Sandboxed process can send input to terminal
CategoryFixed. Fixed by Story9
It is possible for a sandboxed process to put characters into the input stream of the terminal using the TIOCSTI ioctl() on the tty's file descriptor. This data may be interpreted by a shell running on the terminal, allowing the sandboxed process to run code with the full authority of the user.
See Debian bug #357561.
This is similar to the security issues in the X Window System (see X11Security).
Workaround
This vulnerability can be avoided by not granting access to /dev/tty (this includes not using the -B option to pola-run), and by proxying access to stdin/stdout/stderr by piping them through cat, so that the sandboxed process holds pipe file descriptors rather than the terminal's:
cat | pola-run ... 2>&1 | cat
Possible fixes
- Proxy access to the terminal. This would need to be done using ptys if the process is to be able to set terminal modes. ssh must do a similar thing. pola-run should close file descriptors by default.
- We also need to deny access to /dev/tty. Currently, pola-run's "-B" option grants access to /dev/tty. Maybe the code should check for tty FDs explicitly and refuse to send them to the sandboxed process. (It already avoids sending directory FDs.)
Implementing PtraceJail would allow us to block ioctl() calls.
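The explicit check proposed in the list above, written out as an added example (this is not pola-run's or Plash's own code; classify_fd and filter_fds are hypothetical names). It rejects any descriptor that the tty layer recognises, which is the same set of descriptors on which terminal ioctls such as TIOCSTI operate, and also rejects directory descriptors, as pola-run already does:

```c
/* Added example, not part of Plash: decide whether a file descriptor may be
 * handed to a sandboxed child. Terminal FDs (isatty() succeeds) and
 * directory FDs (S_ISDIR) are refused. Function names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verdict for one descriptor; FD_OK means it may be forwarded. */
enum fd_verdict { FD_OK = 0, FD_REJECT_TTY, FD_REJECT_DIR, FD_REJECT_INVALID };

/* isatty() succeeds exactly for descriptors backed by the tty layer, which
 * is where TIOCSTI is implemented, so it is the right test for "could this
 * FD be used to push characters into a terminal's input queue". */
enum fd_verdict classify_fd(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return FD_REJECT_INVALID;   /* not an open descriptor */
    if (S_ISDIR(st.st_mode))
        return FD_REJECT_DIR;       /* pola-run already refuses these */
    if (isatty(fd))
        return FD_REJECT_TTY;       /* the case this page is about */
    return FD_OK;
}

/* Copy the forwardable subset of 'in' to 'out' and return how many were
 * copied. Refusals are reported on stderr rather than silently dropped,
 * so the user learns why the child did not get a terminal. */
int filter_fds(const int *in, int n_in, int *out, int n_out_max)
{
    static const char *why[] = { "ok", "is a terminal", "is a directory", "is not open" };
    int n_out = 0;
    for (int i = 0; i < n_in; i++) {
        enum fd_verdict v = classify_fd(in[i]);
        if (v != FD_OK) {
            fprintf(stderr, "refusing to forward fd %d: %s\n", in[i], why[v]);
            continue;
        }
        if (n_out == n_out_max) {
            fprintf(stderr, "no room to forward fd %d\n", in[i]);
            continue;
        }
        out[n_out++] = in[i];
    }
    return n_out;
}

int main(void)
{
    /* Constructed sample set: a regular device file, a directory, and stdin
     * (which is a terminal when this is run interactively). */
    int fds[3] = { open("/dev/null", O_RDONLY), open("/", O_RDONLY), STDIN_FILENO };
    int ok[3];
    int n = filter_fds(fds, 3, ok, 3);
    printf("%d of 3 descriptors would be forwarded to the sandbox\n", n);
    return 0;
}
```

Run it from a terminal and stdin is refused; run it as `cat | ./a.out | cat`, the workaround given above, and stdin passes because it is now a pipe.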
Related issues
There are also issues with specific terminal emulators in the way they handle control sequences. For example, see http://archive.cert.uni-stuttgart.de/vulndiscuss/2003/02/msg00030.html.
sudo and su have the same problem, and a bug was filed by Jan Minar in 2004 (Debian bug #262454), but Debian has not considered this serious enough to fix, because they don't consider dropping privileges to be a supported use case for sudo.
