Description of problem: If you manage to exec login with a userid other than root, and its input / output directed to a terminal for which it does not have read/write access, it will attempt to proceed and can potentially hang forever (see bug 168434). This was a root cause of mgetty bug 167830, in which mgetty ran login for a terminal that the userid did not have read/write access for (this problem will be fixed in a future mgetty release) - but mgetty was doing: p = fork(); if (p==0) { redirect stdin / stdout to terminal setuid() and setgid() to userid configured in login.config exec /bin/login } If this happens, login could hang forever - it never checks if it has read / write access to its terminal before it does tcsetattr(0...) . I propose making login do so , in check_ttyname(), where it already does an lstat: login.c, @ line 280: static void check_ttyname(char *ttyn) { struct stat statbuf; if (lstat(ttyn, &statbuf) || !S_ISCHR(statbuf.st_mode) || (statbuf.st_nlink > 1 && strncmp(ttyn, "/dev/", 5)) + || (access(ttyn,R_OK | W_OK) != 0)) { syslog(LOG_ERR, _("FATAL: bad tty")); sleep(1); exit(1); } } Version-Release number of selected component (if applicable): ALL How reproducible: 100% Steps to Reproduce: Exec login with stdin/stdout directed to a terminal for which it does not have read+write access Actual results: login can hang forever or exit with unpredictable results Expected results: login should exit with an error Additional info: mgetty configuration to reproduce this available on request
Thanks. Add to RHEL proposed list.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2006-0061.html