author | Orion Poplawski <orion@cora.nwra.com> | 2015-02-13 13:32:17 +0100 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-13 13:32:17 +0100 |
commit | 415b20b6fbf562d4132fca90a00b6c32d94040ed (patch) | |
tree | af19b2e816b60b3d56ea9c9d69d6cc61c78d8e45 | |
parent | 456f887d95ca34974c1192a477dfca117827457f (diff) | |
Be compliant with POS36-C: Observe correct revocation order while relinquishing privileges (602_nx-X11_initgroups.full.patch).
The Fedora review of NX (redistributed) caught the following rpmlint issue:
This executable is calling setuid and setgid without setgroups or initgroups.
There is a high probability this mean it didn't relinquish all groups, and this
would be a potential security issue to be fixed. Seek POS36-C on the web for
details about the problem.
Ref POS36-C:
https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges
This patch adds initgroups() calls to the code to initialize the supplemental group list.
-rw-r--r-- | debian/patches/602_nx-X11_initgroups.full.patch | 67 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rw-r--r-- | nx-X11/programs/Xserver/os/utils.c | 7 | ||||
-rw-r--r-- | nxcomp/Pipe.cpp | 3 |
4 files changed, 10 insertions, 68 deletions
diff --git a/debian/patches/602_nx-X11_initgroups.full.patch b/debian/patches/602_nx-X11_initgroups.full.patch
deleted file mode 100644
index 182b378dc..000000000
--- a/debian/patches/602_nx-X11_initgroups.full.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-Description: Be compliant with POS36-C: Observe correct revocation order while relinquishing privileges
-Author: Orion Poplawski <orion@cora.nwra.com>
-Abstract:
- The Fedora review of NX (redistributed) caught the following rpmlint issue:
- .
- This executable is calling setuid and setgid without setgroups or initgroups.
- There is a high probability this mean it didn't relinquish all groups, and this
- would be a potential security issue to be fixed. Seek POS36-C on the web for
- details about the problem.
- .
- Ref POS36-C:
- https://www.securecoding.cert.org/confluence/display/seccode/POS36-C.+Observe+correct+revocation+order+while+relinquishing+privileges
- .
- This patch adds initgroups() calls to the code to initialize the supplemental group list.
-diff --git a/nx-X11/programs/Xserver/os/utils.c b/nx-X11/programs/Xserver/os/utils.c
-index 7e62654..9b2431a 100644
---- a/nx-X11/programs/Xserver/os/utils.c
-+++ b/nx-X11/programs/Xserver/os/utils.c
-@@ -112,6 +112,9 @@ OR PERFORMANCE OF THIS SOFTWARE.
- #include <sys/stat.h>
- #include <ctype.h> /* for isspace */
- #include <stdarg.h>
-+#include <sys/types.h>
-+#include <grp.h>
-+#include <pwd.h>
-
- #if defined(DGUX)
- #include <sys/resource.h>
-@@ -1770,6 +1773,7 @@ System(char *command)
- void (*csig)(int);
- #endif
- int status;
-+ struct passwd *pwent;
-
- if (!command)
- return(1);
-@@ -1791,6 +1795,9 @@ System(char *command)
- case -1: /* error */
- p = -1;
- case 0: /* child */
-+ pwent = getpwuid(getuid());
-+ if (initgroups(pwent->pw_name,getgid()) == -1)
-+ _exit(127);
- if (setgid(getgid()) == -1)
- _exit(127);
- if (setuid(getuid()) == -1)
-diff --git a/nxcomp/Pipe.cpp b/nxcomp/Pipe.cpp
-index 7238d0c..aacbbae 100644
---- a/nxcomp/Pipe.cpp
-+++ b/nxcomp/Pipe.cpp
-@@ -21,6 +21,7 @@
- #include <pwd.h>
- #include <sys/types.h>
- #include <sys/wait.h>
-+#include <grp.h>
-
- #include "Pipe.h"
- #include "Misc.h"
-@@ -234,6 +235,8 @@ FILE *Popen(char * const parameters[], const char *type)
- // Child.
- //
-
-+ struct passwd *pwent = getpwuid(getuid());
-+ if (pwent) initgroups(pwent->pw_name,getgid());
- setgid(getgid());
- setuid(getuid());
-
diff --git a/debian/patches/series b/debian/patches/series
index 21cf21d53..c80570682 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,5 +1,4 @@
 #401_nxcomp_bigrequests-and-genericevent-extensions.full+lite.patch
-602_nx-X11_initgroups.full.patch
 603_nx-X11_compilation_warnings.full.patch
 605_nxcomp_Types.h-dont-use-STL-internals-on-libc++.full+lite.patch
 606_nx-X11_build-on-aarch64.full.patch
diff --git a/nx-X11/programs/Xserver/os/utils.c b/nx-X11/programs/Xserver/os/utils.c
index 7e626542e..9b2431af7 100644
--- a/nx-X11/programs/Xserver/os/utils.c
+++ b/nx-X11/programs/Xserver/os/utils.c
@@ -112,6 +112,9 @@ OR PERFORMANCE OF THIS SOFTWARE.
 #include <sys/stat.h>
 #include <ctype.h> /* for isspace */
 #include <stdarg.h>
+#include <sys/types.h>
+#include <grp.h>
+#include <pwd.h>
 #if defined(DGUX)
 #include <sys/resource.h>
@@ -1770,6 +1773,7 @@ System(char *command)
 void (*csig)(int);
 #endif
 int status;
+ struct passwd *pwent;
 if (!command)
 return(1);
@@ -1791,6 +1795,9 @@ System(char *command)
 case -1: /* error */
 p = -1;
 case 0: /* child */
+ pwent = getpwuid(getuid());
+ if (initgroups(pwent->pw_name,getgid()) == -1)
+ _exit(127);
 if (setgid(getgid()) == -1)
 _exit(127);
 if (setuid(getuid()) == -1)
diff --git a/nxcomp/Pipe.cpp b/nxcomp/Pipe.cpp
index 7238d0c73..aacbbaeb3 100644
--- a/nxcomp/Pipe.cpp
+++ b/nxcomp/Pipe.cpp
@@ -21,6 +21,7 @@
 #include <pwd.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <grp.h>
 #include "Pipe.h"
 #include "Misc.h"
@@ -234,6 +235,8 @@ FILE *Popen(char * const parameters[], const char *type)
 // Child.
 //
+ struct passwd *pwent = getpwuid(getuid());
+ if (pwent) initgroups(pwent->pw_name,getgid());
 setgid(getgid());
 setuid(getuid()); |
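Review bot: In the `case 0:` child branch of System() (hunk `@@ -1791,6 +1795,9 @@`), `getpwuid(getuid())` can return NULL when the real uid has no passwd entry or the lookup fails, and the added `initgroups(pwent->pw_name,getgid())` dereferences it unconditionally. Fail closed instead of crashing: `if (pwent == NULL || initgroups(pwent->pw_name, getgid()) == -1) _exit(127);`. Separately, initgroups() ends in setgroups(), which needs privilege, so if this server is ever run without setuid root the new check would presumably make every System() child exit 127. It is worth confirming that case and, if it applies, only resetting groups when `getuid() != geteuid()`. System()'s body starts and continues outside this hunk, so the surrounding fork handling was not reviewed.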
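Review bot: The Popen() child path (hunk `@@ -234,6 +235,8 @@`) fails open: when `getpwuid()` returns NULL the supplementary group list is left as inherited, and the result of `initgroups()` is discarded, so the child continues with whatever groups the parent held. That is inconsistent with the utils.c change in the same commit, which exits with 127 on failure, and it leaves the POS36-C concern from the commit message only partly addressed. When the process holds elevated privileges the child should stop instead, e.g. `if (pwent == NULL || initgroups(pwent->pw_name, getgid()) == -1) _exit(127);`. The `setgid(getgid())` and `setuid(getuid())` context lines below it also ignore their return values and deserve the same check. Popen()'s body extends beyond the hunk, so how the child exits on error elsewhere is not visible here.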