LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 12-05-2013, 03:48 AM   #1
mancha
Member
 
Registered: Aug 2012
Posts: 279

Rep: Reputation: Disabled
[Slackware 14.1] su -c, tty hijacking, and some breakage


0. Background

It was discovered "su -c" (as implemented by shadow and coreutils) was vulnerable to tty hijacking (CVE-2005-4890). In particular, the threat was the potential for a non-privileged user to inject commands to a privileged tty.

Shadow 4.1.5+ addresses this by forking/setsid'ing in its PAM code. In the non-PAM code (which Slackware uses), this is addressed with a somewhat inelegant solution: detaching the controlling terminal via a TIOCNOTTY request.

1. Issue

Shadow's solution is omni-directional. In other words, "su -c" drops the controlling tty even when escalating privileges. This is rather unwarranted [1] because the threat vector of concern is injection from unprivileged->privileged.

There's a cost to shadow's fix since it renders a commonly-used method for executing commands as root (e.g. xterm -e /bin/su -s /bin/bash -c /bin/bash myscript) inoperable. See [2] and [3].

2. Proposal

There is an ongoing parallel effort by the shadow folks to develop a robust pty-based su (for both PAM and non-PAM cases). When mainlined, if it proves stable, it might be a good candidate for inclusion in Slackware's next version.

Meantime, for Slackware 14.1, I recommend the application of a patch I put together that makes "su -c" detach the controlling tty only if the callee is not root. This protects from unprivileged users injecting to privileged ttys while preserving old-style behavior when escalating privs:

shadow-4.1.5.1_CVE-2005-4890_relax.diff

Alternatively, the CVE fix could be reverted altogether making "su -c" always preserve the controlling tty as it did in shadow-4.1.4.3:

shadow-4.1.5.1_CVE-2005-4890_revert.diff

--mancha

-----
[1] http://seclists.org/oss-sec/2013/q2/374
[2] https://github.com/IgnorantGuru/spacefm/issues/394
[3] http://www.linuxquestions.org/questi...ks-4175462570/

Last edited by mancha; 12-05-2013 at 05:12 AM.
 
Old 12-05-2013, 08:01 AM   #2
GazL
Senior Member
 
Registered: May 2008
Posts: 3,324

Rep: Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881
I think I prefer the full revert, at least until they can fix it without breaking functionality.

Maybe the answer is to move to PAM? The non-pam stuff seems to be getting increasingly marginalised as time goes on, and PAM should have matured by now. Is there still any reason to avoid it?
 
Old 12-05-2013, 08:24 AM   #3
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 2,507

Rep: Reputation: 405Reputation: 405Reputation: 405Reputation: 405Reputation: 405
I installed PAM as part of MSB package (in testing/) for screensaver to work (without it, it can't lock your desktop) and so far, everything worked out of the box without any problem
 
Old 12-05-2013, 10:54 AM   #4
bartgymnast
Member
 
Registered: Feb 2003
Location: Lelystad, Netherlands
Distribution: slack 7.1 till latest and -current, LFS
Posts: 252

Rep: Reputation: 86
mancha that is an intresting problem.

I would say that the full revert is indeed the best solution here.

@willysr: I haven't had issues with pam either. 1 of the good things about pam these days is that you control what programs are using pam.
for example, for system logon with shadow it uses pam, but you dont want your ssh to use pam, than that is possible.

also it is interesting to see that pam seems to be more and more required by some things, like you said: screensaver *not only Mate has this issue, also (Dropline) Gnome)
ConsoleKit development has been stalled and since march 2012 nothing has been done.
The following has been written on the ConsoleKit website: http://www.freedesktop.org/wiki/Software/ConsoleKit/

Code:
ConsoleKit
ConsoleKit is a framework for defining and tracking users, login sessions, and seats.
    ConsoleKit is currently not actively maintained. The focus has shifted to the built-in seat/user/session management of Software/systemd called systemd-logind!
For this to work, pam is required.

Apart from ConsoleKit and systemd-logind, and dont know which other programs have these framework definitions.

As security has been a big issue over the last years, pam is a good candidate imo.

so for now full revert should be defiantly an option for PV.
and pam should be looked into

I expect difficult times coming for the Slackware team.
The upcoming 2-3 years we will see a lot of changes in distributions. (systemd/upstart) - (wayland/Xorg-server) - (linux kernel/non linux kernel)
 
Old 12-05-2013, 09:34 PM   #5
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Another example of breakage to add to the list: aszabo was unable to use gksu until he re-built shadow with either my relax or revert patch.

--mancha

Last edited by mancha; 12-07-2013 at 05:42 PM. Reason: clarify both relax and revert patches fix the issue
 
Old 02-20-2014, 06:11 AM   #6
GazL
Senior Member
 
Registered: May 2008
Posts: 3,324

Rep: Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881
Code:
Thu Feb 20 00:30:49 UTC 2014
patches/packages/shadow-4.1.5.1-i486-3_slack14.1.txz:  Rebuilt.
  Shadow 4.1.5 addressed a tty-hijacking vulnerability in "su -c"
  (CVE-2005-4890) by detaching the controlling terminal in the non-PAM
  case via a TIOCNOTTY request.  Bi-directional protection is excessive
  and breaks a commonly-used methods for privilege escalation on non-PAM
  systems (e.g. xterm -e /bin/su -s /bin/bash -c /bin/bash myscript).
  This update relaxes the restriction and only detaches the controlling
  tty when the callee is not root (which is, after all, the threat vector).
  Thanks to mancha for the patch (and the above information).
Looks like your modification hit patches/ - though I think I still prefer your full revert patch in this case as the risk can be avoided by user behaviour without sacrificing expected functionality.
 
Old 02-20-2014, 10:36 AM   #7
mancha
Member
 
Registered: Aug 2012
Posts: 279

Original Poster
Rep: Reputation: Disabled
Many slackers will be happy about this update; tagging as SOLVED.

--mancha

Last edited by mancha; 02-20-2014 at 11:14 AM.
 
2 members found this post helpful.
Old 02-20-2014, 11:28 AM   #8
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 2,507

Rep: Reputation: 405Reputation: 405Reputation: 405Reputation: 405Reputation: 405
This should make one less known issues for MSB Project as well

Thanks
 
Old 02-20-2014, 11:37 AM   #9
GazL
Senior Member
 
Registered: May 2008
Posts: 3,324

Rep: Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881Reputation: 881
edit: nevermind, answer occurred to me. Forget I asked.

Last edited by GazL; 02-20-2014 at 02:18 PM.
 
Old 02-20-2014, 07:09 PM   #10
j_v
Member
 
Registered: Oct 2011
Distribution: Slackware64, LFS, Crux
Posts: 173

Rep: Reputation: 25
@mancha: Nice job with the fix. Very happy indeed.
 
  


Reply

Tags
gksu, shadow, slackware -current, slackware 14.1, su


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Yum breakage in new installation... himalayan Linux - Software 1 10-15-2010 07:39 AM
Yum Update Breakage on CentOS 5 spacejunk Linux - Software 3 07-19-2010 01:42 PM
USB Mouse wire breakage smeezekitty General 13 02-13-2010 08:29 PM
xfs random breakage Erik Thorsson Fedora 0 06-15-2004 11:46 PM
Fluxbox upgrade breakage Phantomas Linux - Newbie 3 08-11-2003 01:21 PM


All times are GMT -5. The time now is 01:57 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration