From f2eb8e2b25844d6964129e0232e022995e27e11f Mon Sep 17 00:00:00 2001
From: Ray Strode
Date: Thu, 24 Mar 2011 20:47:37 +0000
Subject: worker: CVE-2011-0727: change to user before copying user files

This commit changes to a user before copying user files to prevent a possible symlink local root exploit attack.

[Ubuntu note: refreshed patch against 2.30 of daemon/gdm-session-worker.c -- sbeattie]

diff -Nur -x '*.orig' -x '*~' gdm-2.28.1//daemon/gdm-session-worker.c gdm-2.28.1.new//daemon/gdm-session-worker.c
--- gdm-2.28.1//daemon/gdm-session-worker.c 2009-10-19 15:12:45.000000000 -0700
+++ gdm-2.28.1.new//daemon/gdm-session-worker.c 2011-03-29 09:22:58.000000000 -0700
@@ -52,6 +52,7 @@
 #include "ck-connector.h"
+#include "gdm-common.h"
 #include "gdm-session-worker.h"
 #include "gdm-marshal.h"
@@ -1031,10 +1032,6 @@
 error->message);
 g_error_free (error);
 } else {
- chown (cachefilename,
- worker->priv->uid,
- worker->priv->gid);
- g_chmod (cachefilename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 g_debug ("Copy successful");
 }
@@ -1168,7 +1165,23 @@
 return;
 if (worker->priv->state >= GDM_SESSION_WORKER_STATE_SESSION_OPENED) {
- gdm_session_worker_cache_userfiles (worker);
+ pid_t pid;
+
+ pid = fork ();
+
+ if (pid == 0) {
+ if (setuid (worker->priv->uid) < 0) {
+ g_debug ("GdmSessionWorker: could not reset uid: %s", g_strerror (errno));
+ _exit (1);
+ }
+
+ gdm_session_worker_cache_userfiles (worker);
+ _exit (0);
+ }
+
+ if (pid > 0) {
+ gdm_wait_on_pid (pid);
+ }
 pam_close_session (worker->priv->pam_handle, 0);
 gdm_session_auditor_report_logout (worker->priv->auditor);
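Review bot: The child drops only the uid in `setuid (worker->priv->uid)`, so while it runs gdm_session_worker_cache_userfiles it still carries the worker's original gid and supplementary groups, and files the copy creates will most likely be group-owned by that gid rather than the user's; the privilege reduction should cover groups as well, e.g. `if (setgid (worker->priv->gid) < 0 || setuid (worker->priv->uid) < 0) {` (plus initgroups() for the user's supplementary groups), in that order because setgid can no longer succeed once setuid to an unprivileged user has taken effect. The `fork ()` failure case is silent: with `pid < 0` neither branch runs and the user files are simply not cached, so a `g_debug ("GdmSessionWorker: could not fork: %s", g_strerror (errno));` branch would make that visible. The parent also does not examine the outcome of `gdm_wait_on_pid (pid)`, so the child's `_exit (1)` path is indistinguishable from success. Because the previous hunk removes the explicit `g_chmod` to 0644, the cache file's mode now depends on what the copy and the child's umask produce, which deserves a comment if intended. The enclosing function starts before this hunk and continues after it.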