From 62aa06d499bd2dbcdf04a8bd9c0556b54333bc31 Mon Sep 17 00:00:00 2001
From: Eamon Walsh
Date: Thu, 16 Apr 2009 22:33:12 -0400
Subject: [PATCH 1/3] security: Revert behavior of extension access for compatibility.
Previously, three extensions were defined as "trusted" by the extension: BIG-REQUESTS, XC-MISC, and XPrint. No other extensions were permitted to be used by untrusted clients. In commit 8b5d21cc1d1f4e9d20e5d5eca44cb1e60a419763 this was changed for some reason. Return to the old, compatible behavior.
(cherry picked from commit 6045506be0cebca4ebbe943ae77f020aafa703d4)
---
 Xext/security.c | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/Xext/security.c b/Xext/security.c
index ad30e06b8..99f4e5610 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -63,10 +63,10 @@ typedef struct {
 } SecurityStateRec;
 /* Extensions that untrusted clients shouldn't have access to */
-static char *SecurityUntrustedExtensions[] = {
- "RandR",
- "SECURITY",
- "XFree86-DGA",
+static char *SecurityTrustedExtensions[] = {
+ "XC-MISC",
+ "BIG-REQUESTS",
+ "XpExtension",
 NULL
 };
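Review bot: The context comment directly above the array, `/* Extensions that untrusted clients shouldn't have access to */`, is left unchanged while the array flips from a deny-list to an allow-list, so it now states the opposite of what `SecurityTrustedExtensions` means. It should read something like `/* Extensions that untrusted clients may use; every other extension is denied */`. The entries are only compared with `strcmp` in the code visible on this page, so the declaration could also become `static const char *const SecurityTrustedExtensions[]`, provided nothing outside these hunks writes to it.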
@@ -859,16 +859,18 @@ SecurityExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
- if (subj->haveState && subj->trustLevel != XSecurityClientTrusted)
- while (SecurityUntrustedExtensions[i])
- if (!strcmp(SecurityUntrustedExtensions[i++], rec->ext->name)) {
- SecurityAudit("Security: denied client %d access to extension "
- "%s on request %s\n",
- rec->client->index, rec->ext->name,
- SecurityLookupRequestName(rec->client));
- rec->status = BadAccess;
- return;
- }
+ if (subj->haveState && subj->trustLevel == XSecurityClientTrusted)
+ return;
+
+ while (SecurityTrustedExtensions[i])
+ if (!strcmp(SecurityTrustedExtensions[i++], rec->ext->name))
+ return;
+
+ SecurityAudit("Security: denied client %d access to extension "
+ "%s on request %s\n",
+ rec->client->index, rec->ext->name,
+ SecurityLookupRequestName(rec->client));
+ rec->status = BadAccess;
 }
 static void
From a26ae2c63d73b6f8cfb9757c4db451bc68e6a947 Mon Sep 17 00:00:00 2001
From: Eamon Walsh
Date: Thu, 16 Apr 2009 22:39:54 -0400
Subject: [PATCH 2/3] security: Fix a crash caused by wrong ordering of format arguments.
(cherry picked from commit 3481b32ab971c41cb972f6819ae049f3e9f7033b)
---
 Xext/security.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Xext/security.c b/Xext/security.c
index 99f4e5610..d185ee35e 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -955,9 +955,10 @@ SecuritySend(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 SecurityAudit("Security: denied client %d from sending event "
 "of type %s to window 0x%x of client %d\n",
- rec->client->index, rec->pWin->drawable.id,
- wClient(rec->pWin)->index,
- LookupEventName(rec->events[i].u.u.type));
+ rec->client->index,
+ LookupEventName(rec->events[i].u.u.type),
+ rec->pWin->drawable.id,
+ wClient(rec->pWin)->index);
 rec->status = BadAccess;
 return;
 }
From e1edd9e6689ea614167294a4f0eaa93c06f570fb Mon Sep 17 00:00:00 2001
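Review bot: In the new guard `if (subj->haveState && subj->trustLevel == XSecurityClientTrusted) return;` in SecurityExtension, a subject whose `haveState` is unset no longer takes the allow path; it falls through to the list check and is denied every extension outside the three listed names, whereas the removed code never denied such a subject. Failing closed is the safer default for an access hook, but the commit message does not mention the change, so it deserves a comment such as `/* no state recorded: treat as untrusted (fail closed) */`, or confirmation that no legitimate subject reaches this hook before its state is set. The lookup also hides its increment inside the `strcmp` argument under an unbraced `while`; `for (i = 0; SecurityTrustedExtensions[i]; i++)` with braces would be easier to audit. The declaration and initial value of `i` are outside the hunk.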
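Review bot: Nothing in the SecuritySend hunk prevents the corrected `SecurityAudit` call from drifting out of step with its format string again, and an integer consumed by `%s` is exactly the crash this commit fixes. If `SecurityAudit` is a printf-style variadic (its declaration is outside the hunk), marking it with the compiler's format attribute, e.g. `__attribute__((format(printf, 1, 2)))`, lets `-Wformat` reject a swapped argument at build time and would cover the other audit calls in the file too. Separately, `0x%x` expects an `unsigned int`; the type of `rec->pWin->drawable.id` is not visible here, so an explicit `(unsigned int)rec->pWin->drawable.id` would keep the call well-defined on every platform.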
From: Eamon Walsh
Date: Thu, 16 Apr 2009 22:48:11 -0400
Subject: [PATCH 3/3] security: Grant untrusted windows remove access on all windows.
This allows untrusted clients to destroy their own windows when they have been reparented by a trusted window manager.
(cherry picked from commit 4559d2ace6ac55fe361f572ded0769cdd1f3b545)
---
 Xext/security.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/Xext/security.c b/Xext/security.c
index d185ee35e..e65fc8ddf 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -76,6 +76,7 @@ static char *SecurityTrustedExtensions[] = {
 static const Mask SecurityResourceMask =
 DixGetAttrAccess | DixReceiveAccess | DixListPropAccess | DixGetPropAccess | DixListAccess;
+static const Mask SecurityWindowExtraMask = DixRemoveAccess;
 static const Mask SecurityRootWindowExtraMask =
 DixReceiveAccess | DixSendAccess | DixAddAccess | DixRemoveAccess;
 static const Mask SecurityDeviceMask =
@@ -819,6 +820,10 @@ SecurityResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 if (subj->haveState && subj->trustLevel != XSecurityClientTrusted)
 ((WindowPtr)rec->res)->forcedBG = TRUE;
+ /* additional permissions for specific resource types */
+ if (rec->rtype == RT_WINDOW)
+ allowed |= SecurityWindowExtraMask;
+
 /* special checks for server-owned resources */
 if (cid == 0) {
 if (rec->rtype & RC_DRAWABLE)
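Review bot: `allowed |= SecurityWindowExtraMask;` in SecurityResource is applied to every `RT_WINDOW` resource, ahead of the server-owned check and with no owner comparison in the hunk, so an untrusted client gains `DixRemoveAccess` on windows it does not own, while the commit message justifies the grant only for a client's own reparented windows. Every request that checks `DixRemoveAccess` on a window is affected, not only the destroy path named in the message, so the grant should either be narrowed or its real scope stated where it is made, for example `/* Remove is needed on a trusted WM's frame so a client can destroy its own reparented window; note this applies to all windows */`. The new comment `/* additional permissions for specific resource types */` does not say who receives the permission or why. The rest of the function, including how `allowed` is compared with the requested mask, lies outside the hunk, so whether a later check limits this cannot be confirmed from here.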