pappy_mcfae Watchman
Posted: Thu May 08, 2008 11:06 pm Post subject: [HOW-TO] xscreensavers for user "root"
HOW-TO trick xscreensaver into working for those who log in as root user.
WARNING!
This document effectively tells you how to open a security hole in your system. A brief reading of the source code lets you know this in no uncertain terms. Therefore, if you decide to use the info contained in this document, you do so at your own risk. If you assess your risk to be minimal, and you desire the functionality of screen savers in your non-KDE windows manager, like XFCE perhaps, then this document is for you.
You assume total responsibility for any havoc this hack may wreak upon your system. Of course, if you operate as the root user, that's a risk anyway, so you're probably already aware of the risks. It is therefore assumed that from this point forward, you are fully aware there are risks involved with this operation, and no one is forcing you to do anything; even to read this document. By proceeding, you accept any and all consequences that may befall your system as a result of the actions described herein. Do not use this on a production system!
YOU HAVE BEEN WARNED!
Ok, now that we've got that out of the way, let's get down to the nitty-gritty.
Preparation:
1) Copy the version of xscreensaver (using xscreensaver-5.05 for this example) you wish to hack from your distfiles; most likely /usr/portage/distfiles, into a working directory.
2) Decompress the archive.
3) Copy the patch files from /usr/portage/x11-misc/xscreensaver/files into the extracted source directory.
4) Apply patches.
Hacking:
You are now ready to hack the source code. You will be concerned with only two files: /<src_dir>/driver/exec.c and /<src_dir>/driver/setuid.c. I don't know much about making patches, so if someone can make a patch out of this, please post it in this thread. Thanks.
1) exec.c. It is there that the root user rejection lies. It is easily commented out.
Starting on line 187
BEFORE:
Code:
    hairy_p = !!strpbrk (command, "*?$&!<>[];`'\\\"=");
    /* note: = is in the above because of the sh syntax "FOO=bar cmd". */

    if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
      {
        /* If you're thinking of commenting this out, think again.
           If you do so, you will open a security hole. Mail jwz
           so that he may enlighten you as to the error of your ways.
         */
        fprintf (stderr, "%s: we're still running as root! Disaster!\n",
                 blurb());
        exit (-1);
AFTER:
Code:
    hairy_p = !!strpbrk (command, "*?$&!<>[];`'\\\"=");
    /* note: = is in the above because of the sh syntax "FOO=bar cmd". */

    if (getuid() == (uid_t) 0 || geteuid() == (uid_t) 0)
      {
        /* If you're thinking of commenting this out, think again.
           If you do so, you will open a security hole. Mail jwz
           so that he may enlighten you as to the error of your ways.
        fprintf (stderr, "%s: we're still running as root! Disaster!\n",
                 blurb());
        exit (-1);*/
2) setuid.c. Don't let the red herrings fool you. There are only a few numbers that need to be changed, literally zeroes and ones. I simply change the forbidden user to user 1. Now the root user is no longer forbidden.
Starting at line 255.
BEFORE:
Code:
    {
      uid_t euid = geteuid();
      gid_t egid = getegid();
      uid_t uid = getuid();
      gid_t gid = getgid();

      si->orig_uid = strdup (uid_gid_string (euid, egid));

      if (uid != euid || gid != egid)
        if (set_ids_by_number (uid, gid, &si->uid_message) != 0)
          saver_exit (si, 1, 0);
    }
AFTER:
Code:
    {
      uid_t euid = geteuid();
      gid_t egid = getegid();
      uid_t uid = getuid();
      gid_t gid = getgid();

      si->orig_uid = strdup (uid_gid_string (euid, egid));

      if (uid != euid || gid != egid)
        if (set_ids_by_number (uid, gid, &si->uid_message) != 1)
          saver_exit (si, 1, 0);
    }
Once again, offer a bogus user ID that isn't 0
Starting at line 278
BEFORE:
Code:
    if (getuid() == (uid_t) 0)
      {
        si->locking_disabled_p = True;
        si->nolock_reason = "running as root";
      }
AFTER:
Code:
    if (getuid() == (uid_t) 1)
      {
        si->locking_disabled_p = True;
        si->nolock_reason = "running as root";
      }
Why stop there? If we're going, go all the way. I haven't tried this to see if it works. I don't lock my screen savers. Any feedback is appreciated. Allow locking for root.
Starting at line 297
BEFORE:
Code:
    if (getuid() == (uid_t) 0)
      {
        struct passwd *p;
        p = getpwnam ("nobody");
        if (! p) p = getpwnam ("noaccess");
        if (! p) p = getpwnam ("daemon");
        if (! p)
          {
AFTER:
Code:
    if (getuid() == (uid_t) 1)
      {
        struct passwd *p;
        p = getpwnam ("nobody");
        if (! p) p = getpwnam ("noaccess");
        if (! p) p = getpwnam ("daemon");
        if (! p)
          {
And finally, I finish out the lie in grand style.
Starting at line 329
BEFORE:
Code:
    {
      uid_t uid = getuid (); /* get it again */
      struct passwd *p = getpwuid (uid); /* get it again */

      if (!p ||
          uid == (uid_t) 0 ||
          uid == (uid_t) -1 ||
          uid == (uid_t) -2 ||
          p->pw_uid == (uid_t) 0 ||
          p->pw_uid == (uid_t) -1 ||
          p->pw_uid == (uid_t) -2 ||
          !p->pw_name ||
          !*p->pw_name ||
          !strcmp (p->pw_name, "root") ||
          !strcmp (p->pw_name, "nobody") ||
          !strcmp (p->pw_name, "noaccess") ||
          !strcmp (p->pw_name, "operator") ||
          !strcmp (p->pw_name, "daemon") ||
          !strcmp (p->pw_name, "bin") ||
          !strcmp (p->pw_name, "adm") ||
          !strcmp (p->pw_name, "sys") ||
          !strcmp (p->pw_name, "games"))
        {
          static char buf [1024];
          sprintf (buf, "running as %.100s",
                   (p && p->pw_name && *p->pw_name
                    ? p->pw_name : "<unknown>"));
          si->nolock_reason = buf;
          si->locking_disabled_p = True;
          si->dangerous_uid_p = True;
        }
    }
  }
AFTER:
Code:
    {
      uid_t uid = getuid (); /* get it again */
      struct passwd *p = getpwuid (uid); /* get it again */

      if (!p ||
          uid == (uid_t) 1 ||
          uid == (uid_t) -1 ||
          uid == (uid_t) -2 ||
          p->pw_uid == (uid_t) 1 ||
          p->pw_uid == (uid_t) -1 ||
          p->pw_uid == (uid_t) -2 ||
          !p->pw_name ||
          !*p->pw_name ||
          !strcmp (p->pw_name, "root") ||
          !strcmp (p->pw_name, "nobody") ||
          !strcmp (p->pw_name, "noaccess") ||
          !strcmp (p->pw_name, "operator") ||
          !strcmp (p->pw_name, "daemon") ||
          !strcmp (p->pw_name, "bin") ||
          !strcmp (p->pw_name, "adm") ||
          !strcmp (p->pw_name, "sys") ||
          !strcmp (p->pw_name, "games"))
        {
          static char buf [1024];
          sprintf (buf, "running as %.100s",
                   (p && p->pw_name && *p->pw_name
                    ? p->pw_name : "<unknown>"));
          si->nolock_reason = buf;
          si->locking_disabled_p = True;
          si->dangerous_uid_p = True;
        }
    }
  }
Now, root user has become user 1 instead of user 0.
Compiling:
Once the code has been hacked, it's time to run configure and make. Since I wanted the xscreensaver executables to operate as though they had been compiled when the original xscreensaver package was emerged using portage, I captured the argument passed to configure.
1) Configure using the following scripts; the 32-bit version:
Code:
./configure --prefix=/usr --host=i486-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --with-x-app-defaults=/usr/share/X11/app-defaults --with-hackdir=/usr/lib/misc/xscreensaver --with-configdir=/usr/share/xscreensaver/config --x-libraries=/usr/lib --x-includes=/usr/include --with-dpms-ext --with-xf86vmode-ext --with-xf86gamma-ext --with-proc-interrupts --with-xpm --with-xshm-ext --with-xdbe-ext --enable-locking --without-kerberos --without-gle --with-gtk --with-setuid-hacks --without-login-manager --without-xinerama-ext --with-gl --with-jpeg --build=i486-pc-linux-gnu
the 64-bit version:
Code:
./configure --prefix=/usr --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --with-x-app-defaults=/usr/share/X11/app-defaults --with-hackdir=/usr/lib64/misc/xscreensaver --with-configdir=/usr/share/xscreensaver/config --x-libraries=/usr/lib64 --x-includes=/usr/include --with-dpms-ext --with-xf86vmode-ext --with-xf86gamma-ext --with-proc-interrupts --with-xpm --with-xshm-ext --with-xdbe-ext --enable-locking --without-kerberos --without-gle --with-gtk --without-setuid-hacks --without-login-manager --without-xinerama-ext --with-pam --with-gl --with-jpeg --libdir=/usr/lib64 --build=x86_64-pc-linux-gnu
2) make
3) Copy the following files to /usr/bin: /<src_dir>/driver/xscreensaver, xscreensaver-command, xscreensaver-demo, xscreensaver-demo-Gtk, and xscreensaver-getimage.
4) Start xscreensavers.
5) Enjoy!
Blessed be!
Pappy
This space left intentionally blank, except for these ASCII symbols.
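As an added illustration (not code from the thread or from xscreensaver itself), the shell script below re-creates the dangerous-uid condition from the setuid.c excerpt above as a predicate, with the uid the C code compares against passed in as a parameter: 0 for the stock source, 1 after the edit. Running it shows what the "allow locking for root" step actually does: root is still caught by the unchanged name list (the strcmp against "root"), so locking stays disabled for a root login, and uid 1 (bin or daemon on a typical system) is flagged in addition. The three sample accounts are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from xscreensaver. Re-creates the
# "dangerous uid" condition in setuid.c as a shell predicate so the effect of
# the 0 -> 1 edit can be checked without compiling. FORBIDDEN is the numeric
# uid the C code compares against: 0 in the stock source, 1 after the hack.

# dangerous_uid FORBIDDEN UID NAME
# Succeeds (exit 0) when the C code would set dangerous_uid_p and
# locking_disabled_p for this account. An empty NAME stands for the
# "!p" / "!p->pw_name" cases. -1/-2 are listed both as written and in the
# 32-bit unsigned form they take after the (uid_t) cast.
dangerous_uid() {
    f=$1 u=$2 n=$3
    case $u in
        "$f"|-1|-2|4294967295|4294967294) return 0 ;;
    esac
    case $n in
        ""|root|nobody|noaccess|operator|daemon|bin|adm|sys|games) return 0 ;;
    esac
    return 1
}

# lock_reason FORBIDDEN UID NAME: the text that ends up in si->nolock_reason,
# or "locking enabled" when the account passes the test.
lock_reason() {
    if dangerous_uid "$1" "$2" "$3"; then
        printf 'running as %s\n' "${3:-<unknown>}"
    else
        printf 'locking enabled\n'
    fi
}

# report FORBIDDEN: run three constructed accounts through the predicate.
report() {
    forbidden=$1
    printf 'comparing against uid %s:\n' "$forbidden"
    for acct in "0 root" "1 daemon" "1000 pappy"; do
        set -- $acct
        printf '  uid %-4s %-7s -> %s\n' "$1" "$2" "$(lock_reason "$forbidden" "$1" "$2")"
    done
}

report 0   # stock build
report 1   # after the hack: root is still caught by the name list
```

The second report is the interesting one: the numeric test no longer matches uid 0, but the name test does, so a root session gets "running as root" either way and the edit only extends the blocked set to uid 1.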
olivier elmekki n00b
Posted: Fri May 09, 2008 11:30 pm
Sorry, but... I just can't get it. Why would one want to use xscreensaver as root?
blog : http://kikhome.net
professional site (french) : http://olivier-elmekki.com
pappy_mcfae Watchman
Posted: Sat May 10, 2008 3:47 am
Why might any user want screen savers? Should root user be denied eye candy? No, not at all. Now, those who want to operate as root user can do so with any GUI, and have screen savers. I fail to see what's so hard to fathom about that.
Blessed be!
Pappy
bunder Bodhisattva
Posted: Sat May 10, 2008 5:14 am
Moved from Desktop Environments to Unsupported Software.
Neddyseagoon wrote: The problem with leaving is that you can only do it once and it reduces your influence.
banned from #gentoo since sept 2017
olivier elmekki n00b
Posted: Sat May 10, 2008 10:16 am
Quote: Why might any user want screen savers?
You've got a point.
What I don't like about this is that it implies starting an X session as root (because otherwise, the screensaver could simply be run as a user). But yes, you've been informative enough about this at the very start, and maybe there are incredibly rare situations where it is necessary...
Making a patch is quite a simple process. Just go to the directory containing the old source dir and the new one, and run:
Code:
diff -rNau old new > appname.patch
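Worked through as an added example (not from the thread): the diff -rNau old new invocation above produces the patch, and patch -p1 run inside the unpacked source tree applies it, which is what step 4 of the first post's Preparation does with the distro's patch files. Everything here is constructed inside a temporary directory: the two trees, their contents and the patch name are assumptions, and nothing outside that directory is touched.

```shell
#!/bin/sh
# Added example, not from the thread. Builds two throwaway source trees,
# produces a unified patch from them with the diff invocation given above,
# applies it with patch -p1 onto a copy of the old tree, and checks that the
# result matches the new tree. Paths and file contents are constructed.

# make_trees: create old/ and new/ under a fresh temp dir; print that dir.
make_trees() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/old/driver" "$work/new/driver"
    printf 'int check = 0;\n' > "$work/old/driver/a.c"
    printf 'int check = 1;\n' > "$work/new/driver/a.c"
    printf '/* added file */\n' > "$work/new/driver/b.c"   # -N makes diff emit it
    printf '%s\n' "$work"
}

# make_patch WORKDIR: write appname.patch exactly as the post describes.
# diff exits 1 when the trees differ, which is the expected outcome here;
# only 2 (trouble) counts as failure.
make_patch() {
    ( cd "$1" || exit 2; diff -rNau old new > appname.patch; [ $? -le 1 ] )
}

# apply_patch WORKDIR: copy old/ to work/ and apply from inside it. -p1 drops
# the leading "old/" and "new/" components, the same layout a distro patch
# assumes when applied inside the unpacked source directory.
apply_patch() {
    cp -R "$1/old" "$1/work" &&
    ( cd "$1/work" && patch -p1 < ../appname.patch > /dev/null )
}

# patched_matches_new WORKDIR: true when every file in new/ is reproduced,
# including the file that only exists in new/.
patched_matches_new() {
    cmp -s "$1/work/driver/a.c" "$1/new/driver/a.c" &&
    cmp -s "$1/work/driver/b.c" "$1/new/driver/b.c"
}

# demo: run the round trip, clean up, and report the result by exit status.
demo() {
    w=$(make_trees) || return 1
    make_patch "$w" && apply_patch "$w" && patched_matches_new "$w"
    rc=$?
    rm -rf "$w"
    return $rc
}

if demo; then echo "patch round trip OK"; else echo "patch round trip FAILED"; fi
```

The -N flag is what makes a file that exists only in the new tree show up in the patch, so "apply on a pristine copy and compare" is a quick sanity check worth running before a patch is dropped into a files/ directory.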
pappy_mcfae Watchman
Posted: Sat May 10, 2008 6:15 pm
It is my experience that those who operate as root user are sure to get some measure of abuse, assuming your distro allows you to operate as root in the first place. When I was posting in LinuxQuestions.com, anyone who admitted to, or asked questions about, or offered advice on operating as root was sure to receive all manner of flame.
Yes, there are risks inherent in operating as root. However, my point is: who owns my computers, a bunch of people who didn't pay for them, don't maintain them, and don't have to dance with the devil when they go belly-up, or me? Whether I received the systems as a gift, as a barter, or whether I actually paid money to purchase them, they're my machines to do with as I please. Ayn Rand will back me up on this...well, not really, she's dead.
And yes, I understand that some people feel moved to inform me of how foolish and potentially dangerous my personal choice is in regards to having others take up the death-defying act of operating as root. And I also understand that a total n00b shouldn't take the risks I do.
But, if you look to the left of this message, you'll notice that I have achieved "Guru" status. While I'll gladly debate whether I qualify as Guru, the point remains I have more than a few years experience with Linux. While that experience has a large empty hole in the middle due to me abandoning Linux because I foolishly listened to a boss that told me there was no profit in working with free software, and Linux was a worthless passing fad, the point remains I didn't forget everything I learned the first time around.
So yes, I know the risks, and given the rest of what I deal with in a day, I'd say that worrying about whether someone is going to bring my computers crashing down is the least of them. I live and DRIVE in Dallas, Texas; in the heart of Tornado Alley and Soccer-Moms-In-SUV's-On-Cell-Phones "R" Us. I'm more scared about funnel clouds or Escalades than being root user.
Besides all that, what's the worst that can happen? I'll have to re-install Gentoo? Is that so bad considering I began using it because it was so cool to watch it compile my system? No. And even if I had to redo all of my systems, that would still be OK with me.
So, this hack is dedicated to all those who prefer to operate as root user. Whatever your reasons, you're not alone!
Blessed be!
Pappy
pappy_mcfae Watchman
Posted: Wed Aug 06, 2008 11:54 pm
At long last, I finally made the patch for this. It was built with xscreensaver-5.06, so it hiccups on 5.03-5.05, but it does work on all those versions.
Code:
--- /driver/exec.c 2008-07-05 06:31:59.000000000 -0500
+++ /filehold/xscreensaver-5.06-A/driver/exec.c 2008-08-05 03:55:46.000000000 -0500
@@ -191,10 +191,10 @@
/* If you're thinking of commenting this out, think again.
If you do so, you will open a security hole. Mail jwz
so that he may enlighten you as to the error of your ways.
- */
+
fprintf (stderr, "%s: we're still running as root! Disaster!\n",
blurb());
- exit (-1);
+ exit (-1); */
}
if (hairy_p)
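Review bot: moving the closing */ past exit (-1) leaves the getuid()/geteuid() == 0 test with an empty body, and nothing else in this hunk drops privileges, so once it is applied every display hack, including anything the hairy_p branch hands to the shell, is spawned with uid 0. The comment the hunk keeps ("you will open a security hole") is accurate; if the aim is only to see a saver while logged in as root, the defensible change at this spot is a switch to an unprivileged account before the exec, not removal of the guard.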
--- /driver/setuid.c 2006-02-08 20:33:29.000000000 -0600
+++ /filehold/xscreensaver-5.06-A/driver/setuid.c 2008-08-05 03:59:05.000000000 -0500
@@ -261,7 +261,7 @@
si->orig_uid = strdup (uid_gid_string (euid, egid));
if (uid != euid || gid != egid)
- if (set_ids_by_number (uid, gid, &si->uid_message) != 0)
+ if (set_ids_by_number (uid, gid, &si->uid_message) != 1)
saver_exit (si, 1, 0);
}
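Review bot: the != 0 to != 1 change inverts the result check instead of relaxing a root restriction. The original treats any non-zero return from set_ids_by_number as a failed privilege drop; with != 1 a successful drop (0) now calls saver_exit, and a failure returning anything other than 1 is accepted. Since the enclosing if (uid != euid || gid != egid) only runs when the binary is installed setuid, the hunk does nothing for a plain root login and should be left out.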
@@ -275,7 +275,7 @@
of the xscreensaver manual titled "LOCKING AND ROOT LOGINS",
and "USING XDM".
*/
- if (getuid() == (uid_t) 0)
+ if (getuid() == (uid_t) 1)
{
si->locking_disabled_p = True;
si->nolock_reason = "running as root";
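Review bot: with getuid() == (uid_t) 1 this block now disables locking for whatever account holds uid 1 (bin or daemon on a typical system) while nolock_reason still says "running as root". The comment kept just above the change points at the "LOCKING AND ROOT LOGINS" and "USING XDM" sections of the manual, which cover the supported way to get a saver on a root display; at minimum the message needs to match the new test.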
@@ -294,7 +294,7 @@
of the xscreensaver manual titled "LOCKING AND ROOT LOGINS",
and "USING XDM".
*/
- if (getuid() == (uid_t) 0)
+ if (getuid() == (uid_t) 1)
{
struct passwd *p;
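Review bot: this condition is what makes a root-started daemon switch itself to nobody (or noaccess, daemon) before continuing; retargeting it to uid 1 means a process started by root never takes that branch and keeps uid 0 for its whole run, which is exactly the state the exec.c abort removed in the first hunk was guarding against. The two hunks compound each other, so they need to be reviewed together rather than as independent one-character edits.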
@@ -331,10 +331,10 @@
struct passwd *p = getpwuid (uid); /* get it again */
if (!p ||
- uid == (uid_t) 0 ||
+ uid == (uid_t) 1 ||
uid == (uid_t) -1 ||
uid == (uid_t) -2 ||
- p->pw_uid == (uid_t) 0 ||
+ p->pw_uid == (uid_t) 1 ||
p->pw_uid == (uid_t) -1 ||
p->pw_uid == (uid_t) -2 ||
!p->pw_name ||
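Review bot: only the numeric uid comparisons are rewritten here; the !strcmp (p->pw_name, "root") test further down the same condition (visible in the full function quoted in the first post) is untouched, so a root login is still marked dangerous_uid_p with locking disabled, and the net effect of this hunk is to add uid 1 to the blocked set. It changes nothing for the stated goal and can be dropped.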
Enjoy!
Blessed be!
Pappy
hirakendu Guru
Posted: Mon Aug 11, 2008 8:54 am
Nice effort. I should say you are just one step away from ebuild hacking. I had been trying to get xscreensaver working under gnome as root, but there is no easy way. Fortunately, I am more of a kde user and it's not so unforgiving to root'ers. For the brief time I was using gnome, I used kdesktop_lock for locking the screen, etc. Although I don't remember if the lid functionality of my notebook worked. All said, there should be a bigger, fatter red warning about the consequences. Aside, I have been very, very pleased with Ubuntu's solution to both security and ease of use; it feels so much in control even as a regular user and yet pretty secure. I must say it's a formidable task and perhaps more important than even package management.
Helium Sources || Gentoo Minimal Livecd
pappy_mcfae Watchman
Posted: Mon Aug 11, 2008 9:03 am
I've already hacked an ebuild. Well, actually, I hacked the source code as per a bug report, and I used that hacked source along with an ebuild that was already in use. All I did to "hack" the ebuild was to change its name. Doing that, it called my "fixed" source code, and compiled. The bug prevented compilation.
I don't know it all. I sure wish I did. However, I'm working on it. One of these days, I might even add an ebuild to portage. Wouldn't that be a total geek hoot? I know it would be for me!
Blessed be!
Pappy
pappy_mcfae Watchman
Posted: Sun Mar 15, 2009 8:58 am
And, at long last, I debut the ebuild I made to simplify everything. It's not the best hack I've done, but it works.
Code:
# Copyright 1999-2009 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/x11-misc/xscreensaver/xscreensaver-5.08.ebuild,v 1.3 2009/01/19 15:09:11 ssuominen Exp $

EAPI=2

inherit autotools eutils flag-o-matic multilib pam

DESCRIPTION="A modular screen saver and locker for the X Window System"
SRC_URI="http://www.jwz.org/xscreensaver/${P}.tar.gz"
HOMEPAGE="http://www.jwz.org/xscreensaver"

LICENSE="BSD"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86 ~x86-fbsd"
IUSE="jpeg new-login opengl pam suid xinerama"

RDEPEND="x11-libs/libXmu
    x11-libs/libXxf86vm
    x11-libs/libXrandr
    x11-libs/libXxf86misc
    x11-libs/libXt
    x11-libs/libX11
    x11-libs/libXext
    x11-apps/xwininfo
    x11-apps/appres
    media-libs/netpbm
    >=dev-libs/libxml2-2.5
    >=x11-libs/gtk+-2
    >=gnome-base/libglade-1.99
    pam? ( virtual/pam )
    jpeg? ( media-libs/jpeg )
    opengl? ( virtual/opengl )
    xinerama? ( x11-libs/libXinerama )
    new-login? ( gnome-base/gdm )"
DEPEND="${RDEPEND}
    x11-proto/xf86vidmodeproto
    x11-proto/xextproto
    x11-proto/scrnsaverproto
    x11-proto/recordproto
    x11-proto/xf86miscproto
    sys-devel/bc
    dev-util/pkgconfig
    sys-devel/gettext
    dev-util/intltool
    xinerama? ( x11-proto/xineramaproto )"

src_prepare() {
    EPATCH_SUFFIX="patch" epatch "${FILESDIR}"/${PV}
    patch -p1 < "${FILESDIR}"/5.07/03_xscreensaver_root_uid_hack.patch
    eautoreconf #113681
}

src_configure() {
    unset BC_ENV_ARGS #24568

    econf \
        --with-x-app-defaults=/usr/share/X11/app-defaults \
        --with-hackdir=/usr/$(get_libdir)/misc/${PN} \
        --with-configdir=/usr/share/${PN}/config \
        --x-libraries=/usr/$(get_libdir) \
        --x-includes=/usr/include \
        --with-dpms-ext \
        --with-xf86vmode-ext \
        --with-xf86gamma-ext \
        --with-randr-ext \
        --with-proc-interrupts \
        --with-xshm-ext \
        --with-xdbe-ext \
        --enable-locking \
        --without-kerberos \
        --without-gle \
        --with-gtk \
        --with-pixbuf \
        --with-text-file=/etc/gentoo-release \
        $(use_with suid setuid-hacks) \
        $(use_with new-login login-manager) \
        $(use_with xinerama xinerama-ext) \
        $(use_with pam) \
        $(use_with opengl gl) \
        $(use_with jpeg)
}

src_compile() {
    if use ppc || use ppc64; then
        # Still fails to build "flurry" screensaver.
        filter-flags -mabi=altivec
        filter-flags -maltivec
        append-flags -U__VEC__
    fi

    emake -j1 || die "emake failed." #155049
}

src_install() {
    emake install_prefix="${D}" install || die "emake install failed."
    dodoc README{,.hacking}

    use pam && fperms 755 /usr/bin/${PN}
    pamd_mimic_system ${PN} auth

    # Collision with electricsheep, bug 135549
    rm -f "${D}"/usr/share/${PN}/config/{electricsheep,fireflies}.xml
}
The patch file is the one posted above this ebuild. It sure beats patching and compiling the old-fashioned way.
Blessed be!
Pappy
hirakendu Guru
Posted: Thu Mar 26, 2009 7:33 am
Almost forgot about this effort. Meanwhile, on a related note, for those using gnome, I have a modified gnome-session ebuild that disables the warning message when logging in as root and a modified gnome-screensaver ebuild that allows locking the screen when logged in as root. (Do create a desktop-lock-icon.) The ebuilds are in this portage archive. I used to use 'kdesktop_lock --forcelock' with kde 3.5, but in kde4 it has been replaced with '/usr/lib/kde4/libexec/krunner_lock --forcelock'.
While your xscreensaver patch is apparently benign and just disables the uid==0 check, it is simpler and safer to do with gnome-screensaver (patched in only one place) if using gnome, and possibly much safer if using kde and krunner_lock.
Meanwhile, I believe security is an important issue, but so is ease of use. I believe Ubuntu has done a great job of balancing both and hope the 'enhancements' are included upstream and/or in other distros too.
Btw, do I find fewer and fewer screensavers in the xscreensaver package these days? I don't see lorenz and euphoria (fortunately the kde versions are still present). Flurry was absent in Ubuntu 8.10, but still there in Gentoo, fortunately.
Ant P. Watchman
Posted: Fri Jun 20, 2014 10:32 pm
Wouldn't it be simpler to make /usr/bin/xscreensaver a wrapper script that runs the real binary as a non-root user? The objective here is to get it to run while logged in as root, not necessarily to get it to run as root itself. |
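To make the wrapper idea concrete, here is an added example script (not from the thread, and not part of xscreensaver or the Gentoo ebuild): the stock binary stays unmodified, and when the wrapper is invoked by uid 0 it hands a copy of the X cookie to a dedicated unprivileged account and re-executes the real binary as that account, so none of the source edits above are needed. The account name xsaver, the path /usr/bin/xscreensaver.real for the renamed binary, and the use of runuser(1) from util-linux and xauth(1) are assumptions; the account must exist, and the wrapper is expected to be installed under the name xscreensaver.

```shell
#!/bin/sh
# Added example, not from the thread, from xscreensaver or from the Gentoo
# ebuild. Wrapper installed as /usr/bin/xscreensaver after the stock binary
# has been renamed to REAL_BIN. Assumed names: the account "xsaver" must exist
# as an ordinary unprivileged user; runuser(1) (util-linux) and xauth(1) are
# assumed to be installed.
SAVER_USER=${SAVER_USER:-xsaver}
REAL_BIN=${REAL_BIN:-/usr/bin/xscreensaver.real}

# target_user UID: print the account the saver should run as when the caller
# is uid 0, nothing when the caller is already unprivileged. Fails if the
# configured account is root itself, so a misconfiguration cannot silently
# turn the wrapper into a no-op that still runs the saver as root.
target_user() {
    if [ "$1" -eq 0 ]; then
        [ "$SAVER_USER" != root ] || return 1
        printf '%s\n' "$SAVER_USER"
    fi
}

# share_cookie USER AUTHFILE: copy only the cookie for $DISPLAY into a private
# file owned by USER, so the unprivileged saver can connect to root's X server
# without being able to read root's whole .Xauthority.
share_cookie() {
    dst=$(mktemp /tmp/xsaver-auth.XXXXXX) || return 1
    xauth -f "$2" extract "$dst" "${DISPLAY:-:0}" || { rm -f "$dst"; return 1; }
    chown "$1" "$dst" && chmod 600 "$dst" && printf '%s\n' "$dst"
}

main() {
    target=$(target_user "$(id -u)") || { echo "refusing to run the saver as root" >&2; exit 1; }
    if [ -n "$target" ]; then
        auth=$(share_cookie "$target" "${XAUTHORITY:-$HOME/.Xauthority}") || exit 1
        exec runuser -u "$target" -- env "DISPLAY=${DISPLAY:-:0}" "XAUTHORITY=$auth" \
            "$REAL_BIN" "$@"
    fi
    exec "$REAL_BIN" "$@"
}

# Only act as the wrapper when installed under that name; running this file
# under any other name just defines the functions.
case ${0##*/} in
    xscreensaver) main "$@" ;;
esac
```

The privilege drop happens in the wrapper, before the real binary starts, so the binary's own root checks never fire and the display hacks run under the dedicated account rather than uid 0. The cookie copy is the one piece of state that has to cross the boundary; extracting a single display's cookie keeps the rest of root's authority file private.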