~ubuntu-branches/ubuntu/maverick/gdm/maverick-security


Viewing changes to daemon/gdm-session-worker.c

  • Committer: Bazaar Package Importer
  • Author(s): Steve Beattie
  • Date: 2011-03-29 09:27:07 UTC
  • Revision ID: james.westby@ubuntu.com-20110329092707-rl6vegdx3i1bl3ca
Tags: 2.30.5-0ubuntu4.1
* SECURITY UPDATE: race condition allowing privilege escalation
  - debian/patches/91_CVE-2011-0727.patch: fix
    daemon/gdm-session-worker.c to copy files as session user rather
    than root followed by a subsequent chown.
  - CVE-2011-0727

1035
1035
                                   error->message);
1036
1036
                        g_error_free (error);
1037
1037
                 } else {
1038
 
                         int res;
1039
 
 
1040
 
                         res = chown (cachefilename,
1041
 
                                      worker->priv->uid,
1042
 
                                      worker->priv->gid);
1043
 
                         if (res == -1) {
1044
 
                                 g_warning ("GdmSessionWorker: Error setting owner of cache file: %s",
1045
 
                                            g_strerror (errno));
1046
 
                         }
1047
 
 
1048
 
                        g_chmod (cachefilename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
1049
1038
                        g_debug ("Copy successful");
1050
1039
                }
1051
1040
 
1183
1172
                return;
1184
1173
 
1185
1174
        if (worker->priv->state >= GDM_SESSION_WORKER_STATE_SESSION_OPENED) {
1186
 
                gdm_session_worker_cache_userfiles (worker);
 
1175
                pid_t pid;
 
1176
 
 
1177
                pid = fork ();
 
1178
 
 
1179
                if (pid == 0) {
 
1180
                        if (setuid (worker->priv->uid) < 0) {
 
1181
                                g_debug ("GdmSessionWorker: could not reset uid: %s", g_strerror (errno));
 
1182
                                _exit (1);
 
1183
                        }
 
1184
 
 
1185
                        gdm_session_worker_cache_userfiles (worker);
 
1186
                        _exit (0);
 
1187
                }
 
1188
 
 
1189
                if (pid > 0) {
 
1190
                        gdm_wait_on_pid (pid);
 
1191
                }
1187
1192
                pam_close_session (worker->priv->pam_handle, 0);
1188
1193
                gdm_session_auditor_report_logout (worker->priv->auditor);
1189
1194
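Review bot: In the forked child (new lines 1179-1183) only `setuid (worker->priv->uid)` is called before gdm_session_worker_cache_userfiles, so the copy still runs with whatever group id and supplementary groups the worker process holds, presumably root's for this daemon. Drop the groups before the uid, for example `if (setgid (worker->priv->gid) < 0 || setuid (worker->priv->uid) < 0) {`, with an initgroups() call for the session user (or a setgroups() call that clears the list) ahead of it. A failed fork (`pid < 0`) is also skipped silently, so a `g_warning` on that path would make a missing cache copy diagnosable. The enclosing function starts and ends outside the visible lines, so any earlier group handling there should be confirmed.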