From 129ba5c584826fca4fb81c8b6d568284024f96ea Mon Sep 17 00:00:00 2001
From: tg
Date: Mon, 9 Jun 2014 12:28:19 +0000
Subject: [PATCH] =?UTF-8?q?fix=20the=20=E2=80=9Cset=20=C2=B1p=E2=80=9D=20i?=
 =?UTF-8?q?ssue=20for=20good=20cf.=20http://blog.cmpxchg8b.com/2013/08/sec?=
 =?UTF-8?q?urity-debianisms.html?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 main.c | 32 ++++++++++++++++----------------
 mksh.1 | 22 +++++++++------------
 sh_flags.opt | 4 ++--
 3 files changed, 27 insertions(+), 31 deletions(-)
diff --git a/main.c b/main.c
index 18cdc6b..cc49349 100644
--- a/main.c
+++ b/main.c
@@ -34,7 +34,7 @@
 #include
 #endif
-__RCSID("$MirOS: src/bin/mksh/main.c,v 1.279 2014/01/16 13:59:12 tg Exp $");
+__RCSID("$MirOS: src/bin/mksh/main.c,v 1.280 2014/06/09 12:28:17 tg Exp $");
 extern char **environ;
@@ -407,7 +407,7 @@ main_init(int argc, const char *argv[], Source **sp, struct block **lp)
 setint_n((vp_pipest = global("PIPESTATUS")), 0, 10);
 /* Set this before parsing arguments */
-Flag(FPRIVILEGED) = kshuid != ksheuid || kshgid != kshegid;
+Flag(FPRIVILEGED) = (kshuid != ksheuid || kshgid != kshegid) ? 2 : 0;
 /* this to note if monitor is set on command line (see below) */
 #ifndef MKSH_UNEMPLOYED
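Review bot: The value 2 stored into Flag(FPRIVILEGED) introduces a third state ("privileged because of a uid/gid mismatch, not because of -p") that the startup-file code later tests with `Flag(FPRIVILEGED) != 1`, but nothing at this assignment documents the encoding, and a reader of sh_flags.opt or of change_flag would expect a plain boolean. Suggest extending the comment to `/* Set this before parsing arguments: 2 = implicitly privileged (real/effective ID mismatch), 1 = set explicitly via -p, 0 = not privileged */`, or better a named enumerator for the implicit state used at both sites. That change_flag stores exactly 1 for an explicit -p is inferred from the `!= 1` test elsewhere in this commit and is not visible in the hunk, so it should be confirmed. main_init begins and ends outside this hunk.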
@@ -585,22 +585,22 @@ main_init(int argc, const char *argv[], Source **sp, struct block **lp)
 if (!current_wd[0] && Flag(FTALKING))
 warningf(false, "can't determine current directory");
-if (Flag(FLOGIN)) {
+if (Flag(FLOGIN))
 include(MKSH_SYSTEM_PROFILE, 0, NULL, true);
-if (!Flag(FPRIVILEGED))
-include(substitute("$HOME/.profile", 0), 0,
-NULL, true);
-}
-if (Flag(FPRIVILEGED))
+if (!Flag(FPRIVILEGED)) {
+if (Flag(FLOGIN))
+include(substitute("$HOME/.profile", 0), 0, NULL, true);
+if (Flag(FTALKING)) {
+cp = substitute(substitute("${ENV:-" MKSHRC_PATH "}",
+0), DOTILDE);
+if (cp[0] != '\0')
+include(cp, 0, NULL, true);
+}
+} else {
 include(MKSH_SUID_PROFILE, 0, NULL, true);
-else if (Flag(FTALKING)) {
-char *env_file;
-
-/* include $ENV */
-env_file = substitute(substitute("${ENV:-" MKSHRC_PATH "}", 0),
-DOTILDE);
-if (*env_file != '\0')
-include(env_file, 0, NULL, true);
+/* turn off -p if not set explicitly */
+if (Flag(FPRIVILEGED) != 1)
+change_flag(FPRIVILEGED, OF_INTERNAL, false);
 }
 if (restricted) {
diff --git a/mksh.1 b/mksh.1
index e534a04..e987dc1 100644
--- a/mksh.1
+++ b/mksh.1
@@ -1,4 +1,4 @@
-.\" $MirOS: src/bin/mksh/mksh.1,v 1.334 2014/06/09 11:22:50 tg Exp $
+.\" $MirOS: src/bin/mksh/mksh.1,v 1.335 2014/06/09 12:28:17 tg Exp $
 .\" $OpenBSD: ksh.1,v 1.152 2014/02/12 16:28:13 schwarze Exp $
 .\"-
 .\" Copyright © 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
@@ -247,8 +247,7 @@ below.
 Privileged shell.
 A shell is
 .Dq privileged
-if this option is used
-or if the real user ID or group ID does not match the
+if the real user ID or group ID does not match the
 effective user ID or group ID (see
 .Xr getuid 2
 and
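Review bot: The privilege drop in the new else branch relies entirely on `change_flag(FPRIVILEGED, OF_INTERNAL, false)` resetting the effective IDs, and its outcome is not checked at the call site; if the set*uid/set*gid calls inside change_flag (outside this hunk) can fail, the shell would carry on with elevated privileges while Flag(FPRIVILEGED) claims otherwise, so it is worth confirming that change_flag aborts or reports failure in that case and, if it only reports, handling it here rather than continuing. A second point: `cp` is assigned from substitute() in the FTALKING branch but is not declared in the hunk (the removed code had a block-local `char *env_file`), so its declaration must exist earlier in main_init and its type should be checked against substitute()'s return. The `turn off -p` comment would read better as `/* drop privileges unless -p was given explicitly; the suid profile above may itself have set it */`, which explains why the test is `!= 1` rather than a boolean. main_init begins and ends outside this hunk.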
@@ -257,6 +256,9 @@ Clearing the privileged option causes the shell to set its
 effective user ID (group ID) to its real user ID (group ID).
 For further implications, see
 .Sx Startup files .
+If the shell is privileged and this flag is not explicitly set, the
+.Dq privileged
+option is cleared automatically after processing the startup files.
 .It Fl r
 Restricted shell.
 A shell is
@@ -366,15 +368,9 @@ parameter after subjecting it to parameter, command, arithmetic and
 tilde substitution; if unset or empty, the user mkshrc profile is processed; otherwise, if a file whose name is the substitution result exists, it is processed; non-existence is silently ignored.
-.Pp
-The suid profile probably should run
-.Ic set +p
-unless the shell was explicitly started with
-.Fl p .
-This isn't easily implemented but
-.Pq just always run Ic set +p
-a stopgap measure for:
-.Pa http://blog.cmpxchg8b.com/2013/08/security\-debianisms.html
+A privileged shell then drops privileges if neither was the
+.Fl p
+option given on the command line nor set during execution of the startup files.
 .Ss Command syntax
 The shell begins parsing its input by removing any backslash-newline combinations, then breaking it into
diff --git a/sh_flags.opt b/sh_flags.opt
index 036074a..ef64580 100644
--- a/sh_flags.opt
+++ b/sh_flags.opt
@@ -1,5 +1,5 @@
 @SHFLAGS_DEFNS
-__RCSID("$MirOS: src/bin/mksh/sh_flags.opt,v 1.1 2013/11/17 22:22:56 tg Exp $");
+__RCSID("$MirOS: src/bin/mksh/sh_flags.opt,v 1.2 2014/06/09 12:28:19 tg Exp $");
 #define FN(sname,cname,flags,ochar) \
 static const struct { \
 /* character flag (if any) */ \
@@ -123,7 +123,7 @@ FN("pipefail", FPIPEFAIL, OF_ANY
 >|
 FN("posix", FPOSIX, OF_ANY
-/* -p use suid_profile; privileged shell */
+/* -p privileged shell (suid) */
 >p|
 FN("privileged", FPRIVILEGED, OF_ANY