On Sat, Oct 01, 2016 at 05:15:31PM -0500, Chris Bennett wrote:
> On Sat, Oct 01, 2016 at 03:54:40PM -0600, Theo de Raadt wrote:
> > Use of su, doas, or sudo -- means you EXPLICITLY want the tty to
> > remain the same.
> >
> > De-escalation using these "sudo" or "doas" like tools on a tty is
> > somewhat unsafe - it has always been unsafe - because ttys have
> > capabilities.
> >
> > If you wish to be safer, do these operations without retaining access
> > to a tty.
> >
> > Escalation on the other hand (user -> root) is different, because then
> > it is clear you want to do more / everything. But de-escalation is a
> > joke.
> >
> > This is just one mechanism on tty, there are others. On other
> > descriptors there are other abilities.
> >
>
> Would you mind explaining this a little bit? I don't really mean the
> sudo/doas part.
>
> How to do operations without retaining access to a tty?
> What other descriptors?
>
> And, I would especially appreciate any areas in src that could more
> fully give me an understanding of this. Studying code has to be
> essential to get this.
>
There is a recent thread on oss-security about the specific problem of
sharing a tty:
http://openwall.com/lists/oss-security/2016/09/25/1

or a more ancient one (same problem):
http://www.openwall.com/lists/oss-security/2011/12/20/2

When using doas/sudo you share a tty.

# tty
/dev/ttypa
# doas -u user -s
$ tty
/dev/ttypa

So at some point, user has access to the tty device that root will use
later. For example, user is able to push chars into the tty buffer, log
out, and let the root process eat the controlled input.

An alternative way (and more secure in this context) is to use ssh(1).
But note it needs additional configuration.

ssh(1) will allocate a new pty(4) device for the user.

# tty
/dev/ttypa
# ssh user@localhost
Last login: ...
OpenBSD 6.0-current ...
...
$ tty
/dev/ttypb

Regards.
-- 
Sebastien Marie
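An added illustration of the "do these operations without retaining access to a tty" advice above; this is my own example code, not from this thread, doas or sudo. A child gives up its controlling tty and every inherited descriptor before the point where it would drop uid/gid, and the parent checks that /dev/tty is no longer reachable from it. It assumes a POSIX system with /dev/tty and /dev/null; the function names are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

/* 1 if the caller still has a controlling tty (/dev/tty opens), else 0
 * (the open fails with ENXIO when there is no controlling terminal). */
int has_controlling_tty(void)
{
	int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
	if (fd >= 0) close(fd);
	return fd >= 0;
}

/* Drop the controlling tty, point fds 0-2 at /dev/null and close every
 * other inherited fd (a tty may also hide behind fd 3, 4, ...).
 * Run it in a child: setsid(2) fails for a process group leader. */
int detach_from_tty(void)
{
	int nullfd, fd, maxfd = (int)sysconf(_SC_OPEN_MAX);
	if (setsid() == (pid_t)-1) return -1;
	if ((nullfd = open("/dev/null", O_RDWR)) < 0) return -1;
	for (fd = 0; fd < 3; fd++)
		if (dup2(nullfd, fd) < 0) return -1;
	for (fd = 3; fd < maxfd; fd++)
		close(fd);	/* also closes nullfd; 0-2 keep /dev/null */
	return 0;
}

/* Fork, detach the child from the tty, then run fn in it; a real
 * de-escalation would drop uid/gid between those two steps.
 * Returns fn's exit status, or -1 if the child could not be run. */
int run_without_tty(int (*fn)(void))
{
	int status;
	pid_t pid = fork();
	if (pid < 0) return -1;
	if (pid == 0) {
		if (detach_from_tty() != 0) _exit(127);
		_exit(fn());
	}
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
	return WEXITSTATUS(status);
}

int main(void)
{
	printf("parent has tty: %d\n", has_controlling_tty());
	/* exit status 1 would mean the detached child still reaches a tty */
	printf("detached child has tty: %d\n", run_without_tty(has_controlling_tty));
	return 0;
}
```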