Avoid falling prey to tiocsti#1660
Conversation
We've long known (see https://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/ and https://jdebp.uk/FGA/dont-abuse-su-for-dropping-privileges.html) that su should be used to gain but not drop privilege. Much more recently, linux added the ability to prevent TIOCSTI through a configurable /proc/sys/dev/tty/legacy_tiocsti setting. If /proc/sys/dev/tty/legacy_tiocsti is set to 0, then we are protected from the callee injecting commands on caller's tty through TIOCSTI. If it's 1, or doesn't exist, then we are not. That can be dangerous if caller is root. We currently give up the controlling terminal for non-interactive uses of su (-c). Let's do that for interactive calls as well, only in the dangerous case.
| /* | ||
| * See the following kernel commit: | ||
| * commit 83efeeeb3d04b22aaed1df99bc70a48fe9d22c4d | ||
| * Author: Kees Cook <kees@kernel.org> | ||
| * Date: Sat Oct 22 11:29:49 2022 -0700 | ||
| * Subject: tty: Allow TIOCSTI to be disabled | ||
| */ |
There was a problem hiding this comment.
How about compacting that?:
// See linux.git 83efeeeb3d04 (2022-10-22; "tty: Allow TIOCSTI to be disabled")| * Date: Sat Oct 22 11:29:49 2022 -0700 | ||
| * Subject: tty: Allow TIOCSTI to be disabled | ||
| */ | ||
| static bool legacy_tiocsti_is_disabled(void) { |
There was a problem hiding this comment.
Please move the brace to a new line (and optionally the type, but at least the brace).
| if (ret == NULL) | ||
| return false; | ||
|
|
||
| return buf[0] == '0'; |
There was a problem hiding this comment.
I'd like to avoid all direct operations on bytes of strings. The good thing about str*() functions is that you can fortify them with _FORTIFY_SOURCE, and other niceties. They're also easier to grep(1).
I suggest using one of the following alternatives:
return streq(buf, "0\n");
return !!strspn(buf, "0");There was a problem hiding this comment.
I prefer the former, because it also implicitly validates the rest of the string.
Maybe it would be interesting to validate and remove the newline explicitly separately:
if (stpspn(buf, "\n") == NULL)
return false;
return streq(buf, "0");This makes the streq() call more readable, while still validating the entire line.
We've long known (see
https://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/ and https://jdebp.uk/FGA/dont-abuse-su-for-dropping-privileges.html) that su should be used to gain but not drop privilege. Much more recently, linux added the ability to prevent TIOCSTI through a configurable /proc/sys/dev/tty/legacy_tiocsti setting.
If /proc/sys/dev/tty/legacy_tiocsti is set to 0, then we are protected from the callee injecting commands on caller's tty through TIOCSTI. If it's 1, or doesn't exist, then we are not. That can be dangerous if caller is root. We currently give up the controlling terminal for non-interactive uses of su (-c). Let's do that for interactive calls as well, only in the dangerous case.