Hacker News
The oldest privesc: injecting careless administrators’ terminals using TTY push (errno.fr)
37 points by todsacerdoti on March 12, 2023 | 4 comments


OpenBSD disabled TIOCSTI in 2017 (https://marc.info/?l=openbsd-tech&m=149866235528186) and then removed the #define entirely in 2018 (see rev 1.17 at https://cvsweb.openbsd.org/src/sys/sys/ttycom.h) after addressing ports issues. Not an OpenBSD boast; just pointing out that OpenBSD already dealt with the fallout from its use in common open source projects.

It's also been disabled in Android, apparently, so that would've also brought its unavailability to the attention of many Linux-specific open source projects. The concern, now, would presumably largely just be any proprietary Linux software floating around that makes use of it.


I have been wondering if there is a minimal and composable solution for creating a pseudoterminal, using just command-line tools in GNU Linux distros. bubblewrap has the --new-session flag, but it results in a terminal situation that is not really usable by programs like bash and emacs. It seems weird that the only way to truly prevent untrusted code from being able to exploit the terminal is to use su or sudo.


This attack also doesn't work if you `exec su lowpriv_user` since there is no parent shell.


Any links to bug tickets for su & sudo reporting the insecure default?



