Re: init scripts and su
On Mon, Jul 26, 2004 at 02:53:56PM +1000, Russell Coker wrote:
> The start scripts for some daemons do "su - user" or use
> "start-stop-daemon -c" to launch the daemon, postgresql is one example.
> During the time between the daemon launch and it closing its file handles and
> calling setsid(2) (which some daemons don't do because they are buggy) any
> other code running in the same UID could take over the process via ptrace,
> fork off a child process that inherits the administrator tty, and then stuff
> characters into the keyboard buffer with ioctl(fd,TIOCSTI,&c) (*).
If this is a real problem (which it sounds like), it's not specific to
init scripts. Shouldn't it be fixed in su?
> init_su closes all file handles other than 1 and 2 (stdout and stderr). File
> handles 1 and 2 are fstat()'d, if they are regular files or pipes then they
> are left open (no attack is possible through a file or pipe)
In principle any resource leaked to the target uid is a potential
threat. The question is whether it can be blocked without breaking
intentional "leakage", e.g. echo ... | su - nobody .... I think your
point is that a tty is usually dangerous and unnecessary leakage, and
thus should be blocked.
Maybe your changes should happen in su by default, with a --leak-tty
option if you want to keep the terminal.
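As an added illustration of the descriptor hygiene described for init_su (this is my sketch, not Russell's init_su or su's own code): keep a standard descriptor only if fstat() reports a regular file or pipe, point anything else at /dev/null, and close every descriptor above 2 before the uid change. The socketpair in the demo function is a constructed stand-in for a leaked tty, since a tty is not always available where this runs; the function names are my own.

```c
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Classify a descriptor before it crosses a uid boundary:
 * 1 = regular file or pipe (kept, as init_su does), 0 = anything else
 * (tty, socket, device: replaced), -1 = not an open descriptor. */
int fd_is_safe_to_keep(int fd) {
    struct stat st;
    if (fstat(fd, &st) < 0) return -1;
    return (S_ISREG(st.st_mode) || S_ISFIFO(st.st_mode)) ? 1 : 0;
}

/* Redirect fd to /dev/null unless it is safe to keep. Returns 0 on success. */
int sanitize_fd(int fd) {
    if (fd_is_safe_to_keep(fd) == 1) return 0;
    int nul = open("/dev/null", O_RDWR);
    if (nul < 0) return -1;
    /* If fd was closed, open() may already have handed us fd itself. */
    int rc = (nul == fd) ? 0 : dup2(nul, fd);
    if (nul != fd) close(nul);
    return rc < 0 ? -1 : 0;
}

/* Sanitize 0..2 and close every higher descriptor; call this right before
 * the setuid()/exec() of the daemon so no tty or stray handle reaches it. */
int sanitize_all_fds(void) {
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0) maxfd = 1024;          /* conservative fallback */
    for (int fd = 0; fd <= 2; fd++)
        if (sanitize_fd(fd) < 0) return -1;
    for (long fd = 3; fd < maxfd; fd++) close((int)fd);
    return 0;
}

/* Constructed check: a socketpair stands in for a leaked tty. Returns 1 if
 * the end we sanitize was classified unsafe and afterwards refers to a
 * character device (/dev/null), 0 otherwise. */
int demo_socket_replaced(void) {
    int sv[2];
    struct stat st;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    int before = fd_is_safe_to_keep(sv[0]);
    int ok = before == 0 && sanitize_fd(sv[0]) == 0
             && fstat(sv[0], &st) == 0 && S_ISCHR(st.st_mode);
    close(sv[0]); close(sv[1]);
    return ok;
}
```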