From: Jann Horn <jannh@google.com>
To: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
Cc: Matt Brown <matt@nmatt.com>,
	serge@hallyn.com, jmorris@namei.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	jslaby@suse.com, Jonathan Corbet <corbet@lwn.net>,
	Kees Cook <keescook@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	kernel-hardening@lists.openwall.com,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org
Subject: Re: [PATCH v5 0/2] security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN
Date: Tue, 25 Apr 2017 23:44:50 +0200	[thread overview]
Message-ID: <CAG48ez31W30Qqmf5ZZ1_eVQC0uobBrva3_zgRdzejztFLzKoPg@mail.gmail.com> (raw)
In-Reply-To: <20170425222135.2859b1a8@lxorguk.ukuu.org.uk>

On Tue, Apr 25, 2017 at 11:21 PM, One Thousand Gnomes
<gnomes@lxorguk.ukuu.org.uk> wrote:
>> Really? By "pty", are you referring to the master? If so, as far as I know,
>> to go from the slave to the master, you need one of:
>>
>>  - ptrace access to a process that already has an FD to the master, via
>>    ptrace() or so (/proc/$pid/fd/$fd won't work)
>>  - for a BSD PTY (which AFAIK isn't used much anymore), access to
>>    /dev/ptyXX
>
> fstat() and then open *assuming* I have permissions.

open() what? As far as I know, for System-V PTYs, there is no path you can
open() that will give you the PTY master. Am I missing something?

>> > If I want to do the equivalent of the TIOCSTI attack then I fork a process
>> > and exit the parent. The child can now use ptrace to reprogram your shell
>> > to do whatever interesting things it likes (eg running child processes
>> > called "su" via a second pty/tty pair). Not exactly rocket science.
>>
>> Why would the child be able to ptrace the shell? AFAICS, in the most
>> relevant scenarios, the child can't ptrace the shell because the
>> shell has a different UID (in the case of e.g. su or sudo). In other
>
> If I am the attacker wanting to type something into your su when you go
> and su from my account, or where the user account is trojanned I do the
> following
>
> fork
> exit parent
> child ptraces the shell (same uid as it's not setuid)
>
> You type "su" return
> The modified shell opens a new pty/tty pair and runs su over it
> My ptrace hooks watch the pty/tty traffic until you go to the loo
> My ptrace hooks switch the console
> My ptrace hooks type lots of stuff and hack your machine while eating the
> output
>
> and you come back, do stuff and then exit
>
> And if you are in X it's even easier and I don't even need to care about
> sessions or anything. X has no mechanism to sanely fix the problem, but
> Wayland does.

I think the "When using a program like su or sudo" in the patch description
refers to the use case where you go from a more privileged context (e.g. a
root shell) to a less privileged one (e.g. a shell as a service-specific
account used to run a daemon), not the other way around.

[However, I do think that it's a nice side effect of this patch that it will
prevent a malicious program from directly injecting something like an
SSH command into my shell in a sufficiently hardened environment
(with LSM restrictions that prevent the malicious program from opening
SSH keyfiles or executing another program that can do that). Although
you could argue that in such a case, the LSM should be taking care of
blocking TIOCSTI.]
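Two small checks that illustrate the points argued above, written for this page and not part of the thread or of the patch series: first, that re-opening a Unix98 PTY master through `/proc/self/fd/<fd>` does not give you that master (every open of `/dev/ptmx` allocates a fresh pair, which is why "/proc/$pid/fd/$fd won't work"); second, that TIOCSTI only feeds bytes into the input queue of the caller's own controlling tty, so running a less trusted child on a fresh pty keeps whatever it "types" confined to that pty, and that a hardened kernel may refuse the ioctl altogether. Assumptions: Linux with `/dev/ptmx` and `/proc` available, Python 3 on glibc or musl (ptsname(3) is called through ctypes because `os.ptsname` only exists from Python 3.13), the function and variable names are mine, and the marker byte `Z` is a constructed test value.

```python
"""Added example: two checks on the PTY model discussed in the thread."""
import ctypes
import ctypes.util
import fcntl
import os
import pty
import select
import termios

# ptsname(3) via libc; os.ptsname only exists from Python 3.13 onwards.
_libc = ctypes.CDLL(ctypes.util.find_library("c") or None, use_errno=True)
_libc.ptsname.restype = ctypes.c_char_p
_libc.ptsname.argtypes = [ctypes.c_int]


def ptsname(master_fd):
    """Return the /dev/pts/N path of the slave paired with master_fd."""
    name = _libc.ptsname(master_fd)
    if name is None:
        raise OSError(ctypes.get_errno(), "ptsname failed")
    return name.decode()


def reopen_via_proc_gives_new_pty():
    """Open a master, then open /proc/self/fd/<master>; return both slave names.

    Returns None when the check cannot run here (no /dev/ptmx or no /proc).
    """
    try:
        master, slave = os.openpty()
    except OSError:
        return None
    try:
        original = ptsname(master)
        # The magic link points at /dev/ptmx, so this open allocates a NEW pair.
        reopened_fd = os.open(f"/proc/self/fd/{master}", os.O_RDWR | os.O_NOCTTY)
    except OSError:
        return None
    try:
        reopened = ptsname(reopened_fd)
    finally:
        os.close(reopened_fd)
        os.close(master)
        os.close(slave)
    return original, reopened


def probe_tiocsti_in_fresh_pty(marker=b"Z"):
    """Fork a child onto a fresh pty and let it TIOCSTI one byte into itself.

    Result keys: pty_available (False when no pty could be allocated),
    allowed/byte when the ioctl succeeded, allowed/errno when it failed
    (EPERM=1 on the patched kernel, EIO=5 on later kernels that disable
    legacy TIOCSTI).
    """
    try:
        pid, master = pty.fork()
    except OSError:
        return {"pty_available": False}
    if pid == 0:
        # Child: fds 0/1/2 are the new slave, which is now our controlling tty.
        try:
            attrs = termios.tcgetattr(0)
            attrs[3] &= ~(termios.ICANON | termios.ECHO)   # no line buffering, no echo
            attrs[6][termios.VMIN] = 1
            attrs[6][termios.VTIME] = 0
            termios.tcsetattr(0, termios.TCSANOW, attrs)
            fcntl.ioctl(0, termios.TIOCSTI, marker)        # "type" marker into ourselves
            ready, _, _ = select.select([0], [], [], 2.0)
            got = os.read(0, 1) if ready else b""
            os.write(1, b"OK:" + got)
        except OSError as e:
            os.write(1, b"ERR:%d" % (e.errno or -1))
        finally:
            os._exit(0)
    # Parent holds only the master: collect the child's output, then reap it.
    chunks = []
    while True:
        try:
            data = os.read(master, 1024)
        except OSError:          # EIO once the slave side has been closed
            break
        if not data:
            break
        chunks.append(data)
    os.close(master)
    os.waitpid(pid, 0)
    out = b"".join(chunks)
    if out.startswith(b"OK:"):
        return {"pty_available": True, "allowed": True, "byte": out[3:4]}
    if out.startswith(b"ERR:"):
        return {"pty_available": True, "allowed": False, "errno": int(out[4:])}
    return {"pty_available": True, "allowed": False, "errno": -1}


if __name__ == "__main__":
    print("reopen via /proc:", reopen_via_proc_gives_new_pty())
    print("TIOCSTI in fresh pty:", probe_tiocsti_in_fresh_pty())
```

On a stock kernel the first check returns two different `/dev/pts/N` names, and the second returns `allowed: True` with the marker byte read back by the child from its own input queue; nothing reaches the parent's terminal, because the parent holds the master and the child has no path through which to open it. On a kernel that restricts TIOCSTI the second check instead reports the errno the ioctl failed with, which is the observable effect of the patch under discussion.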
