[Pkg-shadow-devel] Bug#505071: Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)
nicolas.francois at centraliens.net
Mon Nov 10 23:52:57 UTC 2008
On Tue, Nov 11, 2008 at 07:36:18AM +1100, psz at maths.usyd.edu.au wrote:
> Curious way of counting bugs. What do you mean exploitable: to do what?
> (Surely is_my_tty cannot protect, being buggy itself.)
> As I see things, the following bugs are present:
> - bad selection of utmp entry [often choosing wrong]
Often is arguable.
2 reports in 10 years.
> - is_my_tty uses stat [should be lstat]
I'm not sure lstat is right.
If the caller of login puts the name of a symbolic link for any reason in
utmp, I don't think that should be a failure.
> - is_my_tty compares rdev only [should also test dev ino etc]
I don't think the device or the inode is relevant.
If the major and minor of the device are identical, then they indicate the
> - maybe is_my_tty should scrutinize path [ensure directory components
> are root-owned and safe]
Same as lstat, I don't think the paths have to match.
> - race between is_my_tty checks and chown
> - chown of unsafe path [should be fchown anyway]
Except for the race, I don't think the path in unsafe.
> As things are, it is exploitable to elevate privileges from group utmp
> to root. It is also buggy, often failing for legitimate use. Fixing all
> bugs would be best; fixing some may already render it "safe" against
> exploitation, and/or restore functionality.
I currently think is_my_tty should be removed. checkutmp should check that
ut_line matches with the current tty, and return a file descriptor
More information about the Pkg-shadow-devel