From 4d469002853923b3a51f2438c2f0c890d9a664ce Mon Sep 17 00:00:00 2001 From: root Date: Tue, 17 Jan 2006 15:41:32 +0000 Subject: [PATCH] *** empty log message *** --- configure | 30 +++++++++++------------------- configure.ac | 1 + src/main.C | 36 ++++++++++++++++++++++++++++++++---- src/ptytty.C | 25 ++++++++----------------- src/rxvtd.C | 4 ++-- 5 files changed, 54 insertions(+), 42 deletions(-) diff --git a/configure b/configure index 6bfda158..a2406ec1 100755 --- a/configure +++ b/configure @@ -10132,14 +10132,6 @@ _ACEOF -case "$host_alias" in - *ultrix) ac_cv_func_setsid='no' ;; - *) break;; -esac - - - - @@ -10158,15 +10150,12 @@ esac for ac_func in \ - atexit \ revoke \ unsetenv \ setutent \ seteuid \ + setresuid \ setreuid \ - setsid \ - setpgrp \ - setpgid \ _getpty \ getpt \ posix_openpt \ @@ -11900,6 +11889,10 @@ cat >>confdefs.h <<\_ACEOF #define HAVE_UNIX_FDPASS 1 _ACEOF +else + { { echo "$as_me:$LINENO: error: urxvt requires unix-compliant filehandle passing ability" >&5 +echo "$as_me: error: urxvt requires unix-compliant filehandle passing ability" >&2;} + { (exit 1); exit 1; }; } fi echo "$as_me:$LINENO: checking for broken XIM callback" >&5 @@ -12871,15 +12864,14 @@ _ACEOF PERLLIB="`$PERL -MExtUtils::Embed -e ldopts`" PERLPRIVLIBEXP="`$PERL -MConfig -e 'print $Config{privlibexp}'`" else - support_perl=no - echo "$as_me:$LINENO: result: no, unable to link" >&5 -echo "${ECHO_T}no, unable to link" >&6 + { { echo "$as_me:$LINENO: error: no, unable to link" >&5 +echo "$as_me: error: no, unable to link" >&2;} + { (exit 1); exit 1; }; } fi else - { { echo "$as_me:$LINENO: error: no working perl found" >&5 -echo "$as_me: error: no working perl found" >&2;} - { (exit or perl not version >= 5.8); exit or perl not version >= 5.8; }; } - support_perl=no + { { echo "$as_me:$LINENO: error: no working perl found, or perl not version >= 5.8" >&5 +echo "$as_me: error: no working perl found, or perl not version >= 5.8" >&2;} + { (exit 1); exit 1; }; } fi fi diff --git a/configure.ac b/configure.ac index d2662e25..2692ceac 100644 --- a/configure.ac +++ b/configure.ac @@ -716,6 +716,7 @@ AC_CHECK_FUNCS( \ unsetenv \ setutent \ seteuid \ + setresuid \ setreuid \ _getpty \ getpt \ diff --git a/src/main.C b/src/main.C index e65fd233..f8fd9795 100644 --- a/src/main.C +++ b/src/main.C @@ -211,10 +211,6 @@ void rxvt_term::emergency_cleanup () if (cmd_pid) kill (-cmd_pid, SIGHUP); -#ifdef UTMP_SUPPORT - privileged_utmp (RESTORE); -#endif - delete pty; pty = 0; } @@ -602,6 +598,38 @@ char **rxvt_environ; // startup environment void rxvt_init () { + uid_t uid = getuid (); + gid_t gid = getgid (); + + // before doing anything else, check for setuid/setgid operation, + // start the helper process and drop privileges + if (uid != geteuid () + || 1 //D + || gid != getegid ()) + { +#if PTYTTY_HELPER + rxvt_ptytty_server (); +#else + rxvt_warn ("running setuid/setgid without pty helper compiled in, continuing unprivileged.\n"); +#endif + + // drop privileges +#if HAVE_SETRESUID + setresgid (gid, gid, gid); + setresuid (uid, uid, uid); +#elif HAVE_SETREUID + setregid (gid, gid); + setreuid (uid, uid); +#elif HAVE_SETUID + setgid (gid); + setuid (uid); +#endif + + if (uid != geteuid () + || gid != getegid ()) + rxvt_fatal ("unable to drop privileges, aborting.\n"); + } + rxvt_environ = environ; /* diff --git a/src/ptytty.C b/src/ptytty.C index 9f4740d6..bfe3ae4c 100644 --- a/src/ptytty.C +++ b/src/ptytty.C @@ -74,9 +74,7 @@ get_pty (int *fd_tty, char **ttydev) #ifdef PTYS_ARE_OPENPTY char tty_name[sizeof "/dev/pts/????\0"]; - rxvt_privileges(RESTORE); int res = openpty (&pfd, fd_tty, tty_name, NULL, NULL); - rxvt_privileges(IGNORE); if (res != -1) { @@ -346,8 +344,6 @@ rxvt_ptytty_unix::privileges (rxvt_privaction action) if (!name || !*name) return; - rxvt_privileges (RESTORE); - if (action == SAVE) { # ifndef RESET_TTY_TO_COMMON_DEFAULTS @@ -379,8 +375,6 @@ rxvt_ptytty_unix::privileges (rxvt_privaction action) # endif } - - rxvt_privileges (IGNORE); } #endif @@ -463,7 +457,6 @@ struct rxvt_ptytty_proxy : zero_initialized, rxvt_ptytty { rxvt_ptytty *id; - rxvt_ptytty_proxy (); ~rxvt_ptytty_proxy (); bool get (); @@ -551,7 +544,6 @@ void serve () cmd.hostname[sizeof (cmd.hostname) - 1] = 0; cmd.id->login (cmd.cmd_pid, cmd.login_shell, cmd.hostname); } - else printf ("xxx hiya login no match %p\n", cmd.id); } else if (cmd.type == command::destroy) { @@ -562,7 +554,6 @@ void serve () ptys.erase (pty); delete *pty; } - else printf ("xxx hiya destroy no match %p\n", cmd.id); } else break; @@ -594,13 +585,15 @@ void rxvt_ptytty_server () } else { + setgid (getegid ()); + setuid (geteuid ()); + // server, pty-helper sock_fd = sv[1]; - close (sv[0]);//D -// for (int fd = 0; fd < 1023; fd++) -// if (fd != sock_fd) -// close (fd); + for (int fd = 0; fd < 1023; fd++) + if (fd != sock_fd) + close (fd); serve (); _exit (EXIT_SUCCESS); @@ -614,10 +607,8 @@ rxvt_new_ptytty () { #if PTYTTY_HELPER if (pid > 0) - { - // use helper process - return new rxvt_ptytty_proxy; - } + // use helper process + return new rxvt_ptytty_proxy; else #endif return new rxvt_ptytty_unix; diff --git a/src/rxvtd.C b/src/rxvtd.C index b79c70f8..f55ce910 100644 --- a/src/rxvtd.C +++ b/src/rxvtd.C @@ -224,6 +224,8 @@ int opt_fork, opt_opendisplay, opt_quiet; int main (int argc, const char *const *argv) { + rxvt_init (); + for (int i = 1; i < argc; i++) { if (!strcmp (argv [i], "-f") || !strcmp (argv [i], "--fork")) @@ -239,8 +241,6 @@ main (int argc, const char *const *argv) } } - rxvt_init (); - chdir ("/"); if (opt_opendisplay) -- 2.34.1