This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] BZ #15755: CVE-2013-2207: pt_chown tricked into granting access to another users pseudo-terminal


On 07/19/2013 07:55 AM, Carlos O'Donell wrote:
> CVE-2013-2207: pt_chown tricked into granting access to another
> user's pseudo-terminal
> 
> Pre-conditions for the attack:
> 
>  * Attacker with local user account
>  * Kernel with FUSE support
>  * "user_allow_other" in /etc/fuse.conf
>  * Victim with allocated slave in /dev/pts
> 
> Using the setuid installed pt_chown and a weak check on whether a file
> descriptor is a tty, an attacker could fake a pty check using FUSE and
> trick pt_chown to grant ownership of a pty descriptor that the current
> user does not own.  It cannot access /dev/pts/ptmx, however.
> 
> pt_chown is not needed in most modern distributions since devpts is
> enabled by default.  So the fix is to add a configure option to
> enable building pt_chown.  This means that pt_chown will not be built
> by default.  Distributions will be required to avoid installing
> pt_chown in that case.
> 
> There is further discussion to be had around what is or is not valid
> for a FUSE filesystem to do and how glibc can help enforce some of that
> security in tcgetattr. However, first things first: we need to disable
> the use of pt_chown by default.
> 
> Siddhesh is out so I'm submitting this on his behalf.
> 
> OK to commit?


The patch looks fine to me,

thanks
Andreas
-- 
 Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
  SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
   GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)
    GPG fingerprint = 93A3 365E CE47 B889 DF7F  FED1 389A 563C C272 A126
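
Two of the pre-conditions in the quoted description (a setuid pt_chown and "user_allow_other" in /etc/fuse.conf) can be checked on a host, along with whether devpts makes the helper unnecessary. The script below is an added example, not part of the original message or of the glibc patch; the function names, the verdict strings and the default pt_chown path (overridable via PT_CHOWN) are assumptions.

```shell
#!/bin/sh
# Added example: checks a host for two of the listed pre-conditions.
# PT_CHOWN's default path and all function names are assumptions.
PT_CHOWN=${PT_CHOWN:-/usr/libexec/pt_chown}

# True if FILE contains an uncommented "user_allow_other" line.
fuse_allows_other() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# True if MOUNTS (/proc/mounts format) shows devpts mounted on /dev/pts.
devpts_mounted() {
    [ -r "$1" ] &&
        awk '$2 == "/dev/pts" && $3 == "devpts" { f = 1 } END { exit !f }' "$1"
}

# True if an octal mode string such as "4755" has the setuid bit (04000).
mode_is_setuid() {
    case "$1" in ''|*[!0-7]*) return 1 ;; esac
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# Print a verdict for: fuse.conf path, mounts path, pt_chown mode
# (pass an empty mode when pt_chown is not installed).
assess() {
    if ! mode_is_setuid "$3"; then
        echo "ok: no setuid pt_chown"
    elif fuse_allows_other "$1"; then
        echo "at-risk: setuid pt_chown and user_allow_other both present"
    elif devpts_mounted "$2"; then
        echo "remove: setuid pt_chown is redundant, devpts is mounted"
    else
        echo "review: setuid pt_chown present, devpts not mounted"
    fi
}

# Audit the running host only when asked to: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    mode=$(stat -c %a "$PT_CHOWN" 2>/dev/null || true)
    assess /etc/fuse.conf /proc/mounts "$mode"
fi
```

The "at-risk" verdict covers only the two conditions the script can see; kernel FUSE support and a victim's allocated slave in /dev/pts are not checked.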

