Re: "su -" and "su" - what is the real difference?

To: debian-security@lists.debian.org
Subject: Re: "su -" and "su" - what is the real difference?
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: Thu, 10 Aug 2006 14:17:46 +0200
Message-id: <[🔎] 8764h0iy39.fsf@informatik.uni-tuebingen.de>
In-reply-to: <[🔎] 877j1gby2q.fsf@florent.maison> (Florent Rougon's message of "Thu, 10 Aug 2006 13:59:57 +0200")
References: <200607281558.04659.leva@az.isten.hu> <ceb0ad00607280704q1c822fack6818c32eb39020df@mail.gmail.com> <873bcl93xu.fsf@florent.maison> <[🔎] 877j1gby2q.fsf@florent.maison>

Florent Rougon <f.rougon@free.fr> writes:

> Florent Rougon <f.rougon@free.fr> wrote:
>
>> Is it possible for a malicious su wrapper to:
>>
>>   1. record root's password (of course, yes);
>>
>>   2. *and then* feed this password to the real "su".
>>
>> I suspect the real "su" empties the stdin buffer (or something like
>> that) to avoid such attacks, but would be glad to hear a confirmation
>> from people who know better.
>
> OK, answering my own question. su has the following code:
>
>     if (isatty (0) && (cp = ttyname (0))) {

For this to succeed the stdin must be a terminal. But nothing stops
you from using a pseudo terminal (pty).

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: "su -" and "su" - what is the real difference?
  - From: Florent Rougon <f.rougon@free.fr>

References:
- Re: "su -" and "su" - what is the real difference?
  - From: Florent Rougon <f.rougon@free.fr>

Prev by Date: Re: "su -" and "su" - what is the real difference?
Next by Date: Re: [SECURITY] [DSA 1134-1] New Mozilla Thunderbird packages fix several vulnerabilities
Previous by thread: Re: "su -" and "su" - what is the real difference?
Next by thread: Re: "su -" and "su" - what is the real difference?
Index(es):
- Date
- Thread