# The deprecation of `TIOCSTI` in newer Linux kernels has not yet been sufficiently addressed

## The story of the deadly Swiss knife command

This is the story of `ioctl` - nicknamed the Swiss army knife - and its deprecated `TIOCSTI` command.

- ABSTRACT
- PROBLEM STATEMENT
- SOLUTION
- ALTERNATIVE APPROACHES
- NEXT STEPS
- RESOURCES

## ABSTRACT

`TIOCSTI` is an `ioctl` syscall command in the Linux kernel that allows a process to simulate terminal input by injecting characters into the input queue of a terminal device as if they were typed by a user. This feature has a long history and has been part of Unix-like systems for decades:

- `ioctl()` is the kernel system call for device-specific input/output operations, which Linux inherited from Unix in the early 1990s.
- The `TIOCSTI` - terminal I/O control, simulate terminal input - `ioctl` command can push a character into a device stream.
- The `TIOCSTI` `ioctl` was implemented in the Linux kernel's terminal driver subsystem, allowing processes with the appropriate permissions to inject characters into a terminal's input queue.
- This feature was (and is) useful for certain applications, such as terminal emulators or debugging tools, where simulating user input is necessary.
- Over time, `TIOCSTI` became a source of security concerns: malicious programs could use it to inject commands into another user's terminal session, potentially leading to privilege escalation or other attacks.
- I use `TIOCSTI` in the HSTR project, where it inserts the user's past commands into the terminal.
- `TIOCSTI` has been deprecated in Linux kernels `>= 6.2.0`.

The history of `TIOCSTI` in the Linux kernel reflects the evolution of Unix-like systems and the ongoing balance between functionality and security. While it remains a part of the kernel for legacy reasons, its use is heavily restricted to prevent abuse, and modern applications are encouraged to use safer alternatives.

Therefore HSTR needs to find a way to work without `TIOCSTI`.

## PROBLEM STATEMENT

Over time, `TIOCSTI` became a source of security concerns:

- Malicious programs could use it to inject commands into another user's terminal session, potentially leading to privilege escalation or other attacks.
- Despite various mitigations, `TIOCSTI` remains a potential attack vector, and its use is generally discouraged in modern applications.

Examples of attack vectors:

- Privilege escalation: if a user runs a program with elevated privileges (e.g., via `sudo`), a malicious process could use `TIOCSTI` to inject commands into the terminal, effectively executing them with elevated privileges.
- Session hijacking: an attacker can use `TIOCSTI` to inject commands into another user's terminal session, especially if the attacker has access to the same terminal device (e.g., `/dev/pts/X`).
- Bypassing input sanitization: if a process relies on terminal input for sensitive operations (e.g., password prompts), `TIOCSTI` can be used to inject malicious input that bypasses the expected sanitization or validation.
- Exploiting misconfigured permissions: if a terminal device has overly permissive access controls (e.g., world-writable permissions), any user on the system can use `TIOCSTI` to inject commands into that terminal.
- Injecting commands into background shells: if a user backgrounds a shell (e.g., using Ctrl+Z), an attacker can use `TIOCSTI` to inject commands into the backgrounded shell, which will execute when the shell is brought back to the foreground.

Mitigations that address these security issues:

- The `CAP_SYS_ADMIN` capability was required to use `TIOCSTI` on terminals not owned by the calling process. (What is it?)
- Some distributions and kernel configurations further restricted or disabled `TIOCSTI` to prevent abuse.
- `TIOCSTI` is still present in the Linux kernel for backward compatibility, but its use is limited and often restricted.
- Linux kernel `>= 6.2.0` disables `TIOCSTI` by default in several distributions.

The problem for useful applications - like HSTR - is how to implement the capability of inserting commands into the terminal input without `TIOCSTI`.

## SOLUTION

`readline`-based solution:

- Configuration:
  - `TIOCSTI` detection - can it be used or not?
- Runtime:
  - simulation of terminal input by injecting characters into the input queue of a terminal device without `TIOCSTI`, by writing to the `/dev/tty` device.

Con: the user must configure HSTR, which might be a show stopper compared to the "no config needed" past.

## ALTERNATIVE APPROACHES

There are several alternative approaches for working around the absence of `TIOCSTI`. What are they and what are their pros and cons?

### Alternative approach: default kernel configuration override

How to:

- override the default kernel parameter `CONFIG_LEGACY_TIOCSTI=y` (compilation), or
- at runtime using `sysctl`:

```
sysctl -w dev.tty.legacy_tiocsti=1
```

Diagnostics:

```
sysctl kernel.osrelease
sysctl -a | grep tiocsti
```

Pros:

- HSTR can use `TIOCSTI` and therefore works without any modification.

Cons:

- Malicious processes can use the re-enabled `TIOCSTI` as described in the abstract.

### Alternative approach: Richard Lindberg solution

...

### Alternative approach: Pseudo-terminals (ptys)

...

## NEXT STEPS

Enhancements to implement:

- The HSTR binary should detect `TIOCSTI` availability and whether HSTR is configured in the shell (HSTR function availability in the environment), and based on that echo instructions on how to properly configure HSTR:

  > `TIOCSTI` is not available and HSTR is not properly configured - the shell function which injects commands to the terminal is not set. Use the `hstr --show-configuration` command to get the configuration to be added to your `.bashrc` / `.zshrc` (based on which shell you use).
Well, what is this beauty? The `readline`-based solution in HSTR's source:

- function `hstrnotiocsti`: `hstr/src/hstr.c`, line 347 in 59f1b0d
- function `hstr_no_tiocsti`: `hstr/src/hstr.c`, line 386 in 59f1b0d
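The `readline`-based solution from SOLUTION and the detect-and-advise behaviour listed under NEXT STEPS, as an added bash example that is not HSTR's own code. Assumptions: the function names `tiocsti_state_from_knob`, `tiocsti_state`, `insert_via_readline` and `hstr_setup_advice` are hypothetical (HSTR's real shell function is the `hstrnotiocsti` referenced above); the `picker` argument stands in for the real `hstr` binary, which draws its UI on `/dev/tty` so that stdout carries only the selected command; and the sysctl knob `dev.tty.legacy_tiocsti` (file `/proc/sys/dev/tty/legacy_tiocsti`) exists only on kernels 6.2 and newer, so its absence is taken to mean an older kernel where `TIOCSTI` is unrestricted. Detection reads the knob instead of probing `ioctl(TIOCSTI)`, so the check itself never pushes a character into any input queue; with the knob at 0 the kernel rejects the ioctl with `EIO` unless the caller has `CAP_SYS_ADMIN`.

```shell
#!/usr/bin/env bash
# Added example, not HSTR's own code. Shows (1) side-effect-free detection of
# whether TIOCSTI is usable, (2) inserting a picked command into the current
# readline buffer without TIOCSTI, (3) the configuration advice from NEXT STEPS.
# Function names are hypothetical; HSTR's real shell function is hstrnotiocsti.

# Knob added in kernel 6.2 (CONFIG_LEGACY_TIOCSTI / sysctl dev.tty.legacy_tiocsti).
TIOCSTI_KNOB=/proc/sys/dev/tty/legacy_tiocsti

# Classify TIOCSTI availability from the knob's text ("" when the file is absent).
# Assumption: an absent knob means a pre-6.2 kernel where TIOCSTI is unrestricted.
tiocsti_state_from_knob() {
  case "$1" in
    "") echo "available-legacy" ;;   # no knob: kernel < 6.2
    0)  echo "disabled" ;;           # ioctl(TIOCSTI) fails with EIO unless CAP_SYS_ADMIN
    1)  echo "enabled" ;;            # legacy behaviour re-enabled (see ALTERNATIVE APPROACHES)
    *)  echo "unknown" ;;
  esac
}

# Read the live knob; no TIOCSTI probe is sent, so nothing lands in an input queue.
tiocsti_state() {
  local knob=""
  if [ -r "$TIOCSTI_KNOB" ]; then
    read -r knob < "$TIOCSTI_KNOB"
  fi
  tiocsti_state_from_knob "$knob"
}

# Replace the current readline line with whatever the picker prints and move the
# cursor to the end. Bound via `bind -x`, this is the readline-based replacement
# for ioctl(TIOCSTI): the text only ever lives in the shell's own editing buffer.
# $1 = picker command (the real one is `hstr`; it draws its UI on /dev/tty so
# that stdout carries only the selected command). The current line is passed as
# the initial filter, as hstr expects.
insert_via_readline() {
  local picker="$1" selected
  selected=$("$picker" "$READLINE_LINE") || return 1
  READLINE_LINE="$selected"
  READLINE_POINT=${#READLINE_LINE}
}

# NEXT STEPS: combine the TIOCSTI state with the presence of the shell function
# into advice for the user. $1 = state from tiocsti_state_from_knob,
# $2 = name of the shell function HSTR's configuration is expected to define.
# Returns 1 when the setup is unusable, so callers can branch on it.
hstr_setup_advice() {
  local state="$1" fn="$2"
  case "$state" in
    available-legacy|enabled)
      echo "TIOCSTI is available; no shell configuration needed."
      return 0 ;;
  esac
  if type "$fn" >/dev/null 2>&1; then
    echo "TIOCSTI is disabled; readline function '$fn' is set."
    return 0
  fi
  echo "TIOCSTI is not available and HSTR is not properly configured - shell function '$fn' which injects commands to the terminal is not set. Use 'hstr --show-configuration' and add its output to your .bashrc / .zshrc."
  return 1
}

# Interactive bash only: Ctrl-R runs the picker and fills the readline buffer.
case $- in
  *i*) bind -x '"\C-r": insert_via_readline hstr' ;;
esac
```

The point of routing the result through `READLINE_LINE` is that the inserted text never enters a tty input queue, which is precisely the property that made `TIOCSTI` abusable across sessions. The zsh counterpart would set `BUFFER` and `CURSOR` from a `zle` widget instead of `READLINE_LINE`/`READLINE_POINT`.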
## RESOURCES

Resources:

- `ioctl()` - kernel syscall for device-specific input/output operation.
- `ioctl()` documentation in LPG.
- `bash` and `zsh` shell history suggest box - easily view, navigate, search and manage your command history.
- `TIOCSTI` umbrella issue.