Debian Bug report logs - #288827
su ignores signals inconsistently


Package: login; Maintainer for login is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for login is src:shadow (PTS, buildd, popcon).

Reported by: David Renie <dmrenie@cs.umd.edu>

Date: Wed, 5 Jan 2005 21:33:02 UTC

Severity: normal

Found in version 4.0.3-30.7

Fixed in version shadow/1:4.0.3-36

Done: Christian Perrier <bubulle@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#288827; Package login.


Acknowledgement sent to David Renie <dmrenie@cs.umd.edu>:
New Bug report received and forwarded. Copy sent to Karl Ramm <kcr@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: David Renie <dmrenie@cs.umd.edu>
To: <submit@bugs.debian.org>
Subject: su ignores signals inconsistently
Date: Wed, 5 Jan 2005 16:19:46 -0500 (EST)
Package: login
Version: 4.0.3-30.7

su cannot be terminated by pressing ctrl+c (sending a SIGINT to the
process).  It appears this change was made about 4 years ago in response
to bug #52372.  There it was suggested that being able to terminate su was
a security issue.  This is a weak claim at best since the ability to su
can be restricted to certain users and even with only one login, a user
can run many instances of su concurrently.

However, my main point is that su does not ignore SIGQUIT and thus can be
terminated immediately by pressing ctrl+\ .  Other signals probably will
terminate su as well.  My suggestion is to revert the changes that ignore
SIGINT during authentication.  I suspect that this will be a simple change
to reverse, but if you wish, I will gladly submit a patch for this.

I am using the unstable distribution (sid) of Debian GNU/Linux.  I suspect
that this issue is present in other versions as well.

This issue also exists in login version 4.0.3-30.4 using the testing
distribution of Debian GNU/Linux.


Sincerely,
David Renie
dmrenie@cs.umd.edu




Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#288827; Package login.


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>.


Message #10 received at 288827@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: David Renie <dmrenie@cs.umd.edu>, 288827@bugs.debian.org
Subject: Re: Bug#288827: su ignores signals inconsistently
Date: Wed, 5 Jan 2005 23:18:38 +0100
Quoting David Renie (dmrenie@cs.umd.edu):
> Package: login
> Version: 4.0.3-30.7
> 
> su cannot be terminated by pressing ctrl+c (sending a SIGINT to the
> process).  It appears this change was made about 4 years ago in response
> to bug #52372.  There it was suggested that being able to terminate su was
> a security issue.  This is a weak claim at best since the ability to su
> can be restricted to certain users and even with only one login, a user
> can run many instances of su concurrently.
> 
> However, my main point is that su does not ignore SIGQUIT and thus can be
> terminated immediately by pressing ctrl+\ .  Other signals probably will
> terminate su as well.  My suggestion is to revert the changes that ignore
> SIGINT during authentication.  I suspect that this will be a simple change
> to reverse, but if you wish, I will gladly submit a patch for this.
> 
> I am using the unstable distribution (sid) of Debian GNU/Linux.  I suspect
> that this issue is present in other versions as well.
> 
> This issue also exists in login version 4.0.3-30.4 using the testing
> distribution of Debian GNU/Linux.


Thanks for your report.

The shadow source package to which login belongs is in the process
of being taken over by a new maintenance team. This will soon be
announced in debian-devel, I think.

All Debian specific patches will be reviewed, and either the behaviour
change you describe is a Debian patch and it will be discussed by the
future Debian maintenance team... or
this is an upstream change and it will be discussed with upstream.

However, all this is likely to take place after sarge release....

Please note that the maintenance team is currently being constructed,
so if you feel interested in maintaining the shadow package, help to
bug triage or just bring in your experience, please feel welcome.





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#288827; Package login.


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.


Message #15 received at 288827@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: 288827@bugs.debian.org
Subject: So, should su handle SIGINT or not?
Date: Sun, 17 Apr 2005 22:29:50 +0200
In #288827, the bug submitter suggests that we remove the (Debian
only) change which makes su ignore SIGINT. He suggests that the
rationale for this change (making automatic password guessing easier as
this allows bypassing the login failure delay) is a bit weak... and
anyway that su does not ignore other signals such as SIGQUIT.

I tend to think he's right and the change is somewhat
overzealous. However, I'm quite reluctant to take the decision to
revert something done by a previous maintainer.

Any thoughts before we ask for advice in -devel or any other place?

PS : upstream su DOES NOT ignore SIGINT.

-- 





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#288827; Package login.


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.


Message #20 received at 288827@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: 288827@bugs.debian.org
Subject: Debian bug 288827 : su ignores signals inconsistently
Date: Mon, 20 Jun 2005 23:40:33 +0200
From the bug reporter:

=====================================
su cannot be terminated by pressing ctrl+c (sending a SIGINT to the
process).  It appears this change was made about 4 years ago in response
to bug #52372.  There it was suggested that being able to terminate su was
a security issue.  This is a weak claim at best since the ability to su
can be restricted to certain users and even with only one login, a user
can run many instances of su concurrently.

However, my main point is that su does not ignore SIGQUIT and thus can be
terminated immediately by pressing ctrl+\ .  Other signals probably will
terminate su as well.  My suggestion is to revert the changes that ignore
SIGINT during authentication.  I suspect that this will be a simple change
to reverse, but if you wish, I will gladly submit a patch for this.

I am using the unstable distribution (sid) of Debian GNU/Linux.  I suspect
that this issue is present in other versions as well.

This issue also exists in login version 4.0.3-30.4 using the testing
distribution of Debian GNU/Linux.
=====================================


This is done in 008_su_ignore_SIGINT

Nicolas, could we also have su ignore SIGQUIT the same way?

Would it be worth implementing upstream (both signals ignored) or is
this too Debian specific?



-- 





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#288827; Package login.


Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>.


Message #25 received at 288827@bugs.debian.org:

From: Nicolas François <nicolas.francois@centraliens.net>
To: 288827@bugs.debian.org, 288827-submitter@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#288827: su ignores signals inconsistently
Date: Wed, 22 Jun 2005 22:37:47 +0200
tags 288827 pending
thanks

Hello David,

In http://bugs.debian.org/288827 you indicated that su ignored the SIGINT
signal but not SIGQUIT.
We preferred ignoring SIGQUIT, instead of removing the patch done for #52372,
even if the security gain is very minor.
The patch was committed to our repository and should appear in the next
release.


Kind Regards,
-- 
Nekral
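The mitigation the maintainers settled on in this message, and the rationale given in Message #15 (the failure delay must not be skippable from the keyboard), as an added C example that is not code from the shadow package or from the 008_su_ignore_SIGINT patch. The function names, the struct and the delay helper are assumptions; the point shown is that both terminal-generated signals, SIGINT and SIGQUIT, are set to SIG_IGN before the delay and the caller's dispositions are restored afterwards.

```c
/* Added example, not the shadow package's code: ignore the terminal
 * signals (SIGINT from ctrl+c, SIGQUIT from ctrl+\) while an authentication
 * failure delay runs, so the delay cannot be cut short from the keyboard. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <unistd.h>

/* The two keyboard-generated signals the Debian patch ends up ignoring. */
static const int auth_signals[] = { SIGINT, SIGQUIT };
#define N_AUTH_SIGNALS (sizeof auth_signals / sizeof auth_signals[0])
struct auth_signal_state { struct sigaction saved[N_AUTH_SIGNALS]; };

/* Set each keyboard signal to SIG_IGN, saving the previous disposition.
 * Returns 0 on success, -1 if sigaction() fails. */
int auth_signals_ignore(struct auth_signal_state *st)
{
    struct sigaction ign;
    ign.sa_handler = SIG_IGN;
    sigemptyset(&ign.sa_mask);
    ign.sa_flags = 0;
    for (size_t i = 0; i < N_AUTH_SIGNALS; i++)
        if (sigaction(auth_signals[i], &ign, &st->saved[i]) != 0)
            return -1;
    return 0;
}

/* Put back the dispositions saved by auth_signals_ignore(). */
int auth_signals_restore(const struct auth_signal_state *st)
{
    for (size_t i = 0; i < N_AUTH_SIGNALS; i++)
        if (sigaction(auth_signals[i], &st->saved[i], NULL) != 0)
            return -1;
    return 0;
}

/* 1 if sig is currently ignored, 0 if not, -1 on error. */
int signal_is_ignored(int sig)
{
    struct sigaction cur;
    if (sigaction(sig, NULL, &cur) != 0)
        return -1;
    return cur.sa_handler == SIG_IGN;
}

/* Sleep out the failure delay with the keyboard signals ignored. A signal
 * that is still delivered (e.g. SIGTERM sent from another terminal) would
 * interrupt sleep(), so loop until the full delay has elapsed. */
int auth_failure_delay(unsigned seconds)
{
    struct auth_signal_state st;
    if (auth_signals_ignore(&st) != 0)
        return -1;
    while (seconds > 0)
        seconds = sleep(seconds);
    return auth_signals_restore(&st);
}
```

Only signals raised from the controlling terminal are covered; a signal sent by another process is still delivered, which is why the delay loop re-enters sleep() until the full period is over.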



Tags added: pending. Request was from Nicolas François <nicolas.francois@centraliens.net> to control@bugs.debian.org.


Message sent on to David Renie <dmrenie@cs.umd.edu>:
Bug#288827.


Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility.


Notification sent to David Renie <dmrenie@cs.umd.edu>:
Bug acknowledged by developer.


Message #35 received at 288827-close@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: 288827-close@bugs.debian.org
Subject: Bug#288827: fixed in shadow 1:4.0.3-36
Date: Tue, 05 Jul 2005 16:02:32 -0400
Source: shadow
Source-Version: 1:4.0.3-36

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.3-36_i386.deb
  to pool/main/s/shadow/login_4.0.3-36_i386.deb
passwd_4.0.3-36_i386.deb
  to pool/main/s/shadow/passwd_4.0.3-36_i386.deb
shadow_4.0.3-36.diff.gz
  to pool/main/s/shadow/shadow_4.0.3-36.diff.gz
shadow_4.0.3-36.dsc
  to pool/main/s/shadow/shadow_4.0.3-36.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 288827@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 20 Jun 2005 23:37:56 +0300
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.3-36
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 75181 78961 87301 109279 192849 219321 244754 245332 248150 256732 261490 266281 269583 276419 286258 286616 287410 288106 288827 290842 298060 298773 304350 309408 312428 312429 312430 312431 312471 314303 314407 314423 314539 314727 315362 315372 315375 315378 315391 315407 315426 315429 315434 315483 315567 315727 315767 315783 315809 315812 315840 315972 316026
Changes: 
 shadow (1:4.0.3-36) unstable; urgency=low
 .
   * Debian specific programs fixes:
     - Re-enable logging and displaying failures on login when login is
       compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
       faillog file if it does not exist on postinst (as on Woody).
       Closes: #192849
     - do not localize login's syslog messages.
   * Debian packaging fixes:
     - Fix FTBFS with new dpkg 1.13 and use a correct dpkg-architecture
       invocation. Closes: #314407
     - Add a comment about potential sensitive information exposure
       when LOG_UNKFAIL_ENAB is set in login.defs
       Closes: #298773
     - Remove limits.5 and limits.conf.5 man pages which do not
       reflect the way we deal with limits in Debian
       Closes: #288106, #244754
     - debian/login.defs:
       - Make SU_PATH and PATH consistent with the values used in /etc/profile
         Closes: #286616
       - Comment the UMASK setting which is more confusing than useful
         as it only affects console logins. Better use pam_umask instead
         Closes: #314539, #248150
       - Add a comment about "appropriate" values for umask
         Closes: #269583
       - Correct the assertion about the variable defined by QMAIL_DIR
         which is MAILDIR, not MAIL
         Closes: #109279
       - Move the PASS_MAX_LEN variable at the end of login.defs as this
         is obsoleted when using PAM
         Closes: #87301
     - debian/passwd.config:
       - Re-enable the password confirmation question at critical priority
         Closes: #304350
       - Do not prompt again for the login name when the two passwords don't
         match while creating a new user
         Closes: #245332
     - debian/add-shell.sh, debian/remove-shell.sh, debian/shadowconfig.sh,
       debian/passwd.config, debian/passwd.postinst:
       - checked for bashisms, replaced "#!/bin/bash" with "#!/bin/sh",
         Closes: #315767
       - replaced "test XXX -a YYY" XSI:isms with "test XXX && test YYY",
         for rationale see:
         http://www.opengroup.org/onlinepubs/009695399/utilities/test.html
       - replaced all unneeded "egrep"s with basic "grep"s
         Closes: #256732
     - debian/rules:
       Remove the setuid bit on login
       Closes: #298060
     - debian/passwd.templates:
       Templates rewrite to shorten them down a little and make them DTSG
       compliant. Give more details about what the user's full name is used
       for.
       Closes: #287410
     - Updated to Standards: 3.6.2 (checked)
   * Debconf translation updates:
     - Estonian added. Closes: #312471
     - Basque updated. Closes: #314303
     - Malagasy updated. Closes: #290842
     - Punjabi updated. Closes: #315372
     - Danish updated. Closes: #315378
     - Polish updated. Closes: #315391
     - Japanese updated. Closes: #315407
     - Brazilian Portuguese updated. Closes: #315426
     - Czech updated. Closes: #315429
     - Spanish updated. Closes: #315434
     - Lithuanian updated. Closes: #315483
     - Galician updated. Closes: #315362
     - Portuguese updated. Closes: #315375
     - Simplified Chinese updated. Closes: #315567
     - French updated
     - Ukrainian updated. Closes: #315727
     - Welsh updated. Closes: #315809
     - Slovak updated. Closes: #315812
     - Romanian updated. Closes: #315783
     - Finnish updated. Closes: #315972
     - Catalan updated. Closes: #316026
   * Man pages translation updates:
     - Remove the too outdated Korean translation of newgrp.1
       which doesn't even mention sg
       Closes: #261490
   * Man pages correction for Debian specific issues:
     - 402_usermod.8-system-users-range-286258:
       Document the system user range from 0 to 999 in Debian
       Closes: #286258
   * Upstream bugs not fixed in upstream releases or CVS:
     - 423_su_pass_args_without_concatenation
       Thanks to Helmut Waitzmann.
       Closes: #276419
       * pass the argument to the shell or command without concatenation
         before the call to exec.
       * If no command is provided, the arguments after the username are for
         the shell, no -c has to be appended.
     - 008_su_ignore_SIGINT
       * Also ignore SIGQUIT in su to avoid defeating the delay.
         The gain in security is very minor.
         Closes: #288827
     - 424_pwck.8_quiet_option
       pwck(8): document the -q option. Closes: #309408
     - 425_lastlog_8_sparse
       lastlog(8): Document that lastlog is a sparse file and does not need to be
       rotated. Closes: #219321
     - 426_grpck_group-gshadow_members_consistency
       * (grpck) warn for inconsistencies between members in /etc/group and gshadow
         Closes: #75181
       * (pwck and grpck) warn and propose a fix for entries present in the
         regular /etc/group or /etc/passwd files and not in shadow/gshadow.
     - 427_chage_expiry_0
       Fix chage display in the case of null expiry fields (do not display
       Never, but 01 Jan 1970)
       Closes: #78961
   * Upstream bugs already fixed in upstream releases or CVS:
     - Corrected typos in chfn.1. Closes: #312428
     - Corrected typos in gshadow.5. Closes: #312429
     - Corrected typos in shadow.5. Closes: #312430
     - Corrected typos in grpck.8. Closes: #312431
     - Added patch (356th) for su to propagate SIGSTOP up and SIGCONT down.
       Added similar patch (357th) for newgrp. Both changes only affect
       operation with CLOSE_SESSION set to yes (in /etc/login.defs).
       Closes: #314727
   * Translation updates:
     - debian/patches/010_more-i18ned-messages
       - More messages are translatable. We will deal with the translation
         updates after syncing with upstream.
         Closes: #266281
     - debian/patches/114_eu:
       - Basque translation update. Closes: #314423
     - debian/patches/132_vi.dpatch:
       - Vietnamese translation update. Closes: #315840




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 00:10:45 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 12:11:12 2023; Machine Name: bembo
