From 72a6327581015d452eb1ec3549394e47e6311aaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sl=C3=A1vek=20Banko?= <slavek.banko@axis.cz>
Date: Sat, 27 Dec 2014 11:34:30 +0100
Subject: [PATCH] Fix verification of the TDM control socket This resolves Bug
 2269
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
---
 tdm/kfrontend/kgreeter.cpp | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/tdm/kfrontend/kgreeter.cpp b/tdm/kfrontend/kgreeter.cpp
index e6073da50..74e04bf31 100644
--- a/tdm/kfrontend/kgreeter.cpp
+++ b/tdm/kfrontend/kgreeter.cpp
@@ -1275,7 +1275,7 @@ void ControlPipeHandlerObject::run(void) {
 			TQApplication::eventLoop()->exit(-1);
 			return;
 		}
-	
+
 		if ((mKGreeterParent && (mKGreeterParent->isShown())) || (mSAKDlgParent && (mSAKDlgParent->isShown()))) {
 			char readbuf[2048];
 			int displayNumber;
@@ -1291,7 +1291,7 @@ void ControlPipeHandlerObject::run(void) {
 				mPipeFilename = TQString(FIFO_SAK_FILE).arg(displayNumber);
 				::unlink((TQString(FIFO_FILE).arg(displayNumber)).ascii());
 			}
-		
+
 			/* Create the FIFOs if they do not exist */
 			umask(0);
 			struct stat buffer;
@@ -1305,21 +1305,36 @@ void ControlPipeHandlerObject::run(void) {
 			}
 			free(fifo_dir);
 			status = stat(FIFO_DIR, &buffer);
+			if (status == 0) {
+				int dir_mode = ((buffer.st_mode & S_IRWXU) >> 6) * 100;
+				dir_mode = dir_mode + ((buffer.st_mode & S_IRWXG) >> 3) * 10;
+				dir_mode = dir_mode + ((buffer.st_mode & S_IRWXO) >> 0) * 1;
+				if ((dir_mode != 700 && dir_mode != 600) || (buffer.st_uid != 0) || (buffer.st_gid != 0)) {
+					printf("[WARNING] Possible security breach!  Please check permissions on " FIFO_DIR " (must be 700 and owned by root/root, got %d %d/%d).  Not listening for login credentials on remote control socket.\n", dir_mode, buffer.st_uid, buffer.st_gid); fflush(stdout);
+					TQApplication::eventLoop()->exit(-1);
+					return;
+				}
+			}
+			else {
+				mkdir(FIFO_DIR, 0700);
+			}
+			status = stat(mPipeFilename.ascii(), &buffer);
 			if (status == 0) {
 				int file_mode = ((buffer.st_mode & S_IRWXU) >> 6) * 100;
 				file_mode = file_mode + ((buffer.st_mode & S_IRWXG) >> 3) * 10;
 				file_mode = file_mode + ((buffer.st_mode & S_IRWXO) >> 0) * 1;
 				if ((file_mode != 600) || (buffer.st_uid != 0) || (buffer.st_gid != 0)) {
 					::unlink(mPipeFilename.ascii());
-					printf("[WARNING] Possible security breach!  Please check permissions on " FIFO_DIR " (must be 600 and owned by root/root, got %d %d/%d).  Not listening for login credentials on remote control socket.\n", file_mode, buffer.st_uid, buffer.st_gid); fflush(stdout);
+					printf("[WARNING] Possible security breach!  Please check permissions on %s (must be 600 and owned by root/root, got %d %d/%d).  Not listening for login credentials on remote control socket.\n", mPipeFilename.ascii(), file_mode, buffer.st_uid, buffer.st_gid); fflush(stdout);
 					TQApplication::eventLoop()->exit(-1);
 					return;
 				}
 			}
-			mkdir(FIFO_DIR,0700);
-			mknod(mPipeFilename.ascii(), S_IFIFO|0600, 0);
-			chmod(mPipeFilename.ascii(), 0600);
-		
+			else {
+				mknod(mPipeFilename.ascii(), S_IFIFO|0600, 0);
+				chmod(mPipeFilename.ascii(), 0600);
+			}
+
 			mPipe_fd = ::open(mPipeFilename.ascii(), O_RDONLY | O_NONBLOCK);
 			int numread;
 			int retval;