Carlos O'Donell e4608715e6 CVE-2013-2207, BZ #15755: Disable pt_chown.
The helper binary pt_chown tricked into granting access to another
user's pseudo-terminal.

Pre-conditions for the attack:

 * Attacker with local user account
 * Kernel with FUSE support
 * "user_allow_other" in /etc/fuse.conf
 * Victim with allocated slave in /dev/pts

Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own.  It cannot access /dev/pts/ptmx however.

In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable hte use of pt_chown but distributions do so at their own
risk.
2013-07-21 15:39:55 -04:00

45 lines
1.0 KiB
C

#include <assert.h>
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <paths.h>
#include <stdlib.h>
#include <unistd.h>
#include <not-cancel.h>
#include "pty-private.h"
#if HAVE_PT_CHOWN
/* Close all file descriptors except the one specified. */
static void
close_all_fds (void)
{
DIR *dir = __opendir ("/proc/self/fd");
if (dir != NULL)
{
struct dirent64 *d;
while ((d = __readdir64 (dir)) != NULL)
if (isdigit (d->d_name[0]))
{
char *endp;
long int fd = strtol (d->d_name, &endp, 10);
if (*endp == '\0' && fd != PTY_FILENO && fd != dirfd (dir))
close_not_cancel_no_status (fd);
}
__closedir (dir);
int nullfd = open_not_cancel_2 (_PATH_DEVNULL, O_RDONLY);
assert (nullfd == STDIN_FILENO);
nullfd = open_not_cancel_2 (_PATH_DEVNULL, O_WRONLY);
assert (nullfd == STDOUT_FILENO);
__dup2 (STDOUT_FILENO, STDERR_FILENO);
}
}
# define CLOSE_ALL_FDS() close_all_fds()
#endif
#include <sysdeps/unix/grantpt.c>