From c0b6ee89fd01088b54932e9bd4454602adf55740 Mon Sep 17 00:00:00 2001 From: Brian Cameron Date: Apr 07 2011 16:51:07 +0000 Subject: This commit changes to a user before copying user files to prevent a possible symlink local root exploit attack. --- diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c index 35a6bfe..9470824 100644 --- a/daemon/gdm-session-worker.c +++ b/daemon/gdm-session-worker.c @@ -1030,22 +1030,11 @@ gdm_cache_copy_file (GdmSessionWorker *worker, NULL, &error); - if (! res) { + if (! res) { g_warning ("Could not copy file to cache: %s", error->message); g_error_free (error); - } else { - int res; - - res = chown (cachefilename, - worker->priv->uid, - worker->priv->gid); - if (res == -1) { - g_warning ("GdmSessionWorker: Error setting owner of cache file: %s", - g_strerror (errno)); - } - - g_chmod (cachefilename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + } else { g_debug ("Copy successful"); } @@ -1183,7 +1172,23 @@ gdm_session_worker_uninitialize_pam (GdmSessionWorker *worker, return; if (worker->priv->state >= GDM_SESSION_WORKER_STATE_SESSION_OPENED) { - gdm_session_worker_cache_userfiles (worker); + pid_t pid; + + pid = fork (); + + if (pid == 0) { + if (setuid (worker->priv->uid) < 0) { + g_debug ("GdmSessionWorker: could not reset uid: %s", g_strerror (errno)); + _exit (1); + } + + gdm_session_worker_cache_userfiles (worker); + _exit (0); + } + + if (pid > 0) { + gdm_wait_on_pid (pid); + } pam_close_session (worker->priv->pam_handle, 0); gdm_session_auditor_report_logout (worker->priv->auditor);
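Review bot: The forked child in gdm_session_worker_uninitialize_pam drops only the user ID before calling gdm_session_worker_cache_userfiles, so it appears to keep the parent's primary and supplementary groups while it copies files the user controls. Dropping the groups first closes that gap, for example `if (setgroups (0, NULL) < 0 || setgid (worker->priv->gid) < 0 || setuid (worker->priv->uid) < 0) {` (or initgroups with the account name if the copy needs the user's supplementary groups); setuid has to come last because the group calls need the privilege it gives up. A failed fork (`pid < 0`) is skipped silently and the setuid failure is logged only with g_debug, so both would be easier to spot in logs as `g_warning`. With the chown and g_chmod removed from gdm_cache_copy_file, the cache file's owner and mode now depend on the child's credentials and umask, which deserves a short comment next to the fork. The function body starts and ends outside the hunk.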