C: the child process in a new session has no ctty,
hence ^C does not get converted to SIGINT.

util-linux 2.28's su "works around it" by intercepting SIGINT and resending it
to children. Which opens it to further complications: how to know that the child
does not exist anymore? waitpid? Heh. Try this SCRIPT:

(sleep 8; echo HELLO) &
while true; do read line; done

sh-4.3# su daemon -c '. SCRIPT' 
^C
Session terminated, killing shell... ...killed.

sh-4.3# HELLO
        ^^^^^ ???

What is this? There is still a child process which can access our tty! This is
bound to be bad. TIOCSTI is nasty, but far from the only bad thing which can be
done to a tty. E.g. it can be set to O_NONBLOCK. I just tried it. It seems to
work.

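A defensive check for the situation described in the comment above, added here as an example and not part of the original message or of busybox or util-linux: it lists processes of other users that still hold a given terminal open and reports whether O_NONBLOCK is set on that descriptor. It assumes a Linux /proc; the function names and the sample snapshot are constructed for illustration.

```python
import os

def tty_holders(snapshot, tty_path, my_uid):
    """snapshot: {pid: (uid, {fd: (target, flags)})}.
    Return sorted (pid, uid, fd, nonblocking) for every descriptor on
    tty_path that belongs to a process running under a different uid."""
    hits = []
    for pid, (uid, fds) in snapshot.items():
        if uid == my_uid:
            continue
        for fd, (target, flags) in fds.items():
            if target == tty_path:
                hits.append((pid, uid, fd, bool(flags & os.O_NONBLOCK)))
    return sorted(hits)

def read_proc(proc="/proc"):
    """Build the snapshot from a live /proc. Reading other users'
    fd directories normally requires root."""
    snap = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            uid = os.stat(f"{proc}/{name}").st_uid
            fds = {}
            for fd in os.listdir(f"{proc}/{name}/fd"):
                target = os.readlink(f"{proc}/{name}/fd/{fd}")
                with open(f"{proc}/{name}/fdinfo/{fd}") as f:
                    # fdinfo prints the open flags in octal: "flags:\t0104002"
                    flags = next((int(l.split()[1], 8) for l in f
                                  if l.startswith("flags:")), 0)
                fds[int(fd)] = (target, flags)
            snap[int(name)] = (uid, fds)
        except OSError:
            continue  # process or fd vanished, or access was denied

    return snap

# Constructed sample: root ran su, the shell was killed, a child survived.
RW, NB = os.O_RDWR, os.O_NONBLOCK
SAMPLE = {
    412: (0, {0: ("/dev/pts/3", RW | NB)}),   # root's interactive shell
    977: (1, {0: ("/dev/pts/3", RW | NB),     # leftover background child
              1: ("/dev/pts/3", RW)}),
    980: (1, {1: ("/dev/null", os.O_WRONLY)}),  # unrelated process
}

if __name__ == "__main__":
    tty = os.ttyname(0)  # raises OSError if stdin is not a terminal
    for hit in tty_holders(read_proc(), tty, os.getuid()):
        print(hit)
```

O_NONBLOCK is stored on the open file description, so when a leftover child sets it through an inherited descriptor the invoking shell's descriptor shows the same flag; the sample models that with pids 412 and 977.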

