Privilege Escalation via TTY

Privilege escalation in a TTY is not magic. It is the result of design flaws, configuration mistakes, or unsafe handling of interactive shells. When a process runs inside a terminal—whether local or remote—it can inherit environment variables, file descriptors, or elevated permissions that were intended only for a specific context. If those are exposed or mismanaged, an attacker can step from limited privileges to root or administrative rights in seconds.

A TTY (teletype terminal) session is linked to the controlling process. When you spawn a shell inside a privileged environment—like using sudo without proper sanitization—the terminal context might carry elevated rights into commands that were never meant to run as a superuser. This exploit path is known as privilege escalation via TTY. It is particularly common in misconfigured sudo policies, unsafe container exec sessions, and older SSH setups that rely on persistent PTY allocation.

Common techniques include switching user contexts while the TTY is still bound to a privileged session, exploiting poorly implemented su calls that don’t drop environment variables, or abusing tools like screen or tmux where the main process is privileged but child shells inherit its context. Weak tty or pty permission models can also allow attaching to another user’s terminal, effectively hijacking their access.

Protecting against privilege escalation in TTY environments requires strict policy enforcement. Always sanitize environment variables in privileged shells. Use Defaults secure_path and Defaults env_reset in sudoers so that a caller cannot carry an unsafe PATH or environment into the command that runs with elevated rights. Restrict PTY allocation in SSH for accounts with no need for interactive sessions. Drop permissions explicitly when spawning shells inside automation or container orchestration processes. Audit session logs regularly to catch unusual context switching.
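The sudoers and sshd settings named above can be audited offline. The following POSIX shell script is an added example written for this post, not hoop.dev's own code: it checks a sudoers file for global env_reset and secure_path Defaults and reports the PermitTTY value sshd would apply to a named account (exact user names in Match blocks only; patterns and wildcards are not handled). The sample config files, the account names and the temp-file handling are all constructed for the demo.

```shell
# Added audit helper (hypothetical, not hoop.dev's code). Parses sudoers and
# sshd_config text offline; only global "Defaults" lines are examined.

# 0 if a global Defaults line enables env_reset (a leading "!" negates it).
sudoers_has_env_reset() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+([^#]*,[[:space:]]*)?env_reset([[:space:],]|$)' "$1"
}

# 0 if a global Defaults line sets secure_path.
sudoers_has_secure_path() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+([^#]*,[[:space:]]*)?secure_path[[:space:]]*=' "$1"
}

# Prints the PermitTTY value sshd would apply to USER: the first value inside
# a "Match User USER" block overrides the first global value; sshd's default
# is "yes". Exact user names only; Match patterns and wildcards are not handled.
sshd_permit_tty() {
    awk -v user="$2" '
        BEGIN { in_match = 0; hit = 0; global = ""; matched = "" }
        /^[ \t]*(#|$)/ { next }                       # skip comments and blanks
        tolower($1) == "match" {
            in_match = 1; hit = 0
            for (i = 2; i < NF; i += 2)
                if (tolower($i) == "user" && $(i + 1) == user) hit = 1
            next
        }
        tolower($1) == "permittty" {
            if (in_match && hit && matched == "") matched = tolower($2)
            else if (!in_match && global == "") global = tolower($2)
        }
        END { print (matched != "" ? matched : (global != "" ? global : "yes")) }
    ' "$1"
}

# Constructed sample configs: a weak sudoers, a hardened one, and an sshd_config
# that denies a PTY to the "svc-backup" automation account (names are made up).
SUDOERS_WEAK=$(mktemp); SUDOERS_HARD=$(mktemp); SSHD_CFG=$(mktemp)
printf '%s\n' 'Defaults !env_reset' 'Defaults mail_badpass' 'root ALL=(ALL) ALL' > "$SUDOERS_WEAK"
printf '%s\n' 'Defaults env_reset, mail_badpass' \
    'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' \
    'root ALL=(ALL) ALL' > "$SUDOERS_HARD"
printf '%s\n' 'PermitTTY yes' 'Match User svc-backup' '    PermitTTY no' \
    'Match User alice' '    X11Forwarding no' > "$SSHD_CFG"

for f in "$SUDOERS_WEAK" "$SUDOERS_HARD"; do
    sudoers_has_env_reset "$f" && r=set || r=MISSING
    sudoers_has_secure_path "$f" && p=set || p=MISSING
    echo "$f: env_reset=$r secure_path=$p"
done
echo "svc-backup PermitTTY: $(sshd_permit_tty "$SSHD_CFG" svc-backup)"   # no
echo "alice PermitTTY: $(sshd_permit_tty "$SSHD_CFG" alice)"             # yes
```

On a live host, point the functions at /etc/sudoers (and each file under /etc/sudoers.d) and /etc/sshd_config; sshd -T -C user=NAME is the authoritative check for the effective PermitTTY value.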

Escalation through a TTY is not theoretical—it’s a live, practical attack vector that thrives on small oversights. Minimize trust boundaries. Close every gap between privilege levels.

See how hoop.dev can help you lock down interactive shell security and catch privilege escalation attempts. Deploy it and watch it run, live, in minutes.