[Pkg-shadow-devel] Bug#628843: (forw) Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl

Daniel Ruoso daniel at ruoso.com
Thu Jun 2 12:14:27 UTC 2011

On Thu, Jun 02, 2011 at 07:34:59AM +0200, Christian PERRIER wrote:
> My expertise is, as you may expect, way outreached. So, in short, what
> I need is someone with enough expertise to look at this bug report and
> help deciding if adopting Redhat's patch is correct (assuming it
> applies: I'm not sure that RH is using the same "su" than we do).

Ok, to give more context to the fix applied by RedHat.

What they did was use setsid() to start a new session and remove the
controlling terminal from the running command. This removes from the
child process the ability to open "/dev/tty", which is how the
hijacking works.

But doing only that is complicated because the translation of Ctrl+C
to SIGINT depends on controlling the tty, so you wouldn't be able to
stop the process easily. What they did was simply to add SIGINT to the
signal mask that causes the su to exit the waitpid loop.

The thing I don't like about RedHat's patch is that it turns a SIGINT
on su into a SIGTERM to the process; it would be better to send the
same signal received.

I don't have the time to do it right now, but I can give a shot at
writing a patch that keeps the signal interaction sane, which is
not the case in RedHat.

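Added example (not from this thread, and not the shadow or Red Hat patch): a small C wrapper that applies the approach described above, running the command in its own session via setsid() so it has no controlling terminal, while the parent keeps the tty and relays the signal it actually received instead of a fixed SIGTERM. The names run_without_ctty and run_sh are invented for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv in a new session: the child has no controlling tty, so it cannot
 * open /dev/tty and TIOCSTI has no terminal to push keystrokes into. The
 * parent keeps the tty and relays SIGINT/SIGTERM to the child unchanged.
 * Returns the child's exit status, 128+sig if a signal killed it, or -1. */
int run_without_ctty(char *const argv[]) {
    sigset_t set, old;
    sigemptyset(&set);
    sigaddset(&set, SIGINT);
    sigaddset(&set, SIGTERM);
    sigaddset(&set, SIGCHLD);
    sigprocmask(SIG_BLOCK, &set, &old);    /* hold them pending for sigwaitinfo */

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        setsid();                          /* new session, no controlling terminal */
        signal(SIGINT, SIG_DFL);           /* make sure relayed signals take effect */
        signal(SIGTERM, SIG_DFL);
        sigprocmask(SIG_SETMASK, &old, NULL);
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    for (;;) {
        int sig = sigwaitinfo(&set, NULL);
        if (sig == SIGCHLD) {
            if (waitpid(pid, &status, WNOHANG) == pid) break;   /* our child is done */
        } else if (sig > 0) {
            kill(pid, sig);                /* same signal the parent got, not a fixed SIGTERM */
        } else if (errno != EINTR) {
            sigprocmask(SIG_SETMASK, &old, NULL);
            return -1;
        }
    }
    sigprocmask(SIG_SETMASK, &old, NULL);
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return WIFSIGNALED(status) ? 128 + WTERMSIG(status) : -1;
}

/* Convenience wrapper for trying it out: run a command string via /bin/sh -c. */
int run_sh(const char *cmd) {
    char *const argv[] = {"/bin/sh", "-c", (char *)cmd, NULL};
    return run_without_ctty(argv);
}
```

With this wrapper, `run_sh(": </dev/tty")` fails inside the child because there is no controlling terminal to open, while a SIGINT delivered to the parent reaches the child as SIGINT rather than SIGTERM.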