Quoting "Phil Susi" <[email protected]>:

On 2/27/2016 4:23 AM, [email protected] wrote:
And yes, there would be no job control if you started a shell from
there. This is why in "su" setsid() is called only with "-c", partially
fixing the issue. If one would to "su - user" it would still be vulnerable.

That isn't good.  Shouldn't only the foreground process group be allowed
to use this ioctl, thus preventing any background forked processes from
exploiting this?

I believe that is up to kernel developers.
grsecurity released a new feature named GRKERNSEC_HARDEN_TTY on Feb 18 that disallows the use of TIOCSTI to unprivileged users, unless they have the CAP_SYS_ADMIN capability, mitigating these issues.

He said looking into it, he didn't find any legitimate uses of such ioctl.

Check out gr_handle_tiocsti()

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Reply via email to