[Pkg-shadow-commits] r288 - in trunk/debian: . patches
Nicolas FRANCOIS
pkg-shadow-devel@lists.alioth.debian.org
Tue, 21 Jun 2005 23:24:02 +0000
Author: nekral-guest
Date: 2005-06-21 23:24:01 +0000 (Tue, 21 Jun 2005)
New Revision: 288
Modified:
trunk/debian/changelog
trunk/debian/patches/008_su_ignore_SIGINT
Log:
Also ignore SIGQUIT to avoid an user to defeat the delay.
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2005-06-21 23:22:54 UTC (rev 287)
+++ trunk/debian/changelog 2005-06-21 23:24:01 UTC (rev 288)
@@ -51,6 +51,10 @@
before the call to exec.
* If no command is provided, the arguments after the username are for
the shell, no -c has to be appended.
+ - 008_su_ignore_SIGINT
+ * Also ignore SIGQUIT in su to avoid defeating the delay.
+ The gain in security is very minor.
+ Closes: #288827
* Upstream bugs already fixed in upstream releases or CVS:
- Corrected typos in chfn.1. Closes: #312428
- Corrected typos in gshadow.5. Closes: #312429
Modified: trunk/debian/patches/008_su_ignore_SIGINT
===================================================================
--- trunk/debian/patches/008_su_ignore_SIGINT 2005-06-21 23:22:54 UTC (rev 287)
+++ trunk/debian/patches/008_su_ignore_SIGINT 2005-06-21 23:24:01 UTC (rev 288)
@@ -1,21 +1,33 @@
Goal: Ignore SIGINT while authenticating. A ^C could defeat the waiting
period and permit brute-force attacks.
-Fixes: 52372
+ Also ignore SIGQUIT.
+
+Fixes: #52372 (SIGINT), #288827 (SIGQUIT)
Status wrt upstream: It should be forwarded to upstream.
Note: Even with a waiting period, a brute-force attack can be performed
- by parralelizing attacks. The gain in security is minor.
+ by parralelizing attacks (or sending a KILL signal).
+ The gain in security is minor.
Index: shadow-4.0.3/src/su.c
===================================================================
---- shadow-4.0.3.orig/src/su.c 2005-05-30 22:57:55.776974000 +0200
-+++ shadow-4.0.3/src/su.c 2005-05-30 22:58:36.326974000 +0200
-@@ -538,6 +538,7 @@
+--- shadow-4.0.3.orig/src/su.c 2005-06-21 23:26:13.808723000 +0200
++++ shadow-4.0.3/src/su.c 2005-06-21 23:27:58.518723000 +0200
+@@ -538,6 +538,8 @@
if (shell == 0)
shell = (char *) strdup (pwent.pw_shell);
+ signal(SIGINT, SIG_IGN);
++ signal(SIGQUIT, SIG_IGN);
#ifdef USE_PAM
ret = pam_authenticate (pamh, 0);
if (ret != PAM_SUCCESS) {
+@@ -629,6 +631,7 @@
+ #endif /* !USE_PAM */
+
+ signal (SIGINT, SIG_DFL);
++ signal (SIGQUIT, SIG_DFL);
+ cp = getdef_str ((pwent.pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH");
+ #if 0
+ addenv (cp ? cp : "PATH=/bin:/usr/bin", NULL);