diff options
author | tpearson <tpearson@283d02a7-25f6-0310-bc7c-ecb5cbfe19da> | 2010-04-21 02:05:59 +0000 |
---|---|---|
committer | tpearson <tpearson@283d02a7-25f6-0310-bc7c-ecb5cbfe19da> | 2010-04-21 02:05:59 +0000 |
commit | 9885131c3e220b351fa05ff9fdee265b7f83549e (patch) | |
tree | ceac5f756ed489cca5bd54351eaca40562c272ba /kdm/backend/ctrl.c | |
parent | f6a9a3e7a1e71d41ab945b55b928a04850e4a6fd (diff) | |
download | tdebase-9885131c3e220b351fa05ff9fdee265b7f83549e.tar.gz tdebase-9885131c3e220b351fa05ff9fdee265b7f83549e.zip |
Part 2 of 2 of security patch for KDM [CVE-2010-0436]
git-svn-id: svn://anonsvn.kde.org/home/kde/branches/trinity/kdebase@1117056 283d02a7-25f6-0310-bc7c-ecb5cbfe19da
Diffstat (limited to 'kdm/backend/ctrl.c')
-rw-r--r-- | kdm/backend/ctrl.c | 80 |
1 files changed, 70 insertions, 10 deletions
diff --git a/kdm/backend/ctrl.c b/kdm/backend/ctrl.c index d813af0f2..add46241a 100644 --- a/kdm/backend/ctrl.c +++ b/kdm/backend/ctrl.c @@ -77,8 +77,25 @@ nukeSock( struct cmdsock *cs ) free( cs ); } - +#ifdef HONORS_SOCKET_PERMS static CtrlRec ctrl = { 0, 0, -1, 0, 0, { -1, 0, 0 } }; +#else +static CtrlRec ctrl = { 0, 0, 0, -1, 0, 0, { -1, 0, 0 } }; + +static int mkTempDir( char *dir ) +{ + int i, l = strlen( dir ) - 6; + + for (i = 0; i < 100; i++) { + randomStr( dir + l ); + if (!mkdir( dir, 0700 )) + return True; + if (errno != EEXIST) + break; + } + return False; +} +#endif void openCtrl( struct display *d ) @@ -140,22 +157,50 @@ openCtrl( struct display *d ) if (strlen( cr->path ) >= sizeof(sa.sun_path)) LogError( "path %\"s too long; no control sockets will be available\n", cr->path ); - else if (mkdir( sockdir, 0755 ) && errno != EEXIST) +#ifdef HONORS_SOCKET_PERMS + else if (mkdir( sockdir, 0700 ) && errno != EEXIST) LogError( "mkdir %\"s failed; no control sockets will be available\n", sockdir ); + else if (unlink( cr->path ) && errno != ENOENT) + LogError( "unlink %\"s failed: %m; control socket will not be available\n", + cr->path ); else { - if (!d) - chown( sockdir, -1, fifoGroup ); +#else + else if (unlink( sockdir ) && errno != ENOENT) + LogError( "unlink %\"s failed: %m; control socket will not be available\n", + sockdir ); + else if (!strApp( &cr->realdir, sockdir, "-XXXXXX", (char *)0)) + ; + else if (!mkTempDir( cr->realdir )) { + LogError( "mkdir %\"s failed: %m; control socket will not be available\n", + cr->realdir ); + free( cr->realdir ); + cr->realdir = 0; + } else if (symlink( cr->realdir, sockdir )) { + LogError( "symlink %\"s => %\"s failed: %m; control socket will not be available\n", + sockdir, cr->realdir ); + rmdir( cr->realdir ); + free( cr->realdir ); + cr->realdir = 0; + } else { + chown( sockdir, 0, d ? 0 : fifoGroup ); chmod( sockdir, 0750 ); +#endif if ((cr->fd = socket( PF_UNIX, SOCK_STREAM, 0 )) < 0) LogError( "Cannot create control socket\n" ); else { - unlink( cr->path ); sa.sun_family = AF_UNIX; strcpy( sa.sun_path, cr->path ); if (!bind( cr->fd, (struct sockaddr *)&sa, sizeof(sa) )) { if (!listen( cr->fd, 5 )) { +#ifdef HONORS_SOCKET_PERMS + chmod( cr->path, 0660 ); + if (!d) + chown( cr->path, -1, fifoGroup ); + chmod( sockdir, 0755 ); +#else chmod( cr->path, 0666 ); +#endif RegisterCloseOnFork( cr->fd ); RegisterInput( cr->fd ); free( sockdir ); @@ -170,6 +215,14 @@ openCtrl( struct display *d ) close( cr->fd ); cr->fd = -1; } +#ifdef HONORS_SOCKET_PERMS + rmdir( sockdir ); +#else + unlink( sockdir ); + rmdir( cr->realdir ); + free( cr->realdir ); + cr->realdir = 0; +#endif } free( cr->path ); cr->path = 0; @@ -190,7 +243,14 @@ closeCtrl( struct display *d ) cr->fd = -1; unlink( cr->path ); *strrchr( cr->path, '/' ) = 0; +#ifdef HONORS_SOCKET_PERMS rmdir( cr->path ); +#else + unlink( cr->path ); + rmdir( cr->realdir ); + free( cr->realdir ); + cr->realdir = 0; +#endif free( cr->path ); cr->path = 0; while (cr->css) { @@ -218,12 +278,12 @@ chownCtrl( CtrlRec *cr, int uid ) { if (cr->fpath) chown( cr->fpath, uid, -1 ); - if (cr->path) { - char *ptr = strrchr( cr->path, '/' ); - *ptr = 0; + if (cr->path) +#ifdef HONORS_SOCKET_PERMS chown( cr->path, uid, -1 ); - *ptr = '/'; - } +#else + chown( cr->realdir, uid, -1 ); +#endif } void |