[PATCH weston] weston-launch: Let the user use her real shell

2014-03-06 Thread Quentin Glidic
From: Quentin Glidic sardemff7+...@sardemff7.net

Signed-off-by: Quentin Glidic sardemff7+...@sardemff7.net
---

This patch restores the old behaviour if the user wants to. This keeps
/bin/sh around for shells that do not understand -c weston \$@\.

 src/weston-launch.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/weston-launch.c b/src/weston-launch.c
index 56e22b1..fd04552 100644
--- a/src/weston-launch.c
+++ b/src/weston-launch.c
@@ -103,6 +103,7 @@ struct weston_launch {
 
pid_t child;
int verbose;
+   int user_shell;
char *new_user;
 };
 
@@ -644,7 +645,7 @@ launch_compositor(struct weston_launch *wl, int argc, char 
*argv[])
sigaddset(mask, SIGINT);
sigprocmask(SIG_UNBLOCK, mask, NULL);
 
-   child_argv[0] = /bin/sh;
+   child_argv[0] = wl-user_shell ? wl-pw-pw_shell : /bin/sh;
child_argv[1] = -l;
child_argv[2] = -c;
child_argv[3] = BINDIR /weston \$@\;
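Review bot: `wl->pw->pw_shell` is used as the exec target on the `child_argv[0]` line without checking that it is non-empty or usable as a shell; a passwd entry with a blank shell field yields `""`, and a locked account's nologin-style shell (or any shell that rejects the `-l`/`-c` arguments the next lines pass) makes the launch fail with no hint why. Prefer falling back to `/bin/sh` when the field is empty, `const char *shell = (wl->user_shell && wl->pw->pw_shell && wl->pw->pw_shell[0]) ? wl->pw->pw_shell : "/bin/sh";`, and logging the chosen shell in verbose mode so a failed exec is diagnosable. Where `wl->pw` is filled (and whether it is the entry of `new_user` or of the invoking user) is outside this hunk, as is the exec call that consumes `child_argv`; a one-line comment above the assignment naming that source would help, since the thread's intent is the passwd login shell rather than `$SHELL`. launch_compositor's body starts and ends outside the hunk.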
@@ -663,6 +664,7 @@ help(const char *name)
fprintf(stderr, Usage: %s [args...] [-- [weston args..]]\n, name);
fprintf(stderr,   -u, --user  Start session as specified 
username\n);
fprintf(stderr,   -t, --tty   Start session on alternative tty\n);
+   fprintf(stderr,   -s, --shell Use the user shell instead of 
/bin/sh to run weston\n);
fprintf(stderr,   -v, --verbose   Be verbose\n);
fprintf(stderr,   -h, --help  Display this help message\n);
 }
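Review bot: The new `--shell` help line says "the user shell" but not where that shell comes from or what it must support, so a reader cannot tell whether `$SHELL` or the passwd login shell is used, nor that it has to accept the `-l` and `-c` arguments weston-launch passes. Suggest `"  -s, --shell     Run weston through the login shell from the passwd entry (must accept -l and -c) instead of /bin/sh\n"`. help() starts outside the hunk.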
@@ -676,6 +678,7 @@ main(int argc, char *argv[])
struct option opts[] = {
{ user,required_argument, NULL, 'u' },
{ tty, required_argument, NULL, 't' },
+   { shell,   no_argument,   NULL, 's' },
{ verbose, no_argument,   NULL, 'v' },
{ help,no_argument,   NULL, 'h' },
{ 0, 0, NULL,  0  }
@@ -683,7 +686,7 @@ main(int argc, char *argv[])
 
memset(wl, 0, sizeof wl);
 
-   while ((c = getopt_long(argc, argv, u:t::vh, opts, i)) != -1) {
+   while ((c = getopt_long(argc, argv, u:t::svh, opts, i)) != -1) {
switch (c) {
case 'u':
wl.new_user = optarg;
@@ -693,6 +696,9 @@ main(int argc, char *argv[])
case 't':
tty = optarg;
break;
+   case 's':
+   wl.user_shell = 1;
+   break;
case 'v':
wl.verbose = 1;
break;
-- 
1.9.0



Re: [PATCH weston] weston-launch: Let the user use her real shell

2014-03-06 Thread Jason Ekstrand
Where is the shell coming from?  If it's the shell specified in /etc/passwd
and if we can guarantee that it doesn't read ~/.profile or similar, then
it's ok.  However, if this is the case, then how is it useful to run with
the user's shell?

If it is the shell from $SHELL or if it reads ~/.profile and friends, then
we have just leaked drm/evdev fd's to the entire system and that's bad.  If
the caller can specify a shell or specify the environment in which the
shell runs, then a malicious program can modify this stuff too, run
weston-launch, and get access to protected stuff.  Please double-check this.
--Jason Ekstrand
On Mar 6, 2014 8:03 AM, Quentin Glidic sardemff7+wayl...@sardemff7.net
wrote:

 From: Quentin Glidic sardemff7+...@sardemff7.net

 Signed-off-by: Quentin Glidic sardemff7+...@sardemff7.net
 ---

 This patch restores the old behaviour if the user wants to. This keeps
 /bin/sh around for shells that do not understand -c weston \$@\.

  src/weston-launch.c | 10 --
  1 file changed, 8 insertions(+), 2 deletions(-)

 diff --git a/src/weston-launch.c b/src/weston-launch.c
 index 56e22b1..fd04552 100644
 --- a/src/weston-launch.c
 +++ b/src/weston-launch.c
 @@ -103,6 +103,7 @@ struct weston_launch {

 pid_t child;
 int verbose;
 +   int user_shell;
 char *new_user;
  };

 @@ -644,7 +645,7 @@ launch_compositor(struct weston_launch *wl, int argc,
 char *argv[])
 sigaddset(mask, SIGINT);
 sigprocmask(SIG_UNBLOCK, mask, NULL);

 -   child_argv[0] = /bin/sh;
 +   child_argv[0] = wl-user_shell ? wl-pw-pw_shell : /bin/sh;
 child_argv[1] = -l;
 child_argv[2] = -c;
 child_argv[3] = BINDIR /weston \$@\;
 @@ -663,6 +664,7 @@ help(const char *name)
 fprintf(stderr, Usage: %s [args...] [-- [weston args..]]\n,
 name);
 fprintf(stderr,   -u, --user  Start session as specified
 username\n);
 fprintf(stderr,   -t, --tty   Start session on alternative
 tty\n);
 +   fprintf(stderr,   -s, --shell Use the user shell instead of
 /bin/sh to run weston\n);
 fprintf(stderr,   -v, --verbose   Be verbose\n);
 fprintf(stderr,   -h, --help  Display this help message\n);
  }
 @@ -676,6 +678,7 @@ main(int argc, char *argv[])
 struct option opts[] = {
 { user,required_argument, NULL, 'u' },
 { tty, required_argument, NULL, 't' },
 +   { shell,   no_argument,   NULL, 's' },
 { verbose, no_argument,   NULL, 'v' },
 { help,no_argument,   NULL, 'h' },
 { 0, 0, NULL,  0  }
 @@ -683,7 +686,7 @@ main(int argc, char *argv[])

 memset(wl, 0, sizeof wl);

 -   while ((c = getopt_long(argc, argv, u:t::vh, opts, i)) != -1) {
 +   while ((c = getopt_long(argc, argv, u:t::svh, opts, i)) != -1) {
 switch (c) {
 case 'u':
 wl.new_user = optarg;
 @@ -693,6 +696,9 @@ main(int argc, char *argv[])
 case 't':
 tty = optarg;
 break;
 +   case 's':
 +   wl.user_shell = 1;
 +   break;
 case 'v':
 wl.verbose = 1;
 break;
 --
 1.9.0




Re: [PATCH weston] weston-launch: Let the user use her real shell

2014-01-27 Thread Quentin Glidic

Hi,

On 24/01/2014 08:33, David Herrmann wrote:

weston-launch passes privileged FDs back to weston. I don't think we
should allow a user to use their own shell to spawn weston. How can
you guarantee the shell does not point to some random binary of the
user? This way, they can get access to arbitrary input FDs,
circumventing the access-mode restrictions on the device-nodes.


From man chsh:
“The only restriction placed on the login shell is that the command name 
must be listed in /etc/shells, unless the invoker is the superuser, and 
then any value may be added.”


So unless the user has root access (which is full access anyway), they cannot use a 
random binary, only system-approved ones.


Thanks,

--

Quentin “Sardem FF7” Glidic