
Re: su - user question



On Sun, Jan 20, 2002 at 02:45:53PM +1300, Adam Warner wrote:
> Can anyone provide a plausible scenario for how someone might be able to
> gain root level access because su - has been used to switch to a user
> account. Martin has already answered that your tty session would have to
> be stolen. How can you steal a tty session using only remote means?

The only thing I can think of off-hand is the old "tty bomb" approach -
because you're running as the user at that point, your /dev/tty will likely
have appropriate perms for the user to write to it, and they could
conceivably send you escape sequences that may trigger strange behaviour
at your client end.  There used to be a sequence that'd trigger the
execution of arbitrary commands in ansi terminals - that's been closed,
but it flags one possible spot, I guess.

Alternately, the user may be able to write spurious info to your terminal.
That in itself could cause you to behave differently, although whether it
could be leveraged to root-level access or not is something else altogether.

Finally, "su -" will execute the user's own profile - which means you're
executing user-controlled scripts, which may do interesting things like
set up something to intercept and log keypresses etc.  At the very least,
su without the - is probably called for if you mistrust the user.

KJL
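
A defensive illustration of the escape-sequence concern raised in the reply above, added here and not part of the original post: before displaying user-controlled bytes in a privileged session, render control characters visibly so the terminal never interprets them. The function names and the sample bytes are constructed for this example.

```python
import re

# C0 controls except tab and newline, DEL, and the C1 range (U+0080-U+009F),
# which some terminals accept as 8-bit equivalents of ESC-prefixed sequences.
_CTRL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def _visible(match):
    cp = ord(match.group())
    if cp == 0x7F:
        return "^?"
    if cp < 0x20:
        return "^" + chr(cp + 0x40)   # ESC -> ^[, BEL -> ^G, CR -> ^M
    return "\\u%04x" % cp             # C1 control that decoded from valid UTF-8


def neutralise(raw: bytes) -> str:
    """Return text that is safe to print: no byte reaches the tty as a control."""
    # Invalid UTF-8 (for example a bare 0x9b) becomes a literal \x9b marker
    # instead of being passed through to the terminal.
    text = raw.decode("utf-8", errors="backslashreplace")
    return _CTRL.sub(_visible, text)


def introducers(raw: bytes) -> dict:
    """Count ESC-introduced CSI and OSC sequences, as a quick triage signal."""
    return {"CSI": raw.count(b"\x1b["), "OSC": raw.count(b"\x1b]")}


# Constructed sample: a title-setting OSC, a screen clear, colour changes,
# a legitimate non-ASCII character, a bare 8-bit CSI byte and a CR.
SAMPLE = (b"motd: hello\n\x1b]0;fake title\x07\x1b[2J"
          b"\x1b[31mred\x1b[0m \xc3\xa9 \x9b1m\r\n")

if __name__ == "__main__":
    print(introducers(SAMPLE))
    print(neutralise(SAMPLE), end="")
```
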


