Bug 168436

Summary: RHEL4: login will attempt to run if it has no read/write access to its terminal
Product: Red Hat Enterprise Linux 4 Reporter: Jason Vas Dias <jvdias>
Component: util-linuxAssignee: Karel Zak <kzak>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2006-0061 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-03-07 18:04:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 168429    

Description Jason Vas Dias 2005-09-15 22:25:13 UTC
Description of problem:

If you manage to exec login with a userid other than root, and its input /
output directed to a terminal for which it does not have read/write access,
it will attempt to proceed and can potentially hang forever (see bug 168434).

This was a root cause of mgetty bug 167830, in which mgetty ran login for
a terminal that the userid did not have read/write access for (this problem
will be fixed in a future mgetty release) - but mgetty was doing:
    p = fork();
    if (p==0) 
    {
       redirect stdin / stdout to terminal
       setuid() and setgid() to userid configured in login.config
       exec /bin/login 
    }

If this happens, login could hang forever - it never checks if it has 
read / write access to its terminal before it does tcsetattr(0...) .

I propose making login do so , in check_ttyname(), where it already does 
an lstat:

login.c, @ line 280:
static void
check_ttyname(char *ttyn) {
	struct stat statbuf;

	if (lstat(ttyn, &statbuf)
	    || !S_ISCHR(statbuf.st_mode)
	    || (statbuf.st_nlink > 1 && strncmp(ttyn, "/dev/", 5))
+           || (access(ttyn,R_OK | W_OK) != 0))                                
                                          
        {
		syslog(LOG_ERR, _("FATAL: bad tty"));
		sleep(1);
		exit(1);
	}
}

Version-Release number of selected component (if applicable):
ALL

How reproducible:
100%

Steps to Reproduce:
Exec login with stdin/stdout directed to a terminal for which it does not
have read+write access
  
Actual results:
login can hang forever or exit with unpredictable results

Expected results:
login should exit with an error

Additional info:
mgetty configuration to reproduce this available on request

Comment 1 Karel Zak 2005-10-03 14:36:51 UTC
Thanks. Add to RHEL proposed list.

Comment 6 Red Hat Bugzilla 2006-03-07 18:04:56 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0061.html