
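--- a/kinit/start_kdeinit.c
+++ b/kinit/start_kdeinit.c
@@ -37,9 +37,10 @@
  not have this protection, kdeinit will after forking send the new
  PID using the pipe and wait for a signal. This parent will reset the protection
  and SIGUSR1 the process to continue.
+ returns 1 if pid is valid
 */
 
-static void set_protection( pid_t pid, int enable )
+static int set_protection( pid_t pid, int enable )
 {
    char buf[ 1024 ];
    int procfile;
@@ -49,7 +50,7 @@ static void set_protection( pid_t pid, i
           belongs to this user. */
        struct stat st;
        if( lstat( buf, &st ) < 0 || st.st_uid != getuid())
-           return;
+           return 0;
    }
    procfile = open( buf, O_WRONLY );
    if( procfile >= 0 ) {
@@ -59,6 +60,7 @@ static void set_protection( pid_t pid, i
          write( procfile, "0", sizeof( "0" ));
       close( procfile );
    }
+   return 1;
 }
 
 int main(int argc, char **argv)
@@ -67,14 +69,14 @@ int main(int argc, char **argv)
    int new_argc;
    const char** new_argv;
    char helper_num[ 1024 ];
-   int i;
+   unsigned i;
    char** orig_environ = NULL;
    char header[ 7 ];
    if( pipe( pipes ) < 0 ) {
       perror( "pipe()" );
       return 1;
    }
-   if( argc > 1000 )
+   if( argc < 0 || argc > 1000 )
        abort(); /* paranoid */
    set_protection( getpid(), 1 );
    switch( fork()) {
@@ -82,29 +84,30 @@ int main(int argc, char **argv)
          perror( "fork()" );
          return 1;
       default: /* parent, drop privileges and exec */
-#if defined (HAVE_SETEUID) && !defined (HAVE_SETEUID_FAKE) 
-         seteuid(getuid());
-#else
-         setreuid(-1, getuid());
-#endif
-         if (geteuid() != getuid()) {
+         if (setgid(getgid())) {
+             perror("setgid()");
+             return 1;
+         }
+         if (setuid(getuid()) || geteuid() != getuid()) {
             perror("setuid()");
             return 1;
          }
          close( pipes[ 0 ] );
          /* read original environment passed by start_kdeinit_wrapper */
          if( read( 0, header, 7 ) == 7 && strncmp( header, "environ", 7 ) == 0 ) {
-             int count;
-             if( read( 0, &count, sizeof( int )) == sizeof( int )) {
+             unsigned count;
+             if( read( 0, &count, sizeof( unsigned )) == sizeof( unsigned )
+                 && count && count < (1<<16)) {
                  char** env = malloc(( count + 1 ) * sizeof( char* ));
                  int ok = 1;
                  for( i = 0;
                       i < count && ok;
                       ++i ) {
-                     int len;
-                     if( read( 0, &len, sizeof( int )) == sizeof( int )) {
+                     unsigned len;
+                     if( read( 0, &len, sizeof( unsigned )) == sizeof( unsigned )
+                         && len && len < (1<<12)) {
                          env[ i ] = malloc( len + 1 );
-                         if( read( 0, env[ i ], len ) == len ) {
+                         if( (unsigned) read( 0, env[ i ], len ) == len ) {
                              env[ i ][ len ] = '\0';
                          } else {
                              ok = 0;
@@ -128,7 +131,7 @@ int main(int argc, char **argv)
          sprintf( helper_num, "%d", pipes[ 1 ] );
          new_argv[ 2 ] = helper_num;
          for( i = 1;
-              i <= argc;
+              i <= (unsigned) argc;
               ++i )
              new_argv[ i + 2 ] = argv[ i ];
          if( orig_environ )
@@ -145,10 +148,10 @@ int main(int argc, char **argv)
             if( ret < 0 && errno == EINTR )
                continue;
             if( ret <= 0 ) /* pipe closed or error, exit */
-               return 0;
+               _exit(0);
             if( pid != 0 ) {
-                set_protection( pid, 0 );
-                kill( pid, SIGUSR1 );
+                if (set_protection( pid, 0 ))
+                    kill( pid, SIGUSR1 );
             }
          }
    }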
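Review bot: In the last hunk `kill( pid, SIGUSR1 )` is gated only on `set_protection( pid, 0 )`, and as far as the visible hunks show that function returns 1 on every path except the failed `lstat()` ownership test, including when `open()` of the proc file fails; the condition that encloses that test also starts outside the hunk. Because `pid` is read from the pipe and the only other filter is `pid != 0`, I would reject non-positive values explicitly instead of relying on the path lookup failing: `if( pid > 0 && set_protection( pid, 0 ))`. The ownership test and the later `kill()` both name the process by number, so a process that exits in between leaves a small check-to-use window. I would add a comment on `set_protection` noting that window, and stating that the return value reports the ownership check, not whether the write succeeded. The `write()` results in that function are still ignored, and the two `malloc()` calls in the environment-reading hunk are used without a NULL check.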
