
⚠️DANGER: Vulnerable by design! (on any system supporting TIOCSTI, such as Linux) #23

Open
jpouellet opened this issue Sep 17, 2018 · 6 comments

Comments

jpouellet commented Sep 17, 2018

Hello,

I regret to inform you that any program which crosses privilege boundaries in the manner this program does without also restricting access to the parent TTY (which seems to be the main design (mis-)feature of this program), is fundamentally vulnerable by design on any system allowing the TIOCSTI ioctl on said TTY.

See: https://www.openwall.com/lists/oss-security/2017/06/03/9
See also: https://ruderich.org/simon/notes/su-sudo-from-root-tty-hijacking
See also: tianon/gosu#37

Linux still supports TIOCSTI, and refuses to change due to its unfortunate posture of tying its own hands to keep backwards-compatibility with userspace forever. OpenBSD has removed it, but your users are probably mainly Linux people.

One way to address this is to do exactly as you currently complain about other programs doing (parent staying alive to proxy io), which seems to be the entire reason you wrote this. There are non-portable ways of filtering TIOCSTI without proxying io and otherwise breaking parent TTY manipulation (see util-linux/util-linux@8e49250, for example), but this will not necessarily work on all systems, and IMO manipulation of TTYs across privilege boundaries sounds more like a bug than a feature to begin with as it may allow intended-to-be-deprivileged code from triggering undefined behavior in the parent context.

Consider adding an appropriately scary warning to README.md, and notifying any downstream consumers you are aware of.

Sorry to be the bearer of bad news.

@jpouellet (Author)

Also, sorry about the clickbaity title. I just wanted to make sure this wouldn't go unnoticed, and hopefully reduce the chance of people continuing to use this without being aware of and considering its limitations. No offense intended.

@jpouellet jpouellet changed the title DANGER: Vulnerable by design! (on any system supporting TIOCSTI, such as Linux) ⚠️DANGER: Vulnerable by design! (on any system supporting TIOCSTI, such as Linux) Sep 17, 2018
ncopa (Owner) commented Sep 19, 2018

I think we should add a big warning in the README. Care to create a PR?

@jakub-bochenski

There is a more detailed discussion and links on the gosu bugreport: tianon/gosu#37

theAkito commented Feb 26, 2023

> Provide a simple CONFIG and global sysctl to disable this for the system
> builders who have wanted this functionality for literally decades now,
> much like the ldisc_autoload CONFIG and sysctl.

Can we just add the solution referred to in the section of the comment quoted above to the warning & consider it done?

kriansa commented Jun 13, 2023

> > Provide a simple CONFIG and global sysctl to disable this for the system
> > builders who have wanted this functionality for literally decades now,
> > much like the ldisc_autoload CONFIG and sysctl.
>
> Can we just add the solution referred to in the section of the comment quoted above to the warning & consider it done?

For a subset of users, yes, as the new config (dev.tty.legacy_tiocsti) is only available on Kernel >= 6.2.
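An added check, not part of su-exec or of this thread, for the system-wide mitigation kriansa refers to: it reads the `dev.tty.legacy_tiocsti` knob (present only on Linux 6.2 and later, where `CONFIG_LEGACY_TIOCSTI` is set) and reports whether the kernel rejects TIOCSTI. The optional file-path argument is an assumption added so the function can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not su-exec code): report whether this host still honours
# TIOCSTI. Linux >= 6.2 exposes dev.tty.legacy_tiocsti (0 = ioctl rejected,
# 1 = allowed); older kernels have no knob at all, so on them the only
# mitigation is for the parent to run the child on its own pty and proxy I/O.

# tiocsti_status [SYSCTL_FILE]
#   prints one of: disabled | enabled | unavailable
#   exit status: 0 = disabled, 1 = enabled, 2 = knob not present
#   SYSCTL_FILE defaults to the real procfs path; it is a parameter only
#   so the function can be checked against constructed files.
tiocsti_status() {
    file=${1:-/proc/sys/dev/tty/legacy_tiocsti}
    if [ ! -r "$file" ]; then
        echo unavailable       # kernel < 6.2 or CONFIG_LEGACY_TIOCSTI absent
        return 2
    fi
    case $(cat "$file") in
        0) echo disabled;    return 0 ;;
        1) echo enabled;     return 1 ;;
        *) echo unavailable; return 2 ;;   # unexpected content, treat as unknown
    esac
}

# tiocsti_verdict [SYSCTL_FILE]
#   one-line advice for tools that drop privileges without leaving the TTY
tiocsti_verdict() {
    case $(tiocsti_status "$1") in
        disabled)    echo "TIOCSTI rejected by kernel: parent TTY cannot be hijacked via TIOCSTI" ;;
        enabled)     echo "TIOCSTI allowed: set sysctl dev.tty.legacy_tiocsti=0 or run the child on its own pty" ;;
        unavailable) echo "no legacy_tiocsti knob (kernel < 6.2): run the child on its own pty and proxy I/O" ;;
    esac
}

# When run as a script, report on the live system (always exits 0).
tiocsti_verdict "$@"
```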
