Part 2 of 2 of security patch for KDM [CVE-2010-0436]

git-svn-id: svn://anonsvn.kde.org/home/kde/branches/trinity/kdebase@1117056 283d02a7-25f6-0310-bc7c-ecb5cbfe19da
14 years ago · 9885131c3e
parent f6a9a3e7a1
commit 9885131c3e
3 changed files with 75 additions and 10 deletions
--- a/configure.in.in
+++ b/configure.in.in
@ -266,6 +266,8 @@ if test -n "$LIBART_CONFIG"; then
  fi
 fi

+dnl See if the underlying system honors socket permissions for system security purposes
+KDE_CHECK_HONORS_SOCKET_PERMS

 AC_SUBST(LIBART_LIBS)
 AC_SUBST(LIBART_CFLAGS)
--- a/kdm/backend/ctrl.c
+++ b/kdm/backend/ctrl.c
@ -77,8 +77,25 @@ nukeSock( struct cmdsock *cs )
 	free( cs );
 }

-
+#ifdef HONORS_SOCKET_PERMS
 static CtrlRec ctrl = { 0, 0, -1, 0, 0, { -1, 0, 0 } };
+#else
+static CtrlRec ctrl = { 0, 0, 0, -1, 0, 0, { -1, 0, 0 } };
+
+static int mkTempDir( char *dir )
+{
+	int i, l = strlen( dir ) - 6;
+
+	for (i = 0; i < 100; i++) {
+		randomStr( dir + l );
+		if (!mkdir( dir, 0700 ))
+			return True;
+		if (errno != EEXIST)
+			break;
+	}
+	return False;
+}
+#endif

 void
 openCtrl( struct display *d )
@ -140,22 +157,50 @@ openCtrl( struct display *d )
 				if (strlen( cr->path ) >= sizeof(sa.sun_path))
 					LogError( "path %\"s too long; no control sockets will be available\n",
 					          cr->path );
-				else if (mkdir( sockdir, 0755 ) && errno != EEXIST)
+#ifdef HONORS_SOCKET_PERMS
+				else if (mkdir( sockdir, 0700 ) && errno != EEXIST)
 					LogError( "mkdir %\"s failed; no control sockets will be available\n",
 					          sockdir );
+				else if (unlink( cr->path ) && errno != ENOENT)
+					LogError( "unlink %\"s failed: %m; control socket will not be available\n",
+					          cr->path );
 				else {
-					if (!d)
-						chown( sockdir, -1, fifoGroup );
+#else
+				else if (unlink( sockdir ) && errno != ENOENT)
+					LogError( "unlink %\"s failed: %m; control socket will not be available\n",
+					          sockdir );
+				else if (!strApp( &cr->realdir, sockdir, "-XXXXXX", (char *)0))
+					;
+				else if (!mkTempDir( cr->realdir )) {
+					LogError( "mkdir %\"s failed: %m; control socket will not be available\n",
+					          cr->realdir );
+					free( cr->realdir );
+					cr->realdir = 0;
+				} else if (symlink( cr->realdir, sockdir )) {
+					LogError( "symlink %\"s => %\"s failed: %m; control socket will not be available\n",
+					          sockdir, cr->realdir );
+					rmdir( cr->realdir );
+					free( cr->realdir );
+					cr->realdir = 0;
+				} else {
+					chown( sockdir, 0, d ? 0 : fifoGroup );
 					chmod( sockdir, 0750 );
+#endif
 					if ((cr->fd = socket( PF_UNIX, SOCK_STREAM, 0 )) < 0)
 						LogError( "Cannot create control socket\n" );
 					else {
-						unlink( cr->path );
 						sa.sun_family = AF_UNIX;
 						strcpy( sa.sun_path, cr->path );
 						if (!bind( cr->fd, (struct sockaddr *)&sa, sizeof(sa) )) {
 							if (!listen( cr->fd, 5 )) {
+#ifdef HONORS_SOCKET_PERMS
+								chmod( cr->path, 0660 );
+								if (!d)
+									chown( cr->path, -1, fifoGroup );
+								chmod( sockdir, 0755 );
+#else
 								chmod( cr->path, 0666 );
+#endif
 								RegisterCloseOnFork( cr->fd );
 								RegisterInput( cr->fd );
 								free( sockdir );
@ -170,6 +215,14 @@ openCtrl( struct display *d )
 						close( cr->fd );
 						cr->fd = -1;
 					}
+#ifdef HONORS_SOCKET_PERMS
+					rmdir( sockdir );
+#else
+					unlink( sockdir );
+					rmdir( cr->realdir );
+					free( cr->realdir );
+					cr->realdir = 0;
+#endif
 				}
 				free( cr->path );
 				cr->path = 0;
@ -190,7 +243,14 @@ closeCtrl( struct display *d )
 		cr->fd = -1;
 		unlink( cr->path );
 		*strrchr( cr->path, '/' ) = 0;
+#ifdef HONORS_SOCKET_PERMS
 		rmdir( cr->path );
+#else
+		unlink( cr->path );
+		rmdir( cr->realdir );
+		free( cr->realdir );
+		cr->realdir = 0;
+#endif
 		free( cr->path );
 		cr->path = 0;
 		while (cr->css) {
@ -218,12 +278,12 @@ chownCtrl( CtrlRec *cr, int uid )
 {
 	if (cr->fpath)
 		chown( cr->fpath, uid, -1 );
-	if (cr->path) {
-		char *ptr = strrchr( cr->path, '/' );
-		*ptr = 0;
+	if (cr->path)
+#ifdef HONORS_SOCKET_PERMS
 		chown( cr->path, uid, -1 );
-		*ptr = '/';
-	}
+#else
+		chown( cr->realdir, uid, -1 );
+#endif
 }

 void
--- a/kdm/backend/dm.h
+++ b/kdm/backend/dm.h
@ -220,6 +220,9 @@ typedef struct {
 	struct cmdsock *css;  /* open connections */

 	char *path;           /* filename of the socket */
+#ifndef HONORS_SOCKET_PERMS
+	char *realdir;        /* real dirname of the socket */
+#endif
 	int fd;               /* fd of the socket */
 	int gid;              /* owner group of the socket */