[Bug 9401] privilege escalation with TIOCSTI ioctl from busybox su

bugzilla at busybox.net bugzilla at busybox.net
Fri Nov 4 19:37:21 UTC 2016


--- Comment #4 from Denys Vlasenko <vda.linux at googlemail.com> ---
(In reply to Lizzie Dixon from comment #3)

su USER -c '. SCRIPT'

where SCRIPT is:

while true; do read line; done

You can't interrupt that with ^C: the child process in new session has no ctty,
hence ^C does not get converted to SIGINT.

util-linux 2.28's su "works around it" by intercepting SIGINT and resending it
to children. Which opens it to further complications: how to know that child
does not exist anymore? waitpid? Heh. Try this SCRIPT:

(sleep 8; echo HELLO) &
while true; do read line; done

sh-4.3# su daemon -c '. SCRIPT' 
Session terminated, killing shell... ...killed.

sh-4.3# HELLO
        ^^^^^ ???

What is this? There is still child process which can access our tty! This is
bound to be bad. TIOCSTI is nasty, but far from the only bad thing which can be
done to a tty. E.g. it can be set to O_NONBLOCK. I just tried it. It seems to
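
Added example (not part of the original comment, and not busybox or util-linux code): a C probe for the two points made above. After setsid() the child has no controlling tty, yet it keeps the inherited descriptor, and an O_NONBLOCK it sets there reaches the parent because both share one open file description. The names probe_inherited_fd and struct result are made up for this example.

```c
/* Added example; not busybox or util-linux code. Names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct result {
    int child_has_ctty;       /* 1 if the child could open /dev/tty after setsid() */
    int parent_sees_nonblock; /* 1 if the child's O_NONBLOCK shows on the parent's fd */
};

/* Fork a child that starts a new session, checks for a controlling tty and
 * sets O_NONBLOCK on the inherited descriptor fd. The parent then inspects
 * its own copy of fd. Returns 0 on success, -1 on error. */
int probe_inherited_fd(int fd, struct result *r)
{
    int before = fcntl(fd, F_GETFL);
    if (before < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setsid() < 0) _exit(2);                  /* new session: ctty is dropped */
        int t = open("/dev/tty", O_RDWR | O_NOCTTY); /* fails without a ctty */
        if (fcntl(fd, F_SETFL, before | O_NONBLOCK) < 0) _exit(2);
        _exit(t >= 0 ? 1 : 0);
    }
    int ws;
    if (waitpid(pid, &ws, 0) < 0 || !WIFEXITED(ws) || WEXITSTATUS(ws) > 1) return -1;
    int after = fcntl(fd, F_GETFL);
    if (after < 0) return -1;
    r->child_has_ctty = WEXITSTATUS(ws);
    r->parent_sees_nonblock = !(before & O_NONBLOCK) && (after & O_NONBLOCK);
    fcntl(fd, F_SETFL, before);                      /* undo the child's change */
    return 0;
}

int main(void)
{
    struct result r;
    if (probe_inherited_fd(STDIN_FILENO, &r) != 0) { perror("probe"); return 1; }
    printf("child has ctty after setsid(): %s\n", r.child_has_ctty ? "yes" : "no");
    printf("child's O_NONBLOCK seen by parent: %s\n", r.parent_sees_nonblock ? "yes" : "no");
    return 0;
}
```

Run from an interactive shell, the probe uses the terminal on stdin; the flag is restored before it returns.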
