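--- a/os/wrapper.c
+++ b/os/wrapper.c
@@ -0,0 +1,304 @@
+/*
+ * X server wrapper.
+ *
+ * This wrapper makes some sanity checks on the command line arguments
+ * and environment variables when run with euid == 0 && euid != uid.
+ * If the checks fail, the wrapper exits with a message.
+ * If they succeed, it exec's the Xserver.
+ */
+
+/*
+ * Copyright (c) 1998 by The XFree86 Project, Inc. All Rights Reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject
+ * to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE XFREE86 PROJECT BE LIABLE FOR ANY CLAIM, DAMAGES
+ * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+ * OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * Except as contained in this notice, the name of the XFree86 Project
+ * shall not be used in advertising or otherwise to promote the sale,
+ * use or other dealings in this Software without prior written
+ * authorization from the XFree86 Project.
+ */
+
+/* $XFree86: xc/programs/Xserver/os/wrapper.c,v 1.1.2.5 1998/02/27 15:28:59 dawes Exp $ */
+
+/* This is normally set in the Imakefile */
+#ifndef XSERVER_PATH
+#define XSERVER_PATH "/etc/X11/X"
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/types.h>
+#ifdef USE_PAM
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#include <pwd.h>
+#endif /* USE_PAM */
+
+/* Neither of these should be required for XFree86 3.3.2 */
+#ifndef REJECT_CONFIG
+#define REJECT_CONFIG 0
+#endif
+#ifndef REJECT_XKBDIR
+#define REJECT_XKBDIR 0
+#endif
+
+/* Consider LD* variables insecure ? */
+#ifndef REMOVE_ENV_LD
+#define REMOVE_ENV_LD 1
+#endif
+
+/* Remove long environment variables? */
+#ifndef REMOVE_LONG_ENV
+#define REMOVE_LONG_ENV 1
+#endif
+
+/* Check args and env only if running setuid (euid == 0 && euid != uid) ? */
+#ifndef CHECK_EUID
+#define CHECK_EUID 1
+#endif
+
+/*
+ * Maybe the locale can be faked to make isprint(3) report that everything
+ * is printable? Avoid it by default.
+ */
+#ifndef USE_ISPRINT
+#define USE_ISPRINT 0
+#endif
+
+#define MAX_ARG_LENGTH 128
+#define MAX_ENV_LENGTH 256
+#define MAX_ENV_PATH_LENGTH 2048
+
+#if USE_ISPRINT
+#include <ctype.h>
+#define checkPrintable(c) isprint(c)
+#else
+#define checkPrintable(c) (((c) & 0x7f) >= 0x20 && ((c) & 0x7f) != 0x7f)
+#endif
+
+enum BadCode {
+ NotBad = 0,
+ UnsafeArg,
+ ArgTooLong,
+ UnprintableArg,
+ EnvTooLong,
+ InternalError,
+#ifdef USE_PAM
+ PamFailed,
+ PamAuthFailed,
+#endif /* USE_PAM */
+};
+
+#define ARGMSG \
+ "\nIf the arguments used are valid, and have been rejected incorrectly\n" \
+ "please send details of the arguments and why they are valid to\n" \
+ "XFree86@XFree86.org. In the meantime, you can start the Xserver as\n" \
+ "the \"super user\" (root).\n"
+
+#define ENVMSG \
+ "\nIf the environment is valid, and have been rejected incorrectly\n" \
+ "please send details of the environment and why it is valid to\n" \
+ "XFree86@XFree86.org. In the meantime, you can start the Xserver as\n" \
+ "the \"super user\" (root).\n"
+
+#ifdef USE_PAM
+static struct pam_conv conv = {
+ misc_conv,
+ NULL
+};
+#endif /* USE_PAM */
+
+
+int
+main(int argc, char **argv, char **envp)
+{
+ enum BadCode bad = NotBad;
+ int i, j;
+ char *a, *e;
+#ifdef USE_PAM
+ pam_handle_t *pamh = NULL;
+ struct passwd *pw;
+ int retval;
+
+ pw = getpwuid(getuid());
+ if (pw == NULL) {
+ bad = InternalError;
+ }
+
+ if (!bad) {
+ retval = pam_start("xserver", pw->pw_name, &conv, &pamh);
+ if (retval != PAM_SUCCESS)
+ bad = PamFailed;
+ }
+
+ if (!bad) {
+ retval = pam_authenticate(pamh, 0);
+ if (retval != PAM_SUCCESS) {
+ pam_end(pamh, retval);
+ bad = PamAuthFailed;
+ }
+ }
+
+ if (!bad) {
+ retval = pam_acct_mgmt(pamh, 0);
+ if (retval != PAM_SUCCESS) {
+ pam_end(pamh, retval);
+ bad = PamAuthFailed;
+ }
+ }
+
+ /* this is not a session, so do not do session management */
+
+ if (!bad) pam_end(pamh, PAM_SUCCESS);
+#endif /* USE_PAM */
+
+#if CHECK_EUID
+ if (!bad && geteuid() == 0 && getuid() != geteuid()) {
+#else
+ if (!bad) {
+#endif
+ /* Check each argv[] */
+ for (i = 1; i < argc; i++) {
+
+ /* Check for known bad arguments */
+#if REJECT_CONFIG
+ if (strcmp(argv[i], "-config") == 0) {
+ bad = UnsafeArg;
+ break;
+ }
+#endif
+#if REJECT_XKBDIR
+ if (strcmp(argv[i], "-xkbdir") == 0) {
+ bad = UnsafeArg;
+ break;
+ }
+#endif
+ if (strlen(argv[i]) > MAX_ARG_LENGTH) {
+ bad = ArgTooLong;
+ break;
+ }
+ a = argv[i];
+ while (*a) {
+ if (checkPrintable(*a) == 0) {
+ bad = UnprintableArg;
+ break;
+ }
+ a++;
+ }
+ if (bad)
+ break;
+ }
+ /* Check each envp[] */
+ if (!bad)
+ for (i = 0; envp[i]; i++) {
+
+ /* Check for bad environment variables and values */
+#if REMOVE_ENV_LD
+ while (envp[i] && (strncmp(envp[i], "LD", 2) == 0)) {
+ for (j = i; envp[j]; j++) {
+ envp[j] = envp[j+1];
+ }
+ }
+#endif
+ if (envp[i] && (strlen(envp[i]) > MAX_ENV_LENGTH)) {
+#if REMOVE_LONG_ENV
+ for (j = i; envp[j]; j++) {
+ envp[j] = envp[j+1];
+ }
+ i--;
+#else
+ char *eq;
+ int len;
+
+ eq = strchr(envp[i], '=');
+ if (!eq)
+ continue;
+ len = eq - envp[i];
+ e = malloc(len + 1);
+ if (!e) {
+ bad = InternalError;
+ break;
+ }
+ strncpy(e, envp[i], len);
+ e[len] = 0;
+ if (len >= 4 &&
+ (strcmp(e + len - 4, "PATH") == 0 ||
+ strcmp(e, "TERMCAP") == 0)) {
+ if (strlen(envp[i]) > MAX_ENV_PATH_LENGTH) {
+ bad = EnvTooLong;
+ break;
+ } else {
+ free(e);
+ }
+ } else {
+ bad = EnvTooLong;
+ break;
+ }
+#endif
+ }
+ }
+ }
+ switch (bad) {
+ case NotBad:
+ execve(XSERVER_PATH, argv, envp);
+ fprintf(stderr, "execve failed for %s (errno %d)\n", XSERVER_PATH,
+ errno);
+ break;
+ case UnsafeArg:
+ fprintf(stderr, "Command line argument number %d is unsafe\n", i);
+ fprintf(stderr, ARGMSG);
+ break;
+ case ArgTooLong:
+ fprintf(stderr, "Command line argument number %d is too long\n", i);
+ fprintf(stderr, ARGMSG);
+ break;
+ case UnprintableArg:
+ fprintf(stderr, "Command line argument number %d contains unprintable"
+ " characters\n", i);
+ fprintf(stderr, ARGMSG);
+ break;
+ case EnvTooLong:
+ fprintf(stderr, "Environment variable `%s' is too long\n", e);
+ fprintf(stderr, ENVMSG);
+ break;
+ case InternalError:
+ fprintf(stderr, "Internal Error\n");
+ break;
+#ifdef USE_PAM
+ case PamFailed:
+ fprintf(stderr, "Authentication System Failure, "
+ "missing or mangled PAM configuration file or module?\n");
+ break;
+ case PamAuthFailed:
+ fprintf(stderr, "PAM authentication failed\n");
+ break;
+#endif
+ default:
+ fprintf(stderr, "Unknown error\n");
+ fprintf(stderr, ARGMSG);
+ fprintf(stderr, ENVMSG);
+ break;
+ }
+ exit(1);
+}
+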
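Review bot: The environment handling ahead of `execve(XSERVER_PATH, argv, envp)` is a denylist: the loop under `/* Check each envp[] */` drops only entries that start with `LD` or exceed MAX_ENV_LENGTH, so every other variable the caller set is handed to a server that, per the `CHECK_EUID` test, is being started with euid 0 on behalf of a different uid. For a setuid entry point the safer shape is the reverse: keep only the variables on a short list the server is known to need and drop everything else. The fence sketches that filter in place of the current envp loop; the names in `keep_env` are placeholders to be agreed for this build and are not taken from the patch. The filter compacts `envp` in place, so the `execve` call itself needs no change.

```c
/* Names the server may inherit -- placeholder list, to be agreed for this build */
static const char *const keep_env[] = { "HOME", "TERM", NULL };

/* … unchanged: PAM block and argv[] checks … */
	/* Keep only allow-listed envp[] entries of acceptable length */
	if (!bad) {
	    for (i = j = 0; envp[i]; i++) {
		int k;

		for (k = 0; keep_env[k]; k++) {
		    size_t n = strlen(keep_env[k]);

		    if (strncmp(envp[i], keep_env[k], n) == 0 &&
			envp[i][n] == '=' &&
			strlen(envp[i]) <= MAX_ENV_LENGTH) {
			envp[j++] = envp[i];
			break;
		    }
		}
	    }
	    envp[j] = NULL;
	}
/* … unchanged: switch (bad) with the execve call … */
```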
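--- a/os/Makefile.am
+++ b/os/Makefile.am
@@ -24,6 +24,11 @@
 xprintf.c \
 $(XORG_SRCS)
 
+bin_PROGRAMS = Xwrapper
+Xwrapper_SOURCES = wrapper.c
+Xwrapper_CFLAGS = -DUSE_PAM -DXSERVER_PATH=\"/usr/bin/Xorg\" $(AM_CFLAGS)
+Xwrapper_LDADD = -lpam_misc -lpam
+
 if SECURE_RPC
 libos_la_SOURCES += $(SECURERPC_SRCS)
 endif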
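Review bot: `-DXSERVER_PATH=\"/usr/bin/Xorg\"` in `Xwrapper_CFLAGS` hard-codes the binary the wrapper will exec, so a build configured with another prefix would install Xorg elsewhere while the privileged wrapper still runs whatever sits at /usr/bin/Xorg. Deriving it from the install directory, `-DXSERVER_PATH=\"$(bindir)/Xorg\"`, keeps the two in step. `-DUSE_PAM` and `-lpam_misc -lpam` are also unconditional here; if configure has no PAM check (not visible in this hunk), wrapping these lines in an Automake conditional would keep builds without PAM headers working. Nothing in the hunk sets the ownership and mode that wrapper.c's header comment assumes (euid 0), so a comment naming where that is done would help the next packager.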