From: nekral-guest Date: Sat, 22 Nov 2008 23:22:16 +0000 (+0000) Subject: * NEWS, libmisc/chowntty.c: Fix a race condition that could lead to X-Git-Tag: 4.1.3~147 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=eb4097180b594215aa3d5d5cf67a172bf747e4af;p=shadow * NEWS, libmisc/chowntty.c: Fix a race condition that could lead to gaining ownership or changing mode of arbitrary files. --- diff --git a/ChangeLog b/ChangeLog index 02962127..31d5597f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2008-11-23 Nicolas François + + * NEWS, libmisc/chowntty.c: Fix a race condition that could lead to + gaining ownership or changing mode of arbitrary files. + 2008-10-11 Nicolas François * man/gshadow.5.xml, man/shadow.5.xml, man/passwd.5.xml, diff --git a/NEWS b/NEWS index 39ef4898..b91ec42e 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,6 @@ $Id$ -shadow-4.1.2.1 -> shadow-4.1.3 UNRELEASED +shadow-4.1.2.2 -> shadow-4.1.3 UNRELEASED *** general: - packaging @@ -59,6 +59,12 @@ shadow-4.1.2.1 -> shadow-4.1.3 UNRELEASED * Allow adding LDAP users (or any user not present in the local passwd file) to local groups +shadow-4.1.2.1 -> shadow-4.1.2.2 23-11-2008 + +*** security +- Fix a race condition in login that could lead to gaining ownership or + changing mode of arbitrary files. + shadow-4.1.2 -> shadow-4.1.2.1 26-06-2008 *** security diff --git a/libmisc/chowntty.c b/libmisc/chowntty.c index 0a68e337..4a4d0aeb 100644 --- a/libmisc/chowntty.c +++ b/libmisc/chowntty.c 
@@ -109,14 +109,14 @@ void chown_tty (const char *tty, const struct passwd *info)
 exit (1);
 }
- if ( (chown (tty, info->pw_uid, gid) != 0)
- || (chmod (tty, getdef_num ("TTYPERM", 0600)) != 0)) {
+ if ( (fchown (STDIN_FILENO, info->pw_uid, gid) != 0)
+ || (fchmod (STDIN_FILENO, getdef_num ("TTYPERM", 0600)) != 0)) {
 int err = errno;
- snprintf (buf, sizeof buf, _("Unable to change tty %s"), tty);
+ snprintf (buf, sizeof buf, _("Unable to change tty stdin"));
 perror (buf);
 SYSLOG ((LOG_WARN,
- "unable to change tty `%s' for user `%s'\n", tty,
+ "unable to change tty stdin for user `%s'\n",
 info->pw_name));
 closelog ();
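Review bot: The failure path after `fchown`/`fchmod` now records less than it could, because the SYSLOG format names neither the terminal nor the reason for the failure even though `err` already holds the saved errno. Within this hunk `tty` is no longer passed to any call that acts on a path, so keeping it in the message purely as a label looks harmless, and adding `strerror (err)` as a final argument with a matching `: %s` would let an operator see why the ownership or mode change failed. The `snprintf` into `buf` has no conversion left to expand, so `perror (_("Unable to change tty stdin"));` does the same work without using the translated text as a format string. chown_tty starts and ends outside the hunk, so the check that ties stdin to the expected terminal and the later use of `err` are not visible here.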