From c122ebed451272090e594f3a511cc8a6017a62e2 Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Thu, 24 Mar 2011 16:47:37 -0400
Subject: [PATCH] worker: CVE-2011-0727: change to user before copying user files
This commit switches to the user's uid before copying user files, to
prevent a possible local root exploit via symlinks.
---
daemon/gdm-session-worker.c | 29 +++++++++++++++++------------
1 files changed, 17 insertions(+), 12 deletions(-)
diff -up gdm-2.30.2/daemon/gdm-session-worker.c.with-fix gdm-2.30.2/daemon/gdm-session-worker.c
--- gdm-2.30.2/daemon/gdm-session-worker.c.with-fix 2011-03-28 13:56:04.488869029 -0400
+++ gdm-2.30.2/daemon/gdm-session-worker.c 2011-03-28 13:57:15.205843697 -0400
@@ -1034,10 +1034,6 @@ gdm_cache_copy_file (GdmSessionWorker *w
error->message);
g_error_free (error);
} else {
- chown (cachefilename,
- worker->priv->uid,
- worker->priv->gid);
- g_chmod (cachefilename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
g_debug ("Copy successful");
}
@@ -1171,7 +1167,23 @@ gdm_session_worker_uninitialize_pam (Gdm
return;
if (worker->priv->state >= GDM_SESSION_WORKER_STATE_SESSION_OPENED) {
- gdm_session_worker_cache_userfiles (worker);
+ pid_t pid;
+
+ pid = fork ();
+
+ if (pid == 0) {
+ if (setuid (worker->priv->uid) < 0) {
+ g_debug ("GdmSessionWorker: could not reset uid: %s", g_strerror (errno));
+ _exit (1);
+ }
+
+ gdm_session_worker_cache_userfiles (worker);
+ _exit (0);
+ }
+
+ if (pid > 0) {
+ gdm_wait_on_pid (pid);
+ }
pam_close_session (worker->priv->pam_handle, 0);
gdm_session_auditor_report_logout (worker->priv->auditor);
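Review bot: The forked child drops only the user id: `setuid (worker->priv->uid)` leaves the group id and supplementary groups inherited from the worker in place, so `gdm_session_worker_cache_userfiles` still runs with whatever group access the parent had (presumably root's; the parent's credentials are not visible in this hunk). Dropping the groups first would close that gap, e.g. `if (setgroups (0, NULL) < 0 || setgid (worker->priv->gid) < 0 || setuid (worker->priv->uid) < 0) {` in place of the current check, in that order because the group calls fail once the uid has been given up. A failed `fork ()` (`pid < 0`) also falls through silently, so a skipped cache copy leaves no trace; a `g_warning` on that path would make it visible. The body of gdm_session_worker_uninitialize_pam starts and ends outside the hunk.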