[gdm/gnome-2-30] This commit changes to a user before copying user files to prevent a possible symlink local root exp



commit c0b6ee89fd01088b54932e9bd4454602adf55740
Author: Brian Cameron <brian cameron oracle com>
Date:   Thu Apr 7 11:46:46 2011 -0500

    This commit switches to the user before copying user files, to prevent
    a possible local root exploit through a symlink attack.

 daemon/gdm-session-worker.c |   33 +++++++++++++++++++--------------
 1 files changed, 19 insertions(+), 14 deletions(-)
---
diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
index 35a6bfe..9470824 100644
--- a/daemon/gdm-session-worker.c
+++ b/daemon/gdm-session-worker.c
@@ -1030,22 +1030,11 @@ gdm_cache_copy_file (GdmSessionWorker *worker,
                                     NULL,
                                     &error);
 
-                 if (! res) {
+                if (! res) {
                         g_warning ("Could not copy file to cache: %s",
                                    error->message);
                         g_error_free (error);
-                 } else {
-                         int res;
-
-                         res = chown (cachefilename,
-                                      worker->priv->uid,
-                                      worker->priv->gid);
-                         if (res == -1) {
-                                 g_warning ("GdmSessionWorker: Error setting owner of cache file: %s",
-                                            g_strerror (errno));
-                         }
-
-                        g_chmod (cachefilename, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+                } else {
                         g_debug ("Copy successful");
                 }
 
@@ -1183,7 +1172,23 @@ gdm_session_worker_uninitialize_pam (GdmSessionWorker *worker,
                 return;
 
         if (worker->priv->state >= GDM_SESSION_WORKER_STATE_SESSION_OPENED) {
-                gdm_session_worker_cache_userfiles (worker);
+                pid_t pid;
+
+                pid = fork ();
+
+                if (pid == 0) {
+                        if (setuid (worker->priv->uid) < 0) {
+                                g_debug ("GdmSessionWorker: could not reset uid: %s", g_strerror (errno));
+                                _exit (1);
+                        }
+
+                        gdm_session_worker_cache_userfiles (worker);
+                        _exit (0);
+                }
+
+                if (pid > 0) {
+                        gdm_wait_on_pid (pid);
+                }
                 pam_close_session (worker->priv->pam_handle, 0);
                 gdm_session_auditor_report_logout (worker->priv->auditor);
 
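Review bot: The forked child drops only the uid, since `setuid (worker->priv->uid)` is called with no preceding `setgid` or supplementary-group reset. `gdm_session_worker_cache_userfiles` therefore still runs with the daemon's gid and group list while it handles paths the user controls. Drop supplementary groups first, then the gid (the `worker->priv->gid` field that the removed `chown` call used), then the uid; if the copy needs the user's own group memberships, `initgroups` with the account name would replace the `setgroups` call shown below. Two smaller points: a failed `fork ()` (pid < 0) is skipped silently, and a failed privilege drop is logged only with `g_debug`, so both should use `g_warning`. The body of `gdm_session_worker_uninitialize_pam` starts and ends outside this hunk.

```c
                if (pid == 0) {
                        /* Drop supplementary groups and gid before the uid;
                         * after setuid these calls can no longer succeed. */
                        if (setgroups (0, NULL) < 0 ||
                            setgid (worker->priv->gid) < 0 ||
                            setuid (worker->priv->uid) < 0) {
                                g_warning ("GdmSessionWorker: could not drop privileges: %s", g_strerror (errno));
                                _exit (1);
                        }
                        /* … unchanged: gdm_session_worker_cache_userfiles call and _exit (0) … */
                }

                if (pid < 0) {
                        g_warning ("GdmSessionWorker: could not fork to cache user files: %s", g_strerror (errno));
                }
                /* … unchanged: gdm_wait_on_pid for pid > 0 … */
```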


