1
From f2eb8e2b25844d6964129e0232e022995e27e11f Mon Sep 17 00:00:00 2001
2
From: Ray Strode <rstrode@redhat.com>
3
Date: Thu, 24 Mar 2011 20:47:37 +0000
4
Subject: worker: CVE-2011-0727: change to user before copying user files
6
This commit changes to a user before copying user files to prevent
7
a possible symlink local root exploit attack.
9
[Ubuntu note: natty patch refreshed against 2.32.0-0ubuntu12
13
daemon/gdm-session-worker.c | 29 +++++++++++++++++------------
14
1 file changed, 17 insertions(+), 12 deletions(-)
16
Index: b/daemon/gdm-session-worker.c
17
===================================================================
18
--- a/daemon/gdm-session-worker.c
19
+++ b/daemon/gdm-session-worker.c
20
@@ -1035,17 +1035,6 @@ gdm_cache_copy_file (GdmSessionWorker *w
26
- res = chown (cachefilename,
30
- g_warning ("GdmSessionWorker: Error setting owner of cache file: %s",
31
- g_strerror (errno));
34
- g_chmod (cachefilename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
35
g_debug ("Copy successful");
38
@@ -1183,7 +1172,23 @@ gdm_session_worker_uninitialize_pam (Gdm
41
if (worker->priv->state >= GDM_SESSION_WORKER_STATE_SESSION_OPENED) {
42
- gdm_session_worker_cache_userfiles (worker);
48
+ if (setuid (worker->priv->uid) < 0) {
49
+ g_debug ("GdmSessionWorker: could not reset uid: %s", g_strerror (errno));
53
+ gdm_session_worker_cache_userfiles (worker);
58
+ gdm_wait_on_pid (pid);
60
pam_close_session (worker->priv->pam_handle, 0);
61
gdm_session_auditor_report_logout (worker->priv->auditor);