Ubuntu
shadow package

sux "cannot set terminal process group ...." error

Bug #1223873 reported by H.-Dirk Schmitt
20
This bug affects 4 people
Affects Status Importance Assigned to Milestone
shadow (Debian)
Fix Released
Unknown
shadow (Ubuntu)
Confirmed
Undecided
Unassigned
sux (Debian)
Fix Released
Unknown
sux (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

After migration from precise to raring I can't use sux in a reliable manner.

1. After invocation I got the error message:
bash: cannot set terminal process group (-1): Inappropriate ioctl for device bash: no job control in this shell

2. Pressing Ctrl+C kills the entire session

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: sux 1.0.1-6
ProcVersionSignature: Ubuntu 3.8.0-31.46-generic 3.8.13.8
Uname: Linux 3.8.0-31-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.9.2-0ubuntu8.4
Architecture: amd64
Date: Wed Sep 11 15:15:19 2013
MarkForUpload: True
PackageArchitecture: all
SourcePackage: sux
UpgradeStatus: No upgrade log present (probably fresh install)

CVE References

Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote :
Revision history for this message
H.-Dirk Schmitt (dirk-computer42) wrote :

After web research is seems that the bug is introduced by the schange of the login package from 1:4.1.4.2 (presice/quantal) to 1:4.1.5.1 (raring/saucy)

> shadow (1:4.1.5-1) unstable; urgency=low
>
> * The "Charolais" release.
>
> [ Nicolas FRANCOIS (Nekral) ]
> * New upstream release:
> - su: Fix possible tty hijacking by dropping the controlling terminal when
> executing a command (CVE-2005-4890). Closes: #628843
> ...

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

Bug Watch Updater (bug-watch-updater)
Changed in shadow (Debian):
status: Unknown → Confirmed
Bug Watch Updater (bug-watch-updater)
Changed in sux (Debian):
status: Unknown → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in shadow (Ubuntu):
status: New → Confirmed
Changed in sux (Ubuntu):
status: New → Confirmed
Revision history for this message
infernet (guattari) wrote :

Same here. It occurs on:

sudo su username -

Revision history for this message
mancha (mancha1) wrote :

Hello.

This is due to changes introduced in su in shadow 4.1.5 to address CVE-2005-4890. They amount, in sum, to dropping the controlling TTY when su is used non-interactively.

While the threat of command injection does exist, shadow's omni-directional solution is overkill.

As I documented back in May (http://seclists.org/oss-sec/2013/q2/374), crippling "su -c" when escalating privileges (i.e. callee is root) is unwarranted. After all, we're not really worried about root injecting commands to a non-privileged user.

Feel free to use the patch I constructed that addresses the issue being reported when sux (or any other su frontend/wrapper) invokes su non-interactively to escalate privs:

http://sf.net/projects/mancha/files/misc/shadow-4.1.5.1_CVE-2005-4890_relax.diff

--mancha

Bug Watch Updater (bug-watch-updater)
Changed in sux (Debian):
status: Confirmed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in shadow (Debian):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.