1 diff -urN XFree86-4.0.1.orig/xc/config/cf/Server.tmpl XFree86-4.0.1/xc/config/cf/Server.tmpl
2 --- XFree86-4.0.1.orig/xc/config/cf/Server.tmpl Fri Feb 18 17:23:07 2000
3 +++ XFree86-4.0.1/xc/config/cf/Server.tmpl Mon Jul 10 04:01:04 2000
6 #define MakeDllModules NO
8 +#ifndef XserverNeedsSetUID
9 +#define XserverNeedsSetUID NO
11 +#ifndef UseXserverWrapper
12 +#define UseXserverWrapper XserverNeedsSetUID
14 #ifndef InstallServerSetUID
15 -#define InstallServerSetUID NO
16 +#define InstallServerSetUID (XserverNeedsSetUID && !UseXserverWrapper)
20 diff -urN XFree86-4.0.1.orig/xc/config/cf/xf86site.def XFree86-4.0.1/xc/config/cf/xf86site.def
21 --- XFree86-4.0.1.orig/xc/config/cf/xf86site.def Mon Jul 10 03:59:05 2000
22 +++ XFree86-4.0.1/xc/config/cf/xf86site.def Mon Jul 10 04:01:04 2000
27 - * If you only run the X server under xdm the X servers don't need to be
28 - * installed SetUID, and you may comment out the lines below. If you run
29 - * the servers by hand (with xinit or startx), then they do need to be
30 - * installed SetUID on most OSs.
31 - * Consult your system administrator before making the X server setuid.
32 + * The X servers need to run as root on most OSs. We're now using a
33 + * wrapper in that case, but we still need to make it known that the
34 + * servers need SetUID. When only using xdm, this (and the wrapper)
35 + * are not required. Disabling this automatically disables use of the
38 -#define InstallXserverSetUID NO
39 + * If you're only starting the Xservers with xdm set this to NO
41 +#define XserverNeedsSetUID NO
45 diff -urN XFree86-4.0.1.orig/xc/config/cf/xfree86.cf XFree86-4.0.1/xc/config/cf/xfree86.cf
46 --- XFree86-4.0.1.orig/xc/config/cf/xfree86.cf Mon Jul 10 03:59:05 2000
47 +++ XFree86-4.0.1/xc/config/cf/xfree86.cf Mon Jul 10 04:01:04 2000
52 - * The default is to install the X servers setuid-root on most OSs.
53 - * It the servers are only started by xdm, they should not be setuid-root.
54 + * The X servers need to run as root on most OSs. We're now using a
55 + * wrapper in that case, but we still need to make it known that the
56 + * servers need SetUID. When only using xdm, this (and the wrapper)
57 + * are not required. Disabling this automatically disables use of the
60 #if !defined(i386MachArchitecture) && !defined(OS2Architecture)
61 -# ifndef InstallXserverSetUID
62 -# define InstallXserverSetUID YES
63 +# ifndef XserverNeedsSetUID
64 +# define XserverNeedsSetUID YES
68 diff -urN XFree86-4.0.1.orig/xc/programs/Xserver/Imakefile XFree86-4.0.1/xc/programs/Xserver/Imakefile
69 --- XFree86-4.0.1.orig/xc/programs/Xserver/Imakefile Sat Jun 17 20:42:16 2000
70 +++ XFree86-4.0.1/xc/programs/Xserver/Imakefile Mon Jul 10 04:01:33 2000
73 XCOMM $XFree86: xc/programs/Xserver/Imakefile,v 3.184 2000/06/17 00:03:10 martin Exp $
75 -#ifndef InstallXserverSetUID
76 -#define InstallXserverSetUID NO
78 -#define InstallServerSetUID InstallXserverSetUID
80 #include <Server.tmpl>
84 SYSLIBS = $(ZLIB) MathLibrary Krb5Libraries DBMLibrary $(USB) \
87 + PAMLIBS = -lpam -lpam_misc -ldl
88 CBRT = mi/LibraryTargetName(cbrt)
89 STDDIRS = include dix os mi $(XPDDXDIR) $(EXTDIRS)
91 @@ -1012,6 +1008,11 @@
92 $(XVFBLIBS) $(LOADABLEEXTS) $(LIBCWRAPPER),$(XVFBSYSLIBS))
93 #endif /* XVirtualFramebufferServer */
96 +#if UseXserverWrapper
97 +SetUIDProgramTarget(Xwrapper,os/wrapper.o,NullParameter,$(PAMLIBS),NullParameter)
98 +InstallProgramWithFlags(Xwrapper,$(BINDIR),$(INSTUIDFLAGS))
101 CFBDIRS = $(CFB8DIR) $(CFB16DIR) $(CFB24DIR) $(CFB32DIR)
102 IPLANDIRS = $(IPLAN2P2DIR) $(IPLAN2P4DIR) $(IPLAN2P8DIR)
103 diff -urN XFree86-4.0.1.orig/xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c XFree86-4.0.1/xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c
104 --- XFree86-4.0.1.orig/xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c Fri Feb 25 19:28:11 2000
105 +++ XFree86-4.0.1/xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c Mon Jul 10 04:01:04 2000
107 /* check if we're run with euid==0 */
110 - FatalError("xf86OpenConsole: Server must be suid root\n");
111 + FatalError("xf86OpenConsole: Server must be running with root "
113 + "You should be using Xwrapper to start the server or xdm.\n"
114 + "We strongly advise against making the server SUID root!\n");
118 diff -urN XFree86-4.0.1.orig/xc/programs/Xserver/os/Imakefile XFree86-4.0.1/xc/programs/Xserver/os/Imakefile
119 --- XFree86-4.0.1.orig/xc/programs/Xserver/os/Imakefile Fri May 5 19:47:29 2000
120 +++ XFree86-4.0.1/xc/programs/Xserver/os/Imakefile Mon Jul 10 04:01:33 2000
122 ERROR_DEFINES = ServerErrorDefines
123 DEFINES = -DXSERV_t -DTRANS_SERVER $(CONNECTION_FLAGS) $(MEM_DEFINES) $(XDMAUTHDEFS) $(RPCDEFS) $(SIGNAL_DEFINES) $(OS_DEFINES) $(KRB5_DEFINES) $(RGB_DEFINES)
124 INCLUDES = -I. -I../include -I$(XINCLUDESRC) -I$(EXTINCSRC) -I$(TOP)/lib/Xau -I../lbx Krb5Includes
125 + EXTRA_DEFINES = -DUSE_PAM
126 DEPEND_DEFINES = $(DBM_DEFINES) $(XDMCP_DEFINES) $(EXT_DEFINES) $(TRANS_INCLUDES) $(CONNECTION_FLAGS)
127 LINTLIBS = ../dix/llib-ldix.ln
130 cc -c $(DBM_DEFINES) $(CDEBUGFLAGS) $(ALLDEFINES) $*.c
132 SpecialCObjectRule(oscolor,$(ICONFIGFILES),$(DBM_DEFINES))
135 +#if UseXserverWrapper
136 +AllTarget(wrapper.o)
138 + WRAPPER_DEFINES = -DXSERVER_PATH=\"/etc/X11/X\"
140 +SpecialCObjectRule(wrapper,NullParameter,$(WRAPPER_DEFINES))
144 diff -urN XFree86-4.0.1.orig/xc/programs/Xserver/os/wrapper.c XFree86-4.0.1/xc/programs/Xserver/os/wrapper.c
145 --- XFree86-4.0.1.orig/xc/programs/Xserver/os/wrapper.c Thu Jan 1 01:00:00 1970
146 +++ XFree86-4.0.1/xc/programs/Xserver/os/wrapper.c Mon Jul 10 04:01:33 2000
149 + * X server wrapper.
151 + * This wrapper makes some sanity checks on the command line arguments
152 + * and environment variables when run with euid == 0 && euid != uid.
153 + * If the checks fail, the wrapper exits with a message.
154 + * If they succeed, it exec's the Xserver.
158 + * Copyright (c) 1998 by The XFree86 Project, Inc. All Rights Reserved.
160 + * Permission is hereby granted, free of charge, to any person obtaining
161 + * a copy of this software and associated documentation files (the
162 + * "Software"), to deal in the Software without restriction, including
163 + * without limitation the rights to use, copy, modify, merge, publish,
164 + * distribute, sublicense, and/or sell copies of the Software, and to
165 + * permit persons to whom the Software is furnished to do so, subject
166 + * to the following conditions:
168 + * The above copyright notice and this permission notice shall be included
169 + * in all copies or substantial portions of the Software.
171 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
172 + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
173 + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
174 + * IN NO EVENT SHALL THE XFREE86 PROJECT BE LIABLE FOR ANY CLAIM, DAMAGES
175 + * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
176 + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
177 + * OR OTHER DEALINGS IN THE SOFTWARE.
179 + * Except as contained in this notice, the name of the XFree86 Project
180 + * shall not be used in advertising or otherwise to promote the sale,
181 + * use or other dealings in this Software without prior written
182 + * authorization from the XFree86 Project.
185 +/* $XFree86: xc/programs/Xserver/os/wrapper.c,v 1.1.2.5 1998/02/27 15:28:59 dawes Exp $ */
187 +/* This is normally set in the Imakefile */
188 +#ifndef XSERVER_PATH
189 +#define XSERVER_PATH "/etc/X11/X"
197 +#include <sys/types.h>
199 +#include <security/pam_appl.h>
200 +#include <security/pam_misc.h>
202 +#endif /* USE_PAM */
204 +/* Neither of these should be required for XFree86 3.3.2 */
205 +#ifndef REJECT_CONFIG
206 +#define REJECT_CONFIG 0
208 +#ifndef REJECT_XKBDIR
209 +#define REJECT_XKBDIR 0
212 +/* Consider LD* variables insecure ? */
213 +#ifndef REMOVE_ENV_LD
214 +#define REMOVE_ENV_LD 1
217 +/* Remove long environment variables? */
218 +#ifndef REMOVE_LONG_ENV
219 +#define REMOVE_LONG_ENV 1
222 +/* Check args and env only if running setuid (euid == 0 && euid != uid) ? */
224 +#define CHECK_EUID 1
228 + * Maybe the locale can be faked to make isprint(3) report that everything
229 + * is printable? Avoid it by default.
232 +#define USE_ISPRINT 0
235 +#define MAX_ARG_LENGTH 128
236 +#define MAX_ENV_LENGTH 256
237 +#define MAX_ENV_PATH_LENGTH 2048
241 +#define checkPrintable(c) isprint(c)
243 +#define checkPrintable(c) (((c) & 0x7f) >= 0x20 && ((c) & 0x7f) != 0x7f)
256 +#endif /* USE_PAM */
260 + "\nIf the arguments used are valid, and have been rejected incorrectly\n" \
261 + "please send details of the arguments and why they are valid to\n" \
262 + "XFree86@XFree86.org. In the meantime, you can start the Xserver as\n" \
263 + "the \"super user\" (root).\n"
266 + "\nIf the environment is valid, and have been rejected incorrectly\n" \
267 + "please send details of the environment and why it is valid to\n" \
268 + "XFree86@XFree86.org. In the meantime, you can start the Xserver as\n" \
269 + "the \"super user\" (root).\n"
272 +static struct pam_conv conv = {
276 +#endif /* USE_PAM */
280 +main(int argc, char **argv, char **envp)
282 + enum BadCode bad = NotBad;
286 + pam_handle_t *pamh = NULL;
290 + pw = getpwuid(getuid());
292 + bad = InternalError;
296 + retval = pam_start("xserver", pw->pw_name, &conv, &pamh);
297 + if (retval != PAM_SUCCESS)
302 + retval = pam_authenticate(pamh, 0);
303 + if (retval != PAM_SUCCESS) {
304 + pam_end(pamh, retval);
305 + bad = PamAuthFailed;
310 + retval = pam_acct_mgmt(pamh, 0);
311 + if (retval != PAM_SUCCESS) {
312 + pam_end(pamh, retval);
313 + bad = PamAuthFailed;
317 + /* this is not a session, so do not do session management */
319 + if (!bad) pam_end(pamh, PAM_SUCCESS);
320 +#endif /* USE_PAM */
323 + if (!bad && geteuid() == 0 && getuid() != geteuid()) {
327 + /* Check each argv[] */
328 + for (i = 1; i < argc; i++) {
330 + /* Check for known bad arguments */
332 + if (strcmp(argv[i], "-config") == 0) {
338 + if (strcmp(argv[i], "-xkbdir") == 0) {
343 + if (strlen(argv[i]) > MAX_ARG_LENGTH) {
349 + if (checkPrintable(*a) == 0) {
350 + bad = UnprintableArg;
358 + /* Check each envp[] */
360 + for (i = 0; envp[i]; i++) {
362 + /* Check for bad environment variables and values */
364 + while (envp[i] && (strncmp(envp[i], "LD", 2) == 0)) {
365 + for (j = i; envp[j]; j++) {
366 + envp[j] = envp[j+1];
370 + if (envp[i] && (strlen(envp[i]) > MAX_ENV_LENGTH)) {
372 + for (j = i; envp[j]; j++) {
373 + envp[j] = envp[j+1];
380 + eq = strchr(envp[i], '=');
383 + len = eq - envp[i];
384 + e = malloc(len + 1);
386 + bad = InternalError;
389 + strncpy(e, envp[i], len);
392 + (strcmp(e + len - 4, "PATH") == 0 ||
393 + strcmp(e, "TERMCAP") == 0)) {
394 + if (strlen(envp[i]) > MAX_ENV_PATH_LENGTH) {
410 + execve(XSERVER_PATH, argv, envp);
411 + fprintf(stderr, "execve failed for %s (errno %d)\n", XSERVER_PATH,
415 + fprintf(stderr, "Command line argument number %d is unsafe\n", i);
416 + fprintf(stderr, ARGMSG);
419 + fprintf(stderr, "Command line argument number %d is too long\n", i);
420 + fprintf(stderr, ARGMSG);
422 + case UnprintableArg:
423 + fprintf(stderr, "Command line argument number %d contains unprintable"
424 + " characters\n", i);
425 + fprintf(stderr, ARGMSG);
428 + fprintf(stderr, "Environment variable `%s' is too long\n", e);
429 + fprintf(stderr, ENVMSG);
431 + case InternalError:
432 + fprintf(stderr, "Internal Error\n");
436 + fprintf(stderr, "Authentication System Failure, "
437 + "missing or mangled PAM configuration file or module?\n");
439 + case PamAuthFailed:
440 + fprintf(stderr, "PAM authentication failed\n");
444 + fprintf(stderr, "Unknown error\n");
445 + fprintf(stderr, ARGMSG);
446 + fprintf(stderr, ENVMSG);
452 diff -urN XFree86-4.0.1.orig/xc/programs/xinit/xinit.c XFree86-4.0.1/xc/programs/xinit/xinit.c
453 --- XFree86-4.0.1.orig/xc/programs/xinit/xinit.c Wed Apr 5 20:14:08 2000
454 +++ XFree86-4.0.1/xc/programs/xinit/xinit.c Mon Jul 10 04:01:04 2000
459 +char *default_wrapper = BINDIR "/Xwrapper";
460 char *default_server = "X";
461 char *default_display = ":0"; /* choose most efficient */
466 (**argv != '/' && **argv != '.')) {
467 - *sptr++ = default_server;
468 + if (access(default_wrapper, X_OK) == 0)
469 + *sptr++ = default_wrapper;
471 + *sptr++ = default_server;
473 (**argv != '/' && **argv != '\\' && **argv != '.' &&
474 !(isalpha(**argv) && (*argv)[1]==':'))) {