
cvs-1.12.13 patch to include some hooks in order to build a jail in a hi


From: Francisco Yuste Garcia
Subject: cvs-1.12.13 patch to include some hooks in order to build a jail in a highly automatized environment, after patching with gssapi-et-all-051002.patch
Date: Tue, 18 Apr 2006 09:29:56 +0200
User-agent: Mozilla Thunderbird 1.0.7-1.4.1 (X11/20051007)

I added a few lines that introduce some hooks, intended to make certain
jailing tasks easier.

Could you make any suggestion, please?

I'm strongly interested on security consequences of this patch.

Cheers; Fran.

PS: You can find gssapi-et-all-051002.patch at
http://savannah.nongnu.org/bugs/download.php?file_id=2983.

--
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Francisco Yuste Garcia    mailto:francisco.yuste.garcia@cern.ch
  CERN  Dept. IT/DES        Phone  : +41 22 767 01 72
  Blg. 31-1-022             CH-1211 Geneva 23, Switzerland

  System Infrastructure Services
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


diff -rBu ../cvs-1.12.13/src/buffer.c ./src/buffer.c
--- ../cvs-1.12.13/src/buffer.c 2006-04-13 12:04:37.000000000 +0200
+++ ./src/buffer.c      2006-04-12 10:29:00.000000000 +0200
@@ -272,6 +272,11 @@
 int
 buf_send_output (struct buffer *buf)
 {
+       
+       if (buf == NULL) {
+               return 0;
+       }
+
     assert (buf->output != NULL);
 
     while (buf->data != NULL)
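Review bot: The added guard makes buf_send_output(NULL) return 0, i.e. report success, so a caller that hands in a null buffer silently loses whatever it was trying to send instead of tripping the assert one line below. If a null buffer is a caller bug, the existing assert is the right reaction; if it is an expected state once the jail is set up, the return value should say so rather than claim success, e.g. `if (buf == NULL) return EINVAL;` with a comment naming the caller that relies on it. The new lines also use tabs and a trailing-whitespace line where the surrounding code uses four-space indentation. buf_send_output's body continues past the hunk.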
@@ -461,10 +465,15 @@
        return ENOMEM;
     }
 
-    data->next = buf->data;
-    buf->data = data;
-    if (buf->last == NULL)
-       buf->last = data;
+        if (buf == NULL) 
+       {
+               data->next = NULL;
+       } else {
+               data->next = buf->data;
+               buf->data = data;
+               if (buf->last == NULL)
+                       buf->last = data;
+       }
 
     data->bufp = data->text;
     data->size = sizeof (int);
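Review bot: When buf is NULL the new branch sets `data->next = NULL` but links data into nothing, so the buffer_data obtained just above the hunk is leaked, and the statements that follow initialize it for no reader. The check also sits after the allocation, and the lines above the hunk very likely dereference buf already (the unpatched function reports allocation failure through the buffer, as far as I recall), so a null buf would not survive to this point; if NULL genuinely can reach here the guard belongs at function entry before any use, otherwise this should remain an assert. The new block's indentation (eight spaces, then tabs) does not match the four-space context lines. The enclosing function starts before the hunk and continues after it.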
diff -rBu ../cvs-1.12.13/src/main.c ./src/main.c
--- ../cvs-1.12.13/src/main.c   2006-04-13 12:04:38.000000000 +0200
+++ ./src/main.c        2006-04-12 17:12:40.000000000 +0200
@@ -1159,6 +1164,16 @@
                lock_cleanup_setup = 1;
            }
 
+
+           /* FYG: hook after user switching and directory saving
+               We must check here the Read Control Access.                     
+               Then we need jailing the execution.
+           */
+           run_setup ("/etc/cvs/cvshook_preexec.sh");
+           run_exec (RUN_TTY, RUN_TTY, RUN_TTY, 
+               RUN_REALLY|RUN_STDOUT_APPEND|RUN_STDERR_APPEND|RUN_SIGIGNORE);
+
+
            /* Call our worker function.  */
            err = (*(cm->func)) (argc, argv);
        
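Review bot: The exit status of the pre-exec hook is discarded: run_exec's return value is never checked, so if `/etc/cvs/cvshook_preexec.sh` fails or is missing, the command at `err = (*(cm->func)) (argc, argv);` still runs, which defeats a hook that the comment says must enforce read access control and jailing. Treat failure as fatal, e.g. `if (run_exec (RUN_TTY, RUN_TTY, RUN_TTY, RUN_REALLY|RUN_STDOUT_APPEND|RUN_STDERR_APPEND|RUN_SIGIGNORE) != 0) error (1, 0, "pre-exec hook failed; refusing to run command");`. Because the path is hard-coded and executed with whatever privileges the process holds at this point, the script and /etc/cvs must be root-owned and not writable by the account the server runs as, otherwise anyone who can modify the file runs code on every cvs invocation; and since this is main(), the hook appears to fire for local and client-side invocations too, not only in server mode, unless guarded (confirm against server_active). main's body continues outside the hunk.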
diff -rBu ../cvs-1.12.13/src/root.c ./src/root.c
--- ../cvs-1.12.13/src/root.c   2006-04-13 12:04:38.000000000 +0200
+++ ./src/root.c        2006-04-12 17:12:40.000000000 +0200
@@ -757,6 +757,10 @@
     Sanitize_Repository_Name (cvsroot_copy);
     newroot->directory = xstrdup (cvsroot_copy);
 
+    run_setup("/etc/cvs/cvshook_savedirectory.sh");
+    run_add_arg(newroot->directory);
+    run_exec (RUN_TTY, RUN_TTY, RUN_TTY,
+        RUN_REALLY|RUN_STDOUT_APPEND|RUN_STDERR_APPEND|RUN_SIGIGNORE);
     /*
      * Do various sanity checks.
      */
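Review bot: The hook is handed newroot->directory before the sanity checks that immediately follow it (`/* Do various sanity checks. */`), so the script receives a repository name that has only passed Sanitize_Repository_Name; in server mode that string originates from the client's Root request, so the script must treat its argument as untrusted and quote it, and the call would be safer placed after the checks succeed. run_exec's result is ignored here too, so a failing or absent hook has no effect on parsing. Every CVSROOT parse now costs a fork/exec, and this path looks shared with client-side invocations where /etc/cvs/cvshook_savedirectory.sh is unlikely to exist (confirm). The enclosing function starts before the hunk and continues after it.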
@@ -1008,6 +1012,12 @@
      */
     Sanitize_Repository_Name (newroot->directory);
 
+
+    run_setup("/etc/cvs/cvshook_savedirectory.sh");
+    run_add_arg(newroot->directory);
+    run_exec (RUN_TTY, RUN_TTY, RUN_TTY,
+        RUN_REALLY|RUN_STDOUT_APPEND|RUN_STDERR_APPEND|RUN_SIGIGNORE);
+
 #ifdef PROXY_SUPPORT
     /* Translate the directory to a local one in the case that we are
      * configured as a secondary.  If root_allow has not been initialized,
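Review bot: This is the second call site of cvshook_savedirectory.sh with the same argument, and under PROXY_SUPPORT it runs before the directory is translated to the local one for a secondary, so the script sees the untranslated name; if the hook is meant to record the directory actually used, it should follow that translation, and one call site should probably be kept rather than two. The return value is again unchecked, so a failing hook cannot stop the root from being used. The enclosing function starts before the hunk and continues past it.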
diff -rBu ../cvs-1.12.13/src/server.c ./src/server.c
--- ../cvs-1.12.13/src/server.c 2006-04-13 12:04:38.000000000 +0200
+++ ./src/server.c      2006-04-12 10:29:01.000000000 +0200
@@ -2386,7 +2386,7 @@
     /* FIXME - read the comment in verifymsg_proc() about why we use abs()
      * below() and shouldn't.
      */
-    return abs (run_exec (RUN_TTY, RUN_TTY, RUN_TTY,
+       return abs (run_exec (RUN_TTY, RUN_TTY, RUN_TTY, 
                          RUN_NORMAL | RUN_SIGIGNORE));
 }
 
@@ -6653,6 +6653,11 @@
        }
     }
 
+    /* FYG: hook before user switching */
+      run_setup ("/etc/cvs/cvshook_switchuser.sh");
+      run_exec (RUN_TTY, RUN_TTY, RUN_TTY, RUN_NORMAL | RUN_SIGIGNORE);
+    /* FYG */
+
     if (setuid (pw->pw_uid) < 0)
     {
        /* Note that this means that if run as a non-root user,

