> I currently can't find any idea how to fix this issue. > > The security issue had to be solved by dropping the controlling > terminal, so you cannot start a command that would interact with the > current terminal. I don't have enough terminal handling skills to find > other way to fix the security issue than by dropping the terminal. > > An option could be to keep the controlling terminal when su-ing to root. > The issue would be less visible in sux (probably used mostly to gain > root privileges), but even if the risk when su'ing to root is lower, it > does not smell good.
Is this just a security risk when suing from root to an unprivledged account (eg, in init.d scripts), and that unprivledged account injects keystrokes back into the root shell? If it's not a risk when trying to get into the root account and running something with -c where you desire there to be a tty, then maybe you could keep the tty in that situation. Or what about providing an extra flag (eg, -C) where the user explicitly acknoledges that they're happy to take on the risk that you have a controlling tty and are executing a command with it? -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
