From owner-freebsd-ports Sat Oct 18 18:30:05 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id SAA14154 for ports-outgoing; Sat, 18 Oct 1997 18:30:05 -0700 (PDT) (envelope-from owner-freebsd-ports)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id SAA14145; Sat, 18 Oct 1997 18:30:01 -0700 (PDT) (envelope-from gnats)
Resent-Date: Sat, 18 Oct 1997 18:30:01 -0700 (PDT)
Resent-Message-Id: <199710190130.SAA14145@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-ports
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, sanpei@yy.cs.keio.ac.jp
Received: from kogwy.cc.keio.ac.jp (kogwy.cc.keio.ac.jp [131.113.1.1]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id SAA13961 for ; Sat, 18 Oct 1997 18:26:13 -0700 (PDT) (envelope-from sanpei@yy.cs.keio.ac.jp)
Received: from fumi.yy.cs.keio.ac.jp (sanpei.user.towntv.co.jp [203.140.33.133]) by kogwy.cc.keio.ac.jp (8.8.7/3.6Wbeta6) with ESMTP id KAA19085 for ; Sun, 19 Oct 1997 10:26:02 +0900 (JST)
Received: (from sanpei@localhost) by fumi.yy.cs.keio.ac.jp (8.8.7/3.6Wbeta4) id KAA00580; Sun, 19 Oct 1997 10:26:13 +0900 (JST)
Message-Id: <199710190126.KAA00580@fumi.yy.cs.keio.ac.jp>
Date: Sun, 19 Oct 1997 10:26:13 +0900 (JST)
From: sanpei@yy.cs.keio.ac.jp
Reply-To: sanpei@yy.cs.keio.ac.jp
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: ports/4798: setuid-root Xserver problem
Sender: owner-freebsd-ports@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 4798
>Category: ports
>Synopsis: setuid-root Xserver problem
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Oct 18 18:30:00 PDT 1997
>Last-Modified:
>Originator: MIHIRA Yoshiro
>Organization: Keio Univ.
>Release: FreeBSD 2.2.5-971015-BETA i386
>Environment:

2.2.2-RELEASE and 2.2.5-BETA

>Description:

xterm and kterm (kanji term) had a setuid-root problem.
They were fixed by the original source (xterm) and `ports/4789' (kterm).

But I think the Xserver of XFree86 3.2 and later also still has the same setuid-root problem.

I fix it with the patch below.

Yoshiro MIHIRA

>How-To-Repeat:

o HOME directory NFS server, run xterm(2.2.2-RELEASE):
	/etc/exports
	/usr/home nfs-client

o NFS client, Xserver(2.2.5-BETA):
	% mount -t nfs nfs-server:/usr/home /mnt

o user home directory is in /mnt.

o setting up xauth.

o start Xserver on NFS client.
	% xinit -- -auth $HOME/.Xauthority

o run xterm on NFS server to Xserver on NFS server
	% setenv DISPLAY nfs-client:0.0
	% xterm
	Xlib: connection to "nfs-client:0.0" refused by server
	Xlib: Invalid MIT-MAGIC-COOKIE-1 key
	Error: Can't open display: nfs-client:0.0

>Fix:

patch for XFree86

--- xc/programs/Xserver/os/auth.c.org Sun Dec 22 12:33:21 1996 +++ xc/programs/Xserver/os/auth.c Sun Oct 19 10:08:34 1997 @@ -51,6 +51,21 @@ #include "Xw32defs.h" #endif +#if !defined(MINIX) && !defined(WIN32) +#include /* for NOFILE */ +#endif + +#if (BSD >= 199103) +#define USE_POSIX_WAIT +#define HAS_POSIX_SAVED_IDS +#endif + +#ifdef HAS_POSIX_SAVED_IDS +#include +#include +#include +#endif /* HAS_POSIX_SAVED_IDS */ + struct protocol { unsigned short name_length; char *name; 
@@ -169,10 +184,28 @@ Xauth *auth; int i; int count = 0; +#ifdef HAS_POSIX_SAVED_IDS + uid_t euid = geteuid(); + gid_t egid = getegid(); + uid_t ruid = getuid(); + gid_t rgid = getgid(); +#endif /* HAS_POSIX_SAVED_IDS */ ShouldLoadAuth = FALSE; + if (!authorization_file) return 0; + +#ifdef HAS_POSIX_SAVED_IDS + if (setegid(rgid) == -1) + (void) fprintf(stderr, "setegid(%d): %s\n", + (int) rgid, strerror(errno)); + + if (seteuid(ruid) == -1) + (void) fprintf(stderr, "seteuid(%d): %s\n", + (int) ruid, strerror(errno)); +#endif /* HAS_POSIX_SAVED_IDS */ + f = fopen (authorization_file, "r"); if (!f) return 0; @@ -190,6 +223,16 @@ XauDisposeAuth (auth); } fclose (f); +#ifdef HAS_POSIX_SAVED_IDS + if (seteuid(euid) == -1) + (void) fprintf(stderr, "seteuid(%d): %s\n", + (int) euid, strerror(errno)); + + if (setegid(egid) == -1) + (void) fprintf(stderr, "setegid(%d): %s\n", + (int) egid, strerror(errno)); +#endif + return count; } >Audit-Trail: >Unformatted:
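
Review bot: In the first hunk (@@ -51,6 +51,21 @@), `#define USE_POSIX_WAIT` is added but none of the three hunks uses it; only HAS_POSIX_SAVED_IDS is tested later. Drop the define so the patch carries only what auth.c needs. The comment `/* for NOFILE */` on the first added include also does not say why this file needs it; if the include is there so that the `BSD >= 199103` test sees a defined BSD macro, the comment should say that.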
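
Review bot: In the second hunk (@@ -169,10 +184,28 @@), a failed `setegid(rgid)` or `seteuid(ruid)` is only reported on stderr, and execution then falls through to `fopen (authorization_file, "r")` with the original effective IDs, so the file is still opened with the privileges the patch is meant to drop. Treat either failure as fatal for this function: undo whatever was already changed and `return 0` instead of opening the file.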
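
Review bot: In the third hunk (@@ -190,6 +223,16 @@), the restore of euid/egid sits only after `fclose (f)`, so the unchanged `if (!f) return 0;` that follows the fopen in the previous hunk returns with the effective IDs still dropped. Restore the IDs immediately after the fopen call, before testing `f`, or route every exit through a single restore block. A failed `seteuid(euid)` here is also only logged, which leaves the server running without the privileges the rest of the code expects, and the closing `#endif` lacks the `/* HAS_POSIX_SAVED_IDS */` comment that the other two blocks carry.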