Commit | Line | Data |
---|---|---|
756a6f4b AM |
1 | --- xc.orig/config/cf/Server.tmpl 2004-08-08 14:23:13.000000000 +0200 |
2 | +++ xc/config/cf/Server.tmpl 2004-08-08 14:39:45.673849000 +0200 | |
0c801e26 AM |
3 | @@ -25,8 +25,14 @@ |
4 | #ifndef DoThreadedServer | |
5 | #define DoThreadedServer NO | |
6 | #endif | |
7 | +#ifndef XserverNeedsSetUID | |
8 | +#define XserverNeedsSetUID NO | |
9 | +#endif | |
10 | +#ifndef UseXserverWrapper | |
11 | +#define UseXserverWrapper XserverNeedsSetUID | |
12 | +#endif | |
13 | #ifndef InstallServerSetUID | |
14 | -#define InstallServerSetUID NO | |
15 | +#define InstallServerSetUID (XserverNeedsSetUID && !UseXserverWrapper) | |
16 | #endif | |
17 | ||
18 | #ifdef CrossCompileDir | |
756a6f4b AM |
19 | --- xc.orig/config/cf/xorgsite.def 2004-08-08 14:31:29.000000000 +0200 |
20 | +++ xc/config/cf/xorgsite.def 2004-08-08 14:39:45.727840792 +0200 | |
21 | @@ -75,14 +75,15 @@ | |
0c801e26 AM |
22 | */ |
23 | ||
24 | /* | |
25 | - * If you only run the X server under xdm the X servers don't need to be | |
26 | - * installed SetUID, and you may comment out the lines below. If you run | |
27 | - * the servers by hand (with xinit or startx), then they do need to be | |
28 | - * installed SetUID on most platforms. | |
29 | + * The X servers need to run as root on most OSs. We're now using a | |
30 | + * wrapper in that case, but we still need to make it known that the | |
31 | + * servers need SetUID. When only using xdm, this (and the wrapper) | |
32 | + * are not required. Disabling this automatically disables use of the | |
33 | + * wrapper. | |
34 | * | |
35 | - * Consult your system administrator before making the X server setuid. | |
36 | + * If you're only starting the Xservers with xdm set this to NO | |
37 | * | |
38 | -#define InstallXserverSetUID NO | |
39 | +#define XserverNeedsSetUID NO | |
40 | */ | |
41 | ||
42 | ||
756a6f4b AM |
43 | --- xc.orig/config/cf/xorg.cf 2004-08-08 14:31:29.000000000 +0200 |
44 | +++ xc/config/cf/xorg.cf 2004-08-08 14:39:45.744838208 +0200 | |
45 | @@ -710,12 +710,15 @@ | |
0c801e26 AM |
46 | #endif |
47 | ||
48 | /* | |
49 | - * The default is to install the X servers setuid-root on most OSs. | |
50 | - * It the servers are only started by xdm, they should not be setuid-root. | |
51 | + * The X servers need to run as root on most OSs. We're now using a | |
52 | + * wrapper in that case, but we still need to make it known that the | |
53 | + * servers need SetUID. When only using xdm, this (and the wrapper) | |
54 | + * are not required. Disabling this automatically disables use of the | |
55 | + * wrapper. | |
56 | */ | |
57 | #if !defined(i386MachArchitecture) && !defined(OS2Architecture) | |
58 | -# ifndef InstallXserverSetUID | |
59 | -# define InstallXserverSetUID YES | |
60 | +# ifndef XserverNeedsSetUID | |
61 | +# define XserverNeedsSetUID YES | |
62 | # endif | |
63 | #endif | |
64 | ||
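Review bot: The rename from `InstallXserverSetUID` to `XserverNeedsSetUID` leaves no fallback for the old name, so a site file that still sets `InstallXserverSetUID NO` to keep setuid binaries off the system is ignored and this block's default of YES applies. With the Server.tmpl change in this patch, that default also turns on `UseXserverWrapper`, and programs/Xserver/Imakefile then installs Xwrapper with `$(INSTUIDFLAGS)`. Mapping the old macro ahead of the `# ifndef XserverNeedsSetUID` test would preserve the administrator's earlier choice, for example `#if !defined(XserverNeedsSetUID) && defined(InstallXserverSetUID)` / `# define XserverNeedsSetUID InstallXserverSetUID` / `#endif`. Whether site definitions are read before this block is not visible in the hunk and should be confirmed.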
756a6f4b AM |
65 | --- xc.orig/programs/Xserver/Imakefile 2004-08-08 14:22:53.000000000 +0200 |
66 | +++ xc/programs/Xserver/Imakefile 2004-08-08 14:39:45.765835016 +0200 | |
67 | @@ -5,11 +5,6 @@ | |
0c801e26 | 68 | */ |
756a6f4b | 69 | XCOMM $XFree86: xc/programs/Xserver/Imakefile,v 3.296 2003/11/23 06:47:00 torrey Exp $ |
0c801e26 AM |
70 | |
71 | -#ifndef InstallXserverSetUID | |
72 | -#define InstallXserverSetUID NO | |
73 | -#endif | |
74 | -#define InstallServerSetUID InstallXserverSetUID | |
75 | - | |
76 | #include <Server.tmpl> | |
77 | ||
756a6f4b AM |
78 | #if (defined (XFree86Version) || defined(XorgVersion)) |
79 | @@ -877,6 +872,11 @@ | |
0c801e26 AM |
80 | #endif /* XnestServer */ |
81 | ||
82 | ||
83 | +#if UseXserverWrapper | |
84 | +SetUIDProgramTarget(Xwrapper,os/wrapper.o,NullParameter,$(PAMLIBS),NullParameter) | |
85 | +InstallProgramWithFlags(Xwrapper,$(BINDIR),$(INSTUIDFLAGS)) | |
86 | +#endif | |
87 | + | |
88 | #if defined(XnonServer) && XnonServer | |
89 | XCOMM | |
90 | XCOMM non server, just compile sources for build test | |
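Review bot: The Xwrapper link line passes `$(PAMLIBS)` with no check that PAM is available, and the os/Imakefile hunk in this patch likewise sets `EXTRA_DEFINES = -DUSE_PAM` unconditionally, for every object in that directory rather than for wrapper.o alone. A tree configured without PAM would fail to build, and any other file under os/ that tests `USE_PAM` would change behaviour as a side effect (not visible here, worth checking). Consider moving the define into the wrapper's own rule, `WRAPPER_DEFINES = -DXSERVER_PATH=\"/etc/X11/X\" -DUSE_PAM`, and guarding both it and `$(PAMLIBS)` behind the PAM-availability setting the configuration files provide.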
756a6f4b AM |
91 | --- xc.orig/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c 2004-08-08 14:22:46.000000000 +0200 |
92 | +++ xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c 2004-08-08 14:39:45.793830760 +0200 | |
93 | @@ -100,7 +100,10 @@ | |
0c801e26 AM |
94 | /* check if we're run with euid==0 */ |
95 | if (geteuid() != 0) | |
96 | { | |
97 | - FatalError("xf86OpenConsole: Server must be suid root\n"); | |
98 | + FatalError("xf86OpenConsole: Server must be running with root " | |
99 | + "permissions\n" | |
100 | + "You should be using Xwrapper to start the server or xdm.\n" | |
101 | + "We strongly advise against making the server SUID root!\n"); | |
102 | } | |
103 | ||
104 | /* | |
756a6f4b AM |
105 | --- xc.orig/programs/Xserver/os/Imakefile 2004-08-08 14:22:51.000000000 +0200 |
106 | +++ xc/programs/Xserver/os/Imakefile 2004-08-08 14:39:45.844823008 +0200 | |
107 | @@ -137,6 +137,7 @@ | |
0c801e26 AM |
108 | INCLUDES = -I. -I../include -I$(XINCLUDESRC) -I$(EXTINCSRC) \ |
109 | -I$(SERVERSRC)/Xext -I$(FONTINCSRC) -I$(SERVERSRC)/render \ | |
110 | -I$(TOP)/lib/Xau -I../lbx Krb5Includes | |
111 | + EXTRA_DEFINES = -DUSE_PAM | |
112 | DEPEND_DEFINES = $(DBM_DEFINES) $(XDMCP_DEFINES) $(EXT_DEFINES) \ | |
756a6f4b AM |
113 | $(TRANS_INCLUDES) $(CONNECTION_FLAGS) $(GETPEER_DEFINES) \ |
114 | DependDefines | |
115 | @@ -184,6 +185,14 @@ | |
0c801e26 AM |
116 | SpecialCObjectRule(oscolor,$(ICONFIGFILES),$(DBM_DEFINES)) |
117 | #endif | |
118 | ||
119 | +#if UseXserverWrapper | |
120 | +AllTarget(wrapper.o) | |
121 | + | |
122 | + WRAPPER_DEFINES = -DXSERVER_PATH=\"/etc/X11/X\" | |
123 | + | |
124 | +SpecialCObjectRule(wrapper,NullParameter,$(WRAPPER_DEFINES)) | |
125 | +#endif | |
126 | + | |
127 | #if HasKrb5 | |
128 | LinkSourceFile(k5encode.c,$(XAUTHSRC)) | |
129 | #endif | |
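Review bot: `XSERVER_PATH` is fixed to the literal `/etc/X11/X`, so the setuid wrapper will exec as root whatever that path resolves to at run time. The rule should carry a comment stating that the path and every directory above it must be owned by root and not writable by anyone else, and that it is presumably a link to the installed server binary. Taking the value from a configuration macro rather than a literal would also let sites that place the server elsewhere avoid editing this file.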
756a6f4b AM |
130 | --- xc.orig/programs/Xserver/os/wrapper.c 1970-01-01 01:00:00.000000000 +0100 |
131 | +++ xc/programs/Xserver/os/wrapper.c 2004-08-08 14:39:45.845822856 +0200 | |
0c801e26 AM |
132 | @@ -0,0 +1,304 @@ |
133 | +/* | |
134 | + * X server wrapper. | |
135 | + * | |
136 | + * This wrapper makes some sanity checks on the command line arguments | |
137 | + * and environment variables when run with euid == 0 && euid != uid. | |
138 | + * If the checks fail, the wrapper exits with a message. | |
139 | + * If they succeed, it exec's the Xserver. | |
140 | + */ | |
141 | + | |
142 | +/* | |
143 | + * Copyright (c) 1998 by The XFree86 Project, Inc. All Rights Reserved. | |
144 | + * | |
145 | + * Permission is hereby granted, free of charge, to any person obtaining | |
146 | + * a copy of this software and associated documentation files (the | |
147 | + * "Software"), to deal in the Software without restriction, including | |
148 | + * without limitation the rights to use, copy, modify, merge, publish, | |
149 | + * distribute, sublicense, and/or sell copies of the Software, and to | |
150 | + * permit persons to whom the Software is furnished to do so, subject | |
151 | + * to the following conditions: | |
152 | + * | |
153 | + * The above copyright notice and this permission notice shall be included | |
154 | + * in all copies or substantial portions of the Software. | |
155 | + * | |
156 | + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, | |
157 | + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | |
158 | + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. | |
159 | + * IN NO EVENT SHALL THE XFREE86 PROJECT BE LIABLE FOR ANY CLAIM, DAMAGES | |
160 | + * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, | |
161 | + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE | |
162 | + * OR OTHER DEALINGS IN THE SOFTWARE. | |
163 | + * | |
164 | + * Except as contained in this notice, the name of the XFree86 Project | |
165 | + * shall not be used in advertising or otherwise to promote the sale, | |
166 | + * use or other dealings in this Software without prior written | |
167 | + * authorization from the XFree86 Project. | |
168 | + */ | |
169 | + | |
170 | +/* $XFree86: xc/programs/Xserver/os/wrapper.c,v 1.1.2.5 1998/02/27 15:28:59 dawes Exp $ */ | |
171 | + | |
172 | +/* This is normally set in the Imakefile */ | |
173 | +#ifndef XSERVER_PATH | |
174 | +#define XSERVER_PATH "/etc/X11/X" | |
175 | +#endif | |
176 | + | |
177 | +#include <stdio.h> | |
178 | +#include <stdlib.h> | |
179 | +#include <string.h> | |
180 | +#include <errno.h> | |
181 | +#include <unistd.h> | |
182 | +#include <sys/types.h> | |
183 | +#ifdef USE_PAM | |
184 | +#include <security/pam_appl.h> | |
185 | +#include <security/pam_misc.h> | |
186 | +#include <pwd.h> | |
187 | +#endif /* USE_PAM */ | |
188 | + | |
189 | +/* Neither of these should be required for XFree86 3.3.2 */ | |
190 | +#ifndef REJECT_CONFIG | |
191 | +#define REJECT_CONFIG 0 | |
192 | +#endif | |
193 | +#ifndef REJECT_XKBDIR | |
194 | +#define REJECT_XKBDIR 0 | |
195 | +#endif | |
196 | + | |
197 | +/* Consider LD* variables insecure ? */ | |
198 | +#ifndef REMOVE_ENV_LD | |
199 | +#define REMOVE_ENV_LD 1 | |
200 | +#endif | |
201 | + | |
202 | +/* Remove long environment variables? */ | |
203 | +#ifndef REMOVE_LONG_ENV | |
204 | +#define REMOVE_LONG_ENV 1 | |
205 | +#endif | |
206 | + | |
207 | +/* Check args and env only if running setuid (euid == 0 && euid != uid) ? */ | |
208 | +#ifndef CHECK_EUID | |
209 | +#define CHECK_EUID 1 | |
210 | +#endif | |
211 | + | |
212 | +/* | |
213 | + * Maybe the locale can be faked to make isprint(3) report that everything | |
214 | + * is printable? Avoid it by default. | |
215 | + */ | |
216 | +#ifndef USE_ISPRINT | |
217 | +#define USE_ISPRINT 0 | |
218 | +#endif | |
219 | + | |
220 | +#define MAX_ARG_LENGTH 128 | |
221 | +#define MAX_ENV_LENGTH 256 | |
222 | +#define MAX_ENV_PATH_LENGTH 2048 | |
223 | + | |
224 | +#if USE_ISPRINT | |
225 | +#include <ctype.h> | |
226 | +#define checkPrintable(c) isprint(c) | |
227 | +#else | |
228 | +#define checkPrintable(c) (((c) & 0x7f) >= 0x20 && ((c) & 0x7f) != 0x7f) | |
229 | +#endif | |
230 | + | |
231 | +enum BadCode { | |
232 | + NotBad = 0, | |
233 | + UnsafeArg, | |
234 | + ArgTooLong, | |
235 | + UnprintableArg, | |
236 | + EnvTooLong, | |
237 | + InternalError, | |
238 | +#ifdef USE_PAM | |
239 | + PamFailed, | |
240 | + PamAuthFailed, | |
241 | +#endif /* USE_PAM */ | |
242 | +}; | |
243 | + | |
244 | +#define ARGMSG \ | |
245 | + "\nIf the arguments used are valid, and have been rejected incorrectly\n" \ | |
246 | + "please send details of the arguments and why they are valid to\n" \ | |
247 | + "XFree86@XFree86.org. In the meantime, you can start the Xserver as\n" \ | |
248 | + "the \"super user\" (root).\n" | |
249 | + | |
250 | +#define ENVMSG \ | |
251 | + "\nIf the environment is valid, and have been rejected incorrectly\n" \ | |
252 | + "please send details of the environment and why it is valid to\n" \ | |
253 | + "XFree86@XFree86.org. In the meantime, you can start the Xserver as\n" \ | |
254 | + "the \"super user\" (root).\n" | |
255 | + | |
256 | +#ifdef USE_PAM | |
257 | +static struct pam_conv conv = { | |
258 | + misc_conv, | |
259 | + NULL | |
260 | +}; | |
261 | +#endif /* USE_PAM */ | |
262 | + | |
263 | + | |
264 | +int | |
265 | +main(int argc, char **argv, char **envp) | |
266 | +{ | |
267 | + enum BadCode bad = NotBad; | |
268 | + int i, j; | |
269 | + char *a, *e; | |
270 | +#ifdef USE_PAM | |
271 | + pam_handle_t *pamh = NULL; | |
272 | + struct passwd *pw; | |
273 | + int retval; | |
274 | + | |
275 | + pw = getpwuid(getuid()); | |
276 | + if (pw == NULL) { | |
277 | + bad = InternalError; | |
278 | + } | |
279 | + | |
280 | + if (!bad) { | |
281 | + retval = pam_start("xserver", pw->pw_name, &conv, &pamh); | |
282 | + if (retval != PAM_SUCCESS) | |
283 | + bad = PamFailed; | |
284 | + } | |
285 | + | |
286 | + if (!bad) { | |
287 | + retval = pam_authenticate(pamh, 0); | |
288 | + if (retval != PAM_SUCCESS) { | |
289 | + pam_end(pamh, retval); | |
290 | + bad = PamAuthFailed; | |
291 | + } | |
292 | + } | |
293 | + | |
294 | + if (!bad) { | |
295 | + retval = pam_acct_mgmt(pamh, 0); | |
296 | + if (retval != PAM_SUCCESS) { | |
297 | + pam_end(pamh, retval); | |
298 | + bad = PamAuthFailed; | |
299 | + } | |
300 | + } | |
301 | + | |
302 | + /* this is not a session, so do not do session management */ | |
303 | + | |
304 | + if (!bad) pam_end(pamh, PAM_SUCCESS); | |
305 | +#endif /* USE_PAM */ | |
306 | + | |
307 | +#if CHECK_EUID | |
308 | + if (!bad && geteuid() == 0 && getuid() != geteuid()) { | |
309 | +#else | |
310 | + if (!bad) { | |
311 | +#endif | |
312 | + /* Check each argv[] */ | |
313 | + for (i = 1; i < argc; i++) { | |
314 | + | |
315 | + /* Check for known bad arguments */ | |
316 | +#if REJECT_CONFIG | |
317 | + if (strcmp(argv[i], "-config") == 0) { | |
318 | + bad = UnsafeArg; | |
319 | + break; | |
320 | + } | |
321 | +#endif | |
322 | +#if REJECT_XKBDIR | |
323 | + if (strcmp(argv[i], "-xkbdir") == 0) { | |
324 | + bad = UnsafeArg; | |
325 | + break; | |
326 | + } | |
327 | +#endif | |
328 | + if (strlen(argv[i]) > MAX_ARG_LENGTH) { | |
329 | + bad = ArgTooLong; | |
330 | + break; | |
331 | + } | |
332 | + a = argv[i]; | |
333 | + while (*a) { | |
334 | + if (checkPrintable(*a) == 0) { | |
335 | + bad = UnprintableArg; | |
336 | + break; | |
337 | + } | |
338 | + a++; | |
339 | + } | |
340 | + if (bad) | |
341 | + break; | |
342 | + } | |
343 | + /* Check each envp[] */ | |
344 | + if (!bad) | |
345 | + for (i = 0; envp[i]; i++) { | |
346 | + | |
347 | + /* Check for bad environment variables and values */ | |
348 | +#if REMOVE_ENV_LD | |
349 | + while (envp[i] && (strncmp(envp[i], "LD", 2) == 0)) { | |
350 | + for (j = i; envp[j]; j++) { | |
351 | + envp[j] = envp[j+1]; | |
352 | + } | |
353 | + } | |
354 | +#endif | |
355 | + if (envp[i] && (strlen(envp[i]) > MAX_ENV_LENGTH)) { | |
356 | +#if REMOVE_LONG_ENV | |
357 | + for (j = i; envp[j]; j++) { | |
358 | + envp[j] = envp[j+1]; | |
359 | + } | |
360 | + i--; | |
361 | +#else | |
362 | + char *eq; | |
363 | + int len; | |
364 | + | |
365 | + eq = strchr(envp[i], '='); | |
366 | + if (!eq) | |
367 | + continue; | |
368 | + len = eq - envp[i]; | |
369 | + e = malloc(len + 1); | |
370 | + if (!e) { | |
371 | + bad = InternalError; | |
372 | + break; | |
373 | + } | |
374 | + strncpy(e, envp[i], len); | |
375 | + e[len] = 0; | |
376 | + if (len >= 4 && | |
377 | + (strcmp(e + len - 4, "PATH") == 0 || | |
378 | + strcmp(e, "TERMCAP") == 0)) { | |
379 | + if (strlen(envp[i]) > MAX_ENV_PATH_LENGTH) { | |
380 | + bad = EnvTooLong; | |
381 | + break; | |
382 | + } else { | |
383 | + free(e); | |
384 | + } | |
385 | + } else { | |
386 | + bad = EnvTooLong; | |
387 | + break; | |
388 | + } | |
389 | +#endif | |
390 | + } | |
391 | + } | |
392 | + } | |
393 | + switch (bad) { | |
394 | + case NotBad: | |
395 | + execve(XSERVER_PATH, argv, envp); | |
396 | + fprintf(stderr, "execve failed for %s (errno %d)\n", XSERVER_PATH, | |
397 | + errno); | |
398 | + break; | |
399 | + case UnsafeArg: | |
400 | + fprintf(stderr, "Command line argument number %d is unsafe\n", i); | |
401 | + fprintf(stderr, ARGMSG); | |
402 | + break; | |
403 | + case ArgTooLong: | |
404 | + fprintf(stderr, "Command line argument number %d is too long\n", i); | |
405 | + fprintf(stderr, ARGMSG); | |
406 | + break; | |
407 | + case UnprintableArg: | |
408 | + fprintf(stderr, "Command line argument number %d contains unprintable" | |
409 | + " characters\n", i); | |
410 | + fprintf(stderr, ARGMSG); | |
411 | + break; | |
412 | + case EnvTooLong: | |
413 | + fprintf(stderr, "Environment variable `%s' is too long\n", e); | |
414 | + fprintf(stderr, ENVMSG); | |
415 | + break; | |
416 | + case InternalError: | |
417 | + fprintf(stderr, "Internal Error\n"); | |
418 | + break; | |
419 | +#ifdef USE_PAM | |
420 | + case PamFailed: | |
421 | + fprintf(stderr, "Authentication System Failure, " | |
422 | + "missing or mangled PAM configuration file or module?\n"); | |
423 | + break; | |
424 | + case PamAuthFailed: | |
425 | + fprintf(stderr, "PAM authentication failed\n"); | |
426 | + break; | |
427 | +#endif | |
428 | + default: | |
429 | + fprintf(stderr, "Unknown error\n"); | |
430 | + fprintf(stderr, ARGMSG); | |
431 | + fprintf(stderr, ENVMSG); | |
432 | + break; | |
433 | + } | |
434 | + exit(1); | |
435 | +} | |
436 | + | |
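Review bot: The environment check in `main` is a denylist: only entries beginning with `LD` and entries longer than `MAX_ENV_LENGTH` are dropped, and everything else is handed to `execve` for a server that runs as root. Any other variable that the dynamic loader or a linked library consults therefore passes through unchanged. Building the environment from a short allowlist is the safer pattern for a setuid front end; the sketch below replaces the `envp` loop, and the variable names in it are an example to be settled against what the server actually reads. Separately, `REJECT_CONFIG` and `REJECT_XKBDIR` default to 0, so `-config` and `-xkbdir` are forwarded and their safety rests on checks inside the server, which this hunk does not show.

```c
/* Example allowlist (constructed); confirm the set the server really needs. */
static const char *const keepEnv[] = { "DISPLAY=", "HOME=", "XAUTHORITY=", NULL };

/* … unchanged: PAM checks and argv[] checks … */
	/* Keep only allowlisted, bounded-length entries; compact envp in place */
	if (!bad) {
	    int kept = 0;

	    for (i = 0; envp[i]; i++) {
		for (j = 0; keepEnv[j]; j++) {
		    if (strncmp(envp[i], keepEnv[j], strlen(keepEnv[j])) == 0 &&
			strlen(envp[i]) <= MAX_ENV_LENGTH) {
			envp[kept++] = envp[i];
			break;
		    }
		}
	    }
	    envp[kept] = NULL;
	}
/* … unchanged: switch (bad) and execve … */
```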
756a6f4b AM |
437 | --- xc.orig/programs/xinit/startx.cpp 2004-08-08 14:22:55.000000000 +0200 |
438 | +++ xc/programs/xinit/startx.cpp 2004-08-08 14:39:45.874818448 +0200 | |
0c801e26 AM |
439 | @@ -53,7 +53,7 @@ |
440 | sysclientrc=XINITDIR/xinitrc | |
441 | sysserverrc=XINITDIR/xserverrc | |
442 | defaultclient=BINDIR/xterm | |
443 | -defaultserver=BINDIR/X | |
444 | +defaultserver=BINDIR/Xwrapper | |
445 | defaultclientargs="" | |
446 | defaultserverargs="" | |
447 | clientargs="" | |
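Review bot: `defaultserver` is switched to `BINDIR/Xwrapper` unconditionally, but the wrapper is only built and installed when `UseXserverWrapper` is set in programs/Xserver/Imakefile, so with the wrapper disabled startx would point at a binary that is not there. The xinit.c hunk in this patch handles the same case by testing `access(default_wrapper, X_OK)` and falling back to `X`. startx should do the equivalent, for example keeping `defaultserver=BINDIR/X` and adding `[ -x BINDIR/Xwrapper ] && defaultserver=BINDIR/Xwrapper` after it. The script continues outside the hunk.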
756a6f4b AM |
448 | --- xc.orig/programs/xinit/xinit.c 2004-08-08 14:22:55.000000000 +0200 |
449 | +++ xc/programs/xinit/xinit.c 2004-08-08 14:39:45.900814496 +0200 | |
450 | @@ -149,6 +149,7 @@ | |
0c801e26 AM |
451 | #define OK_EXIT 0 |
452 | #define ERR_EXIT 1 | |
453 | ||
454 | +char *default_wrapper = BINDIR "/Xwrapper"; | |
455 | char *default_server = "X"; | |
456 | char *default_display = ":0"; /* choose most efficient */ | |
457 | char *default_client[] = {"xterm", "-geometry", "+1+1", "-n", "login", NULL}; | |
756a6f4b | 458 | @@ -335,7 +336,10 @@ |
0c801e26 AM |
459 | if (argc == 0 || |
460 | #ifndef __UNIXOS2__ | |
461 | (**argv != '/' && **argv != '.')) { | |
462 | - *sptr++ = default_server; | |
463 | + if (access(default_wrapper, X_OK) == 0) | |
464 | + *sptr++ = default_wrapper; | |
465 | + else | |
466 | + *sptr++ = default_server; | |
467 | #else | |
468 | (**argv != '/' && **argv != '\\' && **argv != '.' && | |
469 | !(isalpha(**argv) && (*argv)[1]==':'))) { |