Exploit:

 **** Problem with su on HP/UX 9.00 ****

 When the shell calling "su" is killed,
 the user is logged out, but in-between
 login prompts, a user can still enter
 commands as root.

 Affected Sites:
 Any HP system running HP/UX 9.00.

 Problem:

 When a user su's to root and goes idle,
 the other system administrator wants to
 kill the login shell for obvious purposes.
 Normally, doing this logs the user out and
 kills any shells or programs that have been
 run from this shell, but this isn't quite
 the case.

 What happens is this: It will appear as if
 the user has logged out of his/her dumb
 terminal, however there is quite a surprise
 (or present) for the next user of that
 terminal:

 HP/UX 9.00

 login: myusername
 # ksh: myusername not found
 password:
 #

 login: uptime
 9:28PM  up 1 day, 58 mins, 6 users, etc..
 password:

 --------------------------------------------

 When the other sysadmin does a 'kill -9'
 or whatever of the *parent shell*, this
 is failing to propagate a SIGHUP to the
 shell spawned by the su command (which
 makes sense, as it is probably in a
 different process group for job control
 purposes).  The login shell exits, the
 su-shell keeps running. init notices the
 login shell exiting, and re-spawns a
 getty.  You then get a getty/login and
 a su-shell fighting in a race condition
 for any given line of terminal input.

 The problem is probably exacerbated by a
 lack of a revoke() call in HP/UX 9.0,
 which was designed to close exactly this
 hole - getty can revoke() on the /dev/tty
 and be *sure* that no other processes are
 still reading.  (And yes, I *know* about
 the funky race conditions in many Unixoid
 kernels that allow a blocked open() to
 slip past a revoke() call.  But revoke()
 is better than nothing ;)

 Work-around:  Make sure to kill the su-shell
 first, and THEN the login shell.  If this is
 too hard to remember, create a shell or perl
 script called 'nuke-admin' ;)

 --------------------------------------------

 In regards to having "open()" slide past
 "revoke()" I have heard a lot of reports
 from friends of mine that when they logout
 they jam and pound on their keyboards, and
 between the time their login shell dies and
 getty is supposed to re-spawn, they get a
 nice root prompt to play with. This is on
 HP/UX 9.00 and 10.00, BTW.

 --------------------------------------------
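
 One way to write the 'nuke-admin' script suggested in the work-around above: an added example, not part of the original advisory. It assumes a POSIX ps that accepts -o pid= -o ppid=; the function names kill_order and nuke_admin are made up for this sketch.

```shell
#!/bin/sh
# nuke-admin: added example, not from the original advisory.
# Assumes a POSIX ps that accepts "-o pid= -o ppid=".

# kill_order ROOT: read "PID PPID" pairs on stdin and print ROOT's process
# tree deepest-first, so the su-shell is listed before the login shell.
kill_order() {
    awk -v root="$1" '
        function walk(p,    n, i, c) {
            if (p in seen) return          # guard against malformed input
            seen[p] = 1
            n = split(kids[p], c, " ")
            for (i = 1; i <= n; i++) walk(c[i])
            print p
        }
        { kids[$2] = kids[$2] " " $1 }     # map each parent to its children
        END { walk(root) }'
}

# nuke_admin LOGIN_PID: signal the whole session, children before the parent.
nuke_admin() {
    case $1 in
        ''|0|1|*[!0-9]*) echo "usage: nuke-admin LOGIN_SHELL_PID" >&2; return 2 ;;
    esac
    # Snapshot the tree BEFORE signalling anything: once the login shell dies,
    # its children are reparented to init and cannot be found by PPID any more.
    order=$(ps -e -o pid= -o ppid= | kill_order "$1")
    for pid in $order; do kill -HUP "$pid" 2>/dev/null; done
    sleep 1
    for pid in $order; do kill -KILL "$pid" 2>/dev/null; done
    sleep 1
    left=0
    for pid in $order; do
        if kill -0 "$pid" 2>/dev/null; then
            echo "still running: $pid" >&2
            left=1
        fi
    done
    return "$left"
}

# Run only when a PID is given on the command line.
if [ "$#" -gt 0 ]; then nuke_admin "$1"; fi
```

 Run it as root with the PID of the idle user's login shell; a non-zero exit status means something from that session is still alive on the terminal.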