snow/dockapps
1
0
Fork 0
Code Issues Releases Activity

wmload: Incorporate changes from asload-0.9.4.

Browse source 
Obtained from [1].

[1] http://tigr.net/afterstep/download/asload/asload-0.9.4.tar.gz
This commit is contained in:
Doug Torrance 2015-04-07 02:45:17 -05:00 committed by Carlos R. Mafra
parent eec170c034
commit d5e87688a3
2 changed files with 69 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
wmload/ChangeLog
View file

@ -1,3 +1,10 @@
VERSION: 0.9.4
RELEASE DATE: 09 March 2000 by albert@tigr.net
Fixed the security bug. The program now forks
and the child drops privileges before executing
an external command.
VERSION: 0.9.3 VERSION: 0.9.3
RELEASE DATE: 03 March 2000 (sashav@sprintmail.com) RELEASE DATE: 03 March 2000 (sashav@sprintmail.com)
-added range check for values. It seems that on 2.3 kernels -added range check for values. It seems that on 2.3 kernels

66
wmload/wmload.c
View file

@ -1,8 +1,10 @@
#include <ctype.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h>
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
#include <stdlib.h>
#include <ctype.h>
#include <errno.h>
#include <X11/Xlib.h> #include <X11/Xlib.h>
#include <X11/xpm.h> #include <X11/xpm.h>
#include <X11/extensions/shape.h> #include <X11/extensions/shape.h>
@ -17,7 +19,7 @@
#define major_VER 0 #define major_VER 0
#define minor_VER 9 #define minor_VER 9
#define patch_VER 3 #define patch_VER 4
#define MW_EVENTS (ExposureMask | ButtonPressMask | StructureNotifyMask) #define MW_EVENTS (ExposureMask | ButtonPressMask | StructureNotifyMask)
#define FALSE 0 #define FALSE 0
#define Shape(num) (ONLYSHAPE ? num-5 : num) #define Shape(num) (ONLYSHAPE ? num-5 : num)
@ -93,6 +95,62 @@ void usage()
exit(1); exit(1);
} }
/*
* Copied from ascpu - albert@tigr.net - 09 Mar 2000
*
* This function executes an external command while
* checking whether we should drop the privileges.
*
* Since we might need privileges later we fork and
* then drop privileges in one of the instances which
* will then execute the command and die.
*
* This fixes the security hole for FreeBSD and AIX
* where this program needs privileges to access
* the system information.
*/
void ExecuteExternal()
{
uid_t ruid, euid;
int pid;
#ifdef DEBUG
printf("asload: system(%s)\n",Execute);
#endif
if( ! Execute ) {
return;
}
ruid = getuid();
euid = geteuid();
if ( ruid == euid ) {
system( Execute );
return;
}
pid = fork();
if ( pid == -1 ) {
printf("asload : fork() failed (%s), command not executed",
strerror(errno));
return;
}
if ( pid != 0 ) {
/* parent process simply waits for the child and continues */
if ( waitpid(pid, 0, 0) == -1 ) {
printf("asload : waitpid() for child failed (%s)",
strerror(errno));
}
return;
}
/*
* child process drops the privileges
* executes the command and dies
*/
if ( setuid(ruid) ) {
printf("asload : setuid failed (%s), command not executed",
strerror(errno));
exit(127);
}
system( Execute );
exit(0);
}
int main(int argc,char *argv[]) int main(int argc,char *argv[])
{ {
int i; int i;
@ -262,7 +320,7 @@ int main(int argc,char *argv[])
RedrawWindow(&visible); RedrawWindow(&visible);
break; break;
case ButtonPress: case ButtonPress:
system(Execute); ExecuteExternal();
break; break;
case ClientMessage: case ClientMessage:
if ((Event.xclient.format != 32) || if ((Event.xclient.format != 32) ||