[Pkg-wmaker-commits] [wmload] 17/58: wmload: Incorporate changes from asload-0.9.4.
Doug Torrance
dtorrance-guest at moszumanska.debian.org
Mon Aug 24 23:36:19 UTC 2015
This is an automated email from the git hooks/post-receive script.
dtorrance-guest pushed a commit to branch master
in repository wmload.
commit 697ccbae4efcb50787568befcdd2809ea0554850
Author: Doug Torrance <dtorrance at monmouthcollege.edu>
Date: Tue Apr 7 02:45:17 2015 -0500
wmload: Incorporate changes from asload-0.9.4.
Obtained from [1].
[1] http://tigr.net/afterstep/download/asload/asload-0.9.4.tar.gz
---
ChangeLog | 7 +++++++
wmload.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
2 files changed, 69 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 025865b..d2c36d9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+VERSION: 0.9.4
+RELEASE DATE: 09 March 2000 by albert at tigr.net
+
+ Fixed the security bug. The program now forks
+ and the child drops privileges before executing
+ an external command.
+
VERSION: 0.9.3
RELEASE DATE: 03 March 2000 (sashav at sprintmail.com)
-added range check for values. It seems that on 2.3 kernels
diff --git a/wmload.c b/wmload.c
index 78ee558..ad928e3 100644
--- a/wmload.c
+++ b/wmload.c
@@ -1,8 +1,10 @@
-#include <ctype.h>
#include <stdio.h>
-#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <errno.h>
+
#include <X11/Xlib.h>
#include <X11/xpm.h>
#include <X11/extensions/shape.h>
@@ -17,7 +19,7 @@
#define major_VER 0
#define minor_VER 9
-#define patch_VER 3
+#define patch_VER 4
#define MW_EVENTS (ExposureMask | ButtonPressMask | StructureNotifyMask)
#define FALSE 0
#define Shape(num) (ONLYSHAPE ? num-5 : num)
@@ -93,6 +95,62 @@ void usage()
exit(1);
}
+/*
+ * Copied from ascpu - albert at tigr.net - 09 Mar 2000
+ *
+ * This function executes an external command while
+ * checking whether we should drop the privileges.
+ *
+ * Since we might need privileges later we fork and
+ * then drop privileges in one of the instances which
+ * will then execute the command and die.
+ *
+ * This fixes the security hole for FreeBSD and AIX
+ * where this program needs privileges to access
+ * the system information.
+ */
+void ExecuteExternal()
+{
+ uid_t ruid, euid;
+ int pid;
+#ifdef DEBUG
+ printf("asload: system(%s)\n",Execute);
+#endif
+ if( ! Execute ) {
+ return;
+ }
+ ruid = getuid();
+ euid = geteuid();
+ if ( ruid == euid ) {
+ system( Execute );
+ return;
+ }
+ pid = fork();
+ if ( pid == -1 ) {
+ printf("asload : fork() failed (%s), command not executed",
+ strerror(errno));
+ return;
+ }
+ if ( pid != 0 ) {
+ /* parent process simply waits for the child and continues */
+ if ( waitpid(pid, 0, 0) == -1 ) {
+ printf("asload : waitpid() for child failed (%s)",
+ strerror(errno));
+ }
+ return;
+ }
+ /*
+ * child process drops the privileges
+ * executes the command and dies
+ */
+ if ( setuid(ruid) ) {
+ printf("asload : setuid failed (%s), command not executed",
+ strerror(errno));
+ exit(127);
+ }
+ system( Execute );
+ exit(0);
+}
int main(int argc,char *argv[])
{
int i;
@@ -262,7 +320,7 @@ int main(int argc,char *argv[])
RedrawWindow(&visible);
break;
case ButtonPress:
- system(Execute);
+ ExecuteExternal();
break;
case ClientMessage:
if ((Event.xclient.format != 32) ||
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-wmaker/wmload.git
More information about the Pkg-wmaker-commits
mailing list