Commit | Line | Data |
---|---|---|
2452d5b7 | 1 | diff -urN xc.orig/config/cf/Server.tmpl xc/config/cf/Server.tmpl |
2 | --- xc.orig/config/cf/Server.tmpl Mon Dec 30 15:52:30 2002 | |
3 | +++ xc/config/cf/Server.tmpl Mon Dec 30 17:31:51 2002 | |
4 | @@ -25,8 +25,14 @@ | |
5 | #ifndef DoThreadedServer | |
6 | #define DoThreadedServer NO | |
e2d64aaf JR |
7 | #endif |
8 | +#ifndef XserverNeedsSetUID | |
9 | +#define XserverNeedsSetUID NO | |
10 | +#endif | |
11 | +#ifndef UseXserverWrapper | |
12 | +#define UseXserverWrapper XserverNeedsSetUID | |
13 | +#endif | |
14 | #ifndef InstallServerSetUID | |
15 | -#define InstallServerSetUID NO | |
16 | +#define InstallServerSetUID (XserverNeedsSetUID && !UseXserverWrapper) | |
17 | #endif | |
18 | ||
2452d5b7 | 19 | #ifdef CrossCompileDir |
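Review bot: `UseXserverWrapper` and `XserverNeedsSetUID` are independent `#ifndef` defaults here, so a site that sets `UseXserverWrapper YES` while leaving `XserverNeedsSetUID NO` still gets a setuid Xwrapper from the `#if UseXserverWrapper` block in programs/Xserver/Imakefile. The comments this patch adds in xf86site.def and xfree86.cf say that disabling XserverNeedsSetUID disables the wrapper, which holds only for the default. Either document the three macros above these lines, e.g. `/* XserverNeedsSetUID: server needs root; UseXserverWrapper: provide root via the setuid Xwrapper; InstallServerSetUID: setuid the server itself only when no wrapper is used */`, or derive the setting so the two cannot disagree.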
20 | diff -urN xc.orig/config/cf/xf86site.def xc/config/cf/xf86site.def | |
21 | --- xc.orig/config/cf/xf86site.def Mon Dec 30 15:52:31 2002 | |
22 | +++ xc/config/cf/xf86site.def Mon Dec 30 17:37:06 2002 | |
23 | @@ -69,14 +69,15 @@ | |
e2d64aaf JR |
24 | */ |
25 | ||
26 | /* | |
27 | - * If you only run the X server under xdm the X servers don't need to be | |
28 | - * installed SetUID, and you may comment out the lines below. If you run | |
29 | - * the servers by hand (with xinit or startx), then they do need to be | |
2452d5b7 | 30 | - * installed SetUID on most platforms. |
e2d64aaf JR |
31 | + * The X servers need to run as root on most OSs. We're now using a |
32 | + * wrapper in that case, but we still need to make it known that the | |
33 | + * servers need SetUID. When only using xdm, this (and the wrapper) | |
34 | + * are not required. Disabling this automatically disables use of the | |
35 | + * wrapper. | |
36 | * | |
2452d5b7 | 37 | - * Consult your system administrator before making the X server setuid. |
e2d64aaf | 38 | + * If you're only starting the Xservers with xdm set this to NO |
2452d5b7 | 39 | * |
40 | -#define InstallXserverSetUID NO | |
41 | +#define XserverNeedsSetUID NO | |
e2d64aaf JR |
42 | */ |
43 | ||
2452d5b7 | 44 | |
45 | diff -urN xc.orig/config/cf/xfree86.cf xc/config/cf/xfree86.cf | |
46 | --- xc.orig/config/cf/xfree86.cf Mon Dec 30 15:52:31 2002 | |
47 | +++ xc/config/cf/xfree86.cf Mon Dec 30 17:31:51 2002 | |
48 | @@ -1104,12 +1104,15 @@ | |
e2d64aaf JR |
49 | #endif |
50 | ||
51 | /* | |
52 | - * The default is to install the X servers setuid-root on most OSs. | |
53 | - * It the servers are only started by xdm, they should not be setuid-root. | |
54 | + * The X servers need to run as root on most OSs. We're now using a | |
55 | + * wrapper in that case, but we still need to make it known that the | |
56 | + * servers need SetUID. When only using xdm, this (and the wrapper) | |
57 | + * are not required. Disabling this automatically disables use of the | |
58 | + * wrapper. | |
59 | */ | |
60 | #if !defined(i386MachArchitecture) && !defined(OS2Architecture) | |
61 | -# ifndef InstallXserverSetUID | |
62 | -# define InstallXserverSetUID YES | |
63 | +# ifndef XserverNeedsSetUID | |
64 | +# define XserverNeedsSetUID YES | |
65 | # endif | |
66 | #endif | |
67 | ||
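Review bot: The rename from `InstallXserverSetUID` to `XserverNeedsSetUID` leaves no compatibility mapping, so an existing site file that sets `#define InstallXserverSetUID NO` is presumably ignored and this block defaults `XserverNeedsSetUID` to YES. Together with the rest of the patch, that installs a setuid-root Xwrapper on a system whose administrator had opted out of setuid installs. A shim placed before this `#ifndef` would keep the old setting effective: `#if defined(InstallXserverSetUID) && !defined(XserverNeedsSetUID)` / `# define XserverNeedsSetUID InstallXserverSetUID` / `#endif`.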
2452d5b7 | 68 | diff -urN xc.orig/programs/Xserver/Imakefile xc/programs/Xserver/Imakefile |
69 | --- xc.orig/programs/Xserver/Imakefile Mon Dec 30 15:53:22 2002 | |
70 | +++ xc/programs/Xserver/Imakefile Mon Dec 30 17:31:51 2002 | |
e2d64aaf JR |
71 | @@ -4,11 +4,6 @@ |
72 | */ | |
2452d5b7 | 73 | XCOMM $XFree86: xc/programs/Xserver/Imakefile,v 3.275 2002/12/21 00:19:11 torrey Exp $ |
e2d64aaf JR |
74 | |
75 | -#ifndef InstallXserverSetUID | |
76 | -#define InstallXserverSetUID NO | |
77 | -#endif | |
78 | -#define InstallServerSetUID InstallXserverSetUID | |
79 | - | |
80 | #include <Server.tmpl> | |
81 | ||
82 | #ifdef XFree86Version | |
2452d5b7 | 83 | @@ -1146,6 +1141,11 @@ |
b19d4d8b | 84 | #endif /* XnestServer */ |
e2d64aaf | 85 | |
2452d5b7 | 86 | |
e2d64aaf JR |
87 | +#if UseXserverWrapper |
88 | +SetUIDProgramTarget(Xwrapper,os/wrapper.o,NullParameter,$(PAMLIBS),NullParameter) | |
89 | +InstallProgramWithFlags(Xwrapper,$(BINDIR),$(INSTUIDFLAGS)) | |
90 | +#endif | |
2452d5b7 | 91 | + |
92 | #if defined(XnonServer) && XnonServer | |
b19d4d8b | 93 | XCOMM |
2452d5b7 | 94 | XCOMM non server, just compile sources for build test |
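Review bot: PAM is wired into the wrapper unconditionally: this `SetUIDProgramTarget` line always links `$(PAMLIBS)`, and the os/Imakefile hunk sets `EXTRA_DEFINES = -DUSE_PAM` with no condition, while wrapper.c itself treats `USE_PAM` as optional. `EXTRA_DEFINES` is normally passed to every compile in a directory, so the define is not limited to wrapper.o and may replace an earlier `EXTRA_DEFINES` value that is not visible in the hunk. Consider gating both on the tree's PAM-availability setting and carrying the flag in `WRAPPER_DEFINES` instead, e.g. `WRAPPER_DEFINES = -DXSERVER_PATH=\"/etc/X11/X\" -DUSE_PAM`. Nothing in the diff defines `PAMLIBS`, so the link line presumably depends on a definition elsewhere.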
95 | diff -urN xc.orig/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c | |
96 | --- xc.orig/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c Mon Dec 30 15:53:52 2002 | |
97 | +++ xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c Mon Dec 30 17:31:51 2002 | |
b19d4d8b | 98 | @@ -66,7 +66,10 @@ |
e2d64aaf JR |
99 | /* check if we're run with euid==0 */ |
100 | if (geteuid() != 0) | |
101 | { | |
102 | - FatalError("xf86OpenConsole: Server must be suid root\n"); | |
103 | + FatalError("xf86OpenConsole: Server must be running with root " | |
104 | + "permissions\n" | |
105 | + "You should be using Xwrapper to start the server or xdm.\n" | |
106 | + "We strongly advise against making the server SUID root!\n"); | |
107 | } | |
108 | ||
109 | /* | |
2452d5b7 | 110 | diff -urN xc.orig/programs/Xserver/os/Imakefile xc/programs/Xserver/os/Imakefile |
111 | --- xc.orig/programs/Xserver/os/Imakefile Mon Dec 30 15:53:58 2002 | |
112 | +++ xc/programs/Xserver/os/Imakefile Mon Dec 30 17:31:52 2002 | |
113 | @@ -120,6 +120,7 @@ | |
ea1f593a | 114 | INCLUDES = -I. -I../include -I$(XINCLUDESRC) -I$(EXTINCSRC) \ |
2452d5b7 | 115 | -I$(SERVERSRC)/Xext -I$(FONTINCSRC) -I$(SERVERSRC)/render \ |
ea1f593a | 116 | -I$(TOP)/lib/Xau -I../lbx Krb5Includes |
31df3500 | 117 | + EXTRA_DEFINES = -DUSE_PAM |
ea1f593a | 118 | DEPEND_DEFINES = $(DBM_DEFINES) $(XDMCP_DEFINES) $(EXT_DEFINES) \ |
119 | $(TRANS_INCLUDES) $(CONNECTION_FLAGS) DependDefines | |
e2d64aaf | 120 | LINTLIBS = ../dix/llib-ldix.ln |
2452d5b7 | 121 | @@ -166,6 +167,14 @@ |
e2d64aaf | 122 | SpecialCObjectRule(oscolor,$(ICONFIGFILES),$(DBM_DEFINES)) |
2452d5b7 | 123 | #endif |
124 | ||
e2d64aaf JR |
125 | +#if UseXserverWrapper |
126 | +AllTarget(wrapper.o) | |
127 | + | |
128 | + WRAPPER_DEFINES = -DXSERVER_PATH=\"/etc/X11/X\" | |
129 | + | |
130 | +SpecialCObjectRule(wrapper,NullParameter,$(WRAPPER_DEFINES)) | |
2452d5b7 | 131 | +#endif |
132 | + | |
e2d64aaf | 133 | #if HasKrb5 |
2452d5b7 | 134 | LinkSourceFile(k5encode.c,$(XAUTHSRC)) |
135 | #endif | |
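Review bot: `WRAPPER_DEFINES` hard-codes `XSERVER_PATH` as `/etc/X11/X`, and the setuid wrapper passes that path straight to `execve()` with euid 0. Nothing in the patch installs or checks that path, so the wrapper's safety rests on `/etc/X11/X` (presumably a link to the real server) and every directory above it being owned by root and not writable by anyone else. Record that requirement next to the define, e.g. `XCOMM Xwrapper execs XSERVER_PATH as root: the path and every directory above it must be root-owned and not group/world writable`, or derive the path from `$(BINDIR)` so it follows the install location.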
136 | diff -urN xc.orig/programs/Xserver/os/wrapper.c xc/programs/Xserver/os/wrapper.c | |
137 | --- xc.orig/programs/Xserver/os/wrapper.c Thu Jan 1 01:00:00 1970 | |
138 | +++ xc/programs/Xserver/os/wrapper.c Mon Dec 30 17:31:52 2002 | |
e2d64aaf JR |
139 | @@ -0,0 +1,304 @@ |
140 | +/* | |
141 | + * X server wrapper. | |
142 | + * | |
143 | + * This wrapper makes some sanity checks on the command line arguments | |
144 | + * and environment variables when run with euid == 0 && euid != uid. | |
145 | + * If the checks fail, the wrapper exits with a message. | |
146 | + * If they succeed, it exec's the Xserver. | |
147 | + */ | |
148 | + | |
149 | +/* | |
150 | + * Copyright (c) 1998 by The XFree86 Project, Inc. All Rights Reserved. | |
151 | + * | |
152 | + * Permission is hereby granted, free of charge, to any person obtaining | |
153 | + * a copy of this software and associated documentation files (the | |
154 | + * "Software"), to deal in the Software without restriction, including | |
155 | + * without limitation the rights to use, copy, modify, merge, publish, | |
156 | + * distribute, sublicense, and/or sell copies of the Software, and to | |
157 | + * permit persons to whom the Software is furnished to do so, subject | |
158 | + * to the following conditions: | |
159 | + * | |
160 | + * The above copyright notice and this permission notice shall be included | |
161 | + * in all copies or substantial portions of the Software. | |
162 | + * | |
163 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, | |
164 | + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | |
165 | + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. | |
166 | + * IN NO EVENT SHALL THE XFREE86 PROJECT BE LIABLE FOR ANY CLAIM, DAMAGES | |
167 | + * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, | |
168 | + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE | |
169 | + * OR OTHER DEALINGS IN THE SOFTWARE. | |
170 | + * | |
171 | + * Except as contained in this notice, the name of the XFree86 Project | |
172 | + * shall not be used in advertising or otherwise to promote the sale, | |
173 | + * use or other dealings in this Software without prior written | |
174 | + * authorization from the XFree86 Project. | |
175 | + */ | |
176 | + | |
177 | +/* $XFree86: xc/programs/Xserver/os/wrapper.c,v 1.1.2.5 1998/02/27 15:28:59 dawes Exp $ */ | |
178 | + | |
179 | +/* This is normally set in the Imakefile */ | |
180 | +#ifndef XSERVER_PATH | |
181 | +#define XSERVER_PATH "/etc/X11/X" | |
182 | +#endif | |
183 | + | |
184 | +#include <stdio.h> | |
185 | +#include <stdlib.h> | |
186 | +#include <string.h> | |
187 | +#include <errno.h> | |
188 | +#include <unistd.h> | |
189 | +#include <sys/types.h> | |
190 | +#ifdef USE_PAM | |
191 | +#include <security/pam_appl.h> | |
192 | +#include <security/pam_misc.h> | |
193 | +#include <pwd.h> | |
194 | +#endif /* USE_PAM */ | |
195 | + | |
196 | +/* Neither of these should be required for XFree86 3.3.2 */ | |
197 | +#ifndef REJECT_CONFIG | |
198 | +#define REJECT_CONFIG 0 | |
199 | +#endif | |
200 | +#ifndef REJECT_XKBDIR | |
201 | +#define REJECT_XKBDIR 0 | |
202 | +#endif | |
203 | + | |
204 | +/* Consider LD* variables insecure ? */ | |
205 | +#ifndef REMOVE_ENV_LD | |
206 | +#define REMOVE_ENV_LD 1 | |
207 | +#endif | |
208 | + | |
209 | +/* Remove long environment variables? */ | |
210 | +#ifndef REMOVE_LONG_ENV | |
211 | +#define REMOVE_LONG_ENV 1 | |
212 | +#endif | |
213 | + | |
214 | +/* Check args and env only if running setuid (euid == 0 && euid != uid) ? */ | |
215 | +#ifndef CHECK_EUID | |
216 | +#define CHECK_EUID 1 | |
217 | +#endif | |
218 | + | |
219 | +/* | |
220 | + * Maybe the locale can be faked to make isprint(3) report that everything | |
221 | + * is printable? Avoid it by default. | |
222 | + */ | |
223 | +#ifndef USE_ISPRINT | |
224 | +#define USE_ISPRINT 0 | |
225 | +#endif | |
226 | + | |
227 | +#define MAX_ARG_LENGTH 128 | |
228 | +#define MAX_ENV_LENGTH 256 | |
229 | +#define MAX_ENV_PATH_LENGTH 2048 | |
230 | + | |
231 | +#if USE_ISPRINT | |
232 | +#include <ctype.h> | |
233 | +#define checkPrintable(c) isprint(c) | |
234 | +#else | |
235 | +#define checkPrintable(c) (((c) & 0x7f) >= 0x20 && ((c) & 0x7f) != 0x7f) | |
236 | +#endif | |
237 | + | |
238 | +enum BadCode { | |
239 | + NotBad = 0, | |
240 | + UnsafeArg, | |
241 | + ArgTooLong, | |
242 | + UnprintableArg, | |
243 | + EnvTooLong, | |
244 | + InternalError, | |
245 | +#ifdef USE_PAM | |
246 | + PamFailed, | |
247 | + PamAuthFailed, | |
248 | +#endif /* USE_PAM */ | |
249 | +}; | |
250 | + | |
251 | +#define ARGMSG \ | |
252 | + "\nIf the arguments used are valid, and have been rejected incorrectly\n" \ | |
253 | + "please send details of the arguments and why they are valid to\n" \ | |
254 | + "XFree86@XFree86.org. In the meantime, you can start the Xserver as\n" \ | |
255 | + "the \"super user\" (root).\n" | |
256 | + | |
257 | +#define ENVMSG \ | |
258 | + "\nIf the environment is valid, and have been rejected incorrectly\n" \ | |
259 | + "please send details of the environment and why it is valid to\n" \ | |
260 | + "XFree86@XFree86.org. In the meantime, you can start the Xserver as\n" \ | |
261 | + "the \"super user\" (root).\n" | |
262 | + | |
263 | +#ifdef USE_PAM | |
264 | +static struct pam_conv conv = { | |
265 | + misc_conv, | |
266 | + NULL | |
267 | +}; | |
268 | +#endif /* USE_PAM */ | |
269 | + | |
270 | + | |
271 | +int | |
272 | +main(int argc, char **argv, char **envp) | |
273 | +{ | |
274 | + enum BadCode bad = NotBad; | |
275 | + int i, j; | |
276 | + char *a, *e; | |
277 | +#ifdef USE_PAM | |
278 | + pam_handle_t *pamh = NULL; | |
279 | + struct passwd *pw; | |
280 | + int retval; | |
281 | + | |
282 | + pw = getpwuid(getuid()); | |
283 | + if (pw == NULL) { | |
284 | + bad = InternalError; | |
285 | + } | |
286 | + | |
287 | + if (!bad) { | |
288 | + retval = pam_start("xserver", pw->pw_name, &conv, &pamh); | |
289 | + if (retval != PAM_SUCCESS) | |
290 | + bad = PamFailed; | |
291 | + } | |
292 | + | |
293 | + if (!bad) { | |
294 | + retval = pam_authenticate(pamh, 0); | |
295 | + if (retval != PAM_SUCCESS) { | |
296 | + pam_end(pamh, retval); | |
297 | + bad = PamAuthFailed; | |
298 | + } | |
299 | + } | |
300 | + | |
301 | + if (!bad) { | |
302 | + retval = pam_acct_mgmt(pamh, 0); | |
303 | + if (retval != PAM_SUCCESS) { | |
304 | + pam_end(pamh, retval); | |
305 | + bad = PamAuthFailed; | |
306 | + } | |
307 | + } | |
308 | + | |
309 | + /* this is not a session, so do not do session management */ | |
310 | + | |
311 | + if (!bad) pam_end(pamh, PAM_SUCCESS); | |
312 | +#endif /* USE_PAM */ | |
313 | + | |
314 | +#if CHECK_EUID | |
315 | + if (!bad && geteuid() == 0 && getuid() != geteuid()) { | |
316 | +#else | |
317 | + if (!bad) { | |
318 | +#endif | |
319 | + /* Check each argv[] */ | |
320 | + for (i = 1; i < argc; i++) { | |
321 | + | |
322 | + /* Check for known bad arguments */ | |
323 | +#if REJECT_CONFIG | |
324 | + if (strcmp(argv[i], "-config") == 0) { | |
325 | + bad = UnsafeArg; | |
326 | + break; | |
327 | + } | |
328 | +#endif | |
329 | +#if REJECT_XKBDIR | |
330 | + if (strcmp(argv[i], "-xkbdir") == 0) { | |
331 | + bad = UnsafeArg; | |
332 | + break; | |
333 | + } | |
334 | +#endif | |
335 | + if (strlen(argv[i]) > MAX_ARG_LENGTH) { | |
336 | + bad = ArgTooLong; | |
337 | + break; | |
338 | + } | |
339 | + a = argv[i]; | |
340 | + while (*a) { | |
341 | + if (checkPrintable(*a) == 0) { | |
342 | + bad = UnprintableArg; | |
343 | + break; | |
344 | + } | |
345 | + a++; | |
346 | + } | |
347 | + if (bad) | |
348 | + break; | |
349 | + } | |
350 | + /* Check each envp[] */ | |
351 | + if (!bad) | |
352 | + for (i = 0; envp[i]; i++) { | |
353 | + | |
354 | + /* Check for bad environment variables and values */ | |
355 | +#if REMOVE_ENV_LD | |
356 | + while (envp[i] && (strncmp(envp[i], "LD", 2) == 0)) { | |
357 | + for (j = i; envp[j]; j++) { | |
358 | + envp[j] = envp[j+1]; | |
359 | + } | |
360 | + } | |
361 | +#endif | |
362 | + if (envp[i] && (strlen(envp[i]) > MAX_ENV_LENGTH)) { | |
363 | +#if REMOVE_LONG_ENV | |
364 | + for (j = i; envp[j]; j++) { | |
365 | + envp[j] = envp[j+1]; | |
366 | + } | |
367 | + i--; | |
368 | +#else | |
369 | + char *eq; | |
370 | + int len; | |
371 | + | |
372 | + eq = strchr(envp[i], '='); | |
373 | + if (!eq) | |
374 | + continue; | |
375 | + len = eq - envp[i]; | |
376 | + e = malloc(len + 1); | |
377 | + if (!e) { | |
378 | + bad = InternalError; | |
379 | + break; | |
380 | + } | |
381 | + strncpy(e, envp[i], len); | |
382 | + e[len] = 0; | |
383 | + if (len >= 4 && | |
384 | + (strcmp(e + len - 4, "PATH") == 0 || | |
385 | + strcmp(e, "TERMCAP") == 0)) { | |
386 | + if (strlen(envp[i]) > MAX_ENV_PATH_LENGTH) { | |
387 | + bad = EnvTooLong; | |
388 | + break; | |
389 | + } else { | |
390 | + free(e); | |
391 | + } | |
392 | + } else { | |
393 | + bad = EnvTooLong; | |
394 | + break; | |
395 | + } | |
396 | +#endif | |
397 | + } | |
398 | + } | |
399 | + } | |
400 | + switch (bad) { | |
401 | + case NotBad: | |
402 | + execve(XSERVER_PATH, argv, envp); | |
403 | + fprintf(stderr, "execve failed for %s (errno %d)\n", XSERVER_PATH, | |
404 | + errno); | |
405 | + break; | |
406 | + case UnsafeArg: | |
407 | + fprintf(stderr, "Command line argument number %d is unsafe\n", i); | |
408 | + fprintf(stderr, ARGMSG); | |
409 | + break; | |
410 | + case ArgTooLong: | |
411 | + fprintf(stderr, "Command line argument number %d is too long\n", i); | |
412 | + fprintf(stderr, ARGMSG); | |
413 | + break; | |
414 | + case UnprintableArg: | |
415 | + fprintf(stderr, "Command line argument number %d contains unprintable" | |
416 | + " characters\n", i); | |
417 | + fprintf(stderr, ARGMSG); | |
418 | + break; | |
419 | + case EnvTooLong: | |
420 | + fprintf(stderr, "Environment variable `%s' is too long\n", e); | |
421 | + fprintf(stderr, ENVMSG); | |
422 | + break; | |
423 | + case InternalError: | |
424 | + fprintf(stderr, "Internal Error\n"); | |
425 | + break; | |
426 | +#ifdef USE_PAM | |
427 | + case PamFailed: | |
428 | + fprintf(stderr, "Authentication System Failure, " | |
429 | + "missing or mangled PAM configuration file or module?\n"); | |
430 | + break; | |
431 | + case PamAuthFailed: | |
432 | + fprintf(stderr, "PAM authentication failed\n"); | |
433 | + break; | |
434 | +#endif | |
435 | + default: | |
436 | + fprintf(stderr, "Unknown error\n"); | |
437 | + fprintf(stderr, ARGMSG); | |
438 | + fprintf(stderr, ENVMSG); | |
439 | + break; | |
440 | + } | |
441 | + exit(1); | |
442 | +} | |
443 | + | |
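Review bot: The environment pass in main() (the `/* Check each envp[] */` loop) is a deny-list: it drops entries whose name begins with `LD` and, by default, entries longer than MAX_ENV_LENGTH, and everything else reaches `execve(XSERVER_PATH, argv, envp)` with euid 0. For a setuid helper the safer shape is the reverse: keep only a short, explicit list of names and drop the rest, as sketched below (the list shown is a constructed example for the packager to adjust). Separately, `REJECT_CONFIG` and `REJECT_XKBDIR` default to 0 on the strength of the comment "Neither of these should be required for XFree86 3.3.2", while the other files in this patch carry 2002 timestamps. That assumption should be re-checked against the server actually being wrapped.

```c
/* Example allow-list (constructed): names copied into the server's environment. */
static const char *const keep_env[] = { "DISPLAY", "HOME", "XAUTHORITY", NULL };

/* Return non-zero when entry is "NAME=value" for an allow-listed NAME of sane length. */
static int
keepEnv(const char *entry)
{
    size_t n;
    int k;

    for (k = 0; keep_env[k]; k++) {
        n = strlen(keep_env[k]);
        if (strncmp(entry, keep_env[k], n) == 0 && entry[n] == '=')
            return strlen(entry) <= MAX_ENV_LENGTH;
    }
    return 0;
}

/* … unchanged: PAM checks and the argv[] checks … */

        /* Compact envp[] in place, keeping only allow-listed entries */
        if (!bad) {
            for (i = 0, j = 0; envp[i]; i++) {
                if (keepEnv(envp[i]))
                    envp[j++] = envp[i];
            }
            envp[j] = NULL;
        }

/* … unchanged: switch (bad) and execve … */
```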
2452d5b7 | 444 | diff -urN xc.orig/programs/xinit/startx.cpp xc/programs/xinit/startx.cpp |
445 | --- xc.orig/programs/xinit/startx.cpp Mon Dec 30 15:54:10 2002 | |
446 | +++ xc/programs/xinit/startx.cpp Mon Dec 30 17:31:52 2002 | |
447 | @@ -53,7 +53,7 @@ | |
448 | sysclientrc=XINITDIR/xinitrc | |
449 | sysserverrc=XINITDIR/xserverrc | |
450 | defaultclient=BINDIR/xterm | |
451 | -defaultserver=BINDIR/X | |
452 | +defaultserver=BINDIR/Xwrapper | |
453 | defaultclientargs="" | |
454 | defaultserverargs="" | |
455 | clientargs="" | |
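Review bot: `defaultserver` now points at BINDIR/Xwrapper unconditionally, but programs/Xserver/Imakefile builds and installs Xwrapper only inside `#if UseXserverWrapper`, and xinit.c in this same patch falls back to the plain server when the wrapper is not executable. On a build with the wrapper disabled (the xdm-only case the new comments describe), startx would therefore name a binary that does not exist. A matching fallback would be `if [ -x BINDIR/Xwrapper ]; then defaultserver=BINDIR/Xwrapper; else defaultserver=BINDIR/X; fi`.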
456 | diff -urN xc.orig/programs/xinit/xinit.c xc/programs/xinit/xinit.c | |
457 | --- xc.orig/programs/xinit/xinit.c Mon Dec 30 15:54:10 2002 | |
458 | +++ xc/programs/xinit/xinit.c Mon Dec 30 17:31:52 2002 | |
459 | @@ -146,6 +146,7 @@ | |
e2d64aaf JR |
460 | #define OK_EXIT 0 |
461 | #define ERR_EXIT 1 | |
462 | ||
463 | +char *default_wrapper = BINDIR "/Xwrapper"; | |
464 | char *default_server = "X"; | |
465 | char *default_display = ":0"; /* choose most efficient */ | |
2452d5b7 | 466 | char *default_client[] = {"xterm", "-geometry", "+1+1", "-n", "login", NULL}; |
467 | @@ -332,7 +333,10 @@ | |
e2d64aaf | 468 | if (argc == 0 || |
2452d5b7 | 469 | #ifndef __UNIXOS2__ |
e2d64aaf JR |
470 | (**argv != '/' && **argv != '.')) { |
471 | - *sptr++ = default_server; | |
472 | + if (access(default_wrapper, X_OK) == 0) | |
473 | + *sptr++ = default_wrapper; | |
474 | + else | |
475 | + *sptr++ = default_server; | |
476 | #else | |
477 | (**argv != '/' && **argv != '\\' && **argv != '.' && | |
478 | !(isalpha(**argv) && (*argv)[1]==':'))) { |
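Review bot: The new `access(default_wrapper, X_OK)` branch has no comment saying why the wrapper is preferred, and its fallback is silent. Falling through to `default_server` starts the bare server, which on Linux then stops in xf86OpenConsole with the new "must be running with root permissions" message unless it has root privileges. Suggested comment above the `if`: `/* Prefer the setuid Xwrapper (argument/environment checks, PAM) when installed; otherwise start the server directly. */`. The `#else` (`__UNIXOS2__`) arm and the rest of the statement continue outside the hunk.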