Exploit: **** Problem with su on HP/UX 9.00 ****

When the shell calling "su" is killed, the user is logged out, but in between login prompts a user can still enter commands as root.

Affected Sites: Any HP system running HP/UX 9.00.

Problem: When a user su's to root and goes idle, the other system administrator wants to kill the login shell for obvious purposes. Normally, doing this logs the user out and kills any shells or programs that have been run from this shell, but this isn't quite the case. What happens is this: it will appear as if the user has logged out of his/her dumb terminal, however there is quite a surprise (or present) for the next user of that terminal:

    HP/UX 9.00

    login: myusername
    # ksh: myusername not found
    password:
    #
    login: uptime
    9:28PM up 1 day, 58 mins, 6 users, etc..
    password:

--------------------------------------------

When the other sysadmin does a 'kill -9' or whatever of the *parent shell*, this is failing to propagate a SIGHUP to the shell spawned by the su command (which makes sense, as it is probably in a different process group for job control purposes). The login shell exits, the su-shell keeps running. init notices the login shell exiting, and re-spawns a getty. You then get a getty/login and a su-shell fighting in a race condition for any given line of terminal input.

The problem is probably exacerbated by a lack of a revoke() call in HP/UX 9.0, which was designed to close exactly this hole - getty can revoke() on the /dev/tty and be *sure* that no other processes are still reading. (And yes, I *know* about the funky race conditions in many Unixoid kernels that allow a blocked open() to slip past a revoke() call. But revoke() is better than nothing ;)

Work-around: Make sure to kill the su-shell first, and THEN the login shell. If this is too hard to remember, create a shell or perl script called 'nuke-admin' ;)

--------------------------------------------

In regards to having "open()" slide past "revoke()": I have heard a lot of reports from friends of mine that when they logout they jam and pound on their keyboards, and between the time their login shell dies and getty is supposed to re-spawn, they get a nice root prompt to play with. This is on HP/UX 9.00 and 10.00, BTW.

--------------------------------------------
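The 'nuke-admin' work-around from the advisory above, as an added example that is not code from the original posts: it reads process-tree output, collects every process attached to one terminal and prints the kill commands deepest-descendant first, so the su-spawned shell goes before the login shell it came from. The `ps -eo pid,ppid,tty,comm` invocation (modern ps -o syntax, not necessarily available on HP/UX 9) and the sample ps lines are assumptions constructed for this example.

```python
# Added example (not from the original post): a Python sketch of the
# 'nuke-admin' work-around. It orders every process on a terminal
# deepest-descendant first, so the shell spawned by su dies before the
# login shell and cannot linger to race getty/login for keystrokes.
import subprocess
import sys
# Constructed sample output of `ps -eo pid,ppid,tty,comm` (format assumed):
# a login ksh on tty1 ran su; an unrelated shell on tty2 must be untouched.
SAMPLE_PS = """\
  PID  PPID TT       COMMAND
    1     0 ?        init
  200     1 tty1     -ksh
  210   200 tty1     su
  220   210 tty1     ksh
  230   220 tty1     uptime
  300     1 tty2     -ksh
"""

def parse_ps(text):
    """Parse 'PID PPID TTY COMMAND' lines into {pid: (ppid, tty, comm)}."""
    procs = {}
    for line in text.strip().splitlines()[1:]:  # skip the header line
        pid, ppid, tty, comm = line.split(None, 3)
        procs[int(pid)] = (int(ppid), tty, comm)
    return procs

def kill_order(procs, tty):
    """PIDs attached to `tty`, each listed before its own ancestors."""
    on_tty = {p for p, (_, t, _) in procs.items() if t == tty}
    children = {}
    for p in on_tty:
        children.setdefault(procs[p][0], []).append(p)
    # Roots: tty processes whose parent is off the tty (e.g. init).
    roots = sorted(p for p in on_tty if procs[p][0] not in on_tty)
    order = []

    def post_order(p):
        for child in sorted(children.get(p, [])):
            post_order(child)
        order.append(p)  # only after all descendants are listed
    for root in roots:
        post_order(root)
    return order

if __name__ == "__main__":
    # Print the kill sequence for review instead of executing it.
    procs = parse_ps(subprocess.run(["ps", "-eo", "pid,ppid,tty,comm"],
                     capture_output=True, text=True, check=True).stdout)
    for pid in kill_order(procs, sys.argv[1]):
        print(f"kill -9 {pid}  # {procs[pid][2]}")
```

Run as `python nuke_admin.py tty1` to get the ordered kill list for that terminal; on the sample data the order is 230, 220, 210, 200, i.e. the root shell's child, the root shell, su, then the login shell.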