(unknown charset) [PATCH] Ensure Polyphemus-Mitigation and properly drop privileges

From: (unknown charset) FRIGN <dev_AT_frign.de>
Date: Wed, 7 Sep 2016 13:32:29 +0200

Don't hide privilege drops inside readpw() and actually make it
configurable what you are dropping to in config.h.

The privilege drop comes after opening the Display because the
user "nobody" with "nogroup" can't do that.

So why do I call this strategy the Polyphemus-Mitigation?

"""
After the giant returns in the evening and eats two more of the men,
Odysseus offers Polyphemus some strong and undiluted wine given to him
earlier on his journey. Drunk and unwary, the giant asks Odysseus his
name, promising him a guest-gift if he answers. Odysseus tells him
"=CE=9F=E1=BD=96=CF=84=CE=B9=CF=82", which means "nobody" and Polyphemus pr=
omises to eat this
"Nobody" last of all. With that, he falls into a drunken sleep. Odysseus
had meanwhile hardened a wooden stake in the fire and now drives it into
Polyphemus' eye. When Polyphemus shouts for help from his fellow giants,
saying that "Nobody" has hurt him, they think Polyphemus is being
afflicted by divine power and recommend prayer as the answer.
"""

(source: https://en.wikipedia.org/wiki/Polyphemus)

---
 config.def.h |  4 ++++
 config.mk    |  2 +-
 slock.c      | 26 +++++++++++++++++++++-----
 3 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/config.def.h b/config.def.h
index eae2d9a..6fba2b6 100644
--- a/config.def.h
+++ b/config.def.h
_AT_@ -1,3 +1,7 @@
+/* user and group to drop privileges to */
+static const char *user  =3D "nobody";
+static const char *group =3D "nogroup";
+
 static const char *colorname[NUMCOLS] =3D {
 	"black",     /* after initialization */
 	"#005577",   /* during input */
diff --git a/config.mk b/config.mk
index 049305c..11357a7 100644
--- a/config.mk
+++ b/config.mk
_AT_@ -15,7 +15,7 @@ INCS =3D -I. -I/usr/include -I${X11INC}
 LIBS =3D -L/usr/lib -lc -lcrypt -L${X11LIB} -lX11 -lXext -lXrandr
=20
 # flags
-CPPFLAGS =3D -DVERSION=3D\"${VERSION}\" -DHAVE_SHADOW_H
+CPPFLAGS =3D -DVERSION=3D\"${VERSION}\" -D_DEFAULT_SOURCE -DHAVE_SHADOW_H
 CFLAGS =3D -std=3Dc99 -pedantic -Wall -Os ${INCS} ${CPPFLAGS}
 LDFLAGS =3D -s ${LIBS}
 COMPATSRC =3D explicit_bzero.c
diff --git a/slock.c b/slock.c
index da4b099..d297fb0 100644
--- a/slock.c
+++ b/slock.c
_AT_@ -6,6 +6,7 @@
=20
 #include <ctype.h>
 #include <errno.h>
+#include <grp.h>
 #include <pwd.h>
 #include <stdarg.h>
 #include <stdlib.h>
_AT_@ -83,7 +84,6 @@ dontkillme(void)
 }
 #endif
=20
-/* only run as root */
 static const char *
 getpw(void)
 {
_AT_@ -119,10 +119,6 @@ getpw(void)
 	}
 #endif /* HAVE_SHADOW_H */
=20
-	/* drop privileges */
-	if (geteuid() =3D=3D 0 &&
-	    ((getegid() !=3D pw->pw_gid && setgid(pw->pw_gid) < 0) || setuid(pw->=
pw_uid) < 0))
-		die("slock: cannot drop privileges\n");
 	return rval;
 }
=20
_AT_@ -316,6 +312,8 @@ usage(void)
=20
 int
 main(int argc, char **argv) {
+	struct passwd *pwd;
+	struct group *grp;
 	const char *pws;
 	Display *dpy;
 	int s, nlocks;
_AT_@ -328,6 +326,16 @@ main(int argc, char **argv) {
 		usage();
 	} ARGEND
=20
+	/* validate drop-user and -group */
+	errno =3D 0;
+	if (!(pwd =3D getpwnam(user)))
+		die("slock: getpwnam %s: %s\n", user, errno ?
+		    strerror(errno) : "user entry not found");
+	errno =3D 0;
+	if (!(grp =3D getgrnam(group)))
+		die("slock: getgrnam %s: %s\n", group, errno ?
+		    strerror(errno) : "group entry not found");
+
 #ifdef __linux__
 	dontkillme();
 #endif
_AT_@ -339,6 +347,14 @@ main(int argc, char **argv) {
 	if (!(dpy =3D XOpenDisplay(NULL)))
 		die("slock: cannot open display\n");
=20
+	/* drop privileges */
+	if (setgroups(0, NULL) < 0)
+		die("slock: setgroups: %s\n", strerror(errno));
+	if (setgid(grp->gr_gid) < 0)
+		die("slock: setgid: %s\n", strerror(errno));
+	if (setuid(pwd->pw_uid) < 0)
+		die("slock: setuid: %s\n", strerror(errno));
+
 	/* check for Xrandr support */
 	rr =3D XRRQueryExtension(dpy, &rrevbase, &rrerrbase);
=20
--=20
2.7.3

Received on Mon Sep 17 2001 - 00:00:00 CEST