This seems to be a major clusterfuck. Looking at the sudoers man page, it spends some time explaining how use_pty prevents a dangerous attack, just to then say: “This flag is off by default.” Which of course leaves the question: WHY? You know you have a major security vulnerability, you have a mitigation in place, and it is “off by default”?
For su the same applies, though you cannot even set this in a config file.
This is a great example why it’s not a good idea to do things like write your own sudo by yourself (unless you’re just doing it for kicks and giggles). Security is hard. There are just too many random edge cases in our operating systems for one lone brain to consider.
Oh don’t get me wrong, I totally agree we could benefit from a new sudo that’s less complex, has better defaults, and is written in a memory-safe language. I’m just saying that doing so alone without the support of other experts seems like a bad idea.
3 years ago OpenBSD entirely removed TIOCSTI[2], Android has had it filtered for longer[3], and the tools that
had historically used TIOCSTI either do not need it, are not commonly built with it, or have had its use removed.
[river@river Downloads]$ su
Password:
[root@river Downloads]# su river
[river@river Downloads]$ python inj.py id
Traceback (most recent call last):
File "/home/river/Downloads/inj.py", line 11, in <module>
fcntl.ioctl(0, termios.TIOCSTI, char)
OSError: [Errno 5] Input/output error
[1]+ Stopped su river
That is how it looks for me on a kernel 6.2 with the option mentioned in the post disabled. However that is very bleeding edge. On what system are you?
Ok, this surprised me…
This seems to be a major clusterfuck. Looking at the sudoers man page, it spends some time explaining how use_pty prevents a dangerous attack, just to then say: “This flag is off by default.” Which of course leaves the question: WHY? You know you have a major security vulnerability, you have a mitigation in place, and it is “off by default”?
For su the same applies, though you cannot even set this in a config file.
On Debian,
use_ptyis enabled by default in the shipped configuration file. This is quite recent (added two years ago).Isn’t it off by default to protect non-interactive sessions from wonky output? At least that’s the message I get from the linked article.
“Wonky output” vs. “major security vulnerability”: Choose your priorities.
This is a great example why it’s not a good idea to do things like write your own sudo by yourself (unless you’re just doing it for kicks and giggles). Security is hard. There are just too many random edge cases in our operating systems for one lone brain to consider.
I mean… yes, but the original sudo seems vulnerable, it has an optional protection, and that is off by default.
It appears sudo itself does everything wrong here.
Oh don’t get me wrong, I totally agree we could benefit from a new sudo that’s less complex, has better defaults, and is written in a memory-safe language. I’m just saying that doing so alone without the support of other experts seems like a bad idea.
this particular bug has nothing to do with memory-safety
So… which operating systems protect against this by default? I’m hoping at least some do…
The Linux kernel commit linked on the post mentions at least this:
what am i doing wrong?
That is how it looks for me on a kernel 6.2 with the option mentioned in the post disabled. However that is very bleeding edge. On what system are you?
I use arch linux
Do you have a
dev.tty.legacy_tiocstisysctl?