* su: calling setsid() for -c only if non-root user?
@ 2012-06-06 11:50 Bernhard Voelker
2012-06-06 12:41 ` Ludwig Nussel
0 siblings, 1 reply; 3+ messages in thread
From: Bernhard Voelker @ 2012-06-06 11:50 UTC (permalink / raw)
To: util-linux@vger.kernel.org
I am playing around with the --command and --session-command options of su,
and I noticed that setsid() is only called iff a non-root new_user is given:
if (request_same_session || !command || !pw->pw_uid)
same_session = 1;
...
if (!same_session)
setsid ();
Why is the setsid() call dependent on the user?
The commit and the bug behind it don't give an answer
(c6a1746b5f5247b2fccaf5c7f68da3852a02e4fc):
call setsid() when called with -c
Prevents command injection via TIOCSTI
https://bugzilla.redhat.com/show_bug.cgi?id=173008
Have a nice day,
Berny
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: su: calling setsid() for -c only if non-root user?
2012-06-06 11:50 su: calling setsid() for -c only if non-root user? Bernhard Voelker
@ 2012-06-06 12:41 ` Ludwig Nussel
2012-06-06 13:07 ` Bernhard Voelker
0 siblings, 1 reply; 3+ messages in thread
From: Ludwig Nussel @ 2012-06-06 12:41 UTC (permalink / raw)
To: Bernhard Voelker; +Cc: util-linux@vger.kernel.org
Bernhard Voelker wrote:
> I am playing around with the --command and --session-command options of su,
> and I noticed that setsid() is only called iff a non-root new_user is given:
> [...]
> Why is the setsid() call dependent on the user?
First of all, this is a really nasty (mis-)feature. Introduced due to
abuse of su for things it shouldn't be used for in the first place.
The attack scenario are e.g. package %post scripts that execute commands
on behalf of some unprivileged daemon user. If such an account got
compromised the attacker might escalate privileges to root e.g. when
root installs updates for the daemon in question.
setsid() prevents injecting characters into the tty input buffer of root
in this case.
This kind of attack doesn't make sense if the target user is root as
that would mean the root account is compromised already.
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: su: calling setsid() for -c only if non-root user?
2012-06-06 12:41 ` Ludwig Nussel
@ 2012-06-06 13:07 ` Bernhard Voelker
0 siblings, 0 replies; 3+ messages in thread
From: Bernhard Voelker @ 2012-06-06 13:07 UTC (permalink / raw)
To: Ludwig Nussel; +Cc: util-linux@vger.kernel.org
On 06/06/2012 02:41 PM, Ludwig Nussel wrote:
> Bernhard Voelker wrote:
>> I am playing around with the --command and --session-command options of su,
>> and I noticed that setsid() is only called iff a non-root new_user is given:
>> [...]
>> Why is the setsid() call dependent on the user?
>
> First of all, this is a really nasty (mis-)feature. Introduced due to
> abuse of su for things it shouldn't be used for in the first place.
> The attack scenario are e.g. package %post scripts that execute commands
> on behalf of some unprivileged daemon user. If such an account got
> compromised the attacker might escalate privileges to root e.g. when
> root installs updates for the daemon in question.
> setsid() prevents injecting characters into the tty input buffer of root
> in this case.
> This kind of attack doesn't make sense if the target user is root as
> that would mean the root account is compromised already.
Thanks for the fast explanation.
Have a nice day,
Berny
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-06-06 13:07 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-06-06 11:50 su: calling setsid() for -c only if non-root user? Bernhard Voelker
2012-06-06 12:41 ` Ludwig Nussel
2012-06-06 13:07 ` Bernhard Voelker
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox