Homeland Security Uncovers Critical Flaw in X11
Amy's Robot writes "An open-source security audit program funded by the U.S. Department of
Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parentheses in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.
Check the CVS server. OpenBSD 0wns again!
In related news, the Department of Homeland Security has notified 3497 people where their missing TV remote control is to be found, where your wife was until 3am last Thursday, and has completed a record number of sudoku puzzles in newspapers around the country.
Government officials were unwilling to cite their sources for this information instead choosing to simply say "we are watching you".
liqbase
They uncovered only one flaw? Sheesh.
Kudos to the heroes who painstakingly reinserted the missing parenthesis!
You see? You see? Your stupid minds! Stupid! Stupid!
A missing parentheses in a bit of code is to blame...the flaw has already been corrected.
Any word on exactly what the fix was?
Wanted: witty unique signature. Must be willing to relocate.
Shouldn't that be:
(X11 sucks monkey cock
how long has this hole been in X11, i wonder?
Already corrected on what?
Is LinuxUpdate.linux.com going to send this out on Tuesday automatically and reboot my machine?
Oh sure, I'm trolling - but the point is this ISN'T updated on machines around the world. It's updated on a few machines that HAVE some sort of auto-update service (of which many required a fee with your "enterprise service license") and it may or may not be updated when you install a new machine.
I know *MY* servers aren't updated...yet.
That the compilers have a flaw as well? You would think that the semantic rules would catch this and throw a compiler error for a missing parenthesis but maybe I am missing something.
-- Brought to you by Carl's JR
Finally Homeland security has done something noteworthy. I'm glad this benefits the X11 community.
the answers you get depend on the questions you ask.
I wonder if Miles Papazian discovered the flaw by reading the binary or by utilizing a machine-coded matrix?
X11 is actually written entirely in LISP, and therefore there are too many parentheses for a mere mortal to ever get straight.
XML is like violence. If it doesn't solve the problem, use more.
Any word on whether this vulnerability is a risk for those using x11 within osx? TFA mentioned that the X windowing system shipped with OS X without stating what level of risk exists.
If the compiler doesn't have a problem with unmatched parentheses, to prevent any such problems in the future, simply insert) closing) parentheses) instead) of) spaces).
p.s. If it is an easy exploit, please do NOT show me a demonstration.
...
If you're wondering, here is the relevant SUSE security advisory from 21.3 - http://www.novell.com/linux/security/advisories/2006_16_xorgx11server.html
No, I actually think the audit process they initiated is a really good thing for any company to do, and should even be mandatory for all Government departments.
The company (Coverity) which did the audit are the ones who should be thanked, not the DHS. This flaw would have been discovered by this company anyway; it's their business to find faults.
The bonus that they actually found a bug is nice, however let's not get happy happy joy joy yet; it's a local exploit, not a wide open remote hole.
The DHS should be busy protecting the Americans and not trying to grab the headlines.
liqbase
No... not if the parentheses were needed to enforce a particular evaluation order (as opposed to the operator precedence order) of a comparison, for example, or a mathematical function. It wouldn't be a syntax error then... it'd be a logical error.
I'm using debian 3.1. Is this something I'm going to have to run dist-update for? (the 'crap' is because I'd have to update over dialup).
i don't think that the flaw is really a missing ')' , it's a misplaced ')'
as in example if(somefunc(foo > 0)) {bar}
it compiles alright and even works, but it really isn't somefunc(foo) > 0 that is getting tested. the mistake is an easy one to make, and most modern languages consider it valid (even java if the func accepts a boolean argument).
i never really understood WHY the X server runs as root. write a god damn device wrapper that keeps the device handlers separately in root permissions and keep X itself, along with its flaws, in the user's privileges. securing a few ways to access devices is *a lot* easier than securing the whole of X, as shown by the current article.
can modular X achieve this ?
I'd tell you the chances of this story being a dupe, but you wouldn't like it.
As this only affects 6.9 and 7.0 (RTFM), you'd need some form of auto-update to actually be exposed. Most distros are still at 6.8.
M.
The US government is only publicizing this because Microsoft has enough money to bribe it, and it needs some heat taken off its own flaws!
Just kidding...
--- "Remember, there's a difference between bowing down and bending over." -Frank Zappa
That is used as test each semester for MIT students. So, if it were available on the web, then it would remove an afternoons work.
I prefer the "u" in honour as it seems to be missing these days.
well ..
...
if (((people((wouldstop() == TRUE)(((&& (using_shitty_shortcuts() == FALSE))))))))
{
}
It's possible that something like this may be easier to spot.
And while we're at it, start using your curly braces correctly as well.
Join the Slashcott! Feb 10 thru Feb 17!
if you said a + b * c but you really wanted (a + b) * c the compiler won't bleat.
Engineering is the art of compromise.
Actually, it was not a missing parenthesis, but a missing parenthetical.
double r;r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
if ( r < 0.5 ) gotroot(true);
And the patched code:
double r;r = ( (double)rand() / ((double)(RAND_MAX)+(double)(1)) );
if ( r < 0.5 ) gotroot(true); (just kidding!)
The fix was posted before, but the problem was that someone used "geteuid" rather than "geteuid()".
This results in making use of the function address rather than the return value of the function, which could cause difficulties.
So, how is this different from this? I haven't read enough of either, they could be related...
Please note that this exploit is for the local user only. If you are the only user on your Apple or Nix box, then this is a non-news item. However if the BSA, RIAA, MPAA, or Dept of Homeland Security has taken your box and wants root, then you might have a problem. ;-)
The truth shall set you free!
I would, but it's easier to identify a missing bracket the way you wrote it out.
What a novel concept
g 2006-03-17 23:30:10.0000 /* First the options that are only allowed for root */
actual code patch:
--- programs/Xserver/hw/xfree86/common/xf86Init.c.ori
00000 +0200
+++ programs/Xserver/hw/xfree86/common/xf86Init.c 2006-03-17 23:29:35.0000
00000 +0200
@@ -1376,7 +1376,7 @@
}
- if (getuid() == 0 || geteuid != 0)
+ if (getuid() == 0 || geteuid() != 0)
{
if (!strcmp(argv[i], "-modulepath"))
{
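Review bot: the pre-fix condition `if (getuid() == 0 || geteuid != 0)` compares the address of geteuid with 0, which can never be equal, so the right-hand operand is always true and the guard around the root-only options that follow (`-modulepath` and the rest) never rejects anyone; with the call parentheses restored the branch is skipped exactly when a non-root real user is running a setuid-root server. Since a poster in this thread reports that gcc with -Wall stayed silent on the original line, it is worth checking that the build uses a warning level that flags a function address being compared against a constant.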
@@ -1679,7 +1679,7 @@
}
if (!strcmp(argv[i], "-configure"))
{
- if (getuid() != 0 && geteuid == 0) {
+ if (getuid() != 0 && geteuid() == 0) {
ErrorF("The '-configure' option can only be used by root.\n");
exit(1);
}
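Review bot: the old `if (getuid() != 0 && geteuid == 0)` could never be true, because a function's address is never 0, so the ErrorF("The '-configure' option can only be used by root.") and exit(1) path was dead code and a non-root user launching the setuid-root server could reach the root-only option; the corrected call makes the refusal fire when the real uid is non-zero and the effective uid is zero. Both hunks express the same privilege test with opposite polarity (allow in the first, refuse in the second); factoring it into one small helper would stop a future typo from desynchronising them.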
Bug:
https://bugs.freedesktop.org/show_bug.cgi?id=6213
I guess we have to excuse your lack of RTFA-ness, too. there was not an unmatched parenthesis. there was a missing set of parentheses.
ELOI, ELOI, LAMA SABACHTHANI!?
Yes. There was not an unmatched parenthesis. There was a missing set of parentheses.
Just as with the WMD's, why are they looking for things that are not there? Oh wait, this is actually a good thing. :-)
Why is this newsworthy? I assume bugs and vulnerabilities are solved all the while, right? If nothing else it at least shows that Open Source is working. The more eyes you have, the more errors are solved.
To the code: big brother is watching you.
Don't fight for your country, if your country does not fight for you.
-- Thou hast strayed far from the path of the Avatar.
I wonder how many potential security holes Coverity's uncovered by scanning Windows source....oh wait....they can't. Well I'm sure if they signed an NDA they could tell M$ and get it fixed in a....um...err...sorry, you'll have to wait for the next patch cycle.
To Alcohol! The cause of, and solution to, all of life's problems.
This is from march, why is everyone freaking out now?
Yeah. Some programming languages let you reference a procedure/function rather than call it. So the following pseudo code will be valid "if (somefunction is null) {do something}" but will not do the same as "if (somefunction() is null) {do something}". The first will check if "somefunction" has been declared, the second will check the output of "somefunction".
The flaw may have been corrected in the source tree, but that says nothing for the tens of millions of X11 systems out in the field yet.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
DHS paid for the company to do this. It was a government initiative. Hence, some props to DHS are in order. And to Coverity, of course, for doing a good job.
It's not wasting time, I'm educating myself.
The advantage of open source shines through once again! This couldn't have happened with MS Windows, that's for sure... without access to the source code, this bug couldn't have been discovered, let alone fixed so quickly.
(And yes, I know that some gov't agencies have a deal to view the Windows source code, but there are WAAAY fewer eyeballs looking at it, and from what I've heard the code is a big badly documented mess.)
My bicycles
It was perfectly legal code.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
At least we will see how the Debian update infrastructure has improved since last time, when it brought the server to its knees.
..I just saw a story on digg (washes mouth out with pee to get bad taste out of my mouth), and noticed that the FAA just announced they will be running linux to track flights. Maybe there is a tie-in between this find and that announcement?
Sig: I stole this sig.
is getting close to being able to do what they portray on 24.
Jack: I'm running out of time. I need that satellite image.
Chloe: I opened a socket into a NASA server and am retasking the satellite.
Jack: Great, download the image to my PDA.
Chloe: I need your IP address.
Jack: 1.2.123.129
Chloe: I'm having some trouble. I'm hacking into a secure server at CTU, and sending the image to your PDA.
Jack: I've got it. Thanks Chloe.
Chloe: Whatever...
AFAIK this exploit can be used over the net, but only if you've enabled remote logins in your Xconf. I'm not aware of any distro that does that by default, and the Xconf "sample" that comes with XFree86 or Xorg both have remote logins disabled.
I realize that it's too much to assume that anyone geek enough to enable remote X sessions is also geek enough to protect his system adequately, but most of the time that will be the case.
Open Source for Open Minds
AFAIK this exploit can be used over the net, but only if you've enabled remote logins in your Xconf.
The article specified local. Whether this would work over the net could be a subject of debate. You might be right and the article did not touch on remote X sessions.
The truth shall set you free!
Depends,
Have you paid your Moses Fee?
(let my packets go....) [as sung to 'let my people go']
Less Talk. More Stab.
"Whereas Europeans generally pronounce my name the right way ('Ni-klows Wirt'), Americans invariably mangle it into 'Nick-les Worth'. This is to say that Europeans call me by name, but Americans call me by value."
http://en.wikipedia.org/wiki/Niklaus_Wirth
So was the X11 bug in European or American code?
The government is in cahoots with Microsoft! This is all just a smear campaign because we KNOW that security vulnerabilities like this do NOT happen in Open Source software! The software goes through "many eyes" who catch these kinds of things. The fact that it occurs in recent and older versions of the software simply proves they're just smearing, and there's no basis for this in fact. I'm so tired of other people pointing out the security flaws in our software. Don't they understand we're working towards a common goal of ridding the world of Microsoft, who make useful but insecure software! We want the world to use software that's more difficult to use, but secure. That way, only people who know what they're doing will ever use a computer, just as our lord, Linus, says it should be. Torvaldo Fhtagn!
Please note: the above is a work of fiction, sarcasm and humor. If you didn't find it funny, pull the rod out of your ass and get a clue.
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
The effective UID (euid) is changed when you run a setuid app, while the real UID (uid in this case, or ruid) is not.
The effective UID is normally associated with permission to access files. Well, Linux actually uses the filesystem UID (fsuid or fuid) for that, but that one nearly always tracks the effective UID for compatibility.
There is also a saved UID (suid or svuid) that is helpful for apps that need to swap UIDs back and forth. It's not used for anything else.
if the-user-really-is-root or the-user-can-do-no-harm-trying
The second case is probably for debugging or for when using a non-setuid X server that relies on a kernel-based framebuffer device to control access.
did she already tazer that drunk dude too? ;)
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
The X Window System. And you're excused.
Jack: Sorry Chloe, that IP address was 163.56.1.276 Chloe: Trying it now Jack, thanks
-- "It's not stalking if you're married!" My Wife.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
The compiler's job is to turn any syntactically valid source code into executable code. It might warn you about syntactically dubious constructions. But compilers aren't designed to catch logic errors. While the presence of syntax errors tells you that the code is definitely wrong, the absence of syntax errors does not indicate that the code is correct.
An expressive, succinct, high-level language is still the better bet than a verbose language for producing quality code. All the verbose language does is make you type more, and probably increase the total number of typos. Working in Pascal just creates more syntax errors, which doesn't necessarily reduce the number of logic errors. If you insist on being verbose, your effort would be better spent on adding more assertions and comments to your code.
Unfortunately, if the goal is to produce quality code, C is succinct in all the wrong places, with shortcuts like if (a = b), and verbose in all the wrong places, such as requiring you to do your own memory management.
This flaw was found by a security audit of the code, which is an advantage of OSS: such audits can be performed by third parties. But why didn't the ongoing peer reviews performed by the open source community themselves uncover this ages ago?
-- "I never gave these stories much credence." - HAL 9000
Jack: "That was a test. Chloe would have known that 276 is an illegal address byte. We have your room surrounded. Either come out now with your hands up, or take the cyanide pill."
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
There can't be a "missing parenthesis in X11" because X11 is not a piece of code, it's a protocol. This vulnerability only affects the X.org and XFree86 implementations of X11; there are many other implementations that are not affected.
It's pretty sad that Windows and Macintosh have conditioned people to think that every window system is just a piece of code; the notion that a window system could be an API standard with multiple implementations doesn't seem to occur to them.
That reminded me... Isn't it great that whoever decided to give a name to the phenomenon of "lisping" spelled it that way? So subtly evil!
To do list for Windows
Tiger shipped with (X11 1.1 - XFree86 4.4.0), and X11R6.9.0 and X11R7.0.0 are forked from that. So it could well affect Mac OS X. If it does, it will be interesting to see how long it takes Apple to provide an update, if at all, given that it's open source.
Hmm. Well where I work most sites have a linux server that allows machines that are somewhat akin to thin clients to connect to a master X server.
It's actually an octet not a byte (in the above stated format)
;)
Who are you and where is the real jack
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
This has been said before, but the issue was actually comparing to see if the function's address was not 0, rather than checking if the function didn't return 0.
:(){
Paluminum.net
The set of those bearing this sig is composed of between zero and infinity thieves, and exactly one liar.
They're there affecting their effect.
The exploit mentioned in this article cannot be exploited by a user who isn't logged into your system - you have to be able to run the Xorg command with certain options. See X.Org's advisory at http://lists.freedesktop.org/archives/xorg/2006-March/013992.html
Homeland Security was able to do the code audit on X11.
Maybe that really should be written as, because the source code was publicly available, Homeland Security was able to do this. How many of these types of faults exist in closed source software that no outside group had the chance to dig into like with X11 or OpenBSD or...
Graham
It's in code that allows you to do things like load code modules from other paths, so it's only allowed if you're already root or not running setuid-root. (It should probably check that you're not running setuid at all, but there's no real point having Xorg setuid to anyone but root, so no one has added that check.)
Comment removed based on user account deletion
If it is, I need to patch my server ASAP.
My wife doesn't listen to me either...
If this results in a Government move to OSS, ensuring that it's as secure as the proponents (of which I am one) say, then I'm all for it! IIRC, TFA mentions a $1.2M price tag for this "security scanning". If that results in more OSS in Gov't, it's worth exponentially more than the current pricetag. I am longing for the day when I can use an OS that is open source. My little 55 person outfit has more than $1.2M of MS and supporting software, between the OS, Exchange, Office, Server, AD, card readers, AV, apps to "push down" upgrades, etc.., I get tired of having to drink the Kool-Aid
I just checked, and stupid gcc does not produce any warning whatsoever. I tried it as C++, I tried -Wall and -W, and still nothing. Not a good showing there.
I think the proper warning is that the test is constant. "geteuid != 0" is always true.
Rumor has it the ISO C++ committee is likely to pass through a proposal for a new keyword, nullptr, which will have a "magic" type "pointer-to-anything" and has the value of the null pointer constant.
So, e.g.:
struct A;
int f( A* );           // #1
int f( int );          // #2
int m = f( 0 );        // calls #2
int n = f( nullptr );  // calls #1
Of course, that wouldn't help in the aforementioned case. 0 will still be convertible to a pointer type as it is now; it's just that 'nullptr', being a pointer itself, makes for a "better" conversion to a real pointer type.
nullptr is supposed to be a non-disruptive pure extension (except for the fact that it breaks code that uses 'nullptr' as an identifier) -- meaning that it should not change the meaning of existing code.
A linux terminal server needs only the X libraries, not even a single instance of an X server, which generally requires elevated privileges to run. I think I've seen work to correct that, but as it stands, at large an X server runs as root and has to arbitrate security, whereas with X applications linked to X libraries and displaying to a thin client over the network, the server has no root-level code and only the thin client filesystem/system is at any risk.
XML is like violence. If it doesn't solve the problem, use more.
Unfortunately, the distros compete with the likes of Windows. As such, though technically speaking X on a multi-user system of any remote importance is a bad idea, if you shrug off X on servers, Windows administrators may not like it as much. Install Red Hat or SuSE server-oriented distributions and by default you still end up with an X environment. Good administrators know not to run X, and it is powerful and even more convenient to run X apps remotely or inside a detachable VNC session. For small business to medium business/departmental servers, expect X servers to be the norm in the enterprise despite best practice.
The obvious solution is X not as root, so the worst you can do is screw around with the devices X really needs access to (screw around with the graphics, and local input devices, but an administrator can still ssh and have an intact, secure system in the ways that matter)
XML is like violence. If it doesn't solve the problem, use more.
If you use a set of parenthesis it will think you're calling a function. If you only have one parenthesis it'll spit out an error. If you have no parenthesis at all it will think you're calling a variable.
So you can have both a variable geteuid and a function geteuid(). I'm assuming this is what happened in this case, and calling the variable instead of the function was an ugly mistake but went unnoticed because the compiler didn't know it was wrong, and it looks right since they're so close.
www.linuxpenguin.net
If it's in UTF16 on a 16-bit machine, or UTF32 on a 32-bit machine, then yes.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Starring Bruce Willis, of course, who assembles a crack team to go into the code and insert the missing punctuation before the world gets blown up.
"A missing parentheses in a bit of code is to blame. " how was the source able to compile?
That last one makes things tough. How can you have security when everything is known? Well, in practice that is the only context security is even possible. "Security through obscurity" really means "we don't know what our opponents know and we're not even sure what we know". If, however, you assume that your opponents know everything then you don't take shortcuts. You plan for contingencies, you have fallback positions, you have not just a plan but a roadmap of possibilities and how to deal with them.
(At least, for any scenario too complex to actually have a complete solution for. For simpler problems, such as a chess puzzle or - for the past decade - the entire game of draughts, it is possible to map a complete, guaranteed winning strategy that will work no matter what the opponent does. Such a solution exists for the complete game of Chess and indeed for the complete game of Go, but has not yet been found. For any given computer system, such a solution must also exist for the operator/admin, but the chief problem has always been to get them to bother even putting the bits of solution that are known in place.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Next week there will be a followup article:
"The Department of Homeland Security has taken into custody the programmer who injected the security flaw in the commonly used X11 Linux server. The programmer is suspected of having ties to new-age terrorist groups. Officials state that a plot was in progress to compromise vital government computers via this security flaw. Despite the target being an open-source program, the flaw was subtle enough that nobody would spot it, despite being very serious. The suspect will be tried on charges of terrorism, vandalism, and a violation of the Millennium act... "
http://lists.freedesktop.org/archives/xorg/2006-April/014874.html
should be applied next, otherwise the bug is still there
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
agreed partially :)
these definitions make it possible though:
int dummy(int arg){...}
boolean dummy(boolean arg){...}
should compile like a dream in both C# and Java due to polymorphism.
and the missing parenthesis can of course always be as
if(2*5-1=8) vs if(2*(5-1)=8)
the compiler couldn't have a clue.
I'd tell you the chances of this story being a dupe, but you wouldn't like it.
The better question that nobody has asked is this one... would Microsoft submit to this, and release their codebase to public scrutiny? They attack Open Source / Free Software as if we're the devil, but we've put a lot of work and heart into making things clean and clear. True, Linux / Opensource misses a few points that BSD's have traditionally followed more closely (being free to all) but this also allowed a wealth of magnificent code to be completely ripped off by people who then denigrate all forms of non closed source code (Microsoft for one, despite the fact that the entire world bases their TCP/IP stack on that developed by Berkeley, and all of M$'s TCP/IP tools seem based on or completely ripped off from the BSD groups.)
:)
But what do I know
" What luck for rulers that men do not think" - Adolf Hitler
Yes. Basic knowledge of C or C++.
The thing is, in the C programming language world a function() is the invocation of that function while function returns the address of that function. So in effect, what happened was that the coder meant to get the value from that function, i.e. meant to write it with parenthesis, but instead he got the address of that function, i.e. didn't put in the parenthesis.
Aren't C/C++ pointers fun?
Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
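As an added example (not the X.Org code and not any poster's), the two xf86Init.c conditions discussed above are rewritten over constructed uid/euid values: fake_getuid and fake_geteuid are stand-ins that read a scenario instead of the real process credentials, so the always-true address comparison can be run side by side with the corrected call.

```c
#include <stdio.h>
#include <sys/types.h>

/* Added example, not the X.Org code. The constructed scenario replaces the
 * real credentials so every (uid, euid) combination can be exercised. */
static uid_t scenario_uid;
static uid_t scenario_euid;

/* Stand-ins for the libc calls used in xf86Init.c. */
static uid_t fake_getuid(void)  { return scenario_uid; }
static uid_t fake_geteuid(void) { return scenario_euid; }

/* First hunk, pre-fix form: fake_geteuid without () is the function's
 * address, which is never 0, so the right-hand operand is always true and
 * the root-only options are allowed to everyone. */
static int modulepath_allowed_buggy(void)
{
    return fake_getuid() == 0 || fake_geteuid != 0;
}

/* First hunk after the fix: allowed only for real root, or for a server
 * that is not running setuid root (and so cannot do harm with the option). */
static int modulepath_allowed_fixed(void)
{
    return fake_getuid() == 0 || fake_geteuid() != 0;
}

/* Second hunk, pre-fix form: a function address is never 0, so the
 * "refuse -configure" test could never be true and the error path was dead. */
static int configure_refused_buggy(void)
{
    return fake_getuid() != 0 && fake_geteuid == 0;
}

/* Second hunk after the fix: refuse when a non-root real user is running
 * the server with effective uid 0, i.e. the setuid-root case. */
static int configure_refused_fixed(void)
{
    return fake_getuid() != 0 && fake_geteuid() == 0;
}

/* Evaluate both versions of both checks for one (uid, euid) pair and pack
 * the outcomes into a bit mask:
 *   bit 0: buggy check allows -modulepath   bit 1: fixed check allows it
 *   bit 2: buggy check refuses -configure   bit 3: fixed check refuses it */
int evaluate_checks(uid_t uid, uid_t euid)
{
    scenario_uid  = uid;
    scenario_euid = euid;
    return (modulepath_allowed_buggy() ? 1 : 0)
         | (modulepath_allowed_fixed() ? 2 : 0)
         | (configure_refused_buggy()  ? 4 : 0)
         | (configure_refused_fixed()  ? 8 : 0);
}

int main(void)
{
    /* Constructed scenario: an ordinary user (uid 1000) starting a
     * setuid-root X server (euid 0), the case these checks exist for. */
    int setuid_case = evaluate_checks(1000, 0);
    printf("uid=1000 euid=0   : buggy allows -modulepath=%d fixed allows=%d\n",
           setuid_case & 1, (setuid_case >> 1) & 1);
    printf("                    buggy refuses -configure=%d fixed refuses=%d\n",
           (setuid_case >> 2) & 1, (setuid_case >> 3) & 1);

    /* A plain, non-setuid run by the same user: both versions agree. */
    int plain_case = evaluate_checks(1000, 1000);
    printf("uid=1000 euid=1000: mask 0x%x (both versions allow -modulepath,\n"
           "                    neither refuses -configure)\n", plain_case);
    return 0;
}
```

With a modern gcc, -Wall (via -Waddress) does warn on the two address comparisons; the silence reported in this thread is for the compiler of that time.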
they were apparently wrapped around Weapons of Mass Destruction in Iraq
When did C have strong type checking?
It's normal for you to misuse stuff without casting. If you're lucky gcc might grumble about it.
That's the difference between closed source and open source I guess...
Critical vulnerability in X11, missing parens are to blame, report: "missing parens in code leaves X11 vulnerable, the problem is fixed."
--vs--
Critical vulnerability in Windows, missing parens are to blame (but that's under NDA), report: "the incompetent programmers of the Redmond monopolist did it again, your Windows is totally open to hackers due to a bad, bad vulnerability. While we're on this, let's discuss also how OSX and Linux are infinitely cooler than Windows will ever be, and how Windows users are clueless idiots."
If it is any consolation in many higher level languages "function()" performs a call and "function" returns ... a reference to the function. So, on a conceptual level it is pretty similar. In fact with Python it would have been more interesting as anything other than zero or an empty list is true, so that if statement would always execute. Just goes to show that no matter how powerful the language, it won't stop stupid/ignorant/careless, actually I think it is worse with interpreted languages as it is easier to write crap that still manages to run.
Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
Sure,
would not silently compile into something bad, but the following still would:
Linux user since early January 1992.
Lets not forget who caused the DHS to be set up, props to Bush and props to Osama
Ra! Ra! Ra! The US taxpayers!
and props to St Brendan, Lief Ericsson and John Cabot! Yaay!
so if I understand correctly, if I can set the suid-bit to another non-privileged user I'll be able to pass this check?
That is another and more general problem, namely implicit pointer to int cast.
The many implicit conversions have never been my favorite part of the language, and I try not to rely on them in the code I write.
...of this is: use a real programming language, in which comparing a function's name to an int is a syntactic error rather than a pointer operation.
The if block will be executed anyway, since the result of getuid() is either zero or non-zero.
A good programming language would catch that error: comparing a function address with 0 makes no sense, because the function address can never be 0. Referring to 'getuid' as a function pointer should be a mistake. The function pointer of 'getuid' should be '&getuid' (i.e. getting a reference to the function).
The above shows how broken C is (and C++ by extension), and that the software problems the IT industry has are mostly due to inferior programming languages.
Err , no. Try reading the quote again. You might understand it at
some point.
You shouldn't need to do a dist-update, upgrade should be fine - debian maintainers will almost certainly backport this if required.
It's a good job X11 is open source software, otherwise this bug may have gone un-noticed.
Never rely on 0 being a reasonable value for pointers. Use NULL.
I've seen too many programs segfault on AMD64 just because some lazy programmer wrote "0" as a pointer value to save typing the three more characters required to type "NULL". "0" is a 32 bit integer which turns out to be NOT equal to "NULL", a 64 bit pointer.
Functions are constant pointers in C. After all, what is a function but an address that the program jumps to. In this respect they are similar to arrays.
e.g.
int a [20];
int f() {}
a is a pointer. f is a pointer.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
I thought the size of all octets was 8 bits, and the size of a byte was between a number higher than about 6 and hopefully lower than 40. Historically speaking.
It's always been 8 bits, except during the energy crisis when pushing electrons around got a lil more expensive, they used 7 bits for a while. Measure the size of a 2x4 some time.
fnord.
So you can have both a variable geteuid and a function geteuid().
Actually, geteuid is a variable containing the address of the function geteuid. Appending () to geteuid simply calls the function at that address. The way you wrote it could be interpreted as geteuid and geteuid() being two separate entities.
calling the variable instead of the function
You don't really call variables, you refer to variables. :)
Lets try that again...
I may be being slightly thick here, but isn't it checking that
EITHER
uid == 0 (the process was started by root)
OR
euid != 0 (the effective user id is not root)
Now, the euid!=0 check is presumably to check the program is not suid root, but, because it's an 'or', the check would also be passed if the program was not started by root and *not* suid root? Checking the euid!=0 doesn't tell me much - because it can be almost anything - unless we also check the uid and suid to give context.
If you understand the situation better and can see why the code is correct, then I'd genuinely appreciate an explanation of the above.
Cheers,
Justin.
You're only jealous cos the little penguins are talking to me.
didn't they have the worst gov security rating? yet they have time to dig into
outside projects.. on security no less?
misappropriation of time maybe?
We have seen that living things are too improbable and too beautifully "designed" to have come into existence by chance.
Since the
Um. OK. I've been watching too much adult swim. I'll admit it.
Signatures are a waste of bandwi (buffering...)
You forget the Continental Congress, the United States Army (or whatever it was called during the Revolutionary War), the Congress that allowed DHS to be set up and funded, and of course the American agencies that trained Osama and crew during the Cold War.
Credit where credit is due, after all.
--Ender
Loose things are easy to lose. You're getting your hair cut. They're going there to see their aunt.
Live today, because you never know what tomorrow brings
In concept, there is a separate protocol and implementation of X. But the source has been available under a very permissive license since the very beginning. Because of this, the only thing I've ever seen that was reimplemented was the server (window server), everything else has just been compiled directly from the reference sources.
And even those window servers are compiled from sources derived from the reference sources, with patches.
Do you actually know of any implementations of X other than the two you mentioned? I tried to search for some and couldn't find any.
http://lkml.org/lkml/2005/8/20/95
the United States Army (or whatever it was called during the Revolutionary War),
Depends on who you asked.
To the British they were traitors and terrorists.
To the natives they were immigrants.
Today, they are mostly called hypocrites...
--Phillip
Can you say BIRTH TAX
The thing is, if it's not root and not setuid root, _it can't do anything dangerous_. This code is something that should only be allowed if the user is running as root (not just setuid root, as, AFAIK, X is by default to let it access hardware), and that's how it originally was. Recently, though, someone added the code to say that if it wasn't setuid root - in other words, if it can't do something harmful, if it's running with normal user privileges - it doesn't matter, let it try and execute the code anyway.
I don't know why you would run X with normal user privileges. I can't think of any such situations, but I'm not an X guru; perhaps it's related to the modularization of X.
If one of those entities wants to gain root access to your machine after it is confiscated, they would probably just boot it single user and change the root password.
Yes, and in 300+ comments, I wonder if anyone's mentioned that a good "hacker" "cracker" whatever you want to call him (security penetrator?) with a good hex editor, handmade if necessary could EASILY break a system... at least with OpenSource the bugs CAN be found... and oftentimes people stumble upon them when they run a search for kicks (I should know, I found a bug in RedHat 5.2... back when I was in college, using RedHat 5.2, and the only reason I found it was because I decided to test the actual software used so I could get some practice using debuggers and code/event tracers.) It was awesome watching the drivers take hits in memory as I moved the mouse about, etc. It's a truly liberating experience, probably the same as when someone finally understands our universe... it's just a step into a bigger world.
" What luck for rulers that men do not think" - Adolf Hitler
Sorry, I don't know that much about X11's development stuff. I thought maybe they were two separate things.
"You don't really call variables, you refer to variables. :)"
Whatever, you get my drift.
www.linuxpenguin.net
Ok, the more "correct" version is "win or draw under any conditions". However, if the game can continue forever, then that would be a valid "draw" condition, as neither side has lost. In chess, they have a three-repeat rule to avoid continuous cycles of this kind by just classing it as a stalemate.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Smashing explanation - thanks.
Justin.
You're only jealous cos the little penguins are talking to me.
Sorry, I don't know that much about X11's development stuff.
The problem isn't related to X11 at all, except for the fact that the bug occurred in the X Window System. Such a bug could have occurred in any C program.
Yes it is, according to GP:
"Actually, geteuid is a variable containing the address of the function geteuid."
Now I know it could've happened in other programs with other variables. I just didn't know what the geteuid variable was - maybe it was an int, maybe a boolean, maybe a String. . . to know that I'd have to know about X11's development stuff - read their source or something.
I haven't run into this yet, but I'm assuming the same thing could happen with ANY programming language (I know Java, for anyone who hasn't checked my site out).
www.linuxpenguin.net
Yes it is, according to GP
The bug occurred in X11, yes, but the problem itself is only related to the C/C++ programming languages.
I just didn't know what the geteuid variable was - maybe it was an int, maybe a boolean, maybe a String. . . to know that I'd have to know about X11's development stuff - read their source or something.
Actually you wouldn't have to. You would only need to know that geteuid() is a common system call on Unix and compatible systems. Knowing this, and the intricacies of the C programming language, is all that is required to understand the bug. geteuid is not an ordinary variable, it's a function. In the C programming language this means that the name of the function is a variable containing the address of the start of the function code.
I haven't run into this yet, but I'm assuming the same thing could happen with ANY programming language (I know Java, for anyone who hasn't checked my site out).
This could not happen in any programming language, only languages with function call semantics similar to C/C++. This bug cannot happen in e.g. Java, since the compiler would report it as an error.
Well I didn't know it was a common Unix system call. I don't really know anything about Unix-specific programming (most of my programming experience has been in Java).
I do know a thing or two about C++ programming. I just didn't know what geteuid was.
"This could not happen in any programming language, only languages with function call semantics similar to C/C++. This bug can not happen in e.g. Java, since the compiler would report it as an error."
The Java programming language was based off of C/C++ so it would be familiar for programmers and easier for them to switch from C/C++ to Java. So it's very possible that it would treat this bit of code the same way. Maybe, maybe not - I haven't tried it.
www.linuxpenguin.net
The Java programming language was based off of C/C++ so it would be familiar for programmers and easier for them to switch from C/C++ to Java. So it's very possible that it would treat this bit of code the same way. Maybe, maybe not - I haven't tried it.
I'm quite sure that such a bug is impossible. Remember that Java replaces the whole concept of pointers with references, and I don't think that Java allows references to functions. I assume that using the name of a function as a variable would produce a compile error.
It's great - a huge security flaw and it's treated as "whoops!" A typo, no less, treated as an oversight and no big deal.
Imagine what all you hippies would do if MS said something like this?
KF