Merge pull request #1218 from Hummer12007/suicaps

Terminate when both suid bit and filecaps are set
author: Drew DeVault <sir@cmpwn.com> 2017-05-11 12:48:30 -0400
committer: GitHub <noreply@github.com> 2017-05-11 12:48:30 -0400
commit: 6df0f9a7e4d41cdc56206d178e57eb141a0e3d8f (patch)
tree: ee9a1ffafa93162484829ca42f6f61a997ca0f90
parent: Mention Patreon in README.md (diff)
parent: Replace spaces with tabs in resolve_path (diff)
download: sway-6df0f9a7e4d41cdc56206d178e57eb141a0e3d8f.tar.gz
sway-6df0f9a7e4d41cdc56206d178e57eb141a0e3d8f.tar.zst
sway-6df0f9a7e4d41cdc56206d178e57eb141a0e3d8f.zip
2 files changed, 65 insertions, 41 deletions
diff --git a/common/util.c b/common/util.c
index a9e6a9c2..34bb5ec1 100644
--- a/common/util.c
+++ b/common/util.c
@@ -124,38 +124,38 @@ uint32_t parse_color(const char *color) {
 }
 char* resolve_path(const char* path) {
-    struct stat sb;
+        struct stat sb;
-    ssize_t r;
+        ssize_t r;
-    int i;
+        int i;
-    char *current = NULL;
+        char *current = NULL;
-    char *resolved = NULL;
+        char *resolved = NULL;
-    if(!(current = strdup(path))) {
+        if(!(current = strdup(path))) {
-           return NULL;
+                return NULL;
-    }
+        }
-    for (i = 0; i < 16; ++i) {
+        for (i = 0; i < 16; ++i) {
-        if (lstat(current, &sb) == -1) {
+                if (lstat(current, &sb) == -1) {
-           goto failed;
+                        goto failed;
-        }
+                }
-        if((sb.st_mode & S_IFMT) != S_IFLNK) {
+                if((sb.st_mode & S_IFMT) != S_IFLNK) {
-            return current;
+                        return current;
-        }
+                }
-        if (!(resolved = malloc(sb.st_size + 1))) {
+                if (!(resolved = malloc(sb.st_size + 1))) {
-           goto failed;
+                        goto failed;
-        }
+                }
-        r = readlink(current, resolved, sb.st_size);
+                r = readlink(current, resolved, sb.st_size);
-        if (r == -1 || r > sb.st_size) {
+                if (r == -1 || r > sb.st_size) {
-           goto failed;
+                        goto failed;
-        }
+                }
-        resolved[r] = '\0';
+                resolved[r] = '\0';
-        free(current);
+                free(current);
-        current = strdup(resolved);
+                current = strdup(resolved);
-        free(resolved);
+                free(resolved);
-        resolved = NULL;
+                resolved = NULL;
-    }
+        }
 failed:
-    free(resolved);
+        free(resolved);
-    free(current);
+        free(current);
-    return NULL;
+        return NULL;
-}
-\ No newline at end of file
+}
diff --git a/sway/main.c b/sway/main.c
index b9549b12..819788b1 100644
--- a/sway/main.c
+++ b/sway/main.c
@@ -27,6 +27,7 @@
 #include "stringop.h"
 #include "sway.h"
 #include "log.h"
+#include "util.h"
 static bool terminate_request = false;
 static int exit_value = 0;
@@ -209,6 +210,27 @@ static void security_sanity_check() {
 #endif
 }
+static void executable_sanity_check() {
+#ifdef __linux__
+                struct stat sb;
+                char *exe = realpath("/proc/self/exe", NULL);
+                stat(exe, &sb);
+                // We assume that cap_get_file returning NULL implies ENODATA
+                if (sb.st_mode & (S_ISUID|S_ISGID) && cap_get_file(exe)) {
+                        sway_log(L_ERROR,
+                                "sway executable has both the s(g)uid bit AND file caps set.");
+                        sway_log(L_ERROR,
+                                "This is strongly discouraged (and completely broken).");
+                        sway_log(L_ERROR,
+                                "Please clear one of them (either the suid bit, or the file caps).");
+                        sway_log(L_ERROR,
+                                "If unsure, strip the file caps.");
+                        exit(EXIT_FAILURE);
+                }
+                free(exe);
+#endif
+}
 int main(int argc, char **argv) {
        static int verbose = 0, debug = 0, validate = 0;
@@ -288,6 +310,15 @@ int main(int argc, char **argv) {
                }
        }
+        // we need to setup logging before wlc_init in case it fails.
+        if (debug) {
+                init_log(L_DEBUG);
+        } else if (verbose || validate) {
+                init_log(L_INFO);
+        } else {
+                init_log(L_ERROR);
+        }
        if (optind < argc) { // Behave as IPC client
                if(optind != 1) {
                        sway_log(L_ERROR, "Don't use options with the IPC client");
@@ -317,6 +348,7 @@ int main(int argc, char **argv) {
                return 0;
        }
+        executable_sanity_check();
 #ifdef __linux__
        bool suid = false;
        if (getuid() != geteuid() || getgid() != getegid()) {
@@ -329,14 +361,6 @@ int main(int argc, char **argv) {
        }
 #endif
-        // we need to setup logging before wlc_init in case it fails.
-        if (debug) {
-                init_log(L_DEBUG);
-        } else if (verbose || validate) {
-                init_log(L_INFO);
-        } else {
-                init_log(L_ERROR);
-        }
        wlc_log_set_handler(wlc_log_handler);
        log_kernel();
        log_distro();
author	Drew DeVault <sir@cmpwn.com>	2017-05-11 12:48:30 -0400
committer	GitHub <noreply@github.com>	2017-05-11 12:48:30 -0400
commit	6df0f9a7e4d41cdc56206d178e57eb141a0e3d8f (patch)
tree	ee9a1ffafa93162484829ca42f6f61a997ca0f90
parent	Mention Patreon in README.md (diff)
parent	Replace spaces with tabs in resolve_path (diff)
download	sway-6df0f9a7e4d41cdc56206d178e57eb141a0e3d8f.tar.gz sway-6df0f9a7e4d41cdc56206d178e57eb141a0e3d8f.tar.zst sway-6df0f9a7e4d41cdc56206d178e57eb141a0e3d8f.zip