runuser|su: Start supporting option -T|--no-pty

.. to pave the way for a future with -P|--pty for a default.

diff --git a/login-utils/runuser.1.adoc b/login-utils/runuser.1.adoc
index 4708e02a1b70fbc469d9e737ed0cdd81f8843d24..aea95f743b65689d1899ecd2f0fcb106f46ef246 100644 (file)
--- a/login-utils/runuser.1.adoc
+++ b/login-utils/runuser.1.adoc
@@ -73,6 +73,10 @@ If the target user has a restricted shell (i.e., not listed in _/etc/shells_), t
 **--session-command=**__command__::
 Same as *-c*, but do not create a new session. (Discouraged.)
 
+*-T*, *--no-pty**::
+Do not create a pseudo-terminal, opposite of *--pty* and *-P*.
+Note that running without a pseudo-terminal opens the security risk of privilege escalation through TIOCSTI/TIOCLINUX ioctl command injection.
+
 *-w*, *--whitelist-environment*=_list_::
 Don't reset the environment variables specified in the comma-separated _list_ when clearing the environment for *--login*. The whitelist is ignored for the environment variables *HOME*, *SHELL*, *USER*, *LOGNAME*, and *PATH*.
 

diff --git a/login-utils/su-common.c b/login-utils/su-common.c
index 06ce5dba2e1b638f527cd70f69386d455dc387e5..4cc24e34c148868dd19823c9bf4287929a23898d 100644 (file)
--- a/login-utils/su-common.c
+++ b/login-utils/su-common.c
@@ -902,6 +902,7 @@ static void usage_common(void)
        fputs(_(" -f, --fast                      pass -f to the shell (for csh or tcsh)\n"), stdout);
        fputs(_(" -s, --shell <shell>             run <shell> if /etc/shells allows it\n"), stdout);
        fputs(_(" -P, --pty                       create a new pseudo-terminal\n"), stdout);
+       fputs(_(" -T, --no-pty                    do not create a new pseudo-terminal (bad security!)\n"), stdout);
 
        fputs(USAGE_SEPARATOR, stdout);
        printf(USAGE_HELP_OPTIONS(33));
@@ -1057,6 +1058,7 @@ int su_main(int argc, char **argv, int mode)
                {"login", no_argument, NULL, 'l'},
                {"preserve-environment", no_argument, NULL, 'p'},
                {"pty", no_argument, NULL, 'P'},
+               {"no-pty", no_argument, NULL, 'T'},
                {"shell", required_argument, NULL, 's'},
                {"group", required_argument, NULL, 'g'},
                {"supp-group", required_argument, NULL, 'G'},
@@ -1082,7 +1084,7 @@ int su_main(int argc, char **argv, int mode)
        su->conv.appdata_ptr = (void *) su;
 
        while ((optc =
-               getopt_long(argc, argv, "c:fg:G:lmpPs:u:hVw:", longopts,
+               getopt_long(argc, argv, "c:fg:G:lmpPTs:u:hVw:", longopts,
                            NULL)) != -1) {
 
                err_exclusive_options(optc, longopts, excl, excl_st);
@@ -1132,6 +1134,10 @@ int su_main(int argc, char **argv, int mode)
 #endif
                        break;
 
+               case 'T':
+                       su->force_pty = 0;
+                       break;
+
                case 's':
                        shell = optarg;
                        break;

diff --git a/login-utils/su.1.adoc b/login-utils/su.1.adoc
index 36a892fab5c137f99cc3a6d3d4fa418d8da1f308..76c54aa00fc15e82bca828bbda3223fe0da00b43 100644 (file)
--- a/login-utils/su.1.adoc
+++ b/login-utils/su.1.adoc
@@ -74,6 +74,10 @@ If the target user has a restricted shell (i.e., not listed in _/etc/shells_), t
 **--session-command=**__command__::
 Same as *-c*, but do not create a new session. (Discouraged.)
 
+*-T*, *--no-pty**::
+Do not create a pseudo-terminal, opposite of *--pty* and *-P*.
+Note that running without a pseudo-terminal opens the security risk of privilege escalation through TIOCSTI/TIOCLINUX ioctl command injection.
+
 *-w*, **--whitelist-environment**=__list__::
 Don't reset the environment variables specified in the comma-separated _list_ when clearing the environment for *--login*. The whitelist is ignored for the environment variables *HOME*, *SHELL*, *USER*, *LOGNAME*, and *PATH*.