1 diff -urN X11-6.9.0.org/xc/config/cf/Server.tmpl X11-6.9.0/xc/config/cf/Server.tmpl
2 --- X11-6.9.0.org/xc/config/cf/Server.tmpl 2004-04-23 20:41:58.000000000 +0200
3 +++ X11-6.9.0/xc/config/cf/Server.tmpl 2005-12-22 10:50:30.350963000 +0100
5 #ifndef DoThreadedServer
6 #define DoThreadedServer NO
8 +#ifndef XserverNeedsSetUID
9 +#define XserverNeedsSetUID NO
11 +#ifndef UseXserverWrapper
12 +#define UseXserverWrapper XserverNeedsSetUID
14 #ifndef InstallServerSetUID
15 -#define InstallServerSetUID NO
16 +#define InstallServerSetUID (XserverNeedsSetUID && !UseXserverWrapper)
19 #ifdef CrossCompileDir
20 diff -urN X11-6.9.0.org/xc/config/cf/xorg.cf X11-6.9.0/xc/config/cf/xorg.cf
21 --- X11-6.9.0.org/xc/config/cf/xorg.cf 2005-12-22 10:49:00.730963000 +0100
22 +++ X11-6.9.0/xc/config/cf/xorg.cf 2005-12-22 10:50:53.520963000 +0100
27 - * The default is to install the X servers setuid-root on most OSs.
28 - * It the servers are only started by xdm, they should not be setuid-root.
29 + * The X servers need to run as root on most OSs. We're now using a
30 + * wrapper in that case, but we still need to make it known that the
31 + * servers need SetUID. When only using xdm, this (and the wrapper)
32 + * are not required. Disabling this automatically disables use of the
35 #if !defined(i386MachArchitecture) && !defined(OS2Architecture)
36 -# ifndef InstallXserverSetUID
37 -# define InstallXserverSetUID YES
38 +# ifndef XserverNeedsSetUID
39 +# define XserverNeedsSetUID YES
43 diff -urN X11-6.9.0.org/xc/config/cf/xorgsite.def X11-6.9.0/xc/config/cf/xorgsite.def
44 --- X11-6.9.0.org/xc/config/cf/xorgsite.def 2005-12-22 10:49:00.730963000 +0100
45 +++ X11-6.9.0/xc/config/cf/xorgsite.def 2005-12-22 10:50:53.510963000 +0100
50 - * If you only run the X server under xdm the X servers don't need to be
51 - * installed SetUID, and you may comment out the lines below. If you run
52 - * the servers by hand (with xinit or startx), then they do need to be
53 - * installed SetUID on most platforms.
54 + * The X servers need to run as root on most OSs. We're now using a
55 + * wrapper in that case, but we still need to make it known that the
56 + * servers need SetUID. When only using xdm, this (and the wrapper)
57 + * are not required. Disabling this automatically disables use of the
60 - * Consult your system administrator before making the X server setuid.
61 + * If you're only starting the Xservers with xdm set this to NO
63 -#define InstallXserverSetUID NO
64 +#define XserverNeedsSetUID NO
68 diff -urN X11-6.9.0.org/xc/programs/xinit/startx.cpp X11-6.9.0/xc/programs/xinit/startx.cpp
69 --- X11-6.9.0.org/xc/programs/xinit/startx.cpp 2005-11-15 05:03:10.000000000 +0100
70 +++ X11-6.9.0/xc/programs/xinit/startx.cpp 2005-12-22 10:53:22.620963000 +0100
72 userserverrc=$HOME/.xserverrc
73 sysserverrc=XINITDIR/xserverrc
75 -defaultserver=XSERVER
76 +defaultserver=BINDIR/Xwrapper
80 diff -urN X11-6.9.0.org/xc/programs/xinit/xinit.c X11-6.9.0/xc/programs/xinit/xinit.c
81 --- X11-6.9.0.org/xc/programs/xinit/xinit.c 2005-10-04 03:27:34.000000000 +0200
82 +++ X11-6.9.0/xc/programs/xinit/xinit.c 2005-12-22 10:50:53.630963000 +0100
87 +char *default_wrapper = BINDIR "/Xwrapper";
88 char *default_server = "X";
89 char *default_display = ":0"; /* choose most efficient */
90 char *default_client[] = {"xterm", "-geometry", "+1+1", "-n", "login", NULL};
94 (**argv != '/' && **argv != '.')) {
95 - *sptr++ = default_server;
96 + if (access(default_wrapper, X_OK) == 0)
97 + *sptr++ = default_wrapper;
99 + *sptr++ = default_server;
101 (**argv != '/' && **argv != '\\' && **argv != '.' &&
102 !(isalpha(**argv) && (*argv)[1]==':'))) {
103 diff -urN X11-6.9.0.org/xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c X11-6.9.0/xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c
104 --- X11-6.9.0.org/xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c 2005-08-26 09:35:55.000000000 +0200
105 +++ X11-6.9.0/xc/programs/Xserver/hw/xfree86/os-support/linux/lnx_init.c 2005-12-22 10:52:06.630963000 +0100
108 /* when KeepTty check if we're run with euid==0 */
109 if (KeepTty && geteuid() != 0)
110 - FatalError("xf86OpenConsole:"
111 - " Server must be suid root for option \"KeepTTY\"\n");
112 + FatalError("xf86OpenConsole: Server must be running with root "
114 + "You should be using Xwrapper to start the server or xdm.\n"
115 + "We strongly advise against making the server SUID root!\n");
118 * setup the virtual terminal manager
119 diff -urN X11-6.9.0.org/xc/programs/Xserver/Imakefile X11-6.9.0/xc/programs/Xserver/Imakefile
120 --- X11-6.9.0.org/xc/programs/Xserver/Imakefile 2005-11-18 19:15:23.000000000 +0100
121 +++ X11-6.9.0/xc/programs/Xserver/Imakefile 2005-12-22 10:50:53.540963000 +0100
124 XCOMM $XFree86: xc/programs/Xserver/Imakefile,v 3.296 2003/11/23 06:47:00 torrey Exp $
126 -#ifndef InstallXserverSetUID
127 -#define InstallXserverSetUID NO
129 -#define InstallServerSetUID InstallXserverSetUID
131 #include <Server.tmpl>
133 /* On most systems the linker requires the libraries in dependency order.
135 #endif /* XnestServer */
138 +#if UseXserverWrapper
139 +SetUIDProgramTarget(Xwrapper,os/wrapper.o,NullParameter,$(PAMLIBS),NullParameter)
140 +InstallProgramWithFlags(Xwrapper,$(BINDIR),$(INSTUIDFLAGS))
143 #if defined(XnonServer) && XnonServer
145 XCOMM non server, just compile sources for build test
146 diff -urN X11-6.9.0.org/xc/programs/Xserver/os/Imakefile X11-6.9.0/xc/programs/Xserver/os/Imakefile
147 --- X11-6.9.0.org/xc/programs/Xserver/os/Imakefile 2005-03-23 20:58:45.000000000 +0100
148 +++ X11-6.9.0/xc/programs/Xserver/os/Imakefile 2005-12-22 10:52:36.410963000 +0100
150 INCLUDES = -I. -I../include -I$(XINCLUDESRC) -I$(EXTINCSRC) \
151 -I$(SERVERSRC)/Xext -I$(FONTINCSRC) -I$(SERVERSRC)/render \
152 -I$(TOP)/lib/Xau -I../lbx -I../Xprint Krb5Includes
153 + EXTRA_DEFINES = -DUSE_PAM
154 DEPEND_DEFINES = $(DBM_DEFINES) $(XDMCP_DEFINES) $(EXT_DEFINES) \
155 $(TRANS_INCLUDES) $(CONNECTION_FLAGS) $(GETPEER_DEFINES) \
158 SpecialCObjectRule(oscolor,$(ICONFIGFILES),$(DBM_DEFINES))
161 +#if UseXserverWrapper
162 +AllTarget(wrapper.o)
164 + WRAPPER_DEFINES = -DXSERVER_PATH=\"/etc/X11/X\"
166 +SpecialCObjectRule(wrapper,NullParameter,$(WRAPPER_DEFINES))
170 LinkSourceFile(k5encode.c,$(XAUTHSRC))
172 diff -urN X11-6.9.0.org/xc/programs/Xserver/os/wrapper.c X11-6.9.0/xc/programs/Xserver/os/wrapper.c
173 --- X11-6.9.0.org/xc/programs/Xserver/os/wrapper.c 1970-01-01 01:00:00.000000000 +0100
174 +++ X11-6.9.0/xc/programs/Xserver/os/wrapper.c 2005-12-22 10:50:53.610963000 +0100
177 + * X server wrapper.
179 + * This wrapper makes some sanity checks on the command line arguments
180 + * and environment variables when run with euid == 0 && euid != uid.
181 + * If the checks fail, the wrapper exits with a message.
182 + * If they succeed, it exec's the Xserver.
186 + * Copyright (c) 1998 by The XFree86 Project, Inc. All Rights Reserved.
188 + * Permission is hereby granted, free of charge, to any person obtaining
189 + * a copy of this software and associated documentation files (the
190 + * "Software"), to deal in the Software without restriction, including
191 + * without limitation the rights to use, copy, modify, merge, publish,
192 + * distribute, sublicense, and/or sell copies of the Software, and to
193 + * permit persons to whom the Software is furnished to do so, subject
194 + * to the following conditions:
196 + * The above copyright notice and this permission notice shall be included
197 + * in all copies or substantial portions of the Software.
199 + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
200 + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
201 + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
202 + * IN NO EVENT SHALL THE XFREE86 PROJECT BE LIABLE FOR ANY CLAIM, DAMAGES
203 + * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
204 + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
205 + * OR OTHER DEALINGS IN THE SOFTWARE.
207 + * Except as contained in this notice, the name of the XFree86 Project
208 + * shall not be used in advertising or otherwise to promote the sale,
209 + * use or other dealings in this Software without prior written
210 + * authorization from the XFree86 Project.
213 +/* $XFree86: xc/programs/Xserver/os/wrapper.c,v 1.1.2.5 1998/02/27 15:28:59 dawes Exp $ */
215 +/* This is normally set in the Imakefile */
216 +#ifndef XSERVER_PATH
217 +#define XSERVER_PATH "/etc/X11/X"
225 +#include <sys/types.h>
227 +#include <security/pam_appl.h>
228 +#include <security/pam_misc.h>
230 +#endif /* USE_PAM */
232 +/* Neither of these should be required for XFree86 3.3.2 */
233 +#ifndef REJECT_CONFIG
234 +#define REJECT_CONFIG 0
236 +#ifndef REJECT_XKBDIR
237 +#define REJECT_XKBDIR 0
240 +/* Consider LD* variables insecure ? */
241 +#ifndef REMOVE_ENV_LD
242 +#define REMOVE_ENV_LD 1
245 +/* Remove long environment variables? */
246 +#ifndef REMOVE_LONG_ENV
247 +#define REMOVE_LONG_ENV 1
250 +/* Check args and env only if running setuid (euid == 0 && euid != uid) ? */
252 +#define CHECK_EUID 1
256 + * Maybe the locale can be faked to make isprint(3) report that everything
257 + * is printable? Avoid it by default.
260 +#define USE_ISPRINT 0
263 +#define MAX_ARG_LENGTH 128
264 +#define MAX_ENV_LENGTH 256
265 +#define MAX_ENV_PATH_LENGTH 2048
269 +#define checkPrintable(c) isprint(c)
271 +#define checkPrintable(c) (((c) & 0x7f) >= 0x20 && ((c) & 0x7f) != 0x7f)
284 +#endif /* USE_PAM */
288 + "\nIf the arguments used are valid, and have been rejected incorrectly\n" \
289 + "please send details of the arguments and why they are valid to\n" \
290 + "XFree86@XFree86.org. In the meantime, you can start the Xserver as\n" \
291 + "the \"super user\" (root).\n"
294 + "\nIf the environment is valid, and have been rejected incorrectly\n" \
295 + "please send details of the environment and why it is valid to\n" \
296 + "XFree86@XFree86.org. In the meantime, you can start the Xserver as\n" \
297 + "the \"super user\" (root).\n"
300 +static struct pam_conv conv = {
304 +#endif /* USE_PAM */
308 +main(int argc, char **argv, char **envp)
310 + enum BadCode bad = NotBad;
314 + pam_handle_t *pamh = NULL;
318 + pw = getpwuid(getuid());
320 + bad = InternalError;
324 + retval = pam_start("xserver", pw->pw_name, &conv, &pamh);
325 + if (retval != PAM_SUCCESS)
330 + retval = pam_authenticate(pamh, 0);
331 + if (retval != PAM_SUCCESS) {
332 + pam_end(pamh, retval);
333 + bad = PamAuthFailed;
338 + retval = pam_acct_mgmt(pamh, 0);
339 + if (retval != PAM_SUCCESS) {
340 + pam_end(pamh, retval);
341 + bad = PamAuthFailed;
345 + /* this is not a session, so do not do session management */
347 + if (!bad) pam_end(pamh, PAM_SUCCESS);
348 +#endif /* USE_PAM */
351 + if (!bad && geteuid() == 0 && getuid() != geteuid()) {
355 + /* Check each argv[] */
356 + for (i = 1; i < argc; i++) {
358 + /* Check for known bad arguments */
360 + if (strcmp(argv[i], "-config") == 0) {
366 + if (strcmp(argv[i], "-xkbdir") == 0) {
371 + if (strlen(argv[i]) > MAX_ARG_LENGTH) {
377 + if (checkPrintable(*a) == 0) {
378 + bad = UnprintableArg;
386 + /* Check each envp[] */
388 + for (i = 0; envp[i]; i++) {
390 + /* Check for bad environment variables and values */
392 + while (envp[i] && (strncmp(envp[i], "LD", 2) == 0)) {
393 + for (j = i; envp[j]; j++) {
394 + envp[j] = envp[j+1];
398 + if (envp[i] && (strlen(envp[i]) > MAX_ENV_LENGTH)) {
400 + for (j = i; envp[j]; j++) {
401 + envp[j] = envp[j+1];
408 + eq = strchr(envp[i], '=');
411 + len = eq - envp[i];
412 + e = malloc(len + 1);
414 + bad = InternalError;
417 + strncpy(e, envp[i], len);
420 + (strcmp(e + len - 4, "PATH") == 0 ||
421 + strcmp(e, "TERMCAP") == 0)) {
422 + if (strlen(envp[i]) > MAX_ENV_PATH_LENGTH) {
438 + execve(XSERVER_PATH, argv, envp);
439 + fprintf(stderr, "execve failed for %s (errno %d)\n", XSERVER_PATH,
443 + fprintf(stderr, "Command line argument number %d is unsafe\n", i);
444 + fprintf(stderr, ARGMSG);
447 + fprintf(stderr, "Command line argument number %d is too long\n", i);
448 + fprintf(stderr, ARGMSG);
450 + case UnprintableArg:
451 + fprintf(stderr, "Command line argument number %d contains unprintable"
452 + " characters\n", i);
453 + fprintf(stderr, ARGMSG);
456 + fprintf(stderr, "Environment variable `%s' is too long\n", e);
457 + fprintf(stderr, ENVMSG);
459 + case InternalError:
460 + fprintf(stderr, "Internal Error\n");
464 + fprintf(stderr, "Authentication System Failure, "
465 + "missing or mangled PAM configuration file or module?\n");
467 + case PamAuthFailed:
468 + fprintf(stderr, "PAM authentication failed\n");
472 + fprintf(stderr, "Unknown error\n");
473 + fprintf(stderr, ARGMSG);
474 + fprintf(stderr, ENVMSG);