
Sudo and its alternatives

Posted Feb 21, 2024 20:02 UTC (Wed) by sping (guest, #103256)
In reply to: Sudo and its alternatives by bluca
Parent article: Sudo and its alternatives

Many alternatives to sudo are (unlike recent sudo) vulnerable to TIOCSTI and TIOCLINUX hijacking attacks, either always or at least by default (e.g. runuser of util-linux), including doas and OpenDoas (always, except on OpenBSD) and pleaser. I'm maintaining a list of related CVEs at https://github.com/hartwork/antijack?tab=readme-ov-file#r... if curious. ttyjack (https://github.com/jwilk/ttyjack) would be the exploit demo of choice. In short: please choose your sudo alternatives carefully.


Sudo and its alternatives

Posted Feb 21, 2024 20:49 UTC (Wed) by josh (subscriber, #17465) [Link] (1 responses)

Current Linux does have an in-kernel approach to TIOCSTI mitigation as well.

That does not invalidate your point: yes, any alternative to sudo should carefully address TIOCSTI and TIOCLINUX, which the original sudo and sudo-rs both do but many other things don't.

Sudo and its alternatives

Posted Feb 21, 2024 22:08 UTC (Wed) by sping (guest, #103256) [Link]

I would like to add that not all Linux distros disable TIOCSTI via the default kernel config (Debian bookworm does not, Arch does), and it also needs a recent enough kernel to even have that option (not ignoring backports). Plus TIOCSTI has less common but benign use cases, so not everyone will be happy with disabling it system-wide even if technically possible.
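The in-kernel mitigation discussed in these two comments is the `dev.tty.legacy_tiocsti` sysctl (default set by `CONFIG_LEGACY_TIOCSTI`), which is why the kernel version matters. The following is an added example, not from any commenter, that classifies a host's TIOCSTI mitigation status from its kernel release string and that sysctl's value; it assumes the knob first appeared in Linux 6.2 and that a value of 0 makes the kernel refuse TIOCSTI to callers without CAP_SYS_ADMIN.

```shell
#!/bin/sh
# Added example (not from the thread). Classify whether the in-kernel
# TIOCSTI mitigation is active, from a kernel release string and the
# value of the dev.tty.legacy_tiocsti sysctl.
#
# Assumptions: the sysctl and CONFIG_LEGACY_TIOCSTI appeared in Linux 6.2;
# value 0 means TIOCSTI is refused unless the caller has CAP_SYS_ADMIN;
# value 1 keeps the legacy behaviour in which any process holding the tty
# open can push characters into its input queue. TIOCLINUX is a separate
# interface and is not covered by this knob.

# tiocsti_status RELEASE SYSCTL_VALUE
#   RELEASE       e.g. the output of `uname -r`
#   SYSCTL_VALUE  contents of /proc/sys/dev/tty/legacy_tiocsti, or "" if absent
# Prints one of: no-knob  disabled  enabled  unknown
tiocsti_status() {
    rel=$1
    val=$2
    major=${rel%%.*}
    case $major in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # unparsable release string
    esac
    rest=${rel#*.}
    [ "$rest" = "$rel" ] && rest=0               # release had no minor part
    minor=${rest%%[!0-9]*}
    [ -n "$minor" ] || minor=0
    if [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 2 ]; }; then
        # Pre-6.2 kernel: no way to switch TIOCSTI off, so no in-kernel mitigation
        echo no-knob
        return 0
    fi
    case $val in
        0) echo disabled ;;   # mitigated: TIOCSTI now needs CAP_SYS_ADMIN
        1) echo enabled ;;    # legacy behaviour left on by the distro config
        *) echo unknown ;;    # new enough kernel but the value is unreadable
    esac
}

# Convenience wrapper for the running host (reads uname and /proc).
tiocsti_status_local() {
    f=/proc/sys/dev/tty/legacy_tiocsti
    v=''
    [ -r "$f" ] && v=$(cat "$f")
    tiocsti_status "$(uname -r)" "$v"
}
```

Call `tiocsti_status_local` on a host to see which case it falls into; `no-knob` or `enabled` means a privilege-separation tool must provide its own protection (such as the separate pseudo-tty approach mentioned later in the thread).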

Sudo and its alternatives

Posted Feb 21, 2024 21:54 UTC (Wed) by bluca (subscriber, #118303) [Link] (1 responses)

From the uid0 manpage:

> An independent pseudo-tty is allocated for the invoked command, detaching its lifecycle and isolating it for security.

Sudo and its alternatives

Posted Feb 21, 2024 22:02 UTC (Wed) by sping (guest, #103256) [Link]

Sounds good so far. My apologies for posting into the uid0 thread about TIOCSTI; it was by mistake and I didn't mean to be specific to uid0, which I only first heard about today.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds