Apply by doing: cd /usr/X11 patch -p0<014_xlock.patch Then rebuild the xlock binary: cd xc/programs/xlockmore xmkmf; make Makefiles; make; make install --- xc/programs/xlockmore/iconfig.h 2000/10/07 17:36:06 1.12 +++ xc/programs/xlockmore/iconfig.h 2000/12/19 20:21:41 1.13 @@ -313,6 +313,10 @@ XCOMM *** END DEBUG CHECK SECTION *** +XCOMM *** DEFINE THIS TO USE A SEPARATE PROCESS (SAFER) *** +XCOMM *** TO VALIDATE PASSWORDS *** +PIPEDEF = -DUSE_A_DAMN_PIPE + #ifndef __QNX__ #ifndef MathLibrary #define MathLibrary -lm @@ -522,7 +526,7 @@ XCOMM OPTDEF += -DSTAFF_NETGROUP=\"/etc/xlock.netgroup\" DEFINES = -DDEF_FILESEARCHPATH=\"$(LIBDIR)/%T/%N%S\" \ -$(SYSTEMDEF) $(EDITRESDEF) $(SLEEPDEF) $(OPTDEF) $(RANDDEF) \ +$(PIPEDEF) $(SYSTEMDEF) $(EDITRESDEF) $(SLEEPDEF) $(OPTDEF) $(RANDDEF) \ $(MODULEDEF) $(CHECKDEF) $(UNSTABLEDEF) $(PASSWDDEF) $(XMINC) $(XAWINC) \ $(CPPDEF) $(XPMDEF) $(GLDEF) $(DTSAVERDEF) $(DPMSDEF) \ $(SOUNDDEF) $(PASSWDINC) $(XPMINC) $(GLINC) $(DTSAVERINC) $(DPMSINC) \ --- xc/programs/xlockmore/modes/Imakefile 2000/04/15 09:45:59 1.6 +++ xc/programs/xlockmore/modes/Imakefile 2000/12/19 19:20:23 1.7 @@ -80,7 +80,7 @@ $(DOU)util$(OU)logout$(OU)mode$(OU)ras$(OU)xbm$(O)$(S)\ $(DOU)vis$(OU)color$(OU)random$(OU)iostuff$(OU)automata$(O)$(S)\ $(DOU)spline$(OU)erase$(OU)sound$(O)$(S)\ -$(DOU)vtlock$(OU)vtlock_proc$(O) +$(DOU)vtlock$(OU)vtlock_proc$(OU)atomicio$(O) #ifdef Check XLOCKCHECKOBJS = $(S)memcheck$(O) #endif @@ -162,7 +162,7 @@ XLOCKUTILSRCS = $(DU)xlock$(CU)passwd$(CU)resource$(CU)parsecmd$(C) \ $(DU)vis$(CU)color$(CU)random$(CU)iostuff$(CU)automata$(C) \ $(DU)spline$(CU)sound$(CU)erase$(C) \ -$(DU)vtlock$(CU)vtlock_proc$(C) +$(DU)vtlock$(CU)vtlock_proc$(CU)atomicio$(C) XLOCKCHECKSRCS = $(DU)memcheck$(C) XLOCKMODESRCS = $(DM)ant$(CM)ball$(CM)bat$(CM)blot$(C) \ $(DM)bouboule$(CM)bounce$(CM)braid$(CM)bubble$(CM)bug$(C) \ --- xc/programs/xlockmore/xlock/Imakefile 1999/12/05 16:37:06 1.5 +++ xc/programs/xlockmore/xlock/Imakefile 2000/12/19 19:20:24 1.6 @@ -19,7 +19,7 @@ $(DOU)util$(OU)logout$(OU)mode$(OU)ras$(OU)xbm$(O)$(S)\ $(DOU)vis$(OU)color$(OU)random$(OU)iostuff$(OU)automata$(O)$(S)\ $(DOU)spline$(OU)sound$(OU)erase$(O)$(S)\ -$(DOU)vtlock$(OU)vtlock_proc$(O) +$(DOU)vtlock$(OU)vtlock_proc$(OU)atomicio$(O) #ifdef Check XLOCKCHECKOBJS = $(S)memcheck$(O) #endif @@ -30,7 +30,7 @@ $(DU)util$(CU)logout$(CU)mode$(CU)ras$(CU)xbm$(C) \ $(DU)vis$(CU)color$(CU)random$(CU)iostuff$(CU)automata$(C) \ $(DU)spline$(CU)sound$(CU)erase$(C) \ -$(DU)vtlock$(CU)vtlock_proc$(C) +$(DU)vtlock$(CU)vtlock_proc$(CU)atomicio$(C) XLOCKCHECKSRCS = $(DU)memcheck$(C) XCOMM default target --- xc/programs/xlockmore/xlock/passwd.c 2000/04/15 09:46:00 1.9 +++ xc/programs/xlockmore/xlock/passwd.c 2000/12/19 19:20:24 1.10 @@ -64,7 +64,14 @@ #include #endif +#ifdef USE_A_DAMN_PIPE +#include +int passwd_rpipe = -1; +int passwd_wpipe = -1; +pid_t passwd_pid; +#endif + #if defined( __bsdi__ ) && _BSDI_VERSION >= 199608 #define BSD_AUTH #endif @@ -1193,6 +1200,9 @@ } } #endif +#ifdef USE_A_DAMN_PIPE + done = passwd_do_check(buffer); +#else if (!done) { done = (!strcmp((char *) crypt(buffer, userpass), userpass)); /* userpass is used */ @@ -1220,6 +1230,7 @@ syslog(SYSLOG_NOTICE, "%s: %s unlocked screen", ProgramName, ROOT); #endif } +#endif /* !USE_A_DAMN_PIPE */ #endif /* !BSD_AUTH */ #endif /* !ultrix */ #endif /* !PAM */ @@ -1925,9 +1936,50 @@ else gpass(); #else +#ifdef USE_A_DAMN_PIPE + { + int pipes1[2]; + int pipes2[2]; + + if (pipe(pipes1) == -1) + return; + if (pipe(pipes2) == -1) { + close(pipes1[0]); + close(pipes1[1]); + return; + } + passwd_pid = fork(); + switch (passwd_pid) { + case -1: + close(pipes1[0]); + close(pipes1[1]); + close(pipes2[0]); + close(pipes2[1]); + return; + default: + /* parent */ + close(pipes1[0]); + passwd_wpipe = pipes1[1]; + close(pipes2[1]); + passwd_rpipe = pipes2[0]; + return; + + case 0: + /* child */ + close(pipes1[1]); + passwd_rpipe = pipes1[0]; + close(pipes2[0]); + passwd_wpipe = pipes2[1]; + + passwd_run_checks(); + _exit(1); + } + } +#else getCryptedUserPasswd(); #endif #endif +#endif if (allowroot) getCryptedRootPasswd(); #endif /* !BSD_AUTH */ @@ -1937,3 +1989,53 @@ initDCE(); #endif } + +#ifdef USE_A_DAMN_PIPE + +int +passwd_do_check(user) + char *user; +{ + char buf[PIPE_BUF]; + + strlcpy(buf, user, sizeof buf); + if (atomicio(write, passwd_wpipe, buf, sizeof buf) != sizeof buf) + return 0; /* what to do? */ + buf[0] = '\0'; + read(passwd_rpipe, buf, 1); + if (buf[0]) + return 1; + else + return 0; +} + +passwd_run_checks() +{ + char buf[PIPE_BUF]; + struct passwd *pw = NULL; + int off, len; + u_char ack; + + while (1) { + memset(buf, 0, sizeof buf); + ack = 0; + + if (atomicio(read, passwd_rpipe, buf, sizeof buf) != sizeof buf) + _exit(1); + + buf[sizeof(buf)-1] = '\0'; + + pw = getpwnam(user); + if (pw && strcmp(crypt(buf, pw->pw_passwd), pw->pw_passwd) == 0) + ack = 1; + if (ack == 0) { + pw = getpwnam("root"); + if (pw && strcmp(crypt(buf, pw->pw_passwd), + pw->pw_passwd) == 0) + ack = 1; + } + endpwent(); + (void) write(passwd_wpipe, &ack, 1); + } +} +#endif --- xc/programs/xlockmore/xlock/resource.c 2000/05/16 03:33:11 1.2 +++ xc/programs/xlockmore/xlock/resource.c 2000/12/19 19:20:24 1.3 @@ -155,8 +155,8 @@ #ifdef USE_MB #define DEF_FONTSET DEF_FONT ## ",-*-24-*" #endif -#define DEF_BG "White" -#define DEF_FG "Black" +#define DEF_BG "Black" +#define DEF_FG "White" #ifdef FR #define DEF_NAME "Nom: " #define DEF_PASS "Mot de passe: " --- /dev/null Fri Dec 22 01:30:03 2000 +++ xc/programs/xlockmore/xlock/atomicio.c Tue Dec 19 13:20:24 2000 @@ -0,0 +1,55 @@ +/* + * Copyright (c) 1999 Theo de Raadt + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include + +/* + * ensure all of data on socket comes through. f==read || f==write + */ +ssize_t +atomicio(f, fd, _s, n) + ssize_t (*f) (); + int fd; + void *_s; + size_t n; +{ + char *s = _s; + ssize_t res, pos = 0; + + while (n > pos) { + res = (f) (fd, s + pos, n - pos); + switch (res) { + case -1: + if (errno == EINTR || errno == EAGAIN) + continue; + case 0: + return (res); + default: + pos += res; + } + } + return (pos); +}