su/sudo arbitrary character injection in keyboard buffer [Was: init scripts and su]
Jan Minar 2004-07-31, 2:47 am

Miquel van Smoorenburg 2004-07-31, 5:52 pm

In article <20040731055734.GA27166@kontryhel.haltyr.dyndns.org>,
Jan Minar <jjminar@fastmail.fm> wrote:
>I've filed bugs against su (package `login') & sudo. I've made a simple
>proof-of-concept program (attached). Despite what has been said
>earlier, it can ioctl(0,TIOCSTI,&c), even after fork().
You cannot use TIOCSTI after fork() and setsid(). Unless you're
root, because root can do anything.
Mike.
--
The question is, what is a "manamanap".
The question is, who cares ?
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Andrew Pimlott 2004-07-31, 5:52 pm

On Sat, Jul 31, 2004 at 02:17:39PM +0000, Miquel van Smoorenburg wrote:
> You cannot use TIOCSTI after fork() and setsid(). Unless you're
> root, because root can do anything.
Aren't read/write serious enough to be a significant vulnerability?
Andrew
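
Added example, not part of the archived thread and not code from su or sudo: a C check of the two points raised above, that a child which has called fork() and setsid() has no controlling terminal, and that descriptors inherited from the parent stay open for read/write until they are replaced. The function names `has_controlling_tty` and `child_is_detached` are hypothetical, and using /dev/null as the replacement for stdio is an assumption.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: 1 if the caller has a controlling terminal, else 0.
 * Opening /dev/tty fails when the process has none. */
static int has_controlling_tty(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Hypothetical helper: fork, start a new session in the child, replace the
 * inherited stdio descriptors with /dev/null (assumed replacement), and
 * report what the child observed.
 * Returns 1 = detached, 0 = a terminal is still reachable, -1 = error. */
int child_is_detached(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setsid() < 0)                 /* a fresh child is never a group leader */
            _exit(2);
        int nul = open("/dev/null", O_RDWR);
        if (nul < 0)
            _exit(2);
        for (int fd = 0; fd <= 2; fd++)   /* setsid() leaves inherited fds open */
            if (dup2(nul, fd) < 0)
                _exit(2);
        int bad = has_controlling_tty() || isatty(0) || isatty(1) || isatty(2);
        _exit(bad ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 0)
        return 1;
    return WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void)
{
    printf("parent has controlling tty: %d\n", has_controlling_tty());
    printf("child detached after setsid(): %d\n", child_is_detached());
    return 0;
}
```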