************** Corinne Posse Security Notice  **************
Issue Number 5: 970717
 **************  http://corinne.mac.edu/posse  **************

**** Problem with su on HP/UX 9.00 via a dumb-terminal ****

When the shell calling "su" is killed, the user is logged out, but
between login prompts a user at that terminal can still enter commands
as root.

Affected Sites:
Any HP system running HP/UX 9.00.

Problem:
When a user su's to root and then goes idle, another system administrator
may want to kill that user's login shell for obvious reasons. Normally,
doing this logs the user out and kills any shells or programs that were
started from that shell, but on HP/UX 9.00 this isn't quite the case.

What happens is this: it will appear as if the user has logged out of
his/her dumb-terminal, but there is quite a surprise (or present) waiting
for the next user of that terminal:

HP/UX 9.00

login: myusername
# ksh: myusername not found
password:
#

login: uptime
9:28PM  up 1 day, 58 mins, 6 users, load averages: 0.10, 0.17, 0.21
password:



----------------------------------------------------------------------



When the other sysadmin does a 'kill -9' or whatever of the *parent shell*,
this is failing to propagate a SIGHUP to the shell spawned by the su command
(which makes sense, as it is probably in a different process group for job
control purposes).  The login shell exits, the su-shell keeps running.
init notices the login shell exiting, and re-spawns a getty.  You then
get a getty/login and a su-shell fighting in a race condition for any
given line of terminal input.

The problem is probably exacerbated by a lack of a revoke() call in HP/UX 9.0,
which was designed to close exactly this hole - getty can revoke() on the /dev/tty
and be *sure* that no other processes are still reading.  (And yes, I *know*
about the funky race conditions in many Unixoid kernels that allow a blocked
open() to slip past a revoke() call.  But revoke() is better than nothing ;)

Work-around:  Make sure to kill the su-shell first, and THEN the login
shell.  If this is too hard to remember, create a shell or perl script
called 'nuke-admin' ;)
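One way to script that work-around, as an added example that is not part of the notice or its contributors' text: walk the login shell's process tree from ps output and kill the deepest descendants (the su-shell and anything under it) before the login shell itself, so no orphaned root shell is left to race getty for the terminal. It assumes a ps that accepts '-eo pid=,ppid=' (modern Linux/BSD; an HP/UX 9 ps may need a different format).

```shell
#!/bin/sh
# nuke-admin: kill a login shell and everything under it, children first.
# Assumption: `ps -eo pid=,ppid=` prints one "pid ppid" pair per line.

# kill_order <target_pid> <ps_table>
# Prints the PIDs to kill, deepest descendants first and the target last.
# ps_table is "pid ppid" lines, as produced by `ps -eo pid=,ppid=`.
kill_order() {
    target=$1
    table=$2
    frontier=$target
    order=
    # Breadth-first walk: each newly discovered (deeper) PID is prepended,
    # so the final list is grandchildren, then children, then the target.
    while [ -n "$frontier" ]; do
        next=
        for p in $frontier; do
            order="$p $order"
            kids=$(printf '%s\n' "$table" | awk -v pp="$p" '$2 == pp { print $1 }')
            next="$next $kids"
        done
        frontier=$(echo $next)
    done
    echo $order
}

# nuke_admin <login_shell_pid>
# Reads the live process table and kills in the order kill_order gives,
# i.e. the su-shell (and its children) before the login shell. Run as root.
nuke_admin() {
    table=$(ps -eo pid=,ppid=)
    for p in $(kill_order "$1" "$table"); do
        kill -KILL "$p" 2>/dev/null
    done
}

# Usage: nuke-admin <login-shell-pid>
if [ "$#" -eq 1 ]; then
    nuke_admin "$1"
fi
```

Find the login shell's PID with something like `ps -ft ttyNN` for the terminal in question, then run the script against it rather than killing the login shell by hand.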



-----------------------------------------------------------------------



In regards to having "open()" slide past "revoke()", I have heard a
lot of reports from friends of mine that when they log out they
jam and pound on their keyboards, and between the time their login
shell dies and getty is supposed to re-spawn, they get a nice
root prompt to play with. This is on HP/UX 9.00 and 10.00, BTW.



-----------------------------------------------------------------------