slackware-current/source/a/shadow/shadow.CVE-2005-4890.relax.diff

From 0f6a809b7c4c9a8f4adb5b25808dd68000e17aa2 Mon Sep 17 00:00:00 2001
From: mancha <mancha1@hush.com>
Date: Wed, 04 Dec 2013
Subject: restrict "su -c" only when callee is not root

Shadow 4.1.5 addressed a tty-hijacking vulnerability in "su -c"
(CVE-2005-4890) by detaching the controlling terminal in the non-PAM
case via a TIOCNOTTY request.

Bi-directional protection is excessive and breaks a commonly-used
methods for privilege escalation on non-PAM systems (e.g. xterm -e 
/bin/su -s /bin/bash -c /bin/bash myscript).

This patch relaxes the restriction and only detaches the controlling
tty when the callee is not root (which is, after all, the threat vector).

---
 src/su.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/src/su.c
+++ b/src/su.c
@@ -1076,10 +1076,10 @@ int main (int argc, char **argv)
 
 	set_environment (pw);
 
-	if (!doshell) {
+	if (!doshell && pw->pw_uid != 0) {
 		/* There is no need for a controlling terminal.
 		 * This avoids the callee to inject commands on
-		 * the caller's tty. */
+		 * the caller's tty when the callee is not root. */
 		int err = -1;
 
 #ifdef USE_PAM
Slackware 14.2 Thu Jun 30 20:26:57 UTC 2016 Slackware 14.2 x86_64 stable is released! The long development cycle (the Linux community has lately been living in "interesting times", as they say) is finally behind us, and we're proud to announce the release of Slackware 14.2. The new release brings many updates and modern tools, has switched from udev to eudev (no systemd), and adds well over a hundred new packages to the system. Thanks to the team, the upstream developers, the dedicated Slackware community, and everyone else who pitched in to help make this release a reality. The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD. Please consider supporting the Slackware project by picking up a copy from store.slackware.com. We're taking pre-orders now, and offer a discount if you sign up for a subscription. Have fun! :-) 2016-06-30 22:26:57 +02:00			`From 0f6a809b7c4c9a8f4adb5b25808dd68000e17aa2 Mon Sep 17 00:00:00 2001`
			`From: mancha <mancha1@hush.com>`
			`Date: Wed, 04 Dec 2013`
			`Subject: restrict "su -c" only when callee is not root`

			`Shadow 4.1.5 addressed a tty-hijacking vulnerability in "su -c"`
			`(CVE-2005-4890) by detaching the controlling terminal in the non-PAM`
			`case via a TIOCNOTTY request.`

			`Bi-directional protection is excessive and breaks a commonly-used`
			`methods for privilege escalation on non-PAM systems (e.g. xterm -e`
			`/bin/su -s /bin/bash -c /bin/bash myscript).`

			`This patch relaxes the restriction and only detaches the controlling`
			`tty when the callee is not root (which is, after all, the threat vector).`

			`---`
			`src/su.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`--- a/src/su.c`
			`+++ b/src/su.c`
			`@@ -1076,10 +1076,10 @@ int main (int argc, char **argv)`

			`set_environment (pw);`

			`- if (!doshell) {`
			`+ if (!doshell && pw->pw_uid != 0) {`
			`/* There is no need for a controlling terminal.`
			`* This avoids the callee to inject commands on`
			`- * the caller's tty. */`
			`+ * the caller's tty when the callee is not root. */`
			`int err = -1;`

			`#ifdef USE_PAM`