about summary refs log tree commit diff
path: root/manual/install.texi
diff options
context:
space:
mode:
authorCarlos O'Donell <carlos@redhat.com>2013-07-19 02:42:03 -0400
committerCarlos O'Donell <carlos@redhat.com>2013-07-21 15:39:55 -0400
commite4608715e6e1dd2adc91982fd151d5ba4f761d69 (patch)
tree04bc13d3736e14045f0f9fc37e0303a067f943cf /manual/install.texi
parentda2d62df77de66e5de5755228759f8bc18481871 (diff)
downloadglibc-e4608715e6e1dd2adc91982fd151d5ba4f761d69.tar.gz
glibc-e4608715e6e1dd2adc91982fd151d5ba4f761d69.tar.xz
glibc-e4608715e6e1dd2adc91982fd151d5ba4f761d69.zip
CVE-2013-2207, BZ #15755: Disable pt_chown.
The helper binary pt_chown tricked into granting access to another
user's pseudo-terminal.

Pre-conditions for the attack:

 * Attacker with local user account
 * Kernel with FUSE support
 * "user_allow_other" in /etc/fuse.conf
 * Victim with allocated slave in /dev/pts

Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own.  It cannot access /dev/pts/ptmx however.

In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable hte use of pt_chown but distributions do so at their own
risk.
Diffstat (limited to 'manual/install.texi')
-rw-r--r--manual/install.texi14
1 files changed, 14 insertions, 0 deletions
diff --git a/manual/install.texi b/manual/install.texi
index 0c05f51bbb..4575d22319 100644
--- a/manual/install.texi
+++ b/manual/install.texi
@@ -163,6 +163,20 @@ so that they can be invoked directly.
 @item --enable-lock-elision=yes
 Enable lock elision for pthread mutexes by default.
 
+@pindex pt_chown
+@findex grantpt
+@item --enable-pt_chown
+The file @file{pt_chown} is a helper binary for @code{grantpt}
+(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to
+fix up pseudo-terminal ownership.  It is not built by default because
+systems using the Linux kernel are commonly built with the @code{devpts}
+filesystem enabled and mounted at @file{/dev/pts}, which manages
+pseudo-terminal ownership automatically.  By using
+@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it
+setuid and owned by @code{root}.  The use of @file{pt_chown} introduces
+additional security risks to the system and you should enable it only if
+you understand and accept those risks.
+
 @item --build=@var{build-system}
 @itemx --host=@var{host-system}
 These options are for cross-compiling.  If you specify both options and