[PATCH weston] weston-launch: Let the user use her real shell
From: Quentin Glidic sardemff7+...@sardemff7.net Signed-off-by: Quentin Glidic sardemff7+...@sardemff7.net --- This patch restores the old behaviour if the user wants to. This keeps /bin/sh around for shells that do not understand -c weston \$@\. src/weston-launch.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/weston-launch.c b/src/weston-launch.c index 56e22b1..fd04552 100644 --- a/src/weston-launch.c +++ b/src/weston-launch.c @@ -103,6 +103,7 @@ struct weston_launch { pid_t child; int verbose; + int user_shell; char *new_user; }; @@ -644,7 +645,7 @@ launch_compositor(struct weston_launch *wl, int argc, char *argv[]) sigaddset(mask, SIGINT); sigprocmask(SIG_UNBLOCK, mask, NULL); - child_argv[0] = /bin/sh; + child_argv[0] = wl-user_shell ? wl-pw-pw_shell : /bin/sh; child_argv[1] = -l; child_argv[2] = -c; child_argv[3] = BINDIR /weston \$@\; @@ -663,6 +664,7 @@ help(const char *name) fprintf(stderr, Usage: %s [args...] [-- [weston args..]]\n, name); fprintf(stderr, -u, --user Start session as specified username\n); fprintf(stderr, -t, --tty Start session on alternative tty\n); + fprintf(stderr, -s, --shell Use the user shell instead of /bin/sh to run weston\n); fprintf(stderr, -v, --verbose Be verbose\n); fprintf(stderr, -h, --help Display this help message\n); } @@ -676,6 +678,7 @@ main(int argc, char *argv[]) struct option opts[] = { { user,required_argument, NULL, 'u' }, { tty, required_argument, NULL, 't' }, + { shell, no_argument, NULL, 's' }, { verbose, no_argument, NULL, 'v' }, { help,no_argument, NULL, 'h' }, { 0, 0, NULL, 0 } @@ -683,7 +686,7 @@ main(int argc, char *argv[]) memset(wl, 0, sizeof wl); - while ((c = getopt_long(argc, argv, u:t::vh, opts, i)) != -1) { + while ((c = getopt_long(argc, argv, u:t::svh, opts, i)) != -1) { switch (c) { case 'u': wl.new_user = optarg; 
@@ -693,6 +696,9 @@ main(int argc, char *argv[]) case 't': tty = optarg; break; + case 's': + wl.user_shell = 1; + break; case 'v': wl.verbose = 1; break; -- 1.9.0 ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/wayland-devel
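Review bot: in the launch_compositor hunk, `wl->pw->pw_shell` is used as child_argv[0] with no check on its value. The passwd shell field can be empty (getpwnam(3) then hands back "" and login(1) treats that as /bin/sh), or it can be a stub such as /sbin/nologin or /bin/false, in which case weston is never started and nothing says why. Suggest a fallback for the empty field and a loud failure otherwise, e.g. `if (wl->user_shell && wl->pw->pw_shell && wl->pw->pw_shell[0]) child_argv[0] = wl->pw->pw_shell; else child_argv[0] = "/bin/sh";`. Also, `-l` is kept, so whichever shell is chosen sources the user's login files before BINDIR/weston runs; the commit message should say why that is acceptable given that those files are user-writable.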
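Review bot: the help text for `-s, --shell` says "the user shell", but the code takes the shell from the passwd entry (`wl->pw->pw_shell`), not from $SHELL; state that explicitly, e.g. `-s, --shell Run weston with the login shell from /etc/passwd instead of /bin/sh`, since that distinction is exactly what the safety argument for this option rests on.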
Re: [PATCH weston] weston-launch: Let the user use her real shell
Where is the shell coming from? If it's the shell specified in /etc/passwd and if we can guarantee that it doesn't read ~/.profile or similar, then it's ok. However, if this is the case, then how is it useful to run with the user's shell?

If it is the shell from $SHELL or if it reads ~/.profile and friends, then we have just leaked drm/evdev fds to the entire system and that's bad. If the caller can specify a shell or specify the environment in which the shell runs, then a malicious program can modify this stuff too, run weston-launch, and get access to protected stuff.

Please double-check this.

--Jason Ekstrand

On Mar 6, 2014 8:03 AM, Quentin Glidic sardemff7+wayl...@sardemff7.net wrote: From: Quentin Glidic sardemff7+...@sardemff7.net Signed-off-by: Quentin Glidic sardemff7+...@sardemff7.net --- This patch restores the old behaviour if the user wants to. This keeps /bin/sh around for shells that do not understand -c weston \$@\. src/weston-launch.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/weston-launch.c b/src/weston-launch.c index 56e22b1..fd04552 100644 --- a/src/weston-launch.c +++ b/src/weston-launch.c @@ -103,6 +103,7 @@ struct weston_launch { pid_t child; int verbose; + int user_shell; char *new_user; }; @@ -644,7 +645,7 @@ launch_compositor(struct weston_launch *wl, int argc, char *argv[]) sigaddset(mask, SIGINT); sigprocmask(SIG_UNBLOCK, mask, NULL); - child_argv[0] = /bin/sh; + child_argv[0] = wl-user_shell ? wl-pw-pw_shell : /bin/sh; child_argv[1] = -l; child_argv[2] = -c; child_argv[3] = BINDIR /weston \$@\; 
@@ -663,6 +664,7 @@ help(const char *name) fprintf(stderr, Usage: %s [args...] [-- [weston args..]]\n, name); fprintf(stderr, -u, --user Start session as specified username\n); fprintf(stderr, -t, --tty Start session on alternative tty\n); + fprintf(stderr, -s, --shell Use the user shell instead of /bin/sh to run weston\n); fprintf(stderr, -v, --verbose Be verbose\n); fprintf(stderr, -h, --help Display this help message\n); } @@ -676,6 +678,7 @@ main(int argc, char *argv[]) struct option opts[] = { { user,required_argument, NULL, 'u' }, { tty, required_argument, NULL, 't' }, + { shell, no_argument, NULL, 's' }, { verbose, no_argument, NULL, 'v' }, { help,no_argument, NULL, 'h' }, { 0, 0, NULL, 0 } @@ -683,7 +686,7 @@ main(int argc, char *argv[]) memset(wl, 0, sizeof wl); - while ((c = getopt_long(argc, argv, u:t::vh, opts, i)) != -1) { + while ((c = getopt_long(argc, argv, u:t::svh, opts, i)) != -1) { switch (c) { case 'u': wl.new_user = optarg; @@ -693,6 +696,9 @@ main(int argc, char *argv[]) case 't': tty = optarg; break; + case 's': + wl.user_shell = 1; + break; case 'v': wl.verbose = 1; break; -- 1.9.0 ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/wayland-devel ___ wayland-devel mailing list wayland-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/wayland-devel
Re: [PATCH weston] weston-launch: Let the user use her real shell
Hi,

On 24/01/2014 08:33, David Herrmann wrote:
> weston-launch passes privileged FDs back to weston. I don't think we should allow a user to use their own shell to spawn weston. How can you guarantee the shell does not point to some random binary of the user? This way, they can get access to arbitrary input FDs, circumventing the access-mode restrictions on the device-nodes.

From man chsh: “The only restriction placed on the login shell is that the command name must be listed in /etc/shells, unless the invoker is the superuser, and then any value may be added.”

So unless they have root access (= full access anyway), the user cannot use a random binary, only system-approved ones.

Thanks,

-- 
Quentin “Sardem FF7” Glidic
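The argument in the two replies above turns on what a launcher can actually verify about the passwd shell field before exec'ing it. The following is an added example, not weston-launch's own code: it takes the shell from getpwnam(3) and accepts it only if it appears as a whole line of /etc/shells, falls back to /bin/sh for an empty field (the convention login(1) applies), and refuses nologin/false stubs. The embedded /etc/shells text is constructed sample data, and rejecting the stubs is this example's own policy, not anything the patch does. Note what the check does not cover: with `-l` still on the command line, an approved shell will source the user's profile files before weston starts, and validating the binary does nothing about that.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample of an /etc/shells file (not a real system's file);
 * main() uses it only if the real /etc/shells cannot be read. */
static const char SAMPLE_SHELLS[] =
    "# /etc/shells: valid login shells (constructed sample)\n"
    "/bin/sh\n"
    "/bin/bash\n"
    "/usr/bin/zsh\n"
    "/sbin/nologin\n";

/* Return 1 if `shell` matches a whole line of `shells_text`. Blank lines
 * and lines starting with '#' are skipped, as getusershell(3) does. A
 * prefix such as "/bin/s" must not match "/bin/sh". */
static int shell_listed(const char *shells_text, const char *shell)
{
    size_t want = strlen(shell);
    const char *p = shells_text;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len == want && len > 0 && p[0] != '#' &&
            memcmp(p, shell, len) == 0)
            return 1;
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Pick argv[0] for the wrapper shell that will run weston.
 *  - want_user_shell == 0: always "/bin/sh" (the pre-patch behaviour).
 *  - empty or missing passwd field: "/bin/sh", as login(1) does.
 *  - not listed in /etc/shells, or a nologin/false stub: NULL, meaning
 *    refuse to launch rather than exec an unvetted binary with the
 *    launcher's socket reachable from its environment (example policy).
 * Returns pw_shell itself or a string literal; never allocates. */
static const char *chosen_argv0(const char *pw_shell, const char *shells_text,
                                int want_user_shell)
{
    const char *base;

    if (!want_user_shell || !pw_shell || pw_shell[0] == '\0')
        return "/bin/sh";
    if (!shell_listed(shells_text, pw_shell))
        return NULL;
    base = strrchr(pw_shell, '/');
    base = base ? base + 1 : pw_shell;
    if (strcmp(base, "nologin") == 0 || strcmp(base, "false") == 0)
        return NULL;
    return pw_shell;
}

/* Read the system /etc/shells into buf; NULL if it cannot be opened. */
static char *read_system_shells(char *buf, size_t cap)
{
    FILE *f = fopen("/etc/shells", "r");
    size_t n;

    if (!f)
        return NULL;
    n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return buf;
}

/* Usage: ./shellcheck <username>  (looks the user up with getpwnam(3)) */
int main(int argc, char *argv[])
{
    char buf[8192];
    struct passwd *pw;
    const char *shells, *argv0;

    if (argc != 2) {
        fprintf(stderr, "usage: %s username\n", argv[0]);
        return 2;
    }
    pw = getpwnam(argv[1]);
    if (!pw) {
        fprintf(stderr, "no such user: %s\n", argv[1]);
        return 1;
    }
    shells = read_system_shells(buf, sizeof buf);
    argv0 = chosen_argv0(pw->pw_shell, shells ? shells : SAMPLE_SHELLS, 1);
    printf("passwd shell '%s' -> %s\n", pw->pw_shell,
           argv0 ? argv0 : "REJECTED (not in /etc/shells, or a nologin stub)");
    return argv0 ? 0 : 1;
}
```

Matching whole lines matters: a user whose shell is set to a path that merely shares a prefix with an approved entry must not pass, and a commented-out entry in /etc/shells must not be treated as approved.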