mirror of
git://slackware.nl/current.git
synced 2024-12-31 10:28:29 +01:00
646a5c1cbf
a/pkgtools-15.0-noarch-13.txz: Rebuilt. installpkg: default line length for --terselength is the number of columns. removepkg: added --terse mode. upgradepkg: default line length for --terselength is the number of columns. upgradepkg: accept -option in addition to --option. ap/vim-8.1.0026-x86_64-1.txz: Upgraded. d/bison-3.0.5-x86_64-1.txz: Upgraded. e/emacs-26.1-x86_64-1.txz: Upgraded. kde/kopete-4.14.3-x86_64-8.txz: Rebuilt. Recompiled against libidn-1.35. n/conntrack-tools-1.4.5-x86_64-1.txz: Upgraded. n/libnetfilter_conntrack-1.0.7-x86_64-1.txz: Upgraded. n/libnftnl-1.1.0-x86_64-1.txz: Upgraded. n/links-2.16-x86_64-2.txz: Rebuilt. Rebuilt to enable X driver for -g mode. n/lynx-2.8.9dev.19-x86_64-1.txz: Upgraded. n/nftables-0.8.5-x86_64-1.txz: Upgraded. n/p11-kit-0.23.11-x86_64-1.txz: Upgraded. n/ulogd-2.0.7-x86_64-1.txz: Upgraded. n/whois-5.3.1-x86_64-1.txz: Upgraded. xap/network-manager-applet-1.8.12-x86_64-1.txz: Upgraded. xap/vim-gvim-8.1.0026-x86_64-1.txz: Upgraded.
55 lines
1.8 KiB
Diff
55 lines
1.8 KiB
Diff
su: properly clear child PID
|
|
|
|
If su is compiled with PAM support, it is possible for any local user
|
|
to send SIGKILL to other processes with root privileges. There are
|
|
only two conditions. First, the user must be able to perform su with
|
|
a successful login. This does NOT have to be the root user, even using
|
|
su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
|
|
can only be sent to processes which were executed after the su process.
|
|
It is not possible to send SIGKILL to processes which were already
|
|
running. I consider this as a security vulnerability, because I was
|
|
able to write a proof of concept which unlocked a screen saver of
|
|
another user this way.
|
|
|
|
diff --git a/src/su.c b/src/su.c
|
|
index f20d230..d86aa86 100644
|
|
--- a/src/su.c
|
|
+++ b/src/su.c
|
|
@@ -379,11 +379,13 @@ static void prepare_pam_close_session (void)
|
|
/* wake child when resumed */
|
|
kill (pid, SIGCONT);
|
|
stop = false;
|
|
+ } else {
|
|
+ pid_child = 0;
|
|
}
|
|
} while (!stop);
|
|
}
|
|
|
|
- if (0 != caught) {
|
|
+ if (0 != caught && 0 != pid_child) {
|
|
(void) fputs ("\n", stderr);
|
|
(void) fputs (_("Session terminated, terminating shell..."),
|
|
stderr);
|
|
@@ -393,9 +395,22 @@ static void prepare_pam_close_session (void)
|
|
snprintf (wait_msg, sizeof wait_msg, _(" ...waiting for child to terminate.\n"));
|
|
|
|
(void) signal (SIGALRM, kill_child);
|
|
+ (void) signal (SIGCHLD, catch_signals);
|
|
(void) alarm (2);
|
|
|
|
- (void) wait (&status);
|
|
+ sigemptyset (&ourset);
|
|
+ if ((sigaddset (&ourset, SIGALRM) != 0)
|
|
+ || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
|
|
+ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
|
|
+ kill_child (0);
|
|
+ } else {
|
|
+ while (0 == waitpid (pid_child, &status, WNOHANG)) {
|
|
+ sigsuspend (&ourset);
|
|
+ }
|
|
+ pid_child = 0;
|
|
+ (void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
|
|
+ }
|
|
+
|
|
(void) fputs (_(" ...terminated.\n"), stderr);
|
|
}
|