aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOrion Poplawski <orion@cora.nwra.com>2015-02-13 13:32:17 +0100
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-13 13:32:17 +0100
commit415b20b6fbf562d4132fca90a00b6c32d94040ed (patch)
treeaf19b2e816b60b3d56ea9c9d69d6cc61c78d8e45
parent456f887d95ca34974c1192a477dfca117827457f (diff)
downloadnx-libs-415b20b6fbf562d4132fca90a00b6c32d94040ed.tar.gz
nx-libs-415b20b6fbf562d4132fca90a00b6c32d94040ed.tar.bz2
nx-libs-415b20b6fbf562d4132fca90a00b6c32d94040ed.zip
Be compliant with POS36-C: Observe correct revocation order while relinquishing privileges (602_nx-X11_initgroups.full.patch).
The Fedora review of NX (redistributed) caught the following rpmlint issue: This executable is calling setuid and setgid without setgroups or initgroups. There is a high probability this mean it didn't relinquish all groups, and this would be a potential security issue to be fixed. Seek POS36-C on the web for details about the problem. Ref POS36-C: https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges This patch adds initgroups() calls to the code to initialize the supplemental group list.
-rw-r--r--debian/patches/602_nx-X11_initgroups.full.patch67
-rw-r--r--debian/patches/series1
-rw-r--r--nx-X11/programs/Xserver/os/utils.c7
-rw-r--r--nxcomp/Pipe.cpp3
4 files changed, 10 insertions, 68 deletions
diff --git a/debian/patches/602_nx-X11_initgroups.full.patch b/debian/patches/602_nx-X11_initgroups.full.patch
deleted file mode 100644
index 182b378dc..000000000
--- a/debian/patches/602_nx-X11_initgroups.full.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-Description: Be compliant with POS36-C: Observe correct revocation order while relinquishing privileges
-Author: Orion Poplawski <orion@cora.nwra.com>
-Abstract:
- The Fedora review of NX (redistributed) caught the following rpmlint issue:
- .
- This executable is calling setuid and setgid without setgroups or initgroups.
- There is a high probability this mean it didn't relinquish all groups, and this
- would be a potential security issue to be fixed. Seek POS36-C on the web for
- details about the problem.
- .
- Ref POS36-C:
- https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges
- .
- This patch adds initgroups() calls to the code to initialize the supplemental group list.
-diff --git a/nx-X11/programs/Xserver/os/utils.c b/nx-X11/programs/Xserver/os/utils.c
-index 7e62654..9b2431a 100644
---- a/nx-X11/programs/Xserver/os/utils.c
-+++ b/nx-X11/programs/Xserver/os/utils.c
-@@ -112,6 +112,9 @@ OR PERFORMANCE OF THIS SOFTWARE.
- #include <sys/stat.h>
- #include <ctype.h> /* for isspace */
- #include <stdarg.h>
-+#include <sys/types.h>
-+#include <grp.h>
-+#include <pwd.h>
-
- #if defined(DGUX)
- #include <sys/resource.h>
-@@ -1770,6 +1773,7 @@ System(char *command)
- void (*csig)(int);
- #endif
- int status;
-+ struct passwd *pwent;
-
- if (!command)
- return(1);
-@@ -1791,6 +1795,9 @@ System(char *command)
- case -1: /* error */
- p = -1;
- case 0: /* child */
-+ pwent = getpwuid(getuid());
-+ if (initgroups(pwent->pw_name,getgid()) == -1)
-+ _exit(127);
- if (setgid(getgid()) == -1)
- _exit(127);
- if (setuid(getuid()) == -1)
-diff --git a/nxcomp/Pipe.cpp b/nxcomp/Pipe.cpp
-index 7238d0c..aacbbae 100644
---- a/nxcomp/Pipe.cpp
-+++ b/nxcomp/Pipe.cpp
-@@ -21,6 +21,7 @@
- #include <pwd.h>
- #include <sys/types.h>
- #include <sys/wait.h>
-+#include <grp.h>
-
- #include "Pipe.h"
- #include "Misc.h"
-@@ -234,6 +235,8 @@ FILE *Popen(char * const parameters[], const char *type)
- // Child.
- //
-
-+ struct passwd *pwent = getpwuid(getuid());
-+ if (pwent) initgroups(pwent->pw_name,getgid());
- setgid(getgid());
- setuid(getuid());
-
diff --git a/debian/patches/series b/debian/patches/series
index 21cf21d53..c80570682 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1,4 @@
#401_nxcomp_bigrequests-and-genericevent-extensions.full+lite.patch
-602_nx-X11_initgroups.full.patch
603_nx-X11_compilation_warnings.full.patch
605_nxcomp_Types.h-dont-use-STL-internals-on-libc++.full+lite.patch
606_nx-X11_build-on-aarch64.full.patch
diff --git a/nx-X11/programs/Xserver/os/utils.c b/nx-X11/programs/Xserver/os/utils.c
index 7e626542e..9b2431af7 100644
--- a/nx-X11/programs/Xserver/os/utils.c
+++ b/nx-X11/programs/Xserver/os/utils.c
@@ -112,6 +112,9 @@ OR PERFORMANCE OF THIS SOFTWARE.
#include <sys/stat.h>
#include <ctype.h> /* for isspace */
#include <stdarg.h>
+#include <sys/types.h>
+#include <grp.h>
+#include <pwd.h>
#if defined(DGUX)
#include <sys/resource.h>
@@ -1770,6 +1773,7 @@ System(char *command)
void (*csig)(int);
#endif
int status;
+ struct passwd *pwent;
if (!command)
return(1);
@@ -1791,6 +1795,9 @@ System(char *command)
case -1: /* error */
p = -1;
case 0: /* child */
+ pwent = getpwuid(getuid());
+ if (initgroups(pwent->pw_name,getgid()) == -1)
+ _exit(127);
if (setgid(getgid()) == -1)
_exit(127);
if (setuid(getuid()) == -1)
diff --git a/nxcomp/Pipe.cpp b/nxcomp/Pipe.cpp
index 7238d0c73..aacbbaeb3 100644
--- a/nxcomp/Pipe.cpp
+++ b/nxcomp/Pipe.cpp
@@ -21,6 +21,7 @@
#include <pwd.h>
#include <sys/types.h>
#include <sys/wait.h>
+#include <grp.h>
#include "Pipe.h"
#include "Misc.h"
@@ -234,6 +235,8 @@ FILE *Popen(char * const parameters[], const char *type)
// Child.
//
+ struct passwd *pwent = getpwuid(getuid());
+ if (pwent) initgroups(pwent->pw_name,getgid());
setgid(getgid());
setuid(getuid());