* NEWS, libmisc/chowntty.c: Fix a race condition that could lead to

gaining ownership or changing mode of arbitrary files.

ChangeLog

@@ -1,3 +1,8 @@
+2008-11-23  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, libmisc/chowntty.c: Fix a race condition that could lead to
+	gaining ownership or changing mode of arbitrary files.
+
 2008-10-11  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* man/gshadow.5.xml, man/shadow.5.xml, man/passwd.5.xml,

NEWS

@@ -1,6 +1,6 @@
 $Id$
 
-shadow-4.1.2.1 -> shadow-4.1.3						UNRELEASED
+shadow-4.1.2.2 -> shadow-4.1.3						UNRELEASED
 
 *** general:
 - packaging
@@ -59,6 +59,12 @@ shadow-4.1.2.1 -> shadow-4.1.3						UNRELEASED
   * Allow adding LDAP users (or any user not present in the local passwd
     file) to local groups
 
+shadow-4.1.2.1 -> shadow-4.1.2.2					23-11-2008
+
+*** security
+- Fix a race condition in login that could lead to gaining ownership or
+  changing mode of arbitrary files.
+
 shadow-4.1.2 -> shadow-4.1.2.1						26-06-2008
 
 *** security

libmisc/chowntty.c

@@ -109,14 +109,14 @@ void chown_tty (const char *tty, const struct passwd *info)
 		exit (1);
 	}
 
-	if (   (chown (tty, info->pw_uid, gid) != 0)
+	if (   (fchown (STDIN_FILENO, info->pw_uid, gid) != 0)
-	    || (chmod (tty, getdef_num ("TTYPERM", 0600)) != 0)) {
+	    || (fchmod (STDIN_FILENO, getdef_num ("TTYPERM", 0600)) != 0)) {
 		int err = errno;
 
-		snprintf (buf, sizeof buf, _("Unable to change tty %s"), tty);
+		snprintf (buf, sizeof buf, _("Unable to change tty stdin"));
 		perror (buf);
 		SYSLOG ((LOG_WARN,
-			 "unable to change tty `%s' for user `%s'\n", tty,
+			 "unable to change tty stdin for user `%s'\n",
 			 info->pw_name));
 		closelog ();