Patch by Nicolas Boullis <boullis.nico...@libertysurf.fr>.  From [1]:

   From: Nicolas Boullis <boullis.nico...@libertysurf.fr>
   To: Debian Bug Tracking System <sub...@bugs.debian.org>
   Subject: wmtv: dangerous suid root
   Date: Thu, 08 Nov 2001 20:07:52 +0100

   Hi !
   I think there is a huge security hole with wmtv and, when wmtv is installed,
   anyone can easily get a root account. Here is what I have in my terminal:
   (every time I launched wmtv, I double-clicked in the tv subwindow to call the
   external program)

   ----------------------------------------------------------------------
   Tintin:~> wmtv -e whoami
   root
   Tintin:~> cat > crack_root.sh
   #!/bin/sh
   cp /bin/sh /tmp
   chmod u+s /tmp/sh
   Tintin:~> chmod +x crack_root.sh
   Tintin:~> wmtv -e ~/crack_root.sh
   Tintin:~> ll /tmp/sh
   -rwsr-xr-x    1 root     users      407356 Nov  8 19:25 /tmp/sh*
   ----------------------------------------------------------------------

   I tried to make wmtv non-suid root, and... sometimes it works (despite an
   error message), sometimes it does not...

   ----------------------------------------------------------------------
   Tintin:~> ll /usr/bin/X11/wmtv
   -rwxr-xr-x    1 root     root        62588 Jul 31 01:55 /usr/bin/X11/wmtv*
   Tintin:~> wmtv
   ioctl VIDIOCSFBUF: Operation not permitted

   Tintin:~> wmtv
   ioctl VIDIOCSFBUF: Operation not permitted
   wmtv: no physical frame buffer access
   ----------------------------------------------------------------------

   Hence, I guess you should either correct wmtv so that it always works without
   being suid root, or make wmtv lose its privileges before it runs an external
   program.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=118778
---
 wmtv/src/wmtv.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/wmtv/src/wmtv.c b/wmtv/src/wmtv.c
index d2998f5..7e2d663 100644
--- a/wmtv/src/wmtv.c
+++ b/wmtv/src/wmtv.c
@@ -249,7 +249,7 @@ main(int argc, char *argv[])
                                        break;
                                case 'e':
                                        exe = strdup(optarg);
-                                       strcat(exe, " &");
+                                       /* strcat(exe, " &"); */
                                        break;
                                case 'b':
                                        fprintf(stderr, "wmtv: option not 
implemented yet\n");
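Review bot: in the 'e' case the old strcat line should be deleted rather than left commented out, and the commit message should say why it goes. `exe` comes from `strdup(optarg)`, which allocates exactly strlen(optarg) + 1 bytes, so appending " &" wrote two bytes past the end of that heap buffer in a setuid-root binary. That overflow is a second fix hidden in this patch and deserves its own mention. The result of `strdup()` is also unchecked here; a NULL return silently disables -e because the later code only tests `if (exe)`.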
@@ -439,7 +439,17 @@ main(int argc, char *argv[])
                                                                                
                        if (exe) {
                                                                                
                                ntfb_status = SETOFF;
                                                                                
                                TVOff();
-                                                                               
                                system(exe);
+                                                                               
                                /* system(exe); */
+                                                                               
                                if (fork() == (pid_t) 0) {
+                                                                               
                                char *argv[4];
+                                                                               
                                setuid(getuid()); /* Drop the privileges */
+                                                                               
                                argv[0] = "sh";
+                                                                               
                                argv[1] = "-c";
+                                                                               
                                argv[2] = exe;
+                                                                               
                                argv[3] = NULL;
+                                                                               
                                execv("/bin/sh", argv);
+                                                                               
                                exit(-1);
+                                                                               
                                }
 #if 0
                                                                                
                                pid = fork();
 
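Review bot: the return value of `setuid(getuid())` in the child is ignored, so if the call fails the child still reaches `execv("/bin/sh", argv)` with root privileges; check it and bail out with `_exit()` before the exec when it is non-zero. If wmtv is ever installed setgid as well, the group should be dropped with `setgid(getgid())` before the setuid call. Smaller points in the same block: a `fork()` result of -1 is not handled, nothing in this hunk reaps the child, the local `char *argv[4]` shadows main's `argv` and would read better under another name, and `exit(-1)` after a failed `execv` runs the parent's atexit handlers and flushes its stdio buffers in the child, so `_exit(127)` is the safer call. The commented-out `/* system(exe); */` can simply be removed.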
-- 
2.5.0

