|
|
29e444 |
#* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal
|
|
|
29e444 |
# has been fixed by disabling the use of pt_chown (Bugzilla #15755).
|
|
|
29e444 |
# Distributions can re-enable building and using pt_chown via the new configure
|
|
|
29e444 |
# option `--enable-pt_chown'. Enabling the use of pt_chown carries with it
|
|
|
29e444 |
# considerable security risks and should only be used if the distribution
|
|
|
29e444 |
# understands and accepts the risks.
|
|
|
29e444 |
#
|
|
|
29e444 |
#2013-07-21 Siddhesh Poyarekar <siddhesh@redhat.com>
|
|
|
29e444 |
# Andreas Schwab <schwab@suse.de>
|
|
|
29e444 |
# Roland McGrath <roland@hack.frob.com>
|
|
|
29e444 |
# Joseph Myers <joseph@codesourcery.com>
|
|
|
29e444 |
# Carlos O'Donell <carlos@redhat.com>
|
|
|
29e444 |
#
|
|
|
29e444 |
# [BZ #15755]
|
|
|
29e444 |
# * config.h.in: Define HAVE_PT_CHOWN.
|
|
|
29e444 |
# * config.make.in (build-pt-chown): New variable.
|
|
|
29e444 |
# * configure.in (--enable-pt_chown): New configure option.
|
|
|
29e444 |
# * configure: Regenerate.
|
|
|
29e444 |
# * login/Makefile: Include Makeconfig. Build pt_chown only if
|
|
|
29e444 |
# build-pt-chown is enabled.
|
|
|
29e444 |
# * sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn
|
|
|
29e444 |
# pt_chown to fix pty ownership.
|
|
|
29e444 |
# * sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define
|
|
|
29e444 |
# CLOSE_ALL_FDS.
|
|
|
29e444 |
# * manual/install.texi (Configuring and compiling): Mention
|
|
|
29e444 |
# --enable-pt_chown. Add @findex for grantpt.
|
|
|
29e444 |
# * INSTALL: Regenerate.
|
|
|
29e444 |
#
|
|
|
29e444 |
diff -Nrup a/config.h.in b/config.h.in
|
|
|
29e444 |
--- a/config.h.in 2012-12-24 22:02:13.000000000 -0500
|
|
|
29e444 |
+++ b/config.h.in 2013-07-24 00:20:07.651301252 -0400
|
|
|
29e444 |
@@ -232,4 +232,7 @@
|
|
|
29e444 |
/* The ARM hard-float ABI is being used. */
|
|
|
29e444 |
#undef HAVE_ARM_PCS_VFP
|
|
|
29e444 |
|
|
|
29e444 |
+/* The pt_chown binary is being built and used by grantpt. */
|
|
|
29e444 |
+#undef HAVE_PT_CHOWN
|
|
|
29e444 |
+
|
|
|
29e444 |
#endif
|
|
|
29e444 |
diff -Nrup a/config.make.in b/config.make.in
|
|
|
29e444 |
--- a/config.make.in 2012-12-24 22:02:13.000000000 -0500
|
|
|
29e444 |
+++ b/config.make.in 2013-07-24 00:21:15.244176098 -0400
|
|
|
29e444 |
@@ -101,6 +101,7 @@ force-install = @force_install@
|
|
|
29e444 |
link-obsolete-rpc = @link_obsolete_rpc@
|
|
|
29e444 |
build-nscd = @build_nscd@
|
|
|
29e444 |
use-nscd = @use_nscd@
|
|
|
29e444 |
+build-pt-chown = @build_pt_chown@
|
|
|
29e444 |
|
|
|
29e444 |
# Build tools.
|
|
|
29e444 |
CC = @CC@
|
|
|
29e444 |
diff -Nrup a/configure b/configure
|
|
|
29e444 |
--- a/configure 2013-07-24 00:25:10.090174244 -0400
|
|
|
29e444 |
+++ b/configure 2013-07-24 00:20:07.769174345 -0400
|
|
|
29e444 |
@@ -653,6 +653,7 @@ multi_arch
|
|
|
29e444 |
base_machine
|
|
|
29e444 |
add_on_subdirs
|
|
|
29e444 |
add_ons
|
|
|
29e444 |
+build_pt_chown
|
|
|
29e444 |
build_nscd
|
|
|
29e444 |
link_obsolete_rpc
|
|
|
29e444 |
libc_cv_nss_crypt
|
|
|
29e444 |
@@ -759,6 +760,7 @@ enable_obsolete_rpc
|
|
|
29e444 |
enable_systemtap
|
|
|
29e444 |
enable_build_nscd
|
|
|
29e444 |
enable_nscd
|
|
|
29e444 |
+enable_pt_chown
|
|
|
29e444 |
with_cpu
|
|
|
29e444 |
'
|
|
|
29e444 |
ac_precious_vars='build_alias
|
|
|
29e444 |
@@ -1419,6 +1421,7 @@ Optional Features:
|
|
|
29e444 |
--enable-systemtap enable systemtap static probe points [default=no]
|
|
|
29e444 |
--disable-build-nscd disable building and installing the nscd daemon
|
|
|
29e444 |
--disable-nscd library functions will not contact the nscd daemon
|
|
|
29e444 |
+ --enable-pt_chown Enable building and installing pt_chown
|
|
|
29e444 |
|
|
|
29e444 |
Optional Packages:
|
|
|
29e444 |
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
|
|
|
29e444 |
@@ -3934,6 +3937,19 @@ else
|
|
|
29e444 |
fi
|
|
|
29e444 |
|
|
|
29e444 |
|
|
|
29e444 |
+# Check whether --enable-pt_chown was given.
|
|
|
29e444 |
+if test "${enable_pt_chown+set}" = set; then :
|
|
|
29e444 |
+ enableval=$enable_pt_chown; build_pt_chown=$enableval
|
|
|
29e444 |
+else
|
|
|
29e444 |
+ build_pt_chown=no
|
|
|
29e444 |
+fi
|
|
|
29e444 |
+
|
|
|
29e444 |
+
|
|
|
29e444 |
+if test $build_pt_chown = yes; then
|
|
|
29e444 |
+ $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h
|
|
|
29e444 |
+
|
|
|
29e444 |
+fi
|
|
|
29e444 |
+
|
|
|
29e444 |
# The way shlib-versions is used to generate soversions.mk uses a
|
|
|
29e444 |
# fairly simplistic model for name recognition that can't distinguish
|
|
|
29e444 |
# i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os
|
|
|
29e444 |
diff -Nrup a/configure.in b/configure.in
|
|
|
29e444 |
--- a/configure.in 2012-12-24 22:02:13.000000000 -0500
|
|
|
29e444 |
+++ b/configure.in 2013-07-24 00:20:07.658298658 -0400
|
|
|
29e444 |
@@ -315,6 +315,16 @@ AC_ARG_ENABLE([nscd],
|
|
|
29e444 |
[use_nscd=$enableval],
|
|
|
29e444 |
[use_nscd=yes])
|
|
|
29e444 |
|
|
|
29e444 |
+AC_ARG_ENABLE([pt_chown],
|
|
|
29e444 |
+ [AS_HELP_STRING([--enable-pt_chown],
|
|
|
29e444 |
+ [Enable building and installing pt_chown])],
|
|
|
29e444 |
+ [build_pt_chown=$enableval],
|
|
|
29e444 |
+ [build_pt_chown=no])
|
|
|
29e444 |
+AC_SUBST(build_pt_chown)
|
|
|
29e444 |
+if test $build_pt_chown = yes; then
|
|
|
29e444 |
+ AC_DEFINE(HAVE_PT_CHOWN)
|
|
|
29e444 |
+fi
|
|
|
29e444 |
+
|
|
|
29e444 |
# The way shlib-versions is used to generate soversions.mk uses a
|
|
|
29e444 |
# fairly simplistic model for name recognition that can't distinguish
|
|
|
29e444 |
# i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os
|
|
|
29e444 |
diff -Nrup a/INSTALL b/INSTALL
|
|
|
29e444 |
--- a/INSTALL 2012-12-24 22:02:13.000000000 -0500
|
|
|
29e444 |
+++ b/INSTALL 2013-07-24 00:20:07.650300624 -0400
|
|
|
29e444 |
@@ -128,6 +128,18 @@ will be used, and CFLAGS sets optimizati
|
|
|
29e444 |
this can be prevented though there generally is no reason since it
|
|
|
29e444 |
creates compatibility problems.
|
|
|
29e444 |
|
|
|
29e444 |
+`--enable-pt_chown'
|
|
|
29e444 |
+ The file `pt_chown' is a helper binary for `grantpt' (*note
|
|
|
29e444 |
+ Pseudo-Terminals: Allocation.) that is installed setuid root to
|
|
|
29e444 |
+ fix up pseudo-terminal ownership. It is not built by default
|
|
|
29e444 |
+ because systems using the Linux kernel are commonly built with the
|
|
|
29e444 |
+ `devpts' filesystem enabled and mounted at `/dev/pts', which
|
|
|
29e444 |
+ manages pseudo-terminal ownership automatically. By using
|
|
|
29e444 |
+ `--enable-pt_chown', you may build `pt_chown' and install it
|
|
|
29e444 |
+ setuid and owned by `root'. The use of `pt_chown' introduces
|
|
|
29e444 |
+ additional security risks to the system and you should enable it
|
|
|
29e444 |
+ only if you understand and accept those risks.
|
|
|
29e444 |
+
|
|
|
29e444 |
`--build=BUILD-SYSTEM'
|
|
|
29e444 |
`--host=HOST-SYSTEM'
|
|
|
29e444 |
These options are for cross-compiling. If you specify both
|
|
|
29e444 |
diff -Nrup a/login/Makefile b/login/Makefile
|
|
|
29e444 |
--- a/login/Makefile 2012-12-24 22:02:13.000000000 -0500
|
|
|
29e444 |
+++ b/login/Makefile 2013-07-24 00:20:07.660298670 -0400
|
|
|
29e444 |
@@ -29,9 +29,15 @@ routines := getutent getutent_r getutid
|
|
|
29e444 |
|
|
|
29e444 |
CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"'
|
|
|
29e444 |
|
|
|
29e444 |
-others = utmpdump pt_chown
|
|
|
29e444 |
+others = utmpdump
|
|
|
29e444 |
+
|
|
|
29e444 |
+include ../Makeconfig
|
|
|
29e444 |
+
|
|
|
29e444 |
+ifeq (yes,$(build-pt-chown))
|
|
|
29e444 |
+others += pt_chown
|
|
|
29e444 |
others-pie = pt_chown
|
|
|
29e444 |
install-others-programs = $(inst_libexecdir)/pt_chown
|
|
|
29e444 |
+endif
|
|
|
29e444 |
|
|
|
29e444 |
subdir-dirs = programs
|
|
|
29e444 |
vpath %.c programs
|
|
|
29e444 |
diff -Nrup a/manual/install.texi b/manual/install.texi
|
|
|
29e444 |
--- a/manual/install.texi 2012-12-24 22:02:13.000000000 -0500
|
|
|
29e444 |
+++ b/manual/install.texi 2013-07-24 00:20:07.662298261 -0400
|
|
|
29e444 |
@@ -155,6 +155,20 @@ if the used tools support it. By using
|
|
|
29e444 |
prevented though there generally is no reason since it creates
|
|
|
29e444 |
compatibility problems.
|
|
|
29e444 |
|
|
|
29e444 |
+@pindex pt_chown
|
|
|
29e444 |
+@findex grantpt
|
|
|
29e444 |
+@item --enable-pt_chown
|
|
|
29e444 |
+The file @file{pt_chown} is a helper binary for @code{grantpt}
|
|
|
29e444 |
+(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to
|
|
|
29e444 |
+fix up pseudo-terminal ownership. It is not built by default because
|
|
|
29e444 |
+systems using the Linux kernel are commonly built with the @code{devpts}
|
|
|
29e444 |
+filesystem enabled and mounted at @file{/dev/pts}, which manages
|
|
|
29e444 |
+pseudo-terminal ownership automatically. By using
|
|
|
29e444 |
+@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it
|
|
|
29e444 |
+setuid and owned by @code{root}. The use of @file{pt_chown} introduces
|
|
|
29e444 |
+additional security risks to the system and you should enable it only if
|
|
|
29e444 |
+you understand and accept those risks.
|
|
|
29e444 |
+
|
|
|
29e444 |
@item --build=@var{build-system}
|
|
|
29e444 |
@itemx --host=@var{host-system}
|
|
|
29e444 |
These options are for cross-compiling. If you specify both options and
|
|
|
29e444 |
diff -Nrup a/sysdeps/unix/grantpt.c b/sysdeps/unix/grantpt.c
|
|
|
29e444 |
--- a/sysdeps/unix/grantpt.c 2012-12-24 22:02:13.000000000 -0500
|
|
|
29e444 |
+++ b/sysdeps/unix/grantpt.c 2013-07-24 00:20:07.663299235 -0400
|
|
|
29e444 |
@@ -173,9 +173,10 @@ grantpt (int fd)
|
|
|
29e444 |
retval = 0;
|
|
|
29e444 |
goto cleanup;
|
|
|
29e444 |
|
|
|
29e444 |
- /* We have to use the helper program. */
|
|
|
29e444 |
+ /* We have to use the helper program if it is available. */
|
|
|
29e444 |
helper:;
|
|
|
29e444 |
|
|
|
29e444 |
+#ifdef HAVE_PT_CHOWN
|
|
|
29e444 |
pid_t pid = __fork ();
|
|
|
29e444 |
if (pid == -1)
|
|
|
29e444 |
goto cleanup;
|
|
|
29e444 |
@@ -190,9 +191,9 @@ grantpt (int fd)
|
|
|
29e444 |
if (__dup2 (fd, PTY_FILENO) < 0)
|
|
|
29e444 |
_exit (FAIL_EBADF);
|
|
|
29e444 |
|
|
|
29e444 |
-#ifdef CLOSE_ALL_FDS
|
|
|
29e444 |
+# ifdef CLOSE_ALL_FDS
|
|
|
29e444 |
CLOSE_ALL_FDS ();
|
|
|
29e444 |
-#endif
|
|
|
29e444 |
+# endif
|
|
|
29e444 |
|
|
|
29e444 |
execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL);
|
|
|
29e444 |
_exit (FAIL_EXEC);
|
|
|
29e444 |
@@ -231,6 +232,7 @@ grantpt (int fd)
|
|
|
29e444 |
assert(! "getpt: internal error: invalid exit code from pt_chown");
|
|
|
29e444 |
}
|
|
|
29e444 |
}
|
|
|
29e444 |
+#endif
|
|
|
29e444 |
|
|
|
29e444 |
cleanup:
|
|
|
29e444 |
if (buf != _buf)
|
|
|
29e444 |
diff -Nrup a/sysdeps/unix/sysv/linux/grantpt.c b/sysdeps/unix/sysv/linux/grantpt.c
|
|
|
29e444 |
--- a/sysdeps/unix/sysv/linux/grantpt.c 2012-12-24 22:02:13.000000000 -0500
|
|
|
29e444 |
+++ b/sysdeps/unix/sysv/linux/grantpt.c 2013-07-24 00:20:07.664298465 -0400
|
|
|
29e444 |
@@ -11,7 +11,7 @@
|
|
|
29e444 |
|
|
|
29e444 |
#include "pty-private.h"
|
|
|
29e444 |
|
|
|
29e444 |
-
|
|
|
29e444 |
+#if HAVE_PT_CHOWN
|
|
|
29e444 |
/* Close all file descriptors except the one specified. */
|
|
|
29e444 |
static void
|
|
|
29e444 |
close_all_fds (void)
|
|
|
29e444 |
@@ -38,6 +38,7 @@ close_all_fds (void)
|
|
|
29e444 |
__dup2 (STDOUT_FILENO, STDERR_FILENO);
|
|
|
29e444 |
}
|
|
|
29e444 |
}
|
|
|
29e444 |
-#define CLOSE_ALL_FDS() close_all_fds()
|
|
|
29e444 |
+# define CLOSE_ALL_FDS() close_all_fds()
|
|
|
29e444 |
+#endif
|
|
|
29e444 |
|
|
|
29e444 |
#include <sysdeps/unix/grantpt.c>
|