On Mon, Jul 26, 2004 at 02:53:56PM +1000, Russell Coker wrote:
> The start scripts for some daemons do "su - user" or use
> "start-stop-daemon -c" to launch the daemon, postgresql is one example.
>
> During the time between the daemon launch and it closing its file handles and
> calling setsid(2) (which some daemons don't do because they are buggy) any
> other code running in the same UID could take over the process via ptrace,
> fork off a child process that inherits the administrator tty, and then stuff
> characters into the keyboard buffer with ioctl(fd,TIOCSTI,&c) (*).
If this is a real problem (which it sounds like), it's not specific to init
scripts. Shouldn't it be fixed in su?

> init_su closes all file handles other than 1 and 2 (stdout and stderr). File
> handles 1 and 2 are fstat()'d, if they are regular files or pipes then they
> are left open (no attack is possible through a file or pipe)

In principle any resource leaked to the target uid is a potential threat. The
question is whether it can be blocked without breaking intentional "leakage",
e.g. echo ... | su - nobody ....

I think your point is that a tty is usually dangerous and unnecessary leakage,
and thus should be blocked. Maybe your changes should happen in su by default,
with a --leak-tty option if you want to keep the terminal.

Andrew
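The descriptor check the thread describes (close every inherited handle except the standard ones, fstat() those, keep only regular files and pipes), with Andrew's --leak-tty suggestion as a keep_tty flag, written out as an added C example; this is not init_su's code nor anything posted in the thread. It treats fd 0 the same as 1 and 2, redirects a rejected standard descriptor to /dev/null instead of closing it, and the function names and the 65536 descriptor bound are assumptions.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* The distinction init_su draws: a regular file or pipe cannot be used to
 * inject keystrokes, a terminal can (TIOCSTI); anything else is unknown. */
enum fd_class { FD_CLOSED, FD_SAFE, FD_TTY, FD_OTHER };

enum fd_class classify_fd(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return FD_CLOSED;
    if (S_ISREG(st.st_mode) || S_ISFIFO(st.st_mode)) return FD_SAFE;
    return isatty(fd) ? FD_TTY : FD_OTHER;
}

/* Point fd at /dev/null: a valid descriptor number, but no longer the admin's tty. */
int neutralize_fd(int fd) {
    int devnull = open("/dev/null", O_RDWR);
    if (devnull < 0) return -1;
    int rc = dup2(devnull, fd) < 0 ? -1 : 0;
    close(devnull);
    return rc;
}

/* Call before dropping privileges and exec'ing the daemon. Descriptors 0..2
 * stay only if they are files or pipes (or a tty when keep_tty is set, the
 * suggested --leak-tty); everything else is closed. Returns count changed. */
int sanitize_inherited_fds(int keep_tty) {
    int changed = 0;
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 65536) maxfd = 65536; /* assumed upper bound */
    for (int fd = 0; fd < maxfd; fd++) {
        enum fd_class c = classify_fd(fd);
        if (c == FD_CLOSED) continue;
        if (fd > 2) { close(fd); changed++; continue; }
        if ((c == FD_OTHER || (c == FD_TTY && !keep_tty)) && neutralize_fd(fd) == 0)
            changed++;
    }
    return changed;
}

/* Sanitize in a forked child and report probe_fd's class there; -1 on error. */
int probe_after_sanitize(int keep_tty, int probe_fd) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { sanitize_inherited_fds(keep_tty); _exit((int)classify_fd(probe_fd)); }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

probe_after_sanitize exists only so the effect can be observed without disturbing the calling process; a real su would call sanitize_inherited_fds directly in the child just before setuid() and exec().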

