-
Notifications
You must be signed in to change notification settings - Fork 274
Avoid falling prey to tiocsti #1660
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -56,6 +56,7 @@ | |
| #ifdef USE_PAM | ||
| #include "pam_defs.h" | ||
| #endif /* USE_PAM */ | ||
| #include "io/fgets/fgets.h" | ||
| #include "pwauth.h" | ||
| #include "prototypes.h" | ||
| #include "shadowlog.h" | ||
|
|
@@ -996,6 +997,29 @@ static void set_environment (struct passwd *pw) | |
|
|
||
| } | ||
|
|
||
| /* | ||
| * See the following kernel commit: | ||
| * commit 83efeeeb3d04b22aaed1df99bc70a48fe9d22c4d | ||
| * Author: Kees Cook <kees@kernel.org> | ||
| * Date: Sat Oct 22 11:29:49 2022 -0700 | ||
| * Subject: tty: Allow TIOCSTI to be disabled | ||
| */ | ||
| static bool legacy_tiocsti_is_disabled(void) { | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please move the brace to a new line (and optionally the type, but at least the brace). |
||
| char buf[3]; | ||
|
alejandro-colomar marked this conversation as resolved.
|
||
| FILE *fp; | ||
| void *ret; | ||
|
|
||
| fp = fopen("/proc/sys/dev/tty/legacy_tiocsti", "r"); | ||
| if (NULL == fp) | ||
| return false; | ||
| ret = fgets_a(buf, fp); | ||
| fclose(fp); | ||
| if (ret == NULL) | ||
| return false; | ||
|
|
||
| return buf[0] == '0'; | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'd like to avoid all direct operations on bytes of strings. The good thing about str*() functions is that you can fortify them with _FORTIFY_SOURCE, and other niceties. They're also easier to grep(1). I suggest using one of the following alternatives: return streq(buf, "0\n");
return !!strspn(buf, "0");
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I prefer the former, because it also implicitly validates the rest of the string. Maybe it would be interesting to validate and remove the newline explicitly separately: if (stpspn(buf, "\n") == NULL)
return false;
return streq(buf, "0");This makes the streq() call more readable, while still validating the entire line. |
||
| } | ||
|
|
||
| /* | ||
| * su - switch user id | ||
| * | ||
|
|
@@ -1010,6 +1034,7 @@ int main (int argc, char **argv) | |
| { | ||
| const char *cp; | ||
| struct passwd *pw = NULL; | ||
| bool need_pty_prot; | ||
|
|
||
| #ifdef USE_PAM | ||
| int ret; | ||
|
|
@@ -1023,6 +1048,8 @@ int main (int argc, char **argv) | |
|
|
||
| save_caller_context(); | ||
|
|
||
| need_pty_prot = caller_is_root && !legacy_tiocsti_is_disabled(); | ||
|
|
||
| OPENLOG (Prog); | ||
|
|
||
| process_flags (argc, argv); | ||
|
|
@@ -1152,7 +1179,7 @@ int main (int argc, char **argv) | |
|
|
||
| set_environment (pw); | ||
|
|
||
| if (!doshell) { | ||
| if (!doshell || need_pty_prot) { | ||
| /* There is no need for a controlling terminal. | ||
| * This avoids the callee to inject commands on | ||
| * the caller's tty. */ | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about compacting that?:
// See linux.git 83efeeeb3d04 (2022-10-22; "tty: Allow TIOCSTI to be disabled")