summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBrian Cameron <brian.cameron@oracle.com>2011-04-07 11:46:46 -0500
committerBrian Cameron <brian.cameron@oracle.com>2011-04-07 11:51:07 -0500
commitc0b6ee89fd01088b54932e9bd4454602adf55740 (patch)
tree5b1af9890c4f475311bf5b2b7c596bce08f74bc9
parentb02cbe775a121766eea52d2c670352d2954a6e81 (diff)
downloadgdm-c0b6ee89fd01088b54932e9bd4454602adf55740.tar.gz
This commit changes to a user before copying user files to prevent
a possible symlink local root exploit attack.
Diffstat
-rw-r--r--daemon/gdm-session-worker.c33
1 files changed, 19 insertions, 14 deletions
diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
index 35a6bfec..9470824f 100644
--- a/daemon/gdm-session-worker.c
+++ b/daemon/gdm-session-worker.c
@@ -1030,22 +1030,11 @@ gdm_cache_copy_file (GdmSessionWorker *worker,
NULL,
&error);
- if (! res) {
+ if (! res) {
g_warning ("Could not copy file to cache: %s",
error->message);
g_error_free (error);
- } else {
- int res;
-
- res = chown (cachefilename,
- worker->priv->uid,
- worker->priv->gid);
- if (res == -1) {
- g_warning ("GdmSessionWorker: Error setting owner of cache file: %s",
- g_strerror (errno));
- }
-
- g_chmod (cachefilename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ } else {
g_debug ("Copy successful");
}
@@ -1183,7 +1172,23 @@ gdm_session_worker_uninitialize_pam (GdmSessionWorker *worker,
return;
if (worker->priv->state >= GDM_SESSION_WORKER_STATE_SESSION_OPENED) {
- gdm_session_worker_cache_userfiles (worker);
+ pid_t pid;
+
+ pid = fork ();
+
+ if (pid == 0) {
+ if (setuid (worker->priv->uid) < 0) {
+ g_debug ("GdmSessionWorker: could not reset uid: %s", g_strerror (errno));
+ _exit (1);
+ }
+
+ gdm_session_worker_cache_userfiles (worker);
+ _exit (0);
+ }
+
+ if (pid > 0) {
+ gdm_wait_on_pid (pid);
+ }
pam_close_session (worker->priv->pam_handle, 0);
gdm_session_auditor_report_logout (worker->priv->auditor);
View Lorry Controller Status