From bc8b5dc1a82f43887b28c2eac44fba637f86e04d03136d4a9a4e1c4fd65d5847 Mon Sep 17 00:00:00 2001 From: Michal Srb Date: Fri, 12 Jun 2015 12:39:57 +0000 Subject: [PATCH] Accepting request 311799 from home:michalsrb:branches:X11:XOrg - U_os-support-new-implicit-local-user-access-mode.patch, U_xwayland-default-to-local-user-if-no-xauth-file-given.patch, U_xwayland-enable-access-control-on-open-socket.patch * Prevent unauthorized local access. (bnc#934102, CVE-2015-3164) OBS-URL: https://build.opensuse.org/request/show/311799 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=575 --- ...-new-implicit-local-user-access-mode.patch | 245 ++++++++++++++++++ ...to-local-user-if-no-xauth-file-given.patch | 32 +++ ...enable-access-control-on-open-socket.patch | 32 +++ xorg-x11-server.changes | 8 + xorg-x11-server.spec | 9 + 5 files changed, 326 insertions(+) create mode 100644 U_os-support-new-implicit-local-user-access-mode.patch create mode 100644 U_xwayland-default-to-local-user-if-no-xauth-file-given.patch create mode 100644 U_xwayland-enable-access-control-on-open-socket.patch diff --git a/U_os-support-new-implicit-local-user-access-mode.patch b/U_os-support-new-implicit-local-user-access-mode.patch new file mode 100644 index 0000000..e5667ef --- /dev/null +++ b/U_os-support-new-implicit-local-user-access-mode.patch 
@@ -0,0 +1,245 @@
+Subject: os: support new implicit local user access mode
+Author: Ray Strode
+Path-mainline: Upstream
+Git-commit: 4b4b9086d02b80549981d205fb1f495edc373538
+References: bnc#934102 CVE-2015-3164
+Signed-off-by: Michal Srb
+
+If the X server is started without a '-auth' argument, then
+it gets started wide open to all local users on the system.
+
+This isn't a great default access model, but changing it in
+Xorg at this point would break backward compatibility.
+
+Xwayland, on the other hand is new, and much more targeted
+in scope. It could, in theory, be changed to allow the much
+more secure default of a "user who started X server can connect
+clients to that server."
+
+This commit paves the way for that change, by adding a mechanism
+for DDXs to opt-in to that behavior. They merely need to call
+
+LocalAccessScopeUser()
+
+in their init functions.
+
+A subsequent commit will add that call for Xwayland.
+
+Signed-off-by: Ray Strode
+Reviewed-by: Daniel Stone
+Reviewed-by: Alan Coopersmith
+Signed-off-by: Keith Packard
+
+diff --git a/include/os.h b/include/os.h
+index 6638c84..b2b96c8 100644
+--- a/include/os.h
++++ b/include/os.h
+@@ -431,11 +431,28 @@ extern _X_EXPORT void
+ ResetHosts(const char *display);
+
+ extern _X_EXPORT void
++EnableLocalAccess(void);
++
++extern _X_EXPORT void
++DisableLocalAccess(void);
++
++extern _X_EXPORT void
+ EnableLocalHost(void);
+
+ extern _X_EXPORT void
+ DisableLocalHost(void);
+
++#ifndef NO_LOCAL_CLIENT_CRED
++extern _X_EXPORT void
++EnableLocalUser(void);
++
++extern _X_EXPORT void
++DisableLocalUser(void);
++
++extern _X_EXPORT void
++LocalAccessScopeUser(void);
++#endif
++
+ extern _X_EXPORT void
+ AccessUsingXdmcp(void);
+
+diff --git a/os/access.c b/os/access.c
+index 8fa028e..75e7a69 100644
+--- a/os/access.c
++++ b/os/access.c
+@@ -102,6 +102,10 @@ SOFTWARE.
+ #include
+ #include
+
++#ifndef NO_LOCAL_CLIENT_CRED
++#include
++#endif
++
+ #if defined(TCPCONN) || defined(STREAMSCONN)
+ #include
+ #endif /* TCPCONN || STREAMSCONN */
+@@ -225,6 +229,13 @@ static int LocalHostEnabled = FALSE;
+ static int LocalHostRequested = FALSE;
+ static int UsingXdmcp = FALSE;
+
++static enum {
++ LOCAL_ACCESS_SCOPE_HOST = 0,
++#ifndef NO_LOCAL_CLIENT_CRED
++ LOCAL_ACCESS_SCOPE_USER,
++#endif
++} LocalAccessScope;
++
+ /* FamilyServerInterpreted implementation */
+ static Bool siAddrMatch(int family, void *addr, int len, HOST * host,
+ ClientPtr client);
+@@ -237,6 +248,21 @@ static void siTypesInitialize(void);
+ */
+
+ void
++EnableLocalAccess(void)
++{
++ switch (LocalAccessScope) {
++ case LOCAL_ACCESS_SCOPE_HOST:
++ EnableLocalHost();
++ break;
++#ifndef NO_LOCAL_CLIENT_CRED
++ case LOCAL_ACCESS_SCOPE_USER:
++ EnableLocalUser();
++ break;
++#endif
++ }
++}
++
++void
+ EnableLocalHost(void)
+ {
+ if (!UsingXdmcp) {
+@@ -249,6 +275,21 @@ EnableLocalHost(void)
+ * called when authorization is enabled to keep us secure
+ */
+ void
++DisableLocalAccess(void)
++{
++ switch (LocalAccessScope) {
++ case LOCAL_ACCESS_SCOPE_HOST:
++ DisableLocalHost();
++ break;
++#ifndef NO_LOCAL_CLIENT_CRED
++ case LOCAL_ACCESS_SCOPE_USER:
++ DisableLocalUser();
++ break;
++#endif
++ }
++}
++
++void
+ DisableLocalHost(void)
+ {
+ HOST *self;
+@@ -262,6 +303,74 @@ DisableLocalHost(void)
+ }
+ }
+
++#ifndef NO_LOCAL_CLIENT_CRED
++static int GetLocalUserAddr(char **addr)
++{
++ static const char *type = "localuser";
++ static const char delimiter = '\0';
++ static const char *value;
++ struct passwd *pw;
++ int length = -1;
++
++ pw = getpwuid(getuid());
++
++ if (pw == NULL || pw->pw_name == NULL)
++ goto out;
++
++ value = pw->pw_name;
++
++ length = asprintf(addr, "%s%c%s", type, delimiter, value);
++
++ if (length == -1) {
++ goto out;
++ }
++
++ /* Trailing NUL */
++ length++;
++
++out:
++ return length;
++}
++
++void
++EnableLocalUser(void)
++{
++ char
*addr = NULL;
++ int length = -1;
++
++ length = GetLocalUserAddr(&addr);
++
++ if (length == -1)
++ return;
++
++ NewHost(FamilyServerInterpreted, addr, length, TRUE);
++
++ free(addr);
++}
++
++void
++DisableLocalUser(void)
++{
++ char *addr = NULL;
++ int length = -1;
++
++ length = GetLocalUserAddr(&addr);
++
++ if (length == -1)
++ return;
++
++ RemoveHost(NULL, FamilyServerInterpreted, length, addr);
++
++ free(addr);
++}
++
++void
++LocalAccessScopeUser(void)
++{
++ LocalAccessScope = LOCAL_ACCESS_SCOPE_USER;
++}
++#endif
++
+ /*
+ * called at init time when XDMCP will be used; xdmcp always
+ * adds local hosts manually when needed
+diff --git a/os/auth.c b/os/auth.c
+index 5fcb538..7da6fc6 100644
+--- a/os/auth.c
++++ b/os/auth.c
+@@ -181,11 +181,11 @@ CheckAuthorization(unsigned int name_length,
+
+ /*
+ * If the authorization file has at least one entry for this server,
+- * disable local host access. (loadauth > 0)
++ * disable local access. (loadauth > 0)
+ *
+ * If there are zero entries (either initially or when the
+ * authorization file is later reloaded), or if a valid
+- * authorization file was never loaded, enable local host access.
++ * authorization file was never loaded, enable local access.
+ * (loadauth == 0 || !loaded)
+ *
+ * If the authorization file was loaded initially (with valid
+@@ -194,11 +194,11 @@ CheckAuthorization(unsigned int name_length,
+ */
+
+ if (loadauth > 0) {
+- DisableLocalHost(); /* got at least one */
++ DisableLocalAccess(); /* got at least one */
+ loaded = TRUE;
+ }
+ else if (loadauth == 0 || !loaded)
+- EnableLocalHost();
++ EnableLocalAccess();
+ }
+ if (name_length) {
+ for (i = 0; i < NUM_AUTHORIZATION; i++) {
diff --git a/U_xwayland-default-to-local-user-if-no-xauth-file-given.patch b/U_xwayland-default-to-local-user-if-no-xauth-file-given.patch
new file mode 100644
index 0000000..11e7b12
--- /dev/null
+++ b/U_xwayland-default-to-local-user-if-no-xauth-file-given.patch
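Review bot: EnableLocalAccess() and DisableLocalAccess() in os/access.c each read LocalAccessScope at call time, so the pair only stays matched if LocalAccessScopeUser() runs before the first EnableLocalAccess(), and nothing in the new code documents or enforces that ordering. If a DDX switched scope after the host-wide entry had already been added, DisableLocalAccess() would take the LOCAL_ACCESS_SCOPE_USER branch and never call DisableLocalHost(), presumably leaving the server open to every local user even once an authorization file is loaded. I would put the requirement on the setter, for example `/* Call once during DDX init, before the first authorization check; changing scope after EnableLocalAccess() has run leaves the earlier entry in place. */`. EnableLocalUser() and DisableLocalUser() also return silently when GetLocalUserAddr() fails, so a log message on that path would make an unexpectedly unchanged access list diagnosable.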
@@ -0,0 +1,32 @@
+Subject: xwayland: default to local user if no xauth file given.
+Author: Ray Strode
+Path-mainline: Upstream
+Git-commit: 76636ac12f2d1dbdf7be08222f80e7505d53c451
+References: bnc#934102 CVE-2015-3164
+Signed-off-by: Michal Srb
+
+Right now if "-auth" isn't passed on the command line, we let
+any user on the system connect to the Xwayland server.
+
+That's clearly suboptimal, given Xwayland is generally designed
+to be used by one user at a time.
+
+This commit changes the behavior, so only the user who started the
+X server can connect clients to it.
+
+Signed-off-by: Ray Strode
+Reviewed-by: Daniel Stone
+Reviewed-by: Alan Coopersmith
+Signed-off-by: Keith Packard
+
+diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
+index c5bee77..bc92beb 100644
+--- a/hw/xwayland/xwayland.c
++++ b/hw/xwayland/xwayland.c
+@@ -702,4 +702,6 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv)
+ if (AddScreen(xwl_screen_init, argc, argv) == -1) {
+ FatalError("Couldn't add screen\n");
+ }
++
++ LocalAccessScopeUser();
+ }
diff --git a/U_xwayland-enable-access-control-on-open-socket.patch b/U_xwayland-enable-access-control-on-open-socket.patch
new file mode 100644
index 0000000..15b7101
--- /dev/null
+++ b/U_xwayland-enable-access-control-on-open-socket.patch
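Review bot: The added `LocalAccessScopeUser();` call at the end of InitOutput() in hw/xwayland/xwayland.c is unconditional, while the include/os.h hunk of the companion patch declares that function only under `#ifndef NO_LOCAL_CLIENT_CRED`. On a platform that defines NO_LOCAL_CLIENT_CRED the call would have no prototype or definition, so the build would be expected to fail or fall back to an implicit declaration. Wrapping it as `#ifndef NO_LOCAL_CLIENT_CRED`, `LocalAccessScopeUser();`, `#endif` keeps such builds working, but they would then silently keep the host-wide default, so a comment next to the guard should say so. InitOutput() begins outside the hunk.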
@@ -0,0 +1,32 @@
+Subject: xwayland: Enable access control on open sockets
+Author: Ray Strode
+Path-mainline: Upstream
+Git-commit: c4534a38b68aa07fb82318040dc8154fb48a9588
+References: bnc#934102 CVE-2015-3164
+Signed-off-by: Michal Srb
+
+Xwayland currently allows wide-open access to the X sockets
+it listens on, ignoring Xauth access control.
+
+This commit makes sure to enable access control on the sockets,
+so one user can't snoop on another user's X-over-wayland
+applications.
+
+Signed-off-by: Ray Strode
+Reviewed-by: Daniel Stone
+Reviewed-by: Alan Coopersmith
+Signed-off-by: Keith Packard
+
+diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
+index 7e8d667..c5bee77 100644
+--- a/hw/xwayland/xwayland.c
++++ b/hw/xwayland/xwayland.c
+@@ -483,7 +483,7 @@ listen_on_fds(struct xwl_screen *xwl_screen)
+ int i;
+
+ for (i = 0; i < xwl_screen->listen_fd_count; i++)
+- ListenOnOpenFD(xwl_screen->listen_fds[i], TRUE);
++ ListenOnOpenFD(xwl_screen->listen_fds[i], FALSE);
+ }
+
+ static void
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index f252fe9..3808f29 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Jun 12 11:58:43 UTC 2015 - msrb@suse.com
+
+- U_os-support-new-implicit-local-user-access-mode.patch,
+ U_xwayland-default-to-local-user-if-no-xauth-file-given.patch,
+ U_xwayland-enable-access-control-on-open-socket.patch
+ * Prevent unauthorized local access. (bnc#934102, CVE-2015-3164)
+
 -------------------------------------------------------------------
 Mon Jun 8 15:21:18 UTC 2015 - antoine.belvire@laposte.net
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index c3deb4a..99ccf54 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
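Review bot: The bare `FALSE` passed to ListenOnOpenFD() in listen_on_fds() carries the whole security fix but reads as an arbitrary flag; judging by the commit message, the second argument selects whether Xauth access control is skipped for that socket. A comment on the call would help the intent survive later edits, for example `/* FALSE: do not bypass access control on these fds */`. With this patch alone and no '-auth' file the server would presumably still fall back to host-wide local access, so the restriction to the starting user depends on the two companion patches listed in the spec file being applied as well. listen_on_fds() begins outside the hunk.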
@@ -168,6 +168,12 @@ Patch115: N_Force-swcursor-for-KMS-drivers-without-hw-cursor-sup.patch Patch116: U_os-XDMCP-options-like-query-etc-should-imply-listen.patch Patch117: xorg-x11-server-byte-order.patch Patch118: U_int10-Fix-error-check-for-pci_device_map_legacy.patch +# PATCH-FIX-UPSTREAM U_xwayland-enable-access-control-on-open-socket.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164 +Patch119: U_xwayland-enable-access-control-on-open-socket.patch +# PATCH-FIX-UPSTREAM U_os-support-new-implicit-local-user-access-mode.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164 +Patch120: U_os-support-new-implicit-local-user-access-mode.patch +# PATCH-FIX-UPSTREAM U_xwayland-default-to-local-user-if-no-xauth-file-given.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164 +Patch121: U_xwayland-default-to-local-user-if-no-xauth-file-given.patch Patch1000: n_xserver-optimus-autoconfig-hack.patch @@ -265,6 +271,9 @@ cp %{SOURCE90} . %patch116 -p1 %patch117 -p1 %patch118 -p1 +%patch119 -p1 +%patch120 -p1 +%patch121 -p1 %patch1000 -p1