[102162] trunk/dports/sysutils/htop

cal at macports.org cal at macports.org
Mon Jan 28 14:38:23 PST 2013


Revision: 102162
          https://trac.macports.org/changeset/102162
Author:   cal at macports.org
Date:     2013-01-28 14:38:23 -0800 (Mon, 28 Jan 2013)
Log Message:
-----------
htop: restore SUID root, add checks to prevent priv escalation

Modified Paths:
--------------
    trunk/dports/sysutils/htop/Portfile

Added Paths:
-----------
    trunk/dports/sysutils/htop/files/patch-suid-privchecks.diff

Removed Paths:
-------------
    trunk/dports/sysutils/htop/files/patch-Makefile.am-setgid-procmod.diff

Modified: trunk/dports/sysutils/htop/Portfile
===================================================================
--- trunk/dports/sysutils/htop/Portfile	2013-01-28 22:12:03 UTC (rev 102161)
+++ trunk/dports/sysutils/htop/Portfile	2013-01-28 22:38:23 UTC (rev 102162)
@@ -10,7 +10,7 @@
 
 epoch               1
 version             0.8.2.1
-revision            2
+revision            3
 name                htop
 categories          sysutils
 platforms           darwin
@@ -22,7 +22,8 @@
 long_description    This is htop, ${description}. It is a text-mode \
                     application (for console or X terminals).
 
-patchfiles          patch-Makefile.am-setgid-procmod.diff
+patch.args          -p1
+patchfiles          patch-suid-privchecks.diff
 
 depends_build       port:autoconf \
                     port:automake \

Deleted: trunk/dports/sysutils/htop/files/patch-Makefile.am-setgid-procmod.diff
===================================================================
--- trunk/dports/sysutils/htop/files/patch-Makefile.am-setgid-procmod.diff	2013-01-28 22:12:03 UTC (rev 102161)
+++ trunk/dports/sysutils/htop/files/patch-Makefile.am-setgid-procmod.diff	2013-01-28 22:38:23 UTC (rev 102162)
@@ -1,8 +0,0 @@
---- Makefile.am.orig	2013-01-27 20:29:54.000000000 +0100
-+++ Makefile.am	2013-01-27 20:30:13.000000000 +0100
-@@ -51,4 +51,4 @@
- 	$(MAKE) all CFLAGS="-ggdb -DDEBUGLITE"
- 
- install-exec-hook:
--	chmod 4755 $(DESTDIR)$(bindir)/htop
-+	-chgrp procmod $(DESTDIR)$(bindir)/htop && chmod 2755 $(DESTDIR)$(bindir)/htop

Added: trunk/dports/sysutils/htop/files/patch-suid-privchecks.diff
===================================================================
--- trunk/dports/sysutils/htop/files/patch-suid-privchecks.diff	                        (rev 0)
+++ trunk/dports/sysutils/htop/files/patch-suid-privchecks.diff	2013-01-28 22:38:23 UTC (rev 102162)
@@ -0,0 +1,74 @@
+diff --git a/OpenFilesScreen.c b/OpenFilesScreen.c
+index a312d0f..25b1904 100644
+--- a/OpenFilesScreen.c
++++ b/OpenFilesScreen.c
+@@ -76,8 +76,13 @@ static void OpenFilesScreen_draw(OpenFilesScreen* this) {
+ static OpenFiles_ProcessData* OpenFilesScreen_getProcessData(int pid) {
+    char command[1025];
+    snprintf(command, 1024, "lsof -p %d -F 2> /dev/null", pid);
++   uid_t euid = geteuid();
++   seteuid(getuid());
+    FILE* fd = popen(command, "r");
++   seteuid(euid);
+    OpenFiles_ProcessData* process = calloc(sizeof(OpenFiles_ProcessData), 1);
++   if (fd)
++   {
+    OpenFiles_FileData* file = NULL;
+    OpenFiles_ProcessData* item = process;
+    process->failed = true;
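Review bot: Both `seteuid()` calls added around `popen()` ignore their return value, so if `seteuid(getuid())` fails the `lsof` command line is still handed to the shell with the SUID-root effective uid. The drop can be verified by folding it into the call, `FILE* fd = (seteuid(getuid()) == 0) ? popen(command, "r") : NULL;`, which then falls into the new `if (fd)` guard. The TraceScreen.c hunk has the same unchecked `seteuid(getuid());` in the forked child; there the child should stop instead of continuing as root, e.g. `if (seteuid(getuid()) != 0) _exit(1);`. Both function bodies continue outside their hunks, so what runs after the drop is inferred from the visible lines only.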
+@@ -107,6 +112,7 @@ static OpenFiles_ProcessData* OpenFilesScreen_getProcessData(int pid) {
+       item->data[cmd] = entry;
+    }
+    pclose(fd);
++   }
+    return process;
+ }
+ 
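Review bot: When `popen()` returns NULL the new `if (fd)` block is skipped and `return process` hands back the freshly `calloc`'d struct, whose `failed` field is still zero because `process->failed = true;` now sits inside the guarded block (see the first OpenFilesScreen.c hunk). A caller that tests `failed` would presumably treat this as a successful but empty listing. Moving `process->failed = true;` above `if (fd)` keeps the failure visible. The `calloc` result is also used without a NULL check. The middle of the function lies outside both hunks, so where `failed` is cleared cannot be confirmed from here.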
+diff --git a/Process.c b/Process.c
+index cd9a887..42c4fe0 100644
+--- a/Process.c
++++ b/Process.c
+@@ -587,12 +587,16 @@ Process_toggleTag( Process * this ) {
+ 
+ bool
+ Process_setPriority( Process * this, int priority ) {
+-  int old_prio = getpriority( PRIO_PROCESS, this->pid );
+-  int err = setpriority( PRIO_PROCESS, this->pid, priority );
+-  if ( err == 0 && old_prio != getpriority( PRIO_PROCESS, this->pid ) ) {
+-    this->nice = priority;
++  if ( Process_getuid == 0 || Process_getuid == this->st_uid ) {
++    int old_prio = getpriority( PRIO_PROCESS, this->pid );
++    int err = setpriority( PRIO_PROCESS, this->pid, priority );
++    if ( err == 0 && old_prio != getpriority( PRIO_PROCESS, this->pid ) ) {
++      this->nice = priority;
++    }
++    return ( err == 0 );
+   }
+-  return ( err == 0 );
++  else
++    return false;
+ }
+ 
+ unsigned long
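Review bot: The new guard in `Process_setPriority` compares `Process_getuid` with `this->st_uid`, a value stored on the Process struct rather than read at call time, and then calls `setpriority()` while the effective uid is presumably still root. If the pid has exited and been reused by another user's process since that value was recorded, the stale match lets the call through and the kernel will not refuse it. Dropping the effective uid around the call, as the OpenFilesScreen.c hunk does for `popen()`, moves the ownership check into the kernel at call time: `uid_t euid = geteuid(); if (seteuid(getuid()) == 0) { err = setpriority( PRIO_PROCESS, this->pid, priority ); seteuid(euid); }`. The same applies to the `kill()` guard in the `Process_sendSignal` hunk. `Process_getuid` is not declared in either hunk, so it is assumed here to be a cached `getuid()` value rather than a function.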
+@@ -607,7 +611,8 @@ Process_setAffinity( Process * this, unsigned long mask ) {
+ 
+ void
+ Process_sendSignal( Process * this, int signal ) {
+-  kill( this->pid, signal );
++    if ( Process_getuid == 0 || Process_getuid == this->st_uid )
++        kill( this->pid, signal );
+ }
+ 
+ int
+diff --git a/TraceScreen.c b/TraceScreen.c
+index 19254f9..0fd86b6 100644
+--- a/TraceScreen.c
++++ b/TraceScreen.c
+@@ -70,6 +70,7 @@ void TraceScreen_run(TraceScreen* this) {
+    int child = fork();
+    if (child == -1) return;
+    if (child == 0) {
++      seteuid(getuid());
+       dup2(fdpair[1], STDERR_FILENO);
+       fcntl(fdpair[1], F_SETFL, O_NONBLOCK);
+       sprintf(buffer, "%d", this->process->pid);