NOTE: This is a resent patch (patchwork...) Fixes bnc#584223, which is a security issue noted on CVE-2010-0436. It is referenced here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0436 --- --- kdebase-3.5.10/kdm/backend/ctrl.c.sav 2010-03-23 13:22:28.000000000 +0100 +++ kdebase-3.5.10/kdm/backend/ctrl.c 2010-03-23 14:21:48.619350322 +0100 @@ -78,7 +78,25 @@ nukeSock( struct cmdsock *cs ) } +#ifdef HONORS_SOCKET_PERMS static CtrlRec ctrl = { 0, 0, -1, 0, 0, { -1, 0, 0 } }; +#else +static CtrlRec ctrl = { 0, 0, 0, -1, 0, 0, { -1, 0, 0 } }; + +static int mkTempDir( char *dir ) +{ + int i, l = strlen( dir ) - 6; + + for (i = 0; i < 100; i++) { + randomStr( dir + l ); + if (!mkdir( dir, 0700 )) + return True; + if (errno != EEXIST) + break; + } + return False; +} +#endif void openCtrl( struct display *d ) @@ -140,22 +158,50 @@ openCtrl( struct display *d ) if (strlen( cr->path ) >= sizeof(sa.sun_path)) LogError( "path %\"s too long; no control sockets will be available\n", cr->path ); - else if (mkdir( sockdir, 0755 ) && errno != EEXIST) +#ifdef HONORS_SOCKET_PERMS + else if (mkdir( sockdir, 0700 ) && errno != EEXIST) LogError( "mkdir %\"s failed; no control sockets will be available\n", sockdir ); + else if (unlink( cr->path ) && errno != ENOENT) + LogError( "unlink %\"s failed: %m; control socket will not be available\n", + cr->path ); else { - if (!d) - chown( sockdir, -1, fifoGroup ); +#else + else if (unlink( sockdir ) && errno != ENOENT) + LogError( "unlink %\"s failed: %m; control socket will not be available\n", + sockdir ); + else if (!strApp( &cr->realdir, sockdir, "-XXXXXX", (char *)0)) + ; + else if (!mkTempDir( cr->realdir )) { + LogError( "mkdir %\"s failed: %m; control socket will not be available\n", + cr->realdir ); + free( cr->realdir ); + cr->realdir = 0; + } else if (symlink( cr->realdir, sockdir )) { + LogError( "symlink %\"s => %\"s failed: %m; control socket will not be available\n", + sockdir, cr->realdir ); + rmdir( cr->realdir ); + free( cr->realdir ); + cr->realdir = 0; + } else { + chown( sockdir, 0, d ? 0 : fifoGroup ); chmod( sockdir, 0750 ); +#endif if ((cr->fd = socket( PF_UNIX, SOCK_STREAM, 0 )) < 0) LogError( "Cannot create control socket\n" ); else { - unlink( cr->path ); sa.sun_family = AF_UNIX; strcpy( sa.sun_path, cr->path ); if (!bind( cr->fd, (struct sockaddr *)&sa, sizeof(sa) )) { if (!listen( cr->fd, 5 )) { +#ifdef HONORS_SOCKET_PERMS + chmod( cr->path, 0660 ); + if (!d) + chown( cr->path, -1, fifoGroup ); + chmod( sockdir, 0755 ); +#else chmod( cr->path, 0666 ); +#endif RegisterCloseOnFork( cr->fd ); RegisterInput( cr->fd ); free( sockdir ); @@ -170,6 +216,14 @@ openCtrl( struct display *d ) close( cr->fd ); cr->fd = -1; } +#ifdef HONORS_SOCKET_PERMS + rmdir( sockdir ); +#else + unlink( sockdir ); + rmdir( cr->realdir ); + free( cr->realdir ); + cr->realdir = 0; +#endif } free( cr->path ); cr->path = 0; @@ -190,7 +244,14 @@ closeCtrl( struct display *d ) cr->fd = -1; unlink( cr->path ); *strrchr( cr->path, '/' ) = 0; +#ifdef HONORS_SOCKET_PERMS rmdir( cr->path ); +#else + unlink( cr->path ); + rmdir( cr->realdir ); + free( cr->realdir ); + cr->realdir = 0; +#endif free( cr->path ); cr->path = 0; while (cr->css) { @@ -218,12 +279,12 @@ chownCtrl( CtrlRec *cr, int uid ) { if (cr->fpath) chown( cr->fpath, uid, -1 ); - if (cr->path) { - char *ptr = strrchr( cr->path, '/' ); - *ptr = 0; + if (cr->path) +#ifdef HONORS_SOCKET_PERMS chown( cr->path, uid, -1 ); - *ptr = '/'; - } +#else + chown( cr->realdir, uid, -1 ); +#endif } void --- kdebase-3.5.10/kdm/backend/dm.h.sav 2010-03-23 13:22:28.401354858 +0100 +++ kdebase-3.5.10/kdm/backend/dm.h 2010-03-23 13:28:24.843351116 +0100 @@ -218,6 +218,9 @@ typedef struct { struct cmdsock *css; /* open connections */ char *path; /* filename of the socket */ +#ifndef HONORS_SOCKET_PERMS + char *realdir; /* real dirname of the socket */ +#endif int fd; /* fd of the socket */ int gid; /* owner group of the socket */ --- kdebase-3.5.10/config.h.in.sav 2008-08-20 18:00:23.000000000 +0200 +++ kdebase-3.5.10/config.h.in 2010-03-23 13:36:38.913475918 +0100 @@ -739,6 +739,9 @@ /* Defined if your system has XRandR support */ #undef XRANDR_SUPPORT +/* Define to 1 if OS honors permission bits on socket inodes */ +#undef HONORS_SOCKET_PERMS + /* * jpeg.h needs HAVE_BOOLEAN, when the system uses boolean in system * headers and I'm too lazy to write a configure test as long as only --- kdebase-3.5.10/configure.in.in.sav 2006-07-22 10:15:55.000000000 +0200 +++ kdebase-3.5.10/configure.in.in 2010-03-23 13:51:24.504477535 +0100 @@ -274,3 +274,31 @@ AC_SUBST(LIBART_RPATH) AC_ARG_WITH([composite], AC_HELP_STRING([--without-composite], [Disable Xcomposite support (default: check)]) ) +AC_TRY_RUN([ +#include <sys/socket.h> +#include <sys/un.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <string.h> +#include <unistd.h> +#include <errno.h> +int main() +{ + int fd, fd2; + struct sockaddr_un sa; + + if ((fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) + return 2; + sa.sun_family = AF_UNIX; + strcpy(sa.sun_path, "testsock"); + unlink(sa.sun_path); + if (bind(fd, (struct sockaddr *)&sa, sizeof(sa))) + return 2; + chmod(sa.sun_path, 0); + setuid(getuid() + 1000); + if ((fd2 = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) + return 2; + connect(fd2, (struct sockaddr *)&sa, sizeof(sa)); + return errno != EACCES; +} +], AC_DEFINE_UNQUOTED(HONORS_SOCKET_PERMS, 1, [Define to 1 if OS honors permission bits on socket inodes]))