Bug 168436 - RHEL4: login will attempt to run if it has no read/write access to its terminal
Summary: RHEL4: login will attempt to run if it has no read/write access to its terminal
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: util-linux   
(Show other bugs)
Version: 4.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Karel Zak
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 168429
TreeView+ depends on / blocked
 
Reported: 2005-09-15 22:25 UTC by Jason Vas Dias
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version: RHBA-2006-0061
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-03-07 18:04:55 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2006:0061 qe-ready SHIPPED_LIVE util-linux bug fix update 2006-03-06 05:00:00 UTC

Description Jason Vas Dias 2005-09-15 22:25:13 UTC
Description of problem:

If you manage to exec login with a userid other than root, and its input /
output directed to a terminal for which it does not have read/write access,
it will attempt to proceed and can potentially hang forever (see bug 168434).

This was a root cause of mgetty bug 167830, in which mgetty ran login for
a terminal that the userid did not have read/write access for (this problem
will be fixed in a future mgetty release) - but mgetty was doing:
    p = fork();
    if (p==0) 
    {
       redirect stdin / stdout to terminal
       setuid() and setgid() to userid configured in login.config
       exec /bin/login 
    }

If this happens, login could hang forever - it never checks if it has 
read / write access to its terminal before it does tcsetattr(0...) .

I propose making login do so , in check_ttyname(), where it already does 
an lstat:

login.c, @ line 280:
static void
check_ttyname(char *ttyn) {
	struct stat statbuf;

	if (lstat(ttyn, &statbuf)
	    || !S_ISCHR(statbuf.st_mode)
	    || (statbuf.st_nlink > 1 && strncmp(ttyn, "/dev/", 5))
+           || (access(ttyn,R_OK | W_OK) != 0))                                
                                          
        {
		syslog(LOG_ERR, _("FATAL: bad tty"));
		sleep(1);
		exit(1);
	}
}

Version-Release number of selected component (if applicable):
ALL

How reproducible:
100%

Steps to Reproduce:
Exec login with stdin/stdout directed to a terminal for which it does not
have read+write access
  
Actual results:
login can hang forever or exit with unpredictable results

Expected results:
login should exit with an error

Additional info:
mgetty configuration to reproduce this available on request

Comment 1 Karel Zak 2005-10-03 14:36:51 UTC
Thanks. Add to RHEL proposed list.

Comment 6 Red Hat Bugzilla 2006-03-07 18:04:56 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0061.html



Note You need to log in before you can comment on or make changes to this bug.