On NetBSD gives warning:
In file included from /usr/include/ctype.h:100,
from ../include/misc.h:174,
from ../os/access.c:96:
../os/access.c: In function ‘ResetHosts’:
../os/access.c:981:49: warning: array subscript has type ‘char’ [-Wchar-subscripts]
981 | lhostname[i] = tolower(ohostname[i]);
| ^
The symbol controls whether to include dix-config.h, and it's always set,
thus we don't need it (and dozens of ifdef's) anymore.
This commit only removes them from our own source files, where we can
guarantee that dix-config.h is present - leaving the (potentially exported)
headers untouched.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
struct hostent->h_addr_list is of type char**, not const char**.
GCC considers this an error when in C99 mode or later.
Signed-off-by: Joaquim Monteiro <joaquim.monteiro@protonmail.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1572>
he generic XaceHook() call isn't typesafe (und unnecessarily slow).
Better add an explicit function, just like we already have for others.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1556>
Conditional on ipv6 around including <arpa/inet.h> isn't necessary.
The only reason target not having it is win32, but it doesn't enable
SIOCGLIFCONF anyways.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1539>
DES isn't considered secure anymore for long time now, more and more platforms
dropping DES from their RPC implementations, and even the one where it came
from (Solaris) disabled it for a decade now. We have much better alternatives
(eg. passing creds via Unix socket for local connections, ssh tunneling,
MIT-MAGIC-COOKIE-1, ...), so it's unlikely anybody still really relying on it.
Therefore, sweep it out.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1453>
The xdmcp handling isn't really OS specific, and only few sites actually need
to call it, so at least it's prototypes are better off in some separate header.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1311>
The rpc authentication handling isn't really OS specific, and only few sites
actually need to call it, so at least it's prototypes are better off in some
separate header.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1311>
This provides a way to determine the pid of a peer connection on
systems like darwin that do not support getpeerucred() nor
SO_PEERCRED.
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
GetLocalClientCreds() was preferring getpeereid() above other implementations.
getpeereid(), however, only returns the effective uid and gid of the peer,
leaving the pid unset. When this happens, we are unable to use the pid to
determine the peer's command line arguments and incorrectly treat ssh-tunneled
traffic as local.
To address this, we now prioritize getpeerucred() or SO_PEERCRED as those two
implementations will return the pid in addition to uid and gid.
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
This helps on KAME-based systems which want to get rid of this hack.
The assumption is that if sin6_scope_id is set, then the interface index
is no longer embedded in the address.
Signed-off-by: Jeremie Courreges-Anglas <jca@wxcvbn.org>
Most (but not all) of these were found by using
codespell --builtin clear,rare,usage,informal,code,names
but not everything reported by that was fixed.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Don't reuse cmd for strtok output to ensure the proper pointer is
freed afterwards.
The code incorrectly assumed the pointer returned by strtok(cmd, ":")
would always point to cmd. However, strtok(str, sep) != str if str
begins with sep. This caused an invalid-free crash when running
a program under X with a name beginning with a colon.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=104123
Signed-off-by: Tomasz Śniatowski <kailoran@gmail.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
For link local addresses the XDMCP server would need to either know the
interface thru a scope identifier or try all available interfaces. If
they don't this address will fail in which case the XDMCP server could
still try the other addresses passed - however some only try the first
address and then give up.
Even if this seems to be the wrong place to fix this it seems to be
easier than fixing all display servers.
[ajax: Cleaned up commit message]
Reviewed-by: Adam Jackson <ajax@redhat.com>
By the time we get to ComputeLocalClient, we've already done
NextAvailableClient → ReserveClientIds → DetermineClientCmd (assuming
we're built with #define CLIENTIDS), so we can look up the name of the
client process and refuse to treat ssh's X forwarding as if it were
local.
v2: (Michel Dänzer)
* Only match "ssh" itself, not other executable names starting with
that prefix.
* Ignore executable path for the match.
v3: (Michel Dänzer)
* Use GetClientCmdName (Mark Kettenis)
* Perform check on Windows as well, but only ignore path on Cygwin
(Martin Peres, Emil Velikov, Jon Turney)
v4: (Michel Dänzer)
* Cut of any colon and whatever comes after it. (Adam Jackson)
* Add bugzilla reference.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93261
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Removed from xtrans in 2012, and never wired up in the modular build
anyway.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Globally replace #ifdef and #if defined usage of 'sun' with '__sun'
such that strict ISO compiler modes such as -ansi or -std=c99 can be used.
Signed-off-by: Richard PALO <richard@NetBSD.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
These extensions were accessing internal OS functions and
structures. Expose the necessary functionality to them and remove
their use of osdep.h
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Commit 4b4b9086 "os: support new implicit local user access mode [CVE-2015-3164
2/3]" carefully places the relevant code it adds under !NO_LOCAL_CLIENT_CRED,
but unfortunately doesn't notice that NO_LOCAL_CLIENT_CRED is defined as a
side-effect in the middle of GetLocalClientCreds(), so many of these checks
precede its definition.
Move the check if NO_LOCAL_CLIENT_CRED should be defined to configure.ac, so it
always occurs before it's first use.
v2:
Move check to configure.ac
v3:
Use AC_CACHE_CHECK and name cache varaible appropriately
[ajax: Massaged commit message]
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Ray Strode <rstrode@redhat.com>
If the X server is started without a '-auth' argument, then
it gets started wide open to all local users on the system.
This isn't a great default access model, but changing it in
Xorg at this point would break backward compatibility.
Xwayland, on the other hand is new, and much more targeted
in scope. It could, in theory, be changed to allow the much
more secure default of a "user who started X server can connect
clients to that server."
This commit paves the way for that change, by adding a mechanism
for DDXs to opt-in to that behavior. They merely need to call
LocalAccessScopeUser()
in their init functions.
A subsequent commit will add that call for Xwayland.
Signed-off-by: Ray Strode <rstrode@redhat.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This was reported on irc on Fedora when rawhide went to 1.17.1.
regression occured in: 2566835b43
os: Eliminate uninitialized value warnings from access.c
siAddrMatch doesn't need addr to be a useful value, it checks
some things like localuser without having an address at all.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
The ConvertAddr function doesn't reliably set the 'addr' return value,
and so callers are getting flagged for using potentially uninitialized
values. Initialize the value in the callers to NULL and then go ahead
and check for NULL values before using them.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
The comment lies, shm hasn't used this code since:
commit fdef7be5c8
Author: Alan Coopersmith <alan.coopersmith@sun.com>
Date: Tue Oct 9 18:44:04 2007 -0700
Sun bug 6589829: include zoneid of shm segment in access [...]
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Even though -Wcomment doesn't mind it (in gcc or clang), the appearance
of */* confuses the syntax highlighter of some editors (eg. vim), and
causes warnings in MSVC.
Signed-off-by: Peter Harris <pharris@opentext.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This lets us stop using the 'pointer' typedef in Xdefs.h as 'pointer'
is used throughout the X server for other things, and having duplicate
names generates compiler warnings.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
It is needed in IPv6 configurations (for inet_pton) also when
SIOCGIFCONF is not defined.
Signed-off-by: Pino Toscano <toscano.pino@tiscali.it>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Enrico Weigelt, metux IT consult
Joaquim Monteiro
Matthieu Herrb
Jan Beich
Alan Coopersmith
Jeremy Huddleston Sequoia
Jeremie Courreges-Anglas
Adam Jackson
Tomasz Śniatowski
Reinhard Max
Michel Dänzer
Richard PALO
Keith Packard
Jon TURNEY
Ray Strode
Dave Airlie
Peter Hutterer
Peter Harris
Pino Toscano