Date: Fri, 27 Feb 2026 12:59:08 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 293485] TTY injection using TIOCSTI Message-ID: <bug-293485-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293485 Bug ID: 293485 Summary: TTY injection using TIOCSTI Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: wout@canodus.be Created attachment 268398 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=268398&action=edit Example to add tunable sysctl option to allow or deny TIOCSTI On FreeBSD it is possible to do TTY injection using TIOCSTI when using tools like su(1) and jexec(8). FreeBSD removed support for TIOCSTI briefly but added again in 328d9d2c96e2349acbc2da4efc5ad34d68a47df6. The author thinks this is conceptually bad but is needed for tools like mail(1). There may be other tools and shells that depend on it too. OpenBSD completely removed support for TIOCSTI in 2017. HardenedBSD has a toggle to disable TIOCSTI. The toggle is set to prohibit TIOCSTI by default. I want to propose adding a tunable sysctl(8) option which allows or denies TIOCSTI. A proof of concept is attached. Before the patch, when using jexec(8) to run a jailed command as a normal user, it is possible to inject a command which then runs as the root user on the host: # jexec -U wout 3 /home/wout/inject whoami whoami # whoami root When I enable the new tunable, this is not permitted: # sysctl security.bsd.allow_tiocsti=0 security.bsd.allow_tiocsti: 1 -> 0 # jexec -U wout 3 /home/wout/inject whoami ioctl TIOCSTI failed: Operation not permitted This might be a good candidate to add to usr.sbin/bsdinstall/scripts/hardening as well. -- You are receiving this mail because: You are the assignee for the bug.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-293485-227>