Description
When a program is started via "su - user -c program", the user session can
escape to the parent session by using the TIOCSTI ioctl to push characters
into the input buffer. This allows, for example, a non-root session to push
"chmod 666 /etc/shadow" or similarly bad commands into the input buffer so
that they are executed after the session ends.
Notes
mdeslaur> sudo is also apparently vulnerable to this, so the use_pty
mdeslaur> option was added. We need to verify versions, and make sure
mdeslaur> it is actually getting honored (apparently the option wasn't
mdeslaur> working: http://www.openwall.com/lists/oss-security/2011/06/22/4)
jdstrand> sudo in 12.04 and higher has the fix for use_pty. A small patch
jdstrand> (http://www.sudo.ws/repos/sudo/rev/8d95a163dfc1) can be used to enable it
jdstrand> on Ubuntu 11.04 and 11.10.
mdeslaur> Please note that use_pty is not enabled by default in sudo, it
mdeslaur> must be specifically enabled.
sarnold> su interactive has the same problem, no fix known on 20130305
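
Added example (not part of the tracker notes, and not code from sudo or Ubuntu): a check of sudoers text for whether use_pty is actually switched on, since the notes say it must be enabled explicitly. The function name, the sample file and the "off unless set" default are assumptions of this example; it does not follow include directives and does not handle "#" or "," inside quoted values.

```python
import re

# Constructed sample sudoers content (not taken from any real system).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset, \\
         mail_badpass
Defaults use_pty
Defaults:backup !use_pty
#includedir /etc/sudoers.d
%admin ALL=(ALL) ALL
"""

# "Defaults" optionally followed, with no space, by a scope such as
# :user, @host, >runas or !command, then the parameter list.
DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<params>.+)$")


def use_pty_state(sudoers_text):
    """Return (global_enabled, scoped): the effective global use_pty setting
    and a dict mapping each scoped Defaults entry to its use_pty value."""
    # Join lines continued with a trailing backslash.
    joined = re.sub(r"\\\n", " ", sudoers_text)
    global_enabled = False  # assumption: off unless set, as the notes state
    scoped = {}
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (simplified)
        match = DEFAULTS_RE.match(line)
        if not match:
            continue
        for param in (p.strip() for p in match.group("params").split(",")):
            if param.lstrip("!").strip() != "use_pty":
                continue
            enabled = not param.startswith("!")
            if match.group("scope"):
                scoped[match.group("scope")] = enabled
            else:
                global_enabled = enabled  # a later line overrides an earlier one
    return global_enabled, scoped


if __name__ == "__main__":
    enabled, scoped = use_pty_state(SAMPLE_SUDOERS)
    print("global use_pty:", "on" if enabled else "OFF")
    for scope, value in scoped.items():
        if not value:
            print("use_pty disabled for Defaults" + scope)
```

A scoped "!use_pty" entry leaves that user, host or command on the caller's terminal even when the global setting is on, so both return values need reviewing.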