On Sun, Jan 20, 2002 at 02:45:53PM +1300, Adam Warner wrote:
> Can anyone provide a plausible scenario for how someone might be able to
> gain root level access because su - has been used to switch to a user
> account. Martin has already answered that your tty session would have to
> be stolen. How can you steal a tty session using only remote means?
The only thing I can think of off-hand is the old "tty bomb" approach - because you're running as the user at that point, your /dev/tty will likely have appropriate perms for the user to write to it, and they could conceivably send you escape sequences that may trigger strange behaviour at your client end. There used to be a sequence that'd trigger the execution of arbitrary commands in ANSI terminals - that's been closed, but it flags one possible spot, I guess.

Alternately, the user may be able to write spurious info to your terminal. That in itself could cause you to behave differently, although whether it could be leveraged to root-level access or not is something else altogether.

Finally, "su -" will execute the user's own profile - which means you're executing user-controlled scripts, which may do interesting things like set up something to intercept and log keypresses etc.

At the very least, su without the - is probably called for if you mistrust the user.

KJL
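Added example (not from the thread or any of its participants): a POSIX sh script that checks the two points KJL raises before you su to an untrusted account. It inspects whether a terminal device is writable by anyone other than its owner (the "mesg y" state that lets another user push text or escape sequences at your tty), and it demonstrates that a login shell, which is what "su -" hands the target account, executes that account's own ~/.profile while a plain non-login shell does not. The function and variable names, and the mode-620/600 temp files that stand in for a real pty node, are this example's own constructions; the profile check uses a throwaway HOME so nothing real is touched.

```shell
#!/bin/sh
# Return 0 if the device or file at $1 is writable by its group or by others
# (so another account could write to it), 1 if only the owner may write.
# Uses "ls -ld" rather than stat(1) so it works on GNU, BSD and busybox.
tty_writable_by_non_owner() {
    mode=$(ls -ld "$1" | cut -c1-10)        # e.g. "crw--w----" for a typical pty
    case "$mode" in
        ?????w????|????????w?) return 0 ;;  # group-write or other-write bit set
        *) return 1 ;;
    esac
}

# Constructed stand-ins for a pty node, because the verifier has no terminal:
# mode 620 is the usual "mesg y" state (owner rw, group "tty" w), mode 600 is
# "mesg n". Returns 0 if the check flags the 620 file and clears the 600 file.
simulated_tty_check() {
    open=$(mktemp);   chmod 620 "$open"
    closed=$(mktemp); chmod 600 "$closed"
    tty_writable_by_non_owner "$open" && ! tty_writable_by_non_owner "$closed"
    result=$?
    rm -f "$open" "$closed"
    return $result
}

# Does a shell of the given kind ("login" or "plain") execute ~/.profile?
# Creates a throwaway HOME whose .profile drops a marker file, runs the shell
# with a no-op command, and returns 0 if the marker appeared.
profile_runs_in() {
    home=$(mktemp -d)
    printf ': > "%s/profile-ran"\n' "$home" > "$home/.profile"
    if [ "$1" = login ]; then
        ( HOME="$home" sh -l -c : ) >/dev/null 2>&1    # what "su -" gives you
    else
        ( HOME="$home" sh -c : ) >/dev/null 2>&1       # what "su" gives you
    fi
    if [ -e "$home/profile-ran" ]; then ran=0; else ran=1; fi
    rm -rf "$home"
    return $ran
}

# Interactive use: report on the terminal you are actually sitting on.
if t=$(tty 2>/dev/null); then
    if tty_writable_by_non_owner "$t"; then
        echo "$t is writable by other accounts; consider 'mesg n' before su"
    else
        echo "$t is writable only by you"
    fi
fi
if profile_runs_in login; then echo "login shell (su -) ran ~/.profile"; fi
if profile_runs_in plain; then echo "plain shell ran ~/.profile"; else echo "plain shell (su) skipped ~/.profile"; fi
```

"mesg n" only closes the write path to the tty; it does nothing about the profile. Note also that an interactive non-login shell still reads the target account's rc file (~/.bashrc for bash), so dropping the "-" narrows the user-controlled startup code that runs but does not eliminate it.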