Attachment #30776 for bug #51632

View | Details | Raw Unified | Return to bug 51632
Collapse All | Expand All




Index: programs/luit/Imakefile
===================================================================
RCS file: /home/ncvs/xfree/xc/programs/luit/Imakefile,v
retrieving revision 1.2
retrieving revision 1.4
diff -u -u -r1.2 -r1.4
--- programs/luit/Imakefile	17 Oct 2002 01:06:09 -0000	1.2
+++ programs/luit/Imakefile	28 May 2003 16:02:35 -0000	1.4
@@ -1,19 +1,19 @@
-XCOMM $XFree86: xc/programs/luit/Imakefile,v 1.2 2002/10/17 01:06:09 dawes Exp $
+XCOMM $XFree86: xc/programs/luit/Imakefile,v 1.3tsi Exp $
 
 #ifndef LocaleAliasFile
-#define LocaleAliasFile \
-          $(XLOCALEDIR)/locale.alias
+#define LocaleAliasFile $(XLOCALEDIR)/locale.alias
 #endif
 
+LOCALEALIASFILE = LocaleAliasFile
 LOCAL_LIBRARIES = $(XFONTENCLIB)
 DEPLIBS = $(DEPXFONTENCLIB)
 
-SYS_LIBRARIES = MathLibrary GzipLibrary
+SYS_LIBRARIES = GzipLibrary
 
 SRCS = luit.c iso2022.c charset.c parser.c sys.c other.c
 
 OBJS = luit.o iso2022.o charset.o parser.o sys.o other.o
 
-DEFINES = -DLOCALE_ALIAS_FILE=\"LocaleAliasFile\"
+DEFINES = -DLOCALE_ALIAS_FILE=\"$(LOCALEALIASFILE)\"
 
 ComplexProgramTarget(luit)
Index: programs/luit/luit.c
===================================================================
RCS file: /home/ncvs/xfree/xc/programs/luit/luit.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -u -r1.10 -r1.11
--- programs/luit/luit.c	24 Feb 2003 01:10:25 -0000	1.10
+++ programs/luit/luit.c	8 Sep 2003 14:25:30 -0000	1.11
@@ -545,6 +545,10 @@
 #endif
     installHandler(SIGCHLD, sigchldHandler);
 
+    rc = copyTermios(0, pty);
+    if(rc < 0)
+        FatalError("Couldn't copy terminal settings\n");
+
     rc = setRawTermios();
     if(rc < 0)
         FatalError("Couldn't set terminal to raw\n");
Index: programs/luit/luit.man
===================================================================
RCS file: /home/ncvs/xfree/xc/programs/luit/luit.man,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -u -r1.7 -r1.8
--- programs/luit/luit.man	24 Feb 2003 01:10:25 -0000	1.7
+++ programs/luit/luit.man	3 Apr 2003 16:44:36 -0000	1.8
@@ -202,8 +202,8 @@
 takes no responsibility for any resulting security issues.
 
 .B Luit
-will refuse to run if it is installed setuid and the underlying system
-does not have POSIX saved ids.
+will refuse to run if it is installed setuid and cannot safely drop
+privileges.
 .SH BUGS
 None of this complexity should be necessary.  Stateless UTF-8
 throughout the system is the way to go.
Index: programs/luit/sys.c
===================================================================
RCS file: /home/ncvs/xfree/xc/programs/luit/sys.c,v
retrieving revision 1.7
retrieving revision 1.10
diff -u -u -r1.7 -r1.10
--- programs/luit/sys.c	7 Jan 2002 20:38:30 -0000	1.7
+++ programs/luit/sys.c	8 Sep 2003 14:25:30 -0000	1.10
@@ -68,6 +68,10 @@
 #include <stropts.h>
 #endif
 
+#if (defined(__unix__) || defined(unix)) && !defined(USG)
+#include <sys/param.h>
+#endif
+
 #include "sys.h"
 
 static int saved_tio_valid = 0;
@@ -211,6 +215,23 @@
 }
 
 int
+copyTermios(int sfd, int dfd)
+{
+    struct termios tio;
+    int rc;
+
+    rc = tcgetattr(sfd, &tio);
+    if(rc < 0)
+        return -1;
+
+    rc = tcsetattr(dfd, TCSAFLUSH, &tio);
+    if(rc < 0)
+        return -1;
+
+    return 0;
+}
+
+int
 saveTermios(void)
 {
     int rc;
@@ -311,7 +332,8 @@
 {
     char name[12], *line = NULL;
     int pty = -1;
-    char *name1 = "pqrstuvwxyzPQRST", *name2 = "0123456789abcdef";
+    char *name1 = "pqrstuvwxyzPQRST", 
+        *name2 = "0123456789abcdefghijklmnopqrstuv";
     char *p1, *p2;
+    int tty;
 
 #ifdef HAVE_GRANTPT
@@ -363,17 +385,16 @@
             pty = open(name, O_RDWR);
             if(pty >= 0)
                 goto found;
 
-    strcpy(name, "/dev/pty??");
-    for(p1 = name1; *p1; p1++) {
-        name[8] = *p1;
-        for(p2 = name2; *p2; p2++) {
-            name[9] = *p2;
-            pty = open(name, O_RDWR);
-            if(pty >= 0)
-                goto found;
-            if(errno == ENOENT)
-                goto bail;
-            else
-                continue;
+            /* Systems derived from 4.4BSD differ in their pty names,
+               so ENOENT doesn't necessarily imply we're done. */
+            continue;
         }
     }
 
     goto bail;
 
   found:
-    line = malloc(strlen(name));
+    if (openpty(&pty, &tty, name, NULL, NULL) == -1)
+        goto bail;
+    close(tty);
+    line = malloc(strlen(name) + 1);
     strcpy(line, name);
     line[5] = 't';
     fix_pty_perms(line);
@@ -429,7 +450,10 @@
     return -1;
 }
 
-#ifdef _POSIX_SAVED_IDS
+/* Post-4.4 BSD systems have POSIX semantics (_POSIX_SAVED_IDS
+   or not, depending on the version).  4.3BSD and Minix do not have
+   saved IDs at all, so there's no issue. */
+#if (defined(BSD) && !defined(_POSIX_SAVED_IDS)) || defined(_MINIX)
 int
 droppriv()
 {
@@ -438,6 +462,25 @@
     if(rc < 0)
         return rc;
     return setgid(getgid());
+}
+#elif defined(_POSIX_SAVED_IDS)
+int
+droppriv()
+{
+    int uid = getuid();
+    int euid = geteuid();
+    int gid = getgid();
+    int egid = getegid();
+    int rc;
+
+    if((uid != euid || gid != egid) && euid != 0) {
+        errno = ENOSYS;
+        return -1;
+    }
+    rc = setuid(uid);
+    if(rc < 0)
+        return rc;
+    return setgid(gid);
 }
 #else
 int
Index: programs/luit/sys.h
===================================================================
RCS file: /home/ncvs/xfree/xc/programs/luit/sys.h,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -u -r1.1 -r1.2
--- programs/luit/sys.h	2 Nov 2001 03:06:43 -0000	1.1
+++ programs/luit/sys.h	8 Sep 2003 14:25:30 -0000	1.2
@@ -24,6 +24,7 @@
 int waitForInput(int fd1, int fd2);
 int setWindowSize(int sfd, int dfd);
 int installHandler(int signum, void (*handler)(int));
+int copyTermios(int sfd, int dfd);
 int saveTermios(void);
 int restoreTermios(void);
 int setRawTermios(void);

Lines 7-13 Link Here

(-)XFree86-4-clients/Makefile (-1 / +5 lines)
7		7
8	PORTNAME= clients	8	PORTNAME= clients
9	PORTVERSION= 4.3.0	9	PORTVERSION= 4.3.0
10	PORTREVISION= 3	10	PORTREVISION= 4
11	CATEGORIES= x11	11	CATEGORIES= x11
12	MASTER_SITES= ${MASTER_SITE_XFREE}	12	MASTER_SITES= ${MASTER_SITE_XFREE}
13	MASTER_SITE_SUBDIR= 4.3.0	13	MASTER_SITE_SUBDIR= 4.3.0
Lines 51-56 Link Here
51	InstallXdmConfig?= DEFAULT	51	InstallXdmConfig?= DEFAULT
52	InstallXinitConfig?= DEFAULT	52	InstallXinitConfig?= DEFAULT
53	InstallAppDefFiles?= DEFAULT	53	InstallAppDefFiles?= DEFAULT
		54
		55	post-install:
		56	${CHOWN} root:wheel ${PREFIX}/bin/luit
		57	${CHMOD} 04711 ${PREFIX}/bin/luit
54		58
55	.include "${.CURDIR}/../../x11/XFree86-4-libraries/Makefile.inc"	59	.include "${.CURDIR}/../../x11/XFree86-4-libraries/Makefile.inc"
56	.include <bsd.port.pre.mk>	60	.include <bsd.port.pre.mk>

Return to bug 51632

Lines 1-61 Link Here

(-)XFree86-4-libraries/files/patch-luit (-42 / +181 lines)
1	--- programs/luit/Imakefile.orig Wed Oct 16 18:06:09 2002	1	Index: programs/luit/Imakefile
2	+++ programs/luit/Imakefile Tue Mar 11 14:57:02 2003	2	===================================================================
3	@@ -8,7 +8,7 @@	3	RCS file: /home/ncvs/xfree/xc/programs/luit/Imakefile,v
		4	retrieving revision 1.2
		5	retrieving revision 1.4
		6	diff -u -u -r1.2 -r1.4
		7	--- programs/luit/Imakefile 17 Oct 2002 01:06:09 -0000 1.2
		8	+++ programs/luit/Imakefile 28 May 2003 16:02:35 -0000 1.4
		9	@@ -1,19 +1,19 @@
		10	-XCOMM $XFree86: xc/programs/luit/Imakefile,v 1.2 2002/10/17 01:06:09 dawes Exp $
		11	+XCOMM $XFree86: xc/programs/luit/Imakefile,v 1.3tsi Exp $
		12
		13	#ifndef LocaleAliasFile
		14	-#define LocaleAliasFile \
		15	- $(XLOCALEDIR)/locale.alias
		16	+#define LocaleAliasFile $(XLOCALEDIR)/locale.alias
		17	#endif
		18
		19	+LOCALEALIASFILE = LocaleAliasFile
4	LOCAL_LIBRARIES = $(XFONTENCLIB)	20	LOCAL_LIBRARIES = $(XFONTENCLIB)
5	DEPLIBS = $(DEPXFONTENCLIB)	21	DEPLIBS = $(DEPXFONTENCLIB)
6		22
7	-SYS_LIBRARIES = MathLibrary GzipLibrary	23	-SYS_LIBRARIES = MathLibrary GzipLibrary
8	+SYS_LIBRARIES = MathLibrary GzipLibrary -lutil	24	+SYS_LIBRARIES = GzipLibrary
9		25
10	SRCS = luit.c iso2022.c charset.c parser.c sys.c other.c	26	SRCS = luit.c iso2022.c charset.c parser.c sys.c other.c
11		27
12	--- programs/luit/sys.c.orig Mon Jan 7 12:38:30 2002	28	OBJS = luit.o iso2022.o charset.o parser.o sys.o other.o
13	+++ programs/luit/sys.c Tue Mar 11 14:57:02 2003	29
14	@@ -33,6 +33,7 @@	30	-DEFINES = -DLOCALE_ALIAS_FILE=\"LocaleAliasFile\"
15	#include <termios.h>	31	+DEFINES = -DLOCALE_ALIAS_FILE=\"$(LOCALEALIASFILE)\"
16	#include <signal.h>	32
17	#include <errno.h>	33	ComplexProgramTarget(luit)
18	+#include <libutil.h>	34	Index: programs/luit/luit.c
19		35	===================================================================
20	#ifdef SVR4	36	RCS file: /home/ncvs/xfree/xc/programs/luit/luit.c,v
21	#define HAVE_POLL	37	retrieving revision 1.10
22	@@ -313,6 +314,7 @@	38	retrieving revision 1.11
		39	diff -u -u -r1.10 -r1.11
		40	--- programs/luit/luit.c 24 Feb 2003 01:10:25 -0000 1.10
		41	+++ programs/luit/luit.c 8 Sep 2003 14:25:30 -0000 1.11
		42	@@ -545,6 +545,10 @@
		43	#endif
		44	installHandler(SIGCHLD, sigchldHandler);
		45
		46	+ rc = copyTermios(0, pty);
		47	+ if(rc < 0)
		48	+ FatalError("Couldn't copy terminal settings\n");
		49	+
		50	rc = setRawTermios();
		51	if(rc < 0)
		52	FatalError("Couldn't set terminal to raw\n");
		53	Index: programs/luit/luit.man
		54	===================================================================
		55	RCS file: /home/ncvs/xfree/xc/programs/luit/luit.man,v
		56	retrieving revision 1.7
		57	retrieving revision 1.8
		58	diff -u -u -r1.7 -r1.8
		59	--- programs/luit/luit.man 24 Feb 2003 01:10:25 -0000 1.7
		60	+++ programs/luit/luit.man 3 Apr 2003 16:44:36 -0000 1.8
		61	@@ -202,8 +202,8 @@
		62	takes no responsibility for any resulting security issues.
		63
		64	.B Luit
		65	-will refuse to run if it is installed setuid and the underlying system
		66	-does not have POSIX saved ids.
		67	+will refuse to run if it is installed setuid and cannot safely drop
		68	+privileges.
		69	.SH BUGS
		70	None of this complexity should be necessary. Stateless UTF-8
		71	throughout the system is the way to go.
		72	Index: programs/luit/sys.c
		73	===================================================================
		74	RCS file: /home/ncvs/xfree/xc/programs/luit/sys.c,v
		75	retrieving revision 1.7
		76	retrieving revision 1.10
		77	diff -u -u -r1.7 -r1.10
		78	--- programs/luit/sys.c 7 Jan 2002 20:38:30 -0000 1.7
		79	+++ programs/luit/sys.c 8 Sep 2003 14:25:30 -0000 1.10
		80	@@ -68,6 +68,10 @@
		81	#include <stropts.h>
		82	#endif
		83
		84	+#if (defined(__unix__) \|\| defined(unix)) && !defined(USG)
		85	+#include <sys/param.h>
		86	+#endif
		87	+
		88	#include "sys.h"
		89
		90	static int saved_tio_valid = 0;
		91	@@ -211,6 +215,23 @@
		92	}
		93
		94	int
		95	+copyTermios(int sfd, int dfd)
		96	+{
		97	+ struct termios tio;
		98	+ int rc;
		99	+
		100	+ rc = tcgetattr(sfd, &tio);
		101	+ if(rc < 0)
		102	+ return -1;
103	+
104	+ rc = tcsetattr(dfd, TCSAFLUSH, &tio);
105	+ if(rc < 0)
106	+ return -1;
107	+
108	+ return 0;
109	+}
110	+
111	+int
112	saveTermios(void)
113	{
114	int rc;
115	@@ -311,7 +332,8 @@
116	{
117	char name[12], *line = NULL;
23	int pty = -1;	118	int pty = -1;
24	char name1 = "pqrstuvwxyzPQRST", name2 = "0123456789abcdef";	119	- char name1 = "pqrstuvwxyzPQRST", name2 = "0123456789abcdef";
		120	+ char *name1 = "pqrstuvwxyzPQRST",
		121	+ *name2 = "0123456789abcdefghijklmnopqrstuv";
25	char p1, p2;	122	char p1, p2;
26	+ int tty;
27		123
28	#ifdef HAVE_GRANTPT	124	#ifdef HAVE_GRANTPT
29	char *temp_line;	125	@@ -363,17 +385,16 @@
30	@@ -355,27 +357,11 @@	126	pty = open(name, O_RDWR);
31	bsd:	127	if(pty >= 0)
32	#endif /* HAVE_GRANTPT */	128	goto found;
33
34	- strcpy(name, "/dev/pty??");
35	- for(p1 = name1; *p1; p1++) {
36	- name[8] = *p1;
37	- for(p2 = name2; *p2; p2++) {
38	- name[9] = *p2;
39	- pty = open(name, O_RDWR);
40	- if(pty >= 0)
41	- goto found;
42	- if(errno == ENOENT)	129	- if(errno == ENOENT)
43	- goto bail;	130	- goto bail;
44	- else	131	- else
45	- continue;	132	- continue;
46	- }	133	+ /* Systems derived from 4.4BSD differ in their pty names,
47	- }	134	+ so ENOENT doesn't necessarily imply we're done. */
48	-	135	+ continue;
49	- goto bail;	136	}
50	-	137	}
51	- found:	138
		139	goto bail;
		140
		141	found:
52	- line = malloc(strlen(name));	142	- line = malloc(strlen(name));
53	+ if (openpty(&pty, &tty, name, NULL, NULL) == -1)
54	+ goto bail;
55	+ close(tty);
56	+ line = malloc(strlen(name) + 1);	143	+ line = malloc(strlen(name) + 1);
57	strcpy(line, name);	144	strcpy(line, name);
58	- line[5] = 't';	145	line[5] = 't';
59	fix_pty_perms(line);	146	fix_pty_perms(line);
60	*pty_return = pty;	147	@@ -429,7 +450,10 @@
61	*line_return = line;	148	return -1;
		149	}
		150
		151	-#ifdef _POSIX_SAVED_IDS
		152	+/* Post-4.4 BSD systems have POSIX semantics (_POSIX_SAVED_IDS
		153	+ or not, depending on the version). 4.3BSD and Minix do not have
		154	+ saved IDs at all, so there's no issue. */
		155	+#if (defined(BSD) && !defined(_POSIX_SAVED_IDS)) \|\| defined(_MINIX)
		156	int
		157	droppriv()
		158	{
		159	@@ -438,6 +462,25 @@
		160	if(rc < 0)
		161	return rc;
		162	return setgid(getgid());
		163	+}
		164	+#elif defined(_POSIX_SAVED_IDS)
		165	+int
		166	+droppriv()
		167	+{
		168	+ int uid = getuid();
		169	+ int euid = geteuid();
		170	+ int gid = getgid();
		171	+ int egid = getegid();
		172	+ int rc;
		173	+
		174	+ if((uid != euid \|\| gid != egid) && euid != 0) {
		175	+ errno = ENOSYS;
		176	+ return -1;
		177	+ }
		178	+ rc = setuid(uid);
		179	+ if(rc < 0)
		180	+ return rc;
		181	+ return setgid(gid);
		182	}
		183	#else
		184	int
		185	Index: programs/luit/sys.h
		186	===================================================================
		187	RCS file: /home/ncvs/xfree/xc/programs/luit/sys.h,v
		188	retrieving revision 1.1
		189	retrieving revision 1.2
		190	diff -u -u -r1.1 -r1.2
		191	--- programs/luit/sys.h 2 Nov 2001 03:06:43 -0000 1.1
		192	+++ programs/luit/sys.h 8 Sep 2003 14:25:30 -0000 1.2
		193	@@ -24,6 +24,7 @@
		194	int waitForInput(int fd1, int fd2);
		195	int setWindowSize(int sfd, int dfd);
		196	int installHandler(int signum, void (*handler)(int));
		197	+int copyTermios(int sfd, int dfd);
		198	int saveTermios(void);
		199	int restoreTermios(void);
		200	int setRawTermios(void);