From nobody Fri Feb 27 12:59:08 2026 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fMpLN6nWqz6T05B for ; Fri, 27 Feb 2026 12:59:08 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fMpLN68Lrz3RcL for ; Fri, 27 Feb 2026 12:59:08 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1772197148; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=VwD6ZmR3cKbq1UGD5q3GMIY/f1wRSdHaVGAjeYOK1Xg=; b=J6i8FDWpNsZGTNoWlJMDrp+T6c4pfijb7CliBPLg4ZtqfSRHgNNpgKMhsa06iApSz1aAUu v9C7IFpLge4k+l9KPERPsZY50XV+JZzDYyK7pyAxOITUhl9NCvgjJynfDp8NCD0YrLmgW/ 0IpNmicggxVBHXQ9RS0MSQ9ta28Nwyzj/vXQHNKBSQLJKZPiF84zLMvcbhOEKLbUfDu9M1 7vYCWySY7jNvkh4SEYImamQLjg80rNeYKP0aROtDl1kXt8K7htnU3nimhSZjAoKcFiXb+/ 4kblMQGpNUIAZHqKzBaKUIfqyoAgFF+GPcMaChonHsa0JWkkb2x5Cd4eyWl95Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1772197148; a=rsa-sha256; cv=none; b=m6bd8/6iO82yZhjpHYp0uRHz27oUFGxmfq++Ydf9Qy+1kFGNGLdAdGr+Aij0qYgP0EXLJy iL+TkbZPghO2SS6xrEVjz6eGnw8rqWl67OdLNjrN+BIu9kndivMc3i7dyFfhq1Z7CvMHIp khUxdy/48mEmjNJ9anxCLmxmqwFmjjMhKhJwd7ly/et29puFjxqIuWJ4yOpSxziqFH3C7r 5Z8buzADC9uTfv+Um4B4mhouDbt4DWWi3cIx7u0LRs7x177DqCM4/adrlCYdEtV0gzi5zl f5vkuyHzSBxxL1HjMspoY+y3MnG+ytvzxLcHngch7vKGZumAI/zNIzXx1ZgCxw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1772197148; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=VwD6ZmR3cKbq1UGD5q3GMIY/f1wRSdHaVGAjeYOK1Xg=; b=NFs9h6vU7Tlrab/KuQHF4pvApVd0PE/Gc5w0LGLg665sxaBRcskocx7EB5IXZILD6mBbxC HrAv5E5Zj8LAR+3UlISRrUlmdx4XsVfJHBJiLTzfMXrp9yAzUNiFlJrXsUdUsdWes+59MS yvdaTsvUSvcthZYjtLDb189/R248+Gjn+a6p/PCImNWnGUYenTuFtHottduQR2rQe6LvOr NS7QOCBIN5QDtsNXmchcl4fmZaaEIPnSNQCh2BLT1Euqijt/U8Dtm57tapcK2RwHBtpGpt MTYllXgj0v17iC0lWVGQg8FClTGo2RR9ybKBG1hCUWL/5BrQv0nIP7WXpnHwSw== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4fMpLN5jCrz3Rk for ; Fri, 27 Feb 2026 12:59:08 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 61RCx8xW029503 for ; Fri, 27 Feb 2026 12:59:08 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 61RCx85j029502 for bugs@FreeBSD.org; Fri, 27 Feb 2026 12:59:08 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 293485] TTY injection using TIOCSTI Date: Fri, 27 Feb 2026 12:59:08 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: wout@canodus.be X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter attachments.created Message-ID: Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="UTF-8" X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@FreeBSD.org MIME-Version: 1.0 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D293485 Bug ID: 293485 Summary: TTY injection using TIOCSTI Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: wout@canodus.be Created attachment 268398 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D268398&action= =3Dedit Example to add tunable sysctl option to allow or deny TIOCSTI On FreeBSD it is possible to do TTY injection using TIOCSTI when using tools like su(1) and jexec(8). FreeBSD removed support for TIOCSTI briefly but added again in 328d9d2c96e2349acbc2da4efc5ad34d68a47df6. The author thinks this is conceptually bad but is needed for tools like mail(1). There may be other tools and shells that depend on it too. OpenBSD completely removed support for TIOCSTI in 2017. HardenedBSD has a toggle to disable TIOCSTI. The toggle is set to prohibit TIOCSTI by default. I want to propose adding a tunable sysctl(8) option which allows or denies TIOCSTI. A proof of concept is attached. Before the patch, when using jexec(8) to run a jailed command as a normal u= ser, it is possible to inject a command which then runs as the root user on the host: # jexec -U wout 3 /home/wout/inject whoami whoami # whoami root When I enable the new tunable, this is not permitted: # sysctl security.bsd.allow_tiocsti=3D0 security.bsd.allow_tiocsti: 1 -> 0 # jexec -U wout 3 /home/wout/inject whoami ioctl TIOCSTI failed: Operation not permitted This might be a good candidate to add to usr.sbin/bsdinstall/scripts/harden= ing as well. --=20 You are receiving this mail because: You are the assignee for the bug.=