#* CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal
# has been fixed by disabling the use of pt_chown (Bugzilla #15755).
# Distributions can re-enable building and using pt_chown via the new configure
# option `--enable-pt_chown'. Enabling the use of pt_chown carries with it
# considerable security risks and should only be used if the distribution
# understands and accepts the risks.
#
#2013-07-21 Siddhesh Poyarekar <siddhesh@redhat.com>
# Andreas Schwab <schwab@suse.de>
# Roland McGrath <roland@hack.frob.com>
# Joseph Myers <joseph@codesourcery.com>
# Carlos O'Donell <carlos@redhat.com>
#
# [BZ #15755]
# * config.h.in: Define HAVE_PT_CHOWN.
# * config.make.in (build-pt-chown): New variable.
# * configure.in (--enable-pt_chown): New configure option.
# * configure: Regenerate.
# * login/Makefile: Include Makeconfig. Build pt_chown only if
# build-pt-chown is enabled.
# * sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn
# pt_chown to fix pty ownership.
# * sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define
# CLOSE_ALL_FDS.
# * manual/install.texi (Configuring and compiling): Mention
# --enable-pt_chown. Add @findex for grantpt.
# * INSTALL: Regenerate.
#
diff -Nurp glibc-2.14.1.orig/config.h.in glibc-2.14.1/config.h.in
--- glibc-2.14.1.orig/config.h.in 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1/config.h.in 2013-10-06 16:14:33.757668256 +0300
@@ -229,6 +229,9 @@
 #undef HAVE__CTYPE
 #undef HAVE__LOCP
+/* The pt_chown binary is being built and used by grantpt. */
+#undef HAVE_PT_CHOWN
+
 #endif
 /*
diff -Nurp glibc-2.14.1.orig/config.make.in glibc-2.14.1/config.make.in
--- glibc-2.14.1.orig/config.make.in 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1/config.make.in 2013-10-06 16:18:32.312808847 +0300
@@ -102,6 +102,7 @@ add-on-subdirs = @add_on_subdirs@
 sysdeps-add-ons = @sysdeps_add_ons@
 cross-compiling = @cross_compiling@
 force-install = @force_install@
+build-pt-chown = @build_pt_chown@
 # Build tools.
 CC = @CC@
diff -Nurp glibc-2.14.1.orig/configure glibc-2.14.1/configure
--- glibc-2.14.1.orig/configure 2013-10-06 15:45:04.409580949 +0300
+++ glibc-2.14.1/configure 2013-10-06 16:17:41.941724570 +0300
@@ -682,6 +682,7 @@ multi_arch base_machine add_on_subdirs add_ons +build_pt_chown libc_cv_nss_crypt experimental_malloc all_warnings
@@ -784,6 +785,7 @@ enable_all_warnings enable_multi_arch enable_experimental_malloc enable_nss_crypt +enable_pt_chown with_cpu ' ac_precious_vars='build_alias
@@ -1444,6 +1446,7 @@ Optional Features: --enable-experimental-malloc enable experimental malloc features --enable-nss-crypt enable libcrypt to use nss + --enable-pt_chown Enable building and installing pt_chown Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -3823,6 +3826,19 @@ else fi +# Check whether --enable-pt_chown was given. +if test "${enable_pt_chown+set}" = set; then : + enableval=$enable_pt_chown; build_pt_chown=$enableval +else + build_pt_chown=no +fi + + +if test $build_pt_chown = yes; then + $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h + +fi + # The way shlib-versions is used to generate soversions.mk uses a # fairly simplistic model for name recognition that can't distinguish # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os
diff -Nurp glibc-2.14.1.orig/configure.in glibc-2.14.1/configure.in
--- glibc-2.14.1.orig/configure.in 2013-10-06 15:45:04.409580949 +0300
+++ glibc-2.14.1/configure.in 2013-10-06 16:14:33.797669128 +0300
@@ -316,6 +316,16 @@ else
 fi
 AC_SUBST(libc_cv_nss_crypt)
+AC_ARG_ENABLE([pt_chown],
+ [AS_HELP_STRING([--enable-pt_chown],
+ [Enable building and installing pt_chown])],
+ [build_pt_chown=$enableval],
+ [build_pt_chown=no])
+AC_SUBST(build_pt_chown)
+if test $build_pt_chown = yes; then
+ AC_DEFINE(HAVE_PT_CHOWN)
+fi
+
 # The way shlib-versions is used to generate soversions.mk uses a
 # fairly simplistic model for name recognition that can't distinguish
 # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os
diff -Nurp glibc-2.14.1.orig/INSTALL glibc-2.14.1/INSTALL
--- glibc-2.14.1.orig/INSTALL 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1/INSTALL 2013-10-06 16:14:33.797669128 +0300
@@ -138,6 +138,18 @@ will be used, and CFLAGS sets optimizati this can be prevented though there generally is no reason since it creates compatibility problems. +`--enable-pt_chown' + The file `pt_chown' is a helper binary for `grantpt' (*note + Pseudo-Terminals: Allocation.) that is installed setuid root to + fix up pseudo-terminal ownership. It is not built by default + because systems using the Linux kernel are commonly built with the + `devpts' filesystem enabled and mounted at `/dev/pts', which + manages pseudo-terminal ownership automatically. By using + `--enable-pt_chown', you may build `pt_chown' and install it + setuid and owned by `root'. The use of `pt_chown' introduces + additional security risks to the system and you should enable it + only if you understand and accept those risks. + `--build=BUILD-SYSTEM' `--host=HOST-SYSTEM' These options are for cross-compiling. If you specify both
diff -Nurp glibc-2.14.1.orig/login/Makefile glibc-2.14.1/login/Makefile
--- glibc-2.14.1.orig/login/Makefile 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1/login/Makefile 2013-10-06 16:14:33.797669128 +0300
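Review bot: The added `if test $build_pt_chown = yes; then` in the configure.in hunk expands the variable unquoted, so `--enable-pt_chown=` with an empty value makes `test` print a syntax error (the branch is still skipped); `if test "$build_pt_chown" = yes; then` avoids that. Because the enabled branch leads to a setuid-root helper being installed, a visible message in that branch, for example `AC_MSG_WARN([pt_chown will be built and installed setuid root])`, would put the decision into the build log. Any value other than `yes` is treated as disabled, which is the safe direction but is not stated in the help string.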
@@ -29,9 +29,15 @@ routines := getutent getutent_r getutid
 CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"'
-others = utmpdump pt_chown
+others = utmpdump
+
+include ../Makeconfig
+
+ifeq (yes,$(build-pt-chown))
+others += pt_chown
 others-pie = pt_chown
 install-others-programs = $(inst_libexecdir)/pt_chown
+endif
 distribute := utmp-private.h utmp-equal.h pty-private.h
diff -Nurp glibc-2.14.1.orig/manual/install.texi glibc-2.14.1/manual/install.texi
--- glibc-2.14.1.orig/manual/install.texi 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1/manual/install.texi 2013-10-06 16:14:33.797669128 +0300
@@ -160,6 +160,20 @@ if the used tools support it. By using
 prevented though there generally is no reason since it creates compatibility problems.
+@pindex pt_chown
+@findex grantpt
+@item --enable-pt_chown
+The file @file{pt_chown} is a helper binary for @code{grantpt}
+(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to
+fix up pseudo-terminal ownership. It is not built by default because
+systems using the Linux kernel are commonly built with the @code{devpts}
+filesystem enabled and mounted at @file{/dev/pts}, which manages
+pseudo-terminal ownership automatically. By using
+@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it
+setuid and owned by @code{root}. The use of @file{pt_chown} introduces
+additional security risks to the system and you should enable it only if
+you understand and accept those risks.
+
 @item --build=@var{build-system}
 @itemx --host=@var{host-system}
 These options are for cross-compiling. If you specify both options and
diff -Nurp glibc-2.14.1.orig/sysdeps/unix/grantpt.c glibc-2.14.1/sysdeps/unix/grantpt.c
--- glibc-2.14.1.orig/sysdeps/unix/grantpt.c 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1/sysdeps/unix/grantpt.c 2013-10-06 16:14:33.797669128 +0300
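Review bot: With `pt_chown` now added to `others` and `install-others-programs` only inside the `ifeq (yes,$(build-pt-chown))` block, nothing in the login/Makefile hunk removes a setuid-root `$(inst_libexecdir)/pt_chown` left by an earlier install, so an in-place upgrade can leave the old helper on disk and directly runnable. A comment above the `ifeq` would make that visible to packagers, for example `# pt_chown is installed setuid root; a copy left by an earlier install is not removed when this is disabled.` Whether install rules outside this hunk clean it up cannot be seen from here.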
@@ -174,9 +174,10 @@ grantpt (int fd)
 retval = 0;
 goto cleanup;
- /* We have to use the helper program. */
+ /* We have to use the helper program if it is available. */
 helper:;
+#ifdef HAVE_PT_CHOWN
 pid_t pid = __fork ();
 if (pid == -1)
 goto cleanup;
@@ -191,9 +192,9 @@ grantpt (int fd)
 if (__dup2 (fd, PTY_FILENO) < 0)
 _exit (FAIL_EBADF);
-#ifdef CLOSE_ALL_FDS
+#ifdef CLOSE_ALL_FDS
 CLOSE_ALL_FDS ();
-#endif
+#endif
 execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL);
 _exit (FAIL_EXEC);
@@ -232,6 +233,7 @@ grantpt (int fd)
 assert(! "getpt: internal error: invalid exit code from pt_chown");
 }
 }
+#endif
 cleanup:
 if (buf != _buf)
diff -Nurp glibc-2.14.1.orig/sysdeps/unix/sysv/linux/grantpt.c glibc-2.14.1/sysdeps/unix/sysv/linux/grantpt.c
--- glibc-2.14.1.orig/sysdeps/unix/sysv/linux/grantpt.c 2011-10-07 12:48:55.000000000 +0300
+++ glibc-2.14.1/sysdeps/unix/sysv/linux/grantpt.c 2013-10-06 16:14:33.797669128 +0300
@@ -10,7 +10,7 @@
 #include "not-cancel.h"
 #include "pty-private.h"
-
+#if HAVE_PT_CHOWN
 /* Close all file descriptors except the one specified. */
 static void
 close_all_fds (void)
@@ -37,6 +37,7 @@ close_all_fds (void)
 __dup2 (STDOUT_FILENO, STDERR_FILENO);
 }
 }
-#define CLOSE_ALL_FDS() close_all_fds()
+# define CLOSE_ALL_FDS() close_all_fds()
+#endif
 #include <sysdeps/unix/grantpt.c>
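Review bot: When `HAVE_PT_CHOWN` is undefined, the `helper:;` label in the first sysdeps/unix/grantpt.c hunk falls straight through to `cleanup:` (the matching `#endif` is added in the third hunk), so every `goto helper` becomes a plain failure return, and the reworded comment does not say that. I would spell it out, for example `/* Without HAVE_PT_CHOWN there is no helper: fall through to cleanup and report the failure of the call that sent us here.  */`. The initial value of `retval` and the `goto helper` sites lie outside these hunks, so what the caller sees in errno should be confirmed against the full function before the comment is written. The second hunk appears to change only whitespace on the `#ifdef CLOSE_ALL_FDS` and `#endif` lines.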
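Review bot: The guard added in sysdeps/unix/sysv/linux/grantpt.c is `#if HAVE_PT_CHOWN`, while sysdeps/unix/grantpt.c tests the same macro with `#ifdef HAVE_PT_CHOWN`, and the two disagree if the macro is ever defined as `0`. In that case the fork/exec path is compiled in but `CLOSE_ALL_FDS` is not, and the existing `#ifdef CLOSE_ALL_FDS` guard would silently skip closing inherited descriptors before the setuid helper is executed. Writing `#ifdef HAVE_PT_CHOWN` here keeps both files on one test. The configure change on this page only emits `#define HAVE_PT_CHOWN 1`, so this matters for a hand-edited or distribution-patched config.h.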