Skip to content

Avoid falling prey to tiocsti#1660

Merged
hallyn merged 1 commit into
shadow-maint:masterfrom
hallyn:shadow.tiocsti
Jul 8, 2026
Merged

Avoid falling prey to tiocsti#1660
hallyn merged 1 commit into
shadow-maint:masterfrom
hallyn:shadow.tiocsti

Conversation

@hallyn

@hallyn hallyn commented Jun 24, 2026

Copy link
Copy Markdown
Member

We've long known (see
https://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/ and https://jdebp.uk/FGA/dont-abuse-su-for-dropping-privileges.html) that su should be used to gain but not drop privilege. Much more recently, linux added the ability to prevent TIOCSTI through a configurable /proc/sys/dev/tty/legacy_tiocsti setting.

If /proc/sys/dev/tty/legacy_tiocsti is set to 0, then we are protected from the callee injecting commands on caller's tty through TIOCSTI. If it's 1, or doesn't exist, then we are not. That can be dangerous if caller is root. We currently give up the controlling terminal for non-interactive uses of su (-c). Let's do that for interactive calls as well, only in the dangerous case.

@hallyn hallyn requested a review from alejandro-colomar June 24, 2026 14:31
Comment thread src/su.c Outdated
Comment thread src/su.c Outdated
Comment thread src/su.c Outdated
Comment thread src/su.c Outdated
Comment thread src/su.c Outdated
Comment thread src/su.c Outdated
Comment thread src/su.c
We've long known (see
https://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/
and https://jdebp.uk/FGA/dont-abuse-su-for-dropping-privileges.html)
that su should be used to gain but not drop privilege.  Much more
recently, linux added the ability to prevent TIOCSTI through a
configurable /proc/sys/dev/tty/legacy_tiocsti setting.

If /proc/sys/dev/tty/legacy_tiocsti is set to 0, then we are protected
from the callee injecting commands on caller's tty through TIOCSTI.
If it's 1, or doesn't exist, then we are not.  That can be dangerous
if caller is root.  We currently give up the controlling terminal
for non-interactive uses of su (-c).  Let's do that for interactive
calls as well, only in the dangerous case.

@alejandro-colomar alejandro-colomar left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed-by: Alejandro Colomar <alx@kernel.org>

@hallyn hallyn merged commit f384b3d into shadow-maint:master Jul 8, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants