Bug 168436 - RHEL4: login will attempt to run if it has no read/write access to its terminal
RHEL4: login will attempt to run if it has no read/write access to its terminal
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: util-linux (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Karel Zak
Ben Levenson
:
Depends On:
Blocks: 168429
  Show dependency treegraph
 
Reported: 2005-09-15 18:25 EDT by Jason Vas Dias
Modified: 2007-11-30 17:07 EST (History)
0 users

See Also:
Fixed In Version: RHBA-2006-0061
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-03-07 13:04:55 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jason Vas Dias 2005-09-15 18:25:13 EDT
Description of problem:

If you manage to exec login with a userid other than root, and its input /
output directed to a terminal for which it does not have read/write access,
it will attempt to proceed and can potentially hang forever (see bug 168434).

This was a root cause of mgetty bug 167830, in which mgetty ran login for
a terminal that the userid did not have read/write access for (this problem
will be fixed in a future mgetty release) - but mgetty was doing:
    p = fork();
    if (p==0) 
    {
       redirect stdin / stdout to terminal
       setuid() and setgid() to userid configured in login.config
       exec /bin/login 
    }

If this happens, login could hang forever - it never checks if it has 
read / write access to its terminal before it does tcsetattr(0...) .

I propose making login do so , in check_ttyname(), where it already does 
an lstat:

login.c, @ line 280:
static void
check_ttyname(char *ttyn) {
	struct stat statbuf;

	if (lstat(ttyn, &statbuf)
	    || !S_ISCHR(statbuf.st_mode)
	    || (statbuf.st_nlink > 1 && strncmp(ttyn, "/dev/", 5))
+           || (access(ttyn,R_OK | W_OK) != 0))                                
                                          
        {
		syslog(LOG_ERR, _("FATAL: bad tty"));
		sleep(1);
		exit(1);
	}
}

Version-Release number of selected component (if applicable):
ALL

How reproducible:
100%

Steps to Reproduce:
Exec login with stdin/stdout directed to a terminal for which it does not
have read+write access
  
Actual results:
login can hang forever or exit with unpredictable results

Expected results:
login should exit with an error

Additional info:
mgetty configuration to reproduce this available on request
Comment 1 Karel Zak 2005-10-03 10:36:51 EDT
Thanks. Add to RHEL proposed list.
Comment 6 Red Hat Bugzilla 2006-03-07 13:04:56 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0061.html

Note You need to log in before you can comment on or make changes to this bug.