
Re: init scripts and su



On Mon, Jul 26, 2004 at 02:53:56PM +1000, Russell Coker wrote:
> The start scripts for some daemons do "su - user" or use
> "start-stop-daemon -c" to launch the daemon, postgresql is one example.
> 
> During the time between the daemon launch and it closing its file handles and 
> calling setsid(2) (which some daemons don't do because they are buggy) any 
> other code running in the same UID could take over the process via ptrace, 
> fork off a child process that inherits the administrator tty, and then stuff 
> characters into the keyboard buffer with ioctl(fd,TIOCSTI,&c) (*).

If this is a real problem (which it sounds like), it's not specific to
init scripts.  Shouldn't it be fixed in su?

> init_su closes all file handles other than 1 and 2 (stdout and stderr).  File
> handles 1 and 2 are fstat()'d, if they are regular files or pipes then they
> are left open (no attack is possible through a file or pipe)

In principle any resource leaked to the target uid is a potential
threat.  The question is whether it can be blocked without breaking
intentional "leakage", e.g. echo ... | su - nobody ....  I think your
point is that a tty is usually dangerous and unnecessary leakage, and
thus should be blocked.

Maybe your changes should happen in su by default, with a --leak-tty
option if you want to keep the terminal.

Andrew
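As an added illustration of the descriptor policy Russell describes (close everything, keep stdout/stderr only when they are a regular file or a pipe, and detach from the terminal), here is a small C sketch of that mitigation. This is example code written for this page, not init_su's or su's own source; the function names (fd_is_safe_to_inherit, close_fds_range, neutralise_std_fd, scrub_inherited_state) are hypothetical, and the fstat-based check is the one the thread mentions.

```c
/*
 * Added example: scrub inherited descriptors before exec'ing a daemon under
 * another UID, in the spirit of the init_su behaviour described in the thread.
 * Not init_su's or su's code; all function names here are hypothetical.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fd is a regular file or a pipe/FIFO (harmless to inherit, as
 * the thread argues), 0 for ttys, sockets, devices, or a closed descriptor. */
int fd_is_safe_to_inherit(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;                 /* EBADF or similar: treat as unsafe */
    return S_ISREG(st.st_mode) || S_ISFIFO(st.st_mode);
}

/* Close every descriptor in [lowfd, highfd].  Returns how many were open. */
int close_fds_range(int lowfd, int highfd)
{
    int closed = 0;
    for (int fd = lowfd; fd <= highfd; fd++)
        if (close(fd) == 0)
            closed++;
    return closed;
}

/* Replace fd with /dev/null unless it is safe to inherit.
 * Returns 0 if kept, 1 if replaced, -1 on error. */
int neutralise_std_fd(int fd)
{
    if (fd_is_safe_to_inherit(fd))
        return 0;
    int devnull = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
    if (devnull < 0)
        return -1;
    int rc = (dup2(devnull, fd) < 0) ? -1 : 1;
    if (devnull != fd)            /* open() may already have landed on fd */
        close(devnull);
    return rc;
}

/* Full scrub for a freshly forked child, before setuid()/exec().
 * stdin is treated like stdout/stderr so "echo ... | su - user" still works.
 * setsid() drops the controlling tty; it only succeeds in a non-leader
 * process, which is why this belongs after fork().  Returns 0 on success. */
int scrub_inherited_state(void)
{
    for (int fd = 0; fd <= 2; fd++)
        if (neutralise_std_fd(fd) < 0)
            return -1;
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0)
        maxfd = 1024;             /* conservative fallback */
    close_fds_range(3, (int)maxfd - 1);
    if (setsid() < 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Demonstration only: report which standard descriptors would survive.
     * A real launcher would fork(), call scrub_inherited_state() in the
     * child, then drop privileges and exec the daemon. */
    for (int fd = 0; fd <= 2; fd++)
        printf("fd %d safe to inherit: %d\n", fd, fd_is_safe_to_inherit(fd));
    return 0;
}
```

Note that running the scrub in the parent would fail at setsid() if the parent is already a session leader, so the fork-then-scrub ordering is part of the design rather than an optimisation.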
