https://bugzilla.novell.com/show_bug.cgi?id=716973

https://bugzilla.novell.com/show_bug.cgi?id=716973#c0

           Summary: coreutils patch for 697897 breaks su'd children's access to /dev/tty
    Classification: openSUSE
           Product: openSUSE 11.4
           Version: Factory
          Platform: i586
        OS/Version: openSUSE 11.4
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: Robert.Dahlem@gmx.net
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

After installing Online Updates (in particular: coreutils-8.9-9.1), children of
the su command no longer have access to /dev/tty. While this might fix a
security problem, it also breaks a zillion scripts.

Reproducible: Always

Steps to Reproduce:
1. Install OpenSUSE 11.4 out of the box, but without Online Update
2. # su nobody -c "echo Test >/dev/tty"
3. Yast -> Online Update (updating coreutils is sufficient)
4. # su nobody -c "echo Test >/dev/tty"

Actual Results:
# su nobody -c "echo Test >/dev/tty"
bash: /dev/tty: No such device or address

Expected Results:
# su nobody -c "echo Test >/dev/tty"
Test

The workaround would be to use --session-command instead of -c. This, however,
would require us to check and modify a vast amount of shell scripts.

Something like I_ACCEPT_TO_BE_VULNERABLE_TO_TTY_HIJACKING_VIA_TIOCSTI=1 in
/etc/default/su would be acceptable as a workaround.

The long-term solution would probably be to allocate a pty.
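
The error in the report, "No such device or address", is ENXIO, which Linux returns when a process with no controlling terminal opens /dev/tty. The following added example (not part of the bug report or of the coreutils patch) reproduces that condition by moving a forked child into a new session with setsid(); that the patched su detaches the -c command this way is an assumption, and `tty_errno_in_child` is a name made up for this sketch.

```c
/* Added example: shows why a process in a new session cannot open /dev/tty. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try to open the controlling terminal; return 0 on success, else errno. */
static int open_ctty(void)
{
    int fd = open("/dev/tty", O_RDWR);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/*
 * Fork a child, optionally detach it into a new session (assumed to be what
 * the patched "su -c" does), and return the errno the child got from opening
 * /dev/tty. 0 means the open succeeded, -1 means the helper itself failed.
 */
int tty_errno_in_child(int new_session)
{
    int status, code;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* A forked child is never a process group leader, so setsid() works. */
        if (new_session && setsid() < 0)
            _exit(255);
        _exit(open_ctty());
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void)
{
    int same = tty_errno_in_child(0), detached = tty_errno_in_child(1);
    printf("same session: %s\n", same ? strerror(same) : "opened /dev/tty");
    printf("new session:  %s\n", detached ? strerror(detached) : "opened /dev/tty");
    return 0;
}
```

Run from an interactive terminal, the first line reports a successful open and the second reports the same error string bash prints in the report.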