[14402] in bugtraq
Re: gpm-root
daemon@ATHENA.MIT.EDU (Koblinger Egmont)
Fri Mar 24 02:52:54 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0003231428110.13143-100000@csibe.fazekas.hu>
Date: Thu, 23 Mar 2000 14:45:15 +0100
Reply-To: Koblinger Egmont <egmont@FAZEKAS.HU>
From: Koblinger Egmont <egmont@FAZEKAS.HU>
X-To: ADAM Sulmicki <adam@cfar.umd.edu>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.21.0003221831440.14564-100000@chia.umiacs.umd.edu>
I sent them the bug report and the patch several times even before the
1.18.x releases. Okay, I didn't read the README of 1.19, I just thought
it was time to tell the world not to install gpm-root, because the authors
simply ignored this security problem. Okay, you're right, I'm sending the patch
at the end of this message.
bye
Egmont
> Well, if you would check the README in the 1.19.0 version, you would notice
> the following fragment:
>
> =========== MAINTAINANCE
> As of 1.19.0, gpm is officially unmaintained. I can't do it any more,
> and nobody expressed interest in it.
>
> So I don't think it is fair to blame someone who spent a great deal of
> their time doing gpm and has just quit it. Instead of blaming them
> how about making up a patch and telling everybody "here's a patch
> which fixes this problem".
diff -u -r -N ../gpm-1.19.0.orig/doc/doc.gpm ./doc/doc.gpm
--- ../gpm-1.19.0.orig/doc/doc.gpm Mon Feb 7 23:34:00 2000
+++ ./doc/doc.gpm Thu Mar 23 14:37:43 2000
@@ -1969,6 +1969,12 @@
be broken by this daemon. Things should be sufficiently secure, but
if you find a hole please tell me about it.
+@item -r
+ Always run commands as root instead of the user who owns the tty.
+ Implies -u. This is useful for those system administrators who
+ put menu entries to reboot or halt the system, start or stop
+ xdm, change keyboard layout etc.
+
@item -D
Do not automatically enter background operation when started,
and log messages to the standard error stream, not the syslog
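Review bot: The new `@item -r` entry says "Implies -u" without giving the reason. Add a sentence stating that user configuration files are disabled under -r because the commands in their menu entries would otherwise be executed as root, so that an administrator reading the manual understands the two options must not be separated.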
diff -u -r -N ../gpm-1.19.0.orig/gpm-root.y ./gpm-root.y
--- ../gpm-1.19.0.orig/gpm-root.y Thu Oct 7 20:15:18 1999
+++ ./gpm-root.y Thu Mar 23 14:37:43 2000
@@ -41,6 +41,7 @@
#include <sys/syslog.h>
#include <signal.h> /* sigaction() */
#include <pwd.h> /* pwd entries */
+#include <grp.h> /* initgroups() */
#include <sys/kd.h> /* KDGETMODE */
#include <sys/stat.h> /* fstat() */
#include <sys/utsname.h> /* uname() */
@@ -117,6 +118,7 @@
int opt_mod = 4; /* control */
int opt_buf = 0; /* ask the kernel about it */
int opt_user = 1; /* allow user cfg files */
+int opt_root = 0; /* run everything as root */
@@ -447,6 +449,7 @@
void f__fix(struct passwd *pass)
{
setgid(pass->pw_gid);
+ initgroups(pass->pw_name, pass->pw_gid);
setuid(pass->pw_uid);
setenv("HOME", pass->pw_dir, 1);
setenv("LOGNAME", pass->pw_name,1);
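Review bot: In f__fix() the return values of `setgid()`, `initgroups()` and `setuid()` are all ignored, so if any of them fails the menu command goes on to run with whatever credentials the process still holds. Check each call and exit the child on failure, for example `if (setuid(pass->pw_uid) != 0) exit(1);`, and do the same for the two group calls. The order used here (gid, supplementary groups, then uid) is the right one, since the group calls need the privilege that setuid() gives up.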
@@ -539,7 +542,7 @@
return 1;
case 0:
- setuid(uid);
+ if (opt_root) uid=0;
pass=getpwuid(uid);
if (!pass) exit(1);
f__fix(pass);
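Review bot: At `if (!pass) exit(1);` the child exits without logging anything when getpwuid() finds no entry for the uid, which leaves a menu command that silently does nothing and is hard to diagnose; log the uid through syslog before exiting. With `setuid(uid)` removed from this spot, the entire privilege drop now rests on f__fix(), so its set*id calls need their return values checked.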
@@ -926,6 +929,7 @@
printf(" Valid options are\n"
" -m <number-or-name> modifier to use\n"
" -u inhibit user configuration files\n"
+ " -r run commands as root\n"
" -D don't auto-background and run as daemon\n"
" -V <verbosity-delta> increase amount of logged messages\n"
);
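Review bot: The usage line for `-r` omits that the option also disables user configuration files, which both the documentation entry and the option parser state. Wording such as "run commands as root (implies -u)" would keep the help output consistent with them.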
@@ -971,12 +975,13 @@
int opt;
gpm_log_daemon = 1;
- while ((opt = getopt(argc, argv,"m:uDV::")) != -1)
+ while ((opt = getopt(argc, argv,"m:urDV::")) != -1)
{
switch (opt)
{
case 'm': opt_mod=getmask(optarg, tableMod); break;
case 'u': opt_user=0; break;
+ case 'r': opt_root=1; opt_user=0; break;
case 'D': gpm_log_daemon = 0; break;
case 'V':
gpm_debug_level += (0 == optarg ? 1 : strtol(optarg, 0, 0));
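Review bot: `case 'r'` clears opt_user, and that assignment is what keeps user-supplied menu files from having their commands run as root, but nothing in the code says so. Add a comment on that line, and consider enforcing the rule once after the getopt loop (if opt_root is set, force opt_user to 0) so that a future option which re-enables user files cannot undo it depending on argument order.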