Hi Ed,
On Wed, Nov 13, 2024 at 09:45:47PM +0000, Ed Neville via BitFolk Users wrote:
> Kernel < 6.1 that allows the process you sudo'd to write back to the
> user who ran the sudo when not using a pty for the process. It is fixed
> in later kernels, but is a Linux-specific thing AKA antijack.
I think the above paragraph may have unintentionally given the
impression that Debian 12 (bookworm) ships with a kernel (currently
6.1.0-27) that protects against this. However, as far as I understand
things:
- CONFIG_LEGACY_TIOCSTI option is available from kernel 6.2.something
(i.e. not in Debian 12 (bookworm))
- Even then it defaults to 'y' which means that things can still do
TIOCSTI unless you take action to disable it.
- Even then there is TIOCLINUX which can do the same bad things as
TIOCSTI.
So in summary, I believe that every program in Debian 12 (bookworm) that
doesn't use a new pty is vulnerable to having its terminal hijacked by
anything it executes, and the "use_pty" setting in sudo is still
necessary if one doesn't want to risk that. There are alternative
mitigations.
If this is not correct please let me know!
(I am aware that what you have written is compatible with my assertions
above, it's just that I think it is open to other interpretations.)
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
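An added audit helper, written for this page and not part of either message in the thread: it checks the two settings the discussion turns on, the kernel's legacy TIOCSTI knob (exposed as /proc/sys/dev/tty/legacy_tiocsti on 6.2+ kernels built with CONFIG_LEGACY_TIOCSTI) and whether /etc/sudoers enables use_pty. Both checks take a file path so they can be run against constructed files for testing as well as against the live system; the default paths are assumptions about a standard Debian layout. It does not follow sudoers @include directives, and it has nothing to say about TIOCLINUX, for which no equivalent knob is mentioned in the thread.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread). Reports whether the
# kernel blocks TIOCSTI and whether sudo runs commands on a fresh pty.

# check_legacy_tiocsti [sysctl-file]
# Returns 0 if TIOCSTI is blocked (file holds 0), 1 if allowed (file holds 1),
# 2 if the knob is absent (kernel < 6.2 or built without the option, which
# is the situation on Debian 12's 6.1.x kernel).
check_legacy_tiocsti() {
    f=${1:-/proc/sys/dev/tty/legacy_tiocsti}
    if [ ! -r "$f" ]; then
        echo "legacy_tiocsti: knob not present; TIOCSTI must be assumed available"
        return 2
    fi
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) echo "legacy_tiocsti: 0 (TIOCSTI blocked)"; return 0 ;;
        *) echo "legacy_tiocsti: $v (TIOCSTI allowed; set dev.tty.legacy_tiocsti=0)"; return 1 ;;
    esac
}

# check_sudo_use_pty [sudoers-file]
# Returns 0 when an uncommented Defaults line enables use_pty (so the command
# sudo runs gets its own pty and cannot push input into the caller's
# terminal), 1 otherwise. "!use_pty" is treated as not enabled. Comment
# stripping is naive: a '#' inside a quoted value would also be dropped.
check_sudo_use_pty() {
    f=${1:-/etc/sudoers}
    if [ ! -r "$f" ]; then
        echo "sudo use_pty: cannot read $f"
        return 1
    fi
    if sed 's/#.*//' "$f" | grep -Eq \
        '^[[:space:]]*Defaults[^[:space:]]*([[:space:]]|.*[[:space:],])use_pty([[:space:],]|$)'; then
        echo "sudo use_pty: enabled in $f"
        return 0
    fi
    echo "sudo use_pty: not enabled in $f (add 'Defaults use_pty')"
    return 1
}

# audit_host: run both checks against the live system; exit status is the
# number of checks that did not come back as "protected".
audit_host() {
    bad=0
    check_legacy_tiocsti || bad=$((bad + 1))
    check_sudo_use_pty || bad=$((bad + 1))
    return "$bad"
}

# Run the live audit only when explicitly asked, so the functions can also
# be sourced and used against arbitrary files.
case "${1:-}" in
    --run) audit_host ;;
esac
```

Usage: `sh audit.sh --run` on the host, or `. ./audit.sh` and call the individual functions with a path; on a Debian 12 (bookworm) machine with an unmodified sudoers the expected result is "knob not present" plus "use_pty: not enabled", i.e. both mitigations absent.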