Date:      Sun, 19 Oct 1997 10:26:13 +0900 (JST)
From:      sanpei@yy.cs.keio.ac.jp
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   ports/4798: setuid-root Xserver problem
Message-ID:  <199710190126.KAA00580@fumi.yy.cs.keio.ac.jp>
Resent-Message-ID: <199710190130.SAA14145@hub.freebsd.org>


>Number:         4798
>Category:       ports
>Synopsis:       setuid-root Xserver problem
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 18 18:30:00 PDT 1997
>Last-Modified:
>Originator:     MIHIRA Yoshiro
>Organization:
Keio Univ.
>Release:        FreeBSD 2.2.5-971015-BETA i386
>Environment:

	2.2.2-RELEASE and 2.2.5-BETA

>Description:

	   xterm and kterm (kanji term) had a setuid-root problem.
	They were fixed in the original source (xterm) and by `ports/4789' (kterm).

	   But I think the Xserver of XFree86 3.2 and later still
	has the same setuid-root problem.

	   The patch below fixes it.

Yoshiro MIHIRA

>How-To-Repeat:

o HOME directory NFS server, run xterm(2.2.2-RELEASE):
  /etc/exports
  /usr/home	nfs-client

o NFS client, Xserver(2.2.5-BETA):
  % mount -t nfs nfs-server:/usr/home /mnt

o user home directory is in /mnt.

o setting up xauth.

o start Xserver on NFS client.
  % xinit -- -auth $HOME/.Xauthority

o run xterm on NFS server to Xserver
  on NFS server
  % setenv DISPLAY  nfs-client:0.0
  % xterm
  Xlib: connection to "nfs-client:0.0" refused by server
  Xlib: Invalid MIT-MAGIC-COOKIE-1 key
  Error: Can't open display: nfs-client:0.0

>Fix:

patch for XFree86
--- xc/programs/Xserver/os/auth.c.org	Sun Dec 22 12:33:21 1996
+++ xc/programs/Xserver/os/auth.c	Sun Oct 19 10:08:34 1997
@@ -51,6 +51,21 @@
 #include "Xw32defs.h"
 #endif
 
+#if !defined(MINIX) && !defined(WIN32)
+#include <sys/param.h>  /* for NOFILE */
+#endif
+
+#if (BSD >= 199103)
+#define USE_POSIX_WAIT
+#define HAS_POSIX_SAVED_IDS
+#endif
+
+#ifdef HAS_POSIX_SAVED_IDS
+#include <unistd.h>
+#include <sys/types.h>
+#include <errno.h>
+#endif /* HAS_POSIX_SAVED_IDS */
+
 struct protocol {
     unsigned short   name_length;
     char    *name;
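Review bot: `USE_POSIX_WAIT` is defined in the `#if (BSD >= 199103)` block, but none of the visible hunks test it; unless something else in auth.c uses it, the define should be dropped so only `HAS_POSIX_SAVED_IDS` remains. The comment on the `<sys/param.h>` include reads `/* for NOFILE */`, while what this patch takes from that header is the `BSD` macro tested just below; `/* for BSD */` would match the use. The added code also calls `strerror`, and `<string.h>` is not among the new includes; it may already be included above this hunk, which is not visible here.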
@@ -169,10 +184,28 @@
     Xauth   *auth;
     int	    i;
     int	    count = 0;
+#ifdef HAS_POSIX_SAVED_IDS
+    uid_t euid = geteuid();
+    gid_t egid = getegid();
+    uid_t ruid = getuid();
+    gid_t rgid = getgid();
+#endif /* HAS_POSIX_SAVED_IDS */
 
     ShouldLoadAuth = FALSE;
+
     if (!authorization_file)
 	return 0;
+
+#ifdef HAS_POSIX_SAVED_IDS
+            if (setegid(rgid) == -1)
+                (void) fprintf(stderr, "setegid(%d): %s\n",
+                               (int) rgid, strerror(errno));
+
+            if (seteuid(ruid) == -1)
+                (void) fprintf(stderr, "seteuid(%d): %s\n",
+                               (int) ruid, strerror(errno));
+#endif /* HAS_POSIX_SAVED_IDS */
+
     f = fopen (authorization_file, "r");
     if (!f)
 	return 0;
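Review bot: A failed `seteuid(ruid)` or `setegid(rgid)` is only reported on stderr, and control still reaches `fopen (authorization_file, "r")` with the setuid effective ids, so the privileged open this patch is meant to remove survives on that path; the drop should fail closed with `return 0`, as the failed-open path already does. The `if (!f) return 0;` after the open also exits with the real ids still in effect, because the only restore is in the last hunk after `fclose (f)`, where a failed `seteuid(euid)` is again only logged. Restoring right after `fopen` covers both returns and keeps the dropped-privilege window to the one call that needs it; the restore block after `fclose (f)` then goes away. The enclosing function begins and ends outside this hunk.

```c
#ifdef HAS_POSIX_SAVED_IDS
    /* Open the file as the invoking user; never fall through to a
     * privileged open when the drop fails. */
    if (setegid(rgid) == -1) {
	(void) fprintf(stderr, "setegid(%d): %s\n",
		       (int) rgid, strerror(errno));
	return 0;
    }
    if (seteuid(ruid) == -1) {
	(void) fprintf(stderr, "seteuid(%d): %s\n",
		       (int) ruid, strerror(errno));
	(void) setegid(egid);
	return 0;
    }
#endif /* HAS_POSIX_SAVED_IDS */

    f = fopen (authorization_file, "r");

#ifdef HAS_POSIX_SAVED_IDS
    /* Restore before any return, including the failed-open one. */
    if (seteuid(euid) == -1)
	(void) fprintf(stderr, "seteuid(%d): %s\n",
		       (int) euid, strerror(errno));
    if (setegid(egid) == -1)
	(void) fprintf(stderr, "setegid(%d): %s\n",
		       (int) egid, strerror(errno));
#endif /* HAS_POSIX_SAVED_IDS */

    if (!f)
	return 0;
    /* … unchanged: XauReadAuth loop and fclose (f), without the restore block after it … */
```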
@@ -190,6 +223,16 @@
 	XauDisposeAuth (auth);
     }
     fclose (f);
+#ifdef HAS_POSIX_SAVED_IDS
+    if (seteuid(euid) == -1)
+        (void) fprintf(stderr, "seteuid(%d): %s\n",
+		(int) euid, strerror(errno));
+
+    if (setegid(egid) == -1)
+	(void) fprintf(stderr, "setegid(%d): %s\n",
+		(int) egid, strerror(errno));
+#endif
+
     return count;
 }
 
>Audit-Trail:
>Unformatted:


