From: up201407890@alunos.dcc.fc.up.pt
To: bug-coreutils@gnu.org
Subject: runcon tty hijacking via TIOCSTI ioctl
Date: Sun, 25 Sep 2016 13:39:55 +0200

When executing a program via the runcon utility, the nonpriv session
can escape to the parent session by using the TIOCSTI ioctl to push
characters into the terminal's input buffer, allowing an attacker to
execute arbitrary commands without the SELinux security context.

$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>

int main()
{
    char *cmd = "id\n";
    while(*cmd)
        ioctl(0, TIOCSTI, cmd++);
    execlp("/bin/id", "id", NULL);
}
$ gcc test.c -o test
$ runcon -t sandbox_t ./test
id
uid=1000 gid=1000 groups=1000
context=unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023
$ id    <--- did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

This issue has been recently patched in the SELinux sandbox (CVE-2016-7545):
https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379

Thanks,
Federico Bento.

From: Paul Eggert
Organization: UCLA Computer Science Department
To: up201407890@alunos.dcc.fc.up.pt, 24541@debbugs.gnu.org, SE-Linux
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Sun, 25 Sep 2016 11:49:40 -0700

up201407890@alunos.dcc.fc.up.pt wrote re :
> When executing a program via the runcon utility, the nonpriv session
> can escape to the parent session by using the TIOCSTI ioctl to push
> characters into the terminal's input buffer, allowing an attacker to
> execute arbitrary commands without the SELinux security context.

Thanks for the bug report. Surely this is a bug in the setexeccon system call,
not in the runcon command that uses the system call. That being said, perhaps
runcon should work around the bug via something like the attached patch.

[runcon.diff (text/x-diff, attachment)]

diff --git a/src/runcon.c b/src/runcon.c index b25db04..52b0b36 100644 --- a/src/runcon.c +++ b/src/runcon.c 
@@ -249,6 +249,11 @@ main (int argc, char **argv) error (EXIT_FAILURE, errno, _("invalid context: %s"), quote (context_str (con))); =20 + /* Prevent the sandboxed process from using the TIOCSTI ioctl to + push characters into the controlling terminal's input buffer. */ + if (setsid () !=3D 0) + error (EXIT_FAILURE, errno, _("cannot create session")); + if (setexeccon (context_str (con)) !=3D 0) error (EXIT_FAILURE, errno, _("unable to set security context %s"), quote (context_str (con)));
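Review bot: The unconditional setsid () added before setexeccon () fails with EPERM whenever runcon is already a process group leader, which is the normal state of a command started directly from a job-control shell, so this hunk turns an ordinary interactive "runcon ... cmd" into "cannot create session". setsid(2) only succeeds in a process that is not a group leader, so the workaround needs a fork first (with the parent waiting and forwarding the exit status) or has to be opt-in. Where the call does succeed, the command loses its controlling terminal, so job control and anything that opens /dev/tty stop working; the comment should say so, and the documentation should mention it.
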
From: Pádraig Brady
To: bug-coreutils@gnu.org
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 26 Sep 2016 11:16:37 +0100

On 25/09/16 12:39, up201407890@alunos.dcc.fc.up.pt wrote:
> When executing a program via the runcon utility, the nonpriv session
> can escape to the parent session by using the TIOCSTI ioctl to push
> characters into the terminal's input buffer, allowing an attacker to
> execute arbitrary commands without the SELinux security context.
>
> $ cat test.c
> #include <unistd.h>
> #include <sys/ioctl.h>
>
> int main()
> {
>     char *cmd = "id\n";
>     while(*cmd)
>         ioctl(0, TIOCSTI, cmd++);
>     execlp("/bin/id", "id", NULL);
> }
> $ gcc test.c -o test
> $ runcon -t sandbox_t ./test
> id
> uid=1000 gid=1000 groups=1000
> context=unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023
> $ id    <--- did not type this
> uid=1000(saken) gid=1000(saken) groups=1000(saken)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> This issue has been recently patched in the SELinux sandbox (CVE-2016-7545):
> https://github.com/SELinuxProject/selinux/commit/acca96a135a4d2a028ba9b636886af99c0915379

There are side effects to that though like not being able to background tasks etc.?
There's a collection of links on the issue at https://bugs.debian.org/816320

If setsid was an option, one could use `runcon ... setsid the_command`
though that would be less secure operation by default.

The same issue impacts chroot(1) somewhat also.
I'm not sure of the best fix here.

Pádraig

From: up201407890@alunos.dcc.fc.up.pt
To: "Paul Eggert"
Cc: 24541@debbugs.gnu.org, SE-Linux
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 26 Sep 2016 08:38:11 +0200

Quoting "Paul Eggert" :

Hello,

I sent the bug report here before I got a response from Paul Moore
https://marc.info/?l=selinux&m=147481004710264&w=2

"I don't think we need to fix this for runcon, as it isn't a
sandboxing tool like sandbox, and the loss of job control would likely
be much more noticeable for runcon."

> up201407890@alunos.dcc.fc.up.pt wrote re :
>> When executing a program via the runcon utility, the nonpriv session
>> can escape to the parent session by using the TIOCSTI ioctl to push
>> characters into the terminal's input buffer, allowing an attacker to
>> execute arbitrary commands without the SELinux security context.
>
> Thanks for the bug report. Surely this is a bug in the setexeccon
> system call, not in the runcon command that uses the system call.
> That being said, perhaps runcon should work around the bug via
> something like the attached patch.
>

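The setsid() workaround proposed earlier in this thread, and the loss of job control quoted above, can be observed directly with the following C program, which is an added example and not code from coreutils or from any participant (probe_setsid and struct setsid_report are hypothetical names). It shows that a process that has called setsid() has no controlling terminal left, so the kernel refuses TIOCSTI from it unless it holds CAP_SYS_ADMIN and job control is gone, and that setsid() itself fails with EPERM in a process group leader, which is what a command started directly from a job-control shell is.

```c
/* Added example (not coreutils code): what the setsid() workaround does
   to the calling process, probed in a forked child. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical report structure, filled in by the child. */
struct setsid_report
{
  int setsid_errno;       /* 0 if setsid() succeeded, else its errno */
  int is_session_leader;  /* 1 if getsid(0) == getpid() afterwards */
  int devtty_errno;       /* 0 if /dev/tty opened, else errno from open() */
};

/* Fork a child, optionally make it a process group leader (the state of
   a command started directly from a job-control shell), call setsid()
   and report what happened.  Returns 0 on success, -1 on plumbing errors. */
int
probe_setsid (int as_group_leader, struct setsid_report *out)
{
  int fds[2];
  if (pipe (fds) != 0)
    return -1;

  pid_t pid = fork ();
  if (pid < 0)
    {
      close (fds[0]);
      close (fds[1]);
      return -1;
    }

  if (pid == 0)
    {
      struct setsid_report r = { 0, 0, 0 };
      close (fds[0]);
      if (as_group_leader && setpgid (0, 0) != 0)
        _exit (2);
      if (setsid () == (pid_t) -1)
        r.setsid_errno = errno;
      r.is_session_leader = (getsid (0) == getpid ());
      /* /dev/tty names the controlling terminal; a new session has none. */
      int tty = open ("/dev/tty", O_RDWR | O_NOCTTY);
      if (tty < 0)
        r.devtty_errno = errno;
      else
        close (tty);
      ssize_t n = write (fds[1], &r, sizeof r);
      _exit (n == (ssize_t) sizeof r ? 0 : 1);
    }

  close (fds[1]);
  ssize_t n = read (fds[0], out, sizeof *out);
  close (fds[0]);
  int status;
  if (waitpid (pid, &status, 0) < 0)
    return -1;
  if (n != (ssize_t) sizeof *out
      || !WIFEXITED (status) || WEXITSTATUS (status) != 0)
    return -1;
  return 0;
}

static void
print_report (const char *label, const struct setsid_report *r)
{
  printf ("%s: setsid: %s", label,
          r->setsid_errno ? strerror (r->setsid_errno) : "ok");
  printf (", session leader: %s", r->is_session_leader ? "yes" : "no");
  printf (", /dev/tty: %s\n",
          r->devtty_errno ? strerror (r->devtty_errno) : "opened");
}

int
main (void)
{
  struct setsid_report r;
  if (probe_setsid (0, &r) == 0)
    print_report ("plain child ", &r);
  if (probe_setsid (1, &r) == 0)
    print_report ("group leader", &r);
  return 0;
}
```
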
From: Paul Eggert
Organization: UCLA Computer Science Department
To: up201407890@alunos.dcc.fc.up.pt
Cc: 24541-done@debbugs.gnu.org, SE-Linux
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 26 Sep 2016 08:53:34 -0700

> "I don't think we need to fix this for runcon, as it isn't a
> sandboxing tool like sandbox, and the loss of job control would likely
> be much more noticeable for runcon."

Thanks, closing the debbugs bug report.

From: Bernhard Voelker
To: 24541@debbugs.gnu.org, eggert@cs.ucla.edu
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Thu, 29 Sep 2016 17:15:57 +0200

On 09/26/2016 05:53 PM, Paul Eggert wrote:
>> "I don't think we need to fix this for runcon, as it isn't a
>> sandboxing tool like sandbox, and the loss of job control would likely
>> be much more noticeable for runcon."
>
> Thanks, closing the debbugs bug report.

FWIW Karel just committed a workaround for su/runuser in util-linux
using libseccomp:

https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2

Have a nice day,
Berny

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Fri, 28 Oct 2016 11:24:03 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator

From: Pádraig Brady
To: GNU bug tracker automated control server
Date: Mon, 28 Aug 2017 02:42:47 -0700

unarchive 24541

From: Pádraig Brady
To: 24541-done@debbugs.gnu.org
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 28 Aug 2017 02:51:12 -0700

On 29/09/16 08:15, Bernhard Voelker wrote:
> On 09/26/2016 05:53 PM, Paul Eggert wrote:
>>> "I don't think we need to fix this for runcon, as it isn't a
>>> sandboxing tool like sandbox, and the loss of job control would likely
>>> be much more noticeable for runcon."
>>
>> Thanks, closing the debbugs bug report.
>
> FWIW Karel just committed a workaround for su/runuser in util-linux
> using libseccomp:
>
> https://github.com/karelzak/util-linux/commit/8e492501

I think this issue is worth addressing with libseccomp.
That lib is a widely used dependency on SELinux systems
so not a significant dependency to add.

The attached uses libseccomp if available,
and falls back to using setsid() in the edge cases where not.

cheers,
Pádraig

[runcon-inject.patch (text/x-patch, attachment)]

=46rom d2ad8ae5c56330f46fe891346025e1e0164372e3 Mon Sep 17 00:00:00 2001 
From: =3D?UTF-8?q?P=3DC3=3DA1draig=3D20Brady?=3D Date: Mon, 28 Aug 2017 01:57:54 -0700 Subject: [PATCH] runcon: disable use of the TIOCSTI ioctl Similar to the issue with SELinux sandbox (CVE-2016-7545), children of runcon can inject arbitrary input to the terminal that would be run at the originating terminal privileges. The new libseccomp dependency is widely available and used on modern SELinux systems, but is not available by default on older systems like RHEL6 etc. * m4/jm-macros.m4: Check for libseccomp and warn if unavailable on selinux supporting systems. * src/local.mk: Link runcon with -lseccomp. * src/runcon.c (disable_tty_inject): A new function to disable use of the TIOCSTI using libseccomp, or with setsid() where libseccomp is unavailable. * tests/misc/runcon-no-inject.sh: A new test that uses python to make the TIOCSTI call, and ensure that doesn't succeed. * tests/local.mk: Reference the new test * NEWS: Mention the fix. Addresses http://bugs.gnu.org/24541 --- NEWS | 4 ++++ m4/jm-macros.m4 | 13 +++++++++++++ src/local.mk | 1 + src/runcon.c | 28 ++++++++++++++++++++++++++++ tests/local.mk | 1 + tests/misc/runcon-no-inject.sh | 31 +++++++++++++++++++++++++++++++ 6 files changed, 78 insertions(+) create mode 100755 tests/misc/runcon-no-inject.sh diff --git a/NEWS b/NEWS index d37195e..0c744a8 100644 --- a/NEWS +++ b/NEWS @@ -68,6 +68,10 @@ GNU coreutils NEWS = -*- outline -*- non regular files are specified, as inotify is ineffective with these.= [bug introduced with inotify support added in coreutils-7.5] =20 + runcon now disables use of the TIOCSTI ioctl in its children, which co= uld + be used to inject commands to the terminal and run at the original con= text. + [the bug dates back to the initial implementation] + uptime no longer outputs the AM/PM component of the current time, as that's inconsistent with the 24 hour time format used. [bug introduced in coreutils-7.0] diff --git a/m4/jm-macros.m4 b/m4/jm-macros.m4 index ef915bd..de0657b 100644 
--- a/m4/jm-macros.m4 +++ b/m4/jm-macros.m4 @@ -63,6 +63,19 @@ AC_DEFUN([coreutils_MACROS], esac fi ]) + + # Used by runcon.c + LIB_SECCOMP=3D + AC_SUBST([LIB_SECCOMP]) + if test "$with_selinux" !=3D no; then + AC_SEARCH_LIBS([seccomp_init], [seccomp], + [test "$ac_cv_search_seccomp_init" =3D "none required" || + LIB_SECCOMP=3D$ac_cv_search_seccomp_init + AC_DEFINE([HAVE_SECCOMP], [1], [libseccomp usability])], + [test "$ac_cv_header_selinux_selinux_h" =3D yes && + AC_MSG_WARN([libseccomp library was not found or not usable]) + AC_MSG_WARN([runcon will be vulnerable to tty injection])]) + fi LIBS=3D$coreutils_saved_libs =20 # Used by sort.c. diff --git a/src/local.mk b/src/local.mk index 1cb6859..9275b1f 100644 --- a/src/local.mk +++ b/src/local.mk @@ -243,6 +243,7 @@ src_mkfifo_LDADD +=3D $(LIB_SMACK) src_mknod_LDADD +=3D $(LIB_SELINUX) src_mknod_LDADD +=3D $(LIB_SMACK) src_runcon_LDADD +=3D $(LIB_SELINUX) +src_runcon_LDADD +=3D $(LIB_SECCOMP) src_stat_LDADD +=3D $(LIB_SELINUX) =20 # for nvlist_lookup_uint64_array diff --git a/src/runcon.c b/src/runcon.c index 92f519d..611b788 100644 --- a/src/runcon.c +++ b/src/runcon.c @@ -45,6 +45,10 @@ #include #include #include +#ifdef HAVE_SECCOMP +# include +# include +#endif #include #include "system.h" #include "die.h" 
@@ -102,6 +106,28 @@ With neither CONTEXT nor COMMAND, print the current = security context.\n\ exit (status); } =20 +static void +disable_tty_inject (void) +{ +#ifdef HAVE_SECCOMP + scmp_filter_ctx ctx =3D seccomp_init (SCMP_ACT_ALLOW); + if (! ctx) + die (EXIT_FAILURE, 0, _("failed to initialize seccomp context")); + if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EPERM), SCMP_SYS (ioctl), 1= , + SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)) < 0) + die (EXIT_FAILURE, 0, _("failed to add seccomp rule")); + if (seccomp_load (ctx) < 0) + die (EXIT_FAILURE, 0, _("failed to load seccomp rule")); + seccomp_release (ctx); +#else + /* This may have unwanted side effects, but is a fallback + on older systems without libseccomp. */ + if (setsid () !=3D 0) + die (EXIT_FAILURE, errno, _("cannot create session")); +#endif /* HAVE_SECCOMP */ +} + + int main (int argc, char **argv) { @@ -195,6 +221,8 @@ main (int argc, char **argv) die (EXIT_FAILURE, 0, _("%s may be used only on a SELinux kernel"), program_name); =20 + disable_tty_inject (); + if (context) { con =3D context_new (context); diff --git a/tests/local.mk b/tests/local.mk index fd4713d..f904ffb 100644 --- a/tests/local.mk +++ b/tests/local.mk @@ -333,6 +333,7 @@ all_tests =3D \ tests/misc/readlink-root.sh \ tests/misc/realpath.sh \ tests/misc/runcon-no-reorder.sh \ + tests/misc/runcon-no-inject.sh \ tests/misc/sha1sum.pl \ tests/misc/sha1sum-vec.pl \ tests/misc/sha224sum.pl \ diff --git a/tests/misc/runcon-no-inject.sh b/tests/misc/runcon-no-inject= =2Esh new file mode 100755 index 0000000..f1ea6ec --- /dev/null +++ b/tests/misc/runcon-no-inject.sh 
@@ -0,0 +1,31 @@ +#!/bin/sh +# Ensure that runcon does not reorder its arguments. + +# Copyright (C) 2017 Free Software Foundation, Inc. + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. "${srcdir=3D.}/tests/init.sh"; path_prepend_ ./src +print_ver_ runcon + +cat <<\EOF >inject.py || framework_failure_ +import fcntl, termios +fcntl.ioctl(0, termios.TIOCSTI, '\n') +EOF + +python inject.py || skip_ 'python TIOCSTI check failed' + +returns_ 1 runcon $(id -Z) python inject.py || fail=3D1 + +Exit $fail --=20 2.9.3
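Review bot: In the m4/jm-macros.m4 hunk, the second AC_MSG_WARN says "runcon will be vulnerable to tty injection", but the #else branch of disable_tty_inject in src/runcon.c still calls setsid () when HAVE_SECCOMP is undefined, so the warning misdescribes the resulting build. Word it to say that runcon falls back to setsid (), with the side effects that the code comment already hints at. The check also probes only for the seccomp_init symbol, so HAVE_SECCOMP can end up defined where the library links but the header included under #ifdef HAVE_SECCOMP is absent; checking the header too would turn that into a configure-time result instead of a compile error.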
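Review bot: In disable_tty_inject in src/runcon.c, the rule matches with SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI), which compares the full 64-bit argument value, while the kernel takes the ioctl request as a 32-bit quantity, so on 64-bit systems a request whose upper bits are non-zero is not matched by the filter yet is still handled as TIOCSTI. Compare only the low 32 bits, for example SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, TIOCSTI). Separately, the setsid () fallback returns EPERM when the caller is already a process group leader, which is the normal case for a command started from an interactive shell with job control, so the #else branch would make runcon die instead of running the command; it needs a fork before setsid () or a documented limitation.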
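Review bot: At the new disable_tty_inject () call in main, the filter is loaded before the command is executed in the requested context, and seccomp_load sets no_new_privs by default because nothing in the patch clears SCMP_FLTATR_CTL_NNP; under no_new_privs SELinux allows an exec-time context change only where policy permits it for that case, so runcon to a different context may start failing. The new test cannot show this, since it runs runcon $(id -Z), which is the caller's own context. Please test a real transition, and say in the commit message what is expected of setuid programs run under runcon, which no_new_privs also affects.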
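Review bot: In tests/misc/runcon-no-inject.sh the header comment still reads "# Ensure that runcon does not reorder its arguments.", carried over from the reorder test; it should describe the TIOCSTI check. The script also runs runcon $(id -Z) without first checking that SELinux is enabled, so on a non-SELinux kernel runcon leaves through the "may be used only on a SELinux kernel" path and returns_ 1 reports that as a failure where a skip is wanted. The first, unconfined python inject.py run also pushes a newline into the terminal of whoever runs the test suite; a comment should say that this is intended.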
From: Kamil Dudka
To: Pádraig Brady
Cc: 24541-done@debbugs.gnu.org, bug-coreutils@gnu.org
Subject: Re: bug#24541: runcon tty hijacking via TIOCSTI ioctl
Date: Mon, 28 Aug 2017 13:24:41 +0200
Message-ID: <1788333.M5zUhTcoRp@kdudka-nb>
In-Reply-To: <1deb80dc-80bc-188c-7e2d-2d1f2d342f0e@draigBrady.com>

On Monday, August 28, 2017 11:51:12 AM CEST Pádraig Brady wrote:
> On 29/09/16 08:15, Bernhard Voelker wrote:
> > On 09/26/2016 05:53 PM, Paul Eggert wrote:
> >>> "I don't think we need to fix this for runcon, as it isn't a
> >>> sandboxing tool like sandbox, and the loss of job control would likely
> >>> be much more noticeable for runcon."
> >>
> >> Thanks, closing the debbugs bug report.
> >
> > FWIW Karel just committed a workaround for su/runuser in util-linux
> > using libseccomp:
> >
> > https://github.com/karelzak/util-linux/commit/8e492501

Note that the above-mentioned commit was reverted a long time ago:

https://github.com/karelzak/util-linux/commit/23f75093

Kamil

> I think this issue is worth addressing with libseccomp.
> That lib is a widely used dependency on SELinux systems
> so not a significant dependency to add.
> The attached uses libseccomp if available,
> and falls back to using setsid() in the edge cases where not.
>
> cheers,
> Pádraig

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Tue, 26 Sep 2017 11:24:03 +0000

# This is a fake control message.
#
# The action:
# bug archived.