#1 2014-08-15 10:02:08

thelastblack
Member
Registered: 2010-11-14
Posts: 43

[SOLVED] Is this considered a bug or it is intentional?

Hello
I just found something interesting.
Open a terminal and become root. Run a program (like `php`) which will wait for user input.
Now run `lsof -p` and find the devices for its input/output (file descriptors numbered 0, 1, 2, which are at /dev/pts on my system). Let's say it is /dev/pts/2.
Now if you look at `ls -l /dev/pts`, you can see that /dev/pts/2 (and all the other numbers which are input/output for other processes) are owned by my user!
So this means I can access them and read/write them. I tested this in a python shell and I can totally read/write on input/output of that process.

Although I can't run `lsof -p` for that root process under my own user, this is still some kind of problem.
So I thought this could be a security issue. Reading/writing a root process' input/output from a normal user may lead to abuse.

Is this intentional? A security bug, in kernel, maybe?
Where to report this bug, if it is?
Thank you

P.S. I couldn't find anywhere related to security in the forum, so I posted this here. If it is in the wrong place, please move it.

Last edited by thelastblack (2014-08-15 11:18:22)

#2 2014-08-15 10:18:25

Lone_Wolf
Forum Moderator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,966

Re: [SOLVED] Is this considered a bug or it is intentional?

thelastblack wrote:

> Open a terminal and become root

Some questions to clarify the situation:
How did you 'become root' (ex. su, su - root, kdesu)?
TTYx or an x-terminal?
If an x-terminal, which one are you using (ex: konsole, xterm, urxvt)?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

#3 2014-08-15 10:26:40

thelastblack
Member
Registered: 2010-11-14
Posts: 43

Re: [SOLVED] Is this considered a bug or it is intentional?

I am using lxterminal and su to become root

#4 2014-08-15 10:37:57

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,564

Re: [SOLVED] Is this considered a bug or it is intentional?

I can't replicate this.

Yes, the pts is owned by my user, but that is not the root process, that is the terminal session that I opened as a regular user.  I open one urxvt window - call it urxvtA - that creates /dev/pts/0 owned by my user.  Then I open another - urxvtB - also as a regular user, and /dev/pts/1 is created and owned by my user.  I 'su' in urxvtB, no new pts is created, but /dev/ptsB is still owned by my user, of course.  From urxvtA I can write commands to /dev/pts/1 and they will show up in urxvtB, but they will not be executed.

The /dev/pts/# are not the stdin and stdout of the process running in the terminal session (those are under /proc/), but they are just the connection to the original shell launched in that terminal.

Further and more clear evidence: I start fresh again with no terminals running.  I start urxvtA which creates /dev/pts/0 owned by my user.  From that shell I 'su', then from the root shell session I launch another urxvt (urxvtB).  As previously this creates /dev/pts/1, but this time /dev/pts/1 is owned by root.

The pty session in the first case is executed by my user.  The terminal was opened as a regular user, and so a regular user can read what's in that terminal and type things into that terminal.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman
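
The behaviour described in post #4, as a check that can be run locally. This is an added example, not code from any poster in the thread; it assumes a Unix-like system with pty support, and the function name `pty_write_demo` and the sample text are constructed for illustration.

```python
import os
import select
import stat


def pty_write_demo(text=b"echo not-executed\n"):
    """Write to a pty slave from a second descriptor; report where the bytes go."""
    # The "terminal emulator" side: opening a pty creates the slave device node.
    master_fd, slave_fd = os.openpty()
    try:
        slave_path = os.ttyname(slave_fd)
        st = os.stat(slave_path)

        # A second opener of the same device node, standing in for the other
        # terminal window (urxvtA) writing to /dev/pts/N.
        other_fd = os.open(slave_path, os.O_WRONLY | os.O_NOCTTY)
        try:
            os.write(other_fd, text)
        finally:
            os.close(other_fd)

        # Terminal side: bytes written to the slave arrive on the master,
        # which is what the emulator draws in its window.
        ready, _, _ = select.select([master_fd], [], [], 1.0)
        shown = os.read(master_fd, 1024) if ready else b""

        # Process side: a program reading stdin from the slave only receives
        # what is written to the master (the keyboard path). Nothing was.
        ready, _, _ = select.select([slave_fd], [], [], 0.2)

        return {
            "slave": slave_path,
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "owned_by_opener": st.st_uid == os.getuid(),
            "shown_in_terminal": shown,
            "delivered_as_input": bool(ready),
        }
    finally:
        os.close(slave_fd)
        os.close(master_fd)


if __name__ == "__main__":
    for key, value in pty_write_demo().items():
        print(f"{key}: {value!r}")
```

The device node is owned by whoever opened the terminal, and the written text appears on the display side only; it never reaches the input of a program attached to that terminal.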

#5 2014-08-15 11:18:02

thelastblack
Member
Registered: 2010-11-14
Posts: 43

Re: [SOLVED] Is this considered a bug or it is intentional?

Thanks, pretty good explanation :D
