[102162] trunk/dports/sysutils/htop
cal at macports.org
cal at macports.org
Mon Jan 28 14:38:23 PST 2013
Revision: 102162
https://trac.macports.org/changeset/102162
Author: cal at macports.org
Date: 2013-01-28 14:38:23 -0800 (Mon, 28 Jan 2013)
Log Message:
-----------
htop: restore SUID root, add checks to prevent priv escalation
Modified Paths:
--------------
trunk/dports/sysutils/htop/Portfile
Added Paths:
-----------
trunk/dports/sysutils/htop/files/patch-suid-privchecks.diff
Removed Paths:
-------------
trunk/dports/sysutils/htop/files/patch-Makefile.am-setgid-procmod.diff
Modified: trunk/dports/sysutils/htop/Portfile
===================================================================
--- trunk/dports/sysutils/htop/Portfile 2013-01-28 22:12:03 UTC (rev 102161)
+++ trunk/dports/sysutils/htop/Portfile 2013-01-28 22:38:23 UTC (rev 102162)
@@ -10,7 +10,7 @@
epoch 1
version 0.8.2.1
-revision 2
+revision 3
name htop
categories sysutils
platforms darwin
@@ -22,7 +22,8 @@
long_description This is htop, ${description}. It is a text-mode \
application (for console or X terminals).
-patchfiles patch-Makefile.am-setgid-procmod.diff
+patch.args -p1
+patchfiles patch-suid-privchecks.diff
depends_build port:autoconf \
port:automake \
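Review bot: Nothing in the Portfile records that `patch-suid-privchecks.diff` is security-relevant. Per the log message the binary is installed SUID root again, and this patch carries the checks that are meant to make that acceptable. A comment above `patchfiles`, e.g. `# htop is installed setuid root; patch-suid-privchecks.diff must be kept and re-validated on every version update`, would keep a later update from dropping the patch if it stops applying cleanly.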
Deleted: trunk/dports/sysutils/htop/files/patch-Makefile.am-setgid-procmod.diff
===================================================================
--- trunk/dports/sysutils/htop/files/patch-Makefile.am-setgid-procmod.diff 2013-01-28 22:12:03 UTC (rev 102161)
+++ trunk/dports/sysutils/htop/files/patch-Makefile.am-setgid-procmod.diff 2013-01-28 22:38:23 UTC (rev 102162)
@@ -1,8 +0,0 @@
---- Makefile.am.orig 2013-01-27 20:29:54.000000000 +0100
-+++ Makefile.am 2013-01-27 20:30:13.000000000 +0100
-@@ -51,4 +51,4 @@
- $(MAKE) all CFLAGS="-ggdb -DDEBUGLITE"
-
- install-exec-hook:
-- chmod 4755 $(DESTDIR)$(bindir)/htop
-+ -chgrp procmod $(DESTDIR)$(bindir)/htop && chmod 2755 $(DESTDIR)$(bindir)/htop
Added: trunk/dports/sysutils/htop/files/patch-suid-privchecks.diff
===================================================================
--- trunk/dports/sysutils/htop/files/patch-suid-privchecks.diff (rev 0)
+++ trunk/dports/sysutils/htop/files/patch-suid-privchecks.diff 2013-01-28 22:38:23 UTC (rev 102162)
@@ -0,0 +1,74 @@
+diff --git a/OpenFilesScreen.c b/OpenFilesScreen.c
+index a312d0f..25b1904 100644
+--- a/OpenFilesScreen.c
++++ b/OpenFilesScreen.c
+@@ -76,8 +76,13 @@ static void OpenFilesScreen_draw(OpenFilesScreen* this) {
+ static OpenFiles_ProcessData* OpenFilesScreen_getProcessData(int pid) {
+ char command[1025];
+ snprintf(command, 1024, "lsof -p %d -F 2> /dev/null", pid);
++ uid_t euid = geteuid();
++ seteuid(getuid());
+ FILE* fd = popen(command, "r");
++ seteuid(euid);
+ OpenFiles_ProcessData* process = calloc(sizeof(OpenFiles_ProcessData), 1);
++ if (fd)
++ {
+ OpenFiles_FileData* file = NULL;
+ OpenFiles_ProcessData* item = process;
+ process->failed = true;
+@@ -107,6 +112,7 @@ static OpenFiles_ProcessData* OpenFilesScreen_getProcessData(int pid) {
+ item->data[cmd] = entry;
+ }
+ pclose(fd);
++ }
+ return process;
+ }
+
+diff --git a/Process.c b/Process.c
+index cd9a887..42c4fe0 100644
+--- a/Process.c
++++ b/Process.c
+@@ -587,12 +587,16 @@ Process_toggleTag( Process * this ) {
+
+ bool
+ Process_setPriority( Process * this, int priority ) {
+- int old_prio = getpriority( PRIO_PROCESS, this->pid );
+- int err = setpriority( PRIO_PROCESS, this->pid, priority );
+- if ( err == 0 && old_prio != getpriority( PRIO_PROCESS, this->pid ) ) {
+- this->nice = priority;
++ if ( Process_getuid == 0 || Process_getuid == this->st_uid ) {
++ int old_prio = getpriority( PRIO_PROCESS, this->pid );
++ int err = setpriority( PRIO_PROCESS, this->pid, priority );
++ if ( err == 0 && old_prio != getpriority( PRIO_PROCESS, this->pid ) ) {
++ this->nice = priority;
++ }
++ return ( err == 0 );
+ }
+- return ( err == 0 );
++ else
++ return false;
+ }
+
+ unsigned long
+@@ -607,7 +611,8 @@ Process_setAffinity( Process * this, unsigned long mask ) {
+
+ void
+ Process_sendSignal( Process * this, int signal ) {
+- kill( this->pid, signal );
++ if ( Process_getuid == 0 || Process_getuid == this->st_uid )
++ kill( this->pid, signal );
+ }
+
+ int
+diff --git a/TraceScreen.c b/TraceScreen.c
+index 19254f9..0fd86b6 100644
+--- a/TraceScreen.c
++++ b/TraceScreen.c
+@@ -70,6 +70,7 @@ void TraceScreen_run(TraceScreen* this) {
+ int child = fork();
+ if (child == -1) return;
+ if (child == 0) {
++ seteuid(getuid());
+ dup2(fdpair[1], STDERR_FILENO);
+ fcntl(fdpair[1], F_SETFL, O_NONBLOCK);
+ sprintf(buffer, "%d", this->process->pid);
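Review bot: None of the three added `seteuid()` calls has its return value checked (two around `popen()` in OpenFilesScreen_getProcessData, one in the forked child in TraceScreen_run), so if the drop fails the external command still runs with the set-uid effective UID and the invoking user's environment. In the child, fail closed with `if (seteuid(getuid()) != 0) _exit(1);`; around popen, make the call conditional, `FILE* fd = (seteuid(getuid()) == 0) ? popen(command, "r") : NULL;`, which the new `if (fd)` guard already handles. The restoring `seteuid(euid)` should be checked as well, since later privileged operations presumably depend on it. Separately, the Process.c checks compare against the cached `this->st_uid`, which may be stale if the PID was reused since the last scan; dropping the effective UID around `kill()` and `setpriority()` would leave the permission decision to the kernel. TraceScreen_run continues outside the hunk.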