[Pkg-shadow-devel] Bug#505071: Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)

Nicolas François nicolas.francois at centraliens.net
Mon Nov 10 23:52:57 UTC 2008

On Tue, Nov 11, 2008 at 07:36:18AM +1100, psz at maths.usyd.edu.au wrote:
> Curious way of counting bugs. What do you mean exploitable: to do what?
> (Surely is_my_tty cannot protect, being buggy itself.)
> As I see things, the following bugs are present:
> - bad selection of utmp entry [often choosing wrong]

Often is arguable.
2 reports in 10 years.

> - is_my_tty uses stat [should be lstat]

I'm not sure lstat is right.
If the caller of login puts the name of a symbolic link for any reason in
utmp, I don't think that should be a failure.

> - is_my_tty compares rdev only [should also test dev ino etc]

I don't think the device or the inode is relevant.
If the major and minor of the device are identical, then they indicate the
same device.

> - maybe is_my_tty should scrutinize path [ensure directory components
>   are root-owned and safe]

Same as lstat, I don't think the paths have to match.

> - race between is_my_tty checks and chown


> - chown of unsafe path [should be fchown anyway]

Except for the race, I don't think the path in unsafe.

> As things are, it is exploitable to elevate privileges from group utmp
> to root. It is also buggy, often failing for legitimate use. Fixing all
> bugs would be best; fixing some may already render it "safe" against
> exploitation, and/or restore functionality.

I currently think is_my_tty should be removed. checkutmp should check that
ut_line matches with the current tty, and return a file descriptor

Best Regards,

More information about the Pkg-shadow-devel mailing list