On Tue, Nov 11, 2008 at 07:36:18AM +1100, [EMAIL PROTECTED] wrote:
>
> Curious way of counting bugs. What do you mean exploitable: to do what?
> (Surely is_my_tty cannot protect, being buggy itself.)
>
> As I see things, the following bugs are present:
>
> - bad selection of utmp entry [often choosing wrong]

Often is arguable. 2 reports in 10 years.

> - is_my_tty uses stat [should be lstat]

I'm not sure lstat is right. If the caller of login puts the name of a
symbolic link for any reason in utmp, I don't think that should be a failure.

> - is_my_tty compares rdev only [should also test dev ino etc]

I don't think the device or the inode is relevant. If the major and minor
of the device are identical, then they indicate the same device.

> - maybe is_my_tty should scrutinize path [ensure directory components
>   are root-owned and safe]

Same as lstat, I don't think the paths have to match.

> - race between is_my_tty checks and chown

Yes.

> - chown of unsafe path [should be fchown anyway]

Except for the race, I don't think the path is unsafe.

> As things are, it is exploitable to elevate privileges from group utmp
> to root. It is also buggy, often failing for legitimate use. Fixing all
> bugs would be best; fixing some may already render it "safe" against
> exploitation, and/or restore functionality.

I currently think is_my_tty should be removed. checkutmp should check that
ut_line matches the current tty, and return a file descriptor.

Best Regards,

-- 
Nekral
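The descriptor-based check Nekral sketches (verify that ut_line names the caller's tty, hand back an open descriptor, and let ownership changes go through fchown() on it), written out as an added C example; this is not code from the shadow/login sources or from anyone in this thread, and the function names, the /dev prefix and the ut_line component check are assumptions.

```c
/* Added example: check a utmp line name against the caller's terminal via
 * one file descriptor and return that descriptor, so the later fchown()
 * acts on the very object that was checked. Not from shadow/login. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Two stat results describe the same terminal when both are character
 * devices with the same device number (the st_rdev test from the thread). */
int same_tty(const struct stat *a, const struct stat *b)
{
    return S_ISCHR(a->st_mode) && S_ISCHR(b->st_mode) &&
           a->st_rdev == b->st_rdev;
}

/* ut_line is taken relative to /dev ("tty1", "pts/3"). Assumed check:
 * refuse absolute names and "." or ".." components so an entry cannot
 * point outside /dev. */
int sane_ut_line(const char *line)
{
    const char *p = line;
    if (*p == '\0' || *p == '/')
        return 0;
    while (*p) {
        size_t n = strcspn(p, "/");
        if (n == 0 || (n == 1 && p[0] == '.') ||
            (n == 2 && p[0] == '.' && p[1] == '.'))
            return 0;
        p += n;
        if (*p == '/')
            p++;
    }
    return 1;
}

/* Open /dev/<line> and compare it with the terminal behind ref_fd (e.g. the
 * caller's stdin). On a match return the open descriptor, otherwise -1.
 * Callers then use fchown(fd, ...) instead of chown(path, ...), which removes
 * the window between a stat() on the path and a chown() on the same path. */
int open_matching_tty(const char *line, int ref_fd)
{
    char path[64];                      /* "/dev/" + UT_LINESIZE fits */
    struct stat ref, cand;
    if (!sane_ut_line(line) || fstat(ref_fd, &ref) < 0 || !S_ISCHR(ref.st_mode))
        return -1;
    if (snprintf(path, sizeof path, "/dev/%s", line) >= (int)sizeof path)
        return -1;
    int fd = open(path, O_RDWR | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &cand) < 0 || !same_tty(&ref, &cand)) {
        close(fd);
        return -1;
    }
    return fd;
}
```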