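--- hw/xfree86/os-support/linux/lnx_init.c 2005-08-26 09:35:55.000000000 +0200
+++ hw/xfree86/os-support/linux/lnx_init.c 2005-12-22 10:52:06.630963000 +0100
@@ -104,8 +104,10 @@
 
 /* when KeepTty check if we're run with euid==0 */
 if (KeepTty && geteuid() != 0)
- FatalError("xf86OpenConsole:"
- " Server must be suid root for option \"KeepTTY\"\n");
+ FatalError("xf86OpenConsole: Server must be running with root "
+ "permissions\n"
+ "You should be using Xwrapper to start the server or xdm.\n"
+ "We strongly advise against making the server SUID root!\n");
 
 /*
 * setup the virtual terminal manager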
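Review bot: The new FatalError text no longer names the option that triggers it, although the guard is still `if (KeepTty && geteuid() != 0)` and the message is therefore only reached when KeepTTY is in effect. A user who hits this will read it as a general requirement and has no hint that dropping the option avoids the failure. Keeping the option in the first line would preserve that, e.g. `"xf86OpenConsole: Server must be running with root permissions for option \"KeepTTY\"\n"`. The enclosing function starts and ends outside the hunk.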
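--- os/wrapper.c 1970-01-01 01:00:00.000000000 +0100
+++ os/wrapper.c 2005-12-22 10:50:53.610963000 +0100
@@ -0,0 +1,304 @@
+/*
+ * X server wrapper.
+ *
+ * This wrapper makes some sanity checks on the command line arguments
+ * and environment variables when run with euid == 0 && euid != uid.
+ * If the checks fail, the wrapper exits with a message.
+ * If they succeed, it exec's the Xserver.
+ */
+
+/*
+ * Copyright (c) 1998 by The XFree86 Project, Inc. All Rights Reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject
+ * to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE XFREE86 PROJECT BE LIABLE FOR ANY CLAIM, DAMAGES
+ * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+ * OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * Except as contained in this notice, the name of the XFree86 Project
+ * shall not be used in advertising or otherwise to promote the sale,
+ * use or other dealings in this Software without prior written
+ * authorization from the XFree86 Project.
+ */
+
+/* $XFree86: xc/programs/Xserver/os/wrapper.c,v 1.1.2.5 1998/02/27 15:28:59 dawes Exp $ */
+
+/* This is normally set in the Imakefile */
+#ifndef XSERVER_PATH
+#define XSERVER_PATH "/etc/X11/X"
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/types.h>
+#ifdef USE_PAM
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#include <pwd.h>
+#endif /* USE_PAM */
+
+/* Neither of these should be required for XFree86 3.3.2 */
+#ifndef REJECT_CONFIG
+#define REJECT_CONFIG 0
+#endif
+#ifndef REJECT_XKBDIR
+#define REJECT_XKBDIR 0
+#endif
+
+/* Consider LD* variables insecure ? */
+#ifndef REMOVE_ENV_LD
+#define REMOVE_ENV_LD 1
+#endif
+
+/* Remove long environment variables? */
+#ifndef REMOVE_LONG_ENV
+#define REMOVE_LONG_ENV 1
+#endif
+
+/* Check args and env only if running setuid (euid == 0 && euid != uid) ? */
+#ifndef CHECK_EUID
+#define CHECK_EUID 1
+#endif
+
+/*
+ * Maybe the locale can be faked to make isprint(3) report that everything
+ * is printable? Avoid it by default.
+ */
+#ifndef USE_ISPRINT
+#define USE_ISPRINT 0
+#endif
+
+#define MAX_ARG_LENGTH 128
+#define MAX_ENV_LENGTH 256
+#define MAX_ENV_PATH_LENGTH 2048
+
+#if USE_ISPRINT
+#include <ctype.h>
+#define checkPrintable(c) isprint(c)
+#else
+#define checkPrintable(c) (((c) & 0x7f) >= 0x20 && ((c) & 0x7f) != 0x7f)
+#endif
+
+enum BadCode {
+ NotBad = 0,
+ UnsafeArg,
+ ArgTooLong,
+ UnprintableArg,
+ EnvTooLong,
+ InternalError,
+#ifdef USE_PAM
+ PamFailed,
+ PamAuthFailed,
+#endif /* USE_PAM */
+};
+
+#define ARGMSG \
+ "\nIf the arguments used are valid, and have been rejected incorrectly\n" \
+ "please send details of the arguments and why they are valid to\n" \
+ "XFree86@XFree86.org. In the meantime, you can start the Xserver as\n" \
+ "the \"super user\" (root).\n"
+
+#define ENVMSG \
+ "\nIf the environment is valid, and have been rejected incorrectly\n" \
+ "please send details of the environment and why it is valid to\n" \
+ "XFree86@XFree86.org. In the meantime, you can start the Xserver as\n" \
+ "the \"super user\" (root).\n"
+
+#ifdef USE_PAM
+static struct pam_conv conv = {
+ misc_conv,
+ NULL
+};
+#endif /* USE_PAM */
+
+
+int
+main(int argc, char **argv, char **envp)
+{
+ enum BadCode bad = NotBad;
+ int i, j;
+ char *a, *e;
+#ifdef USE_PAM
+ pam_handle_t *pamh = NULL;
+ struct passwd *pw;
+ int retval;
+
+ pw = getpwuid(getuid());
+ if (pw == NULL) {
+ bad = InternalError;
+ }
+
+ if (!bad) {
+ retval = pam_start("xserver", pw->pw_name, &conv, &pamh);
+ if (retval != PAM_SUCCESS)
+ bad = PamFailed;
+ }
+
+ if (!bad) {
+ retval = pam_authenticate(pamh, 0);
+ if (retval != PAM_SUCCESS) {
+ pam_end(pamh, retval);
+ bad = PamAuthFailed;
+ }
+ }
+
+ if (!bad) {
+ retval = pam_acct_mgmt(pamh, 0);
+ if (retval != PAM_SUCCESS) {
+ pam_end(pamh, retval);
+ bad = PamAuthFailed;
+ }
+ }
+
+ /* this is not a session, so do not do session management */
+
+ if (!bad) pam_end(pamh, PAM_SUCCESS);
+#endif /* USE_PAM */
+
+#if CHECK_EUID
+ if (!bad && geteuid() == 0 && getuid() != geteuid()) {
+#else
+ if (!bad) {
+#endif
+ /* Check each argv[] */
+ for (i = 1; i < argc; i++) {
+
+ /* Check for known bad arguments */
+#if REJECT_CONFIG
+ if (strcmp(argv[i], "-config") == 0) {
+ bad = UnsafeArg;
+ break;
+ }
+#endif
+#if REJECT_XKBDIR
+ if (strcmp(argv[i], "-xkbdir") == 0) {
+ bad = UnsafeArg;
+ break;
+ }
+#endif
+ if (strlen(argv[i]) > MAX_ARG_LENGTH) {
+ bad = ArgTooLong;
+ break;
+ }
+ a = argv[i];
+ while (*a) {
+ if (checkPrintable(*a) == 0) {
+ bad = UnprintableArg;
+ break;
+ }
+ a++;
+ }
+ if (bad)
+ break;
+ }
+ /* Check each envp[] */
+ if (!bad)
+ for (i = 0; envp[i]; i++) {
+
+ /* Check for bad environment variables and values */
+#if REMOVE_ENV_LD
+ while (envp[i] && (strncmp(envp[i], "LD", 2) == 0)) {
+ for (j = i; envp[j]; j++) {
+ envp[j] = envp[j+1];
+ }
+ }
+#endif
+ if (envp[i] && (strlen(envp[i]) > MAX_ENV_LENGTH)) {
+#if REMOVE_LONG_ENV
+ for (j = i; envp[j]; j++) {
+ envp[j] = envp[j+1];
+ }
+ i--;
+#else
+ char *eq;
+ int len;
+
+ eq = strchr(envp[i], '=');
+ if (!eq)
+ continue;
+ len = eq - envp[i];
+ e = malloc(len + 1);
+ if (!e) {
+ bad = InternalError;
+ break;
+ }
+ strncpy(e, envp[i], len);
+ e[len] = 0;
+ if (len >= 4 &&
+ (strcmp(e + len - 4, "PATH") == 0 ||
+ strcmp(e, "TERMCAP") == 0)) {
+ if (strlen(envp[i]) > MAX_ENV_PATH_LENGTH) {
+ bad = EnvTooLong;
+ break;
+ } else {
+ free(e);
+ }
+ } else {
+ bad = EnvTooLong;
+ break;
+ }
+#endif
+ }
+ }
+ }
+ switch (bad) {
+ case NotBad:
+ execve(XSERVER_PATH, argv, envp);
+ fprintf(stderr, "execve failed for %s (errno %d)\n", XSERVER_PATH,
+ errno);
+ break;
+ case UnsafeArg:
+ fprintf(stderr, "Command line argument number %d is unsafe\n", i);
+ fprintf(stderr, ARGMSG);
+ break;
+ case ArgTooLong:
+ fprintf(stderr, "Command line argument number %d is too long\n", i);
+ fprintf(stderr, ARGMSG);
+ break;
+ case UnprintableArg:
+ fprintf(stderr, "Command line argument number %d contains unprintable"
+ " characters\n", i);
+ fprintf(stderr, ARGMSG);
+ break;
+ case EnvTooLong:
+ fprintf(stderr, "Environment variable `%s' is too long\n", e);
+ fprintf(stderr, ENVMSG);
+ break;
+ case InternalError:
+ fprintf(stderr, "Internal Error\n");
+ break;
+#ifdef USE_PAM
+ case PamFailed:
+ fprintf(stderr, "Authentication System Failure, "
+ "missing or mangled PAM configuration file or module?\n");
+ break;
+ case PamAuthFailed:
+ fprintf(stderr, "PAM authentication failed\n");
+ break;
+#endif
+ default:
+ fprintf(stderr, "Unknown error\n");
+ fprintf(stderr, ARGMSG);
+ fprintf(stderr, ENVMSG);
+ break;
+ }
+ exit(1);
+}
+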
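Review bot: In main()'s envp loop, when the `LD` removal `while` deletes the final entry, `envp[i]` is left on the NULL terminator, and the enclosing `for` then increments `i` and reads `envp[i]` one slot past the end of the array. Add `if (envp[i] == NULL) break;` right after that `while` loop, inside `#if REMOVE_ENV_LD`. The same block filters the environment with a denylist (an `LD` prefix and a length cap) before `execve` runs the server with euid 0, so any other variable the server or its libraries honour passes through; building a new environment from a short allowlist would be the sturdier design. The `REJECT_CONFIG` and `REJECT_XKBDIR` defaults of 0 are justified in the comment only for XFree86 3.3.2, so it should be confirmed that the server this wrapper now execs refuses `-config` and `-xkbdir` from non-root callers.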
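--- os/Makefile.am 2005-12-06 16:50:35.000000000 +0100
+++ os/Makefile.am 2006-02-05 14:36:53.211755250 +0100
@@ -24,6 +24,11 @@
 xprintf.c \
 $(XORG_SRCS)
 
+bin_PROGRAMS = Xwrapper
+Xwrapper_SOURCES = wrapper.c
+Xwrapper_CFLAGS = -DUSE_PAM -DXSERVER_PATH=\"/usr/bin/Xorg\" $(AM_CFLAGS)
+Xwrapper_LDADD = -lpam_misc
+
 if SECURE_RPC
 libos_la_SOURCES += $(SECURERPC_SRCS)
 endif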