[4723] in bugtraq
No subject found in mail header
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@VT.EDU)
Thu Jun 19 11:59:54 1997
Date: Wed, 18 Jun 1997 04:10:46 -0400
Reply-To: Valdis.Kletnieks@VT.EDU
From: Valdis.Kletnieks@VT.EDU
X-To: posse@CORINNE.MAC.EDU
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Wed, 18 Jun 1997 03:02:15 -0000."
<19970618030215.3665.qmail@corinne.mac.edu>
On Wed, 18 Jun 1997 03:02:15 -0000, you said:
> ************** Corinne Posse Security Notice **************
> Issue Number 5: 970717
> ************** http://corinne.mac.edu/posse **************
>
> **** Problem with su on HP/UX 9.00 VIA a dumb-terminal ****
>
> When the shell calling "su" is killed, the user is logged out,
> but in-between login prompts, a user can still enter commands as
> root.
I have to admit that it's 4AM, and I'm not an HP/UX expert, but I suspect the
follwoing is happening:
When the other sysadmin does a 'kill -9' or whatever of the *parent shell*,
this is failing to propagate a SIGHUP to the shell spawned by the su command
(which makes sense, as it is probablyin a different process group for job
control purposes). The login shell exits, the su-shell keeps running.
init notices the login shell exiting, and re-spawns a getty. You then
get a getty/login and a su-shell fighting in a race condition for any
given line of terminal input.
The problem is probably exacerbated by a lack of a revoke() call in HP/UX 9.0,
which was designed to close exactly this hole - getty can revoke() on the /dev/tty
and be *sure* that no other processes are still reading. (And yes, I *know*
about the funky race conditions in many Unixoid kernels that allow a blocked
open() to slip past a revoke() call. But revoke() is better than nothing ;)
Work-around: Make sure to kill the su-shell first, and THEN the login
shell. If this is too hard to remember, create a shell or perl script
called 'nuke-admin' ;)
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
