systrace(1) patch


systrace(1) patch

dasn-4
Since I haven't installed X11, when I use systrace(1) followed only by a
command (without any options), I get:
    systrace: execvp: /usr/X11R6/bin/xsystrace: No such file or directory
This diff does a test to see whether xsystrace(1) is available or not
when calling systrace(1).


Index: systrace.c
===================================================================
RCS file: /cvs/src/bin/systrace/systrace.c,v
retrieving revision 1.50
diff -u -r1.50 systrace.c
--- systrace.c 3 May 2005 18:03:26 -0000 1.50
+++ systrace.c 11 Nov 2005 03:19:08 -0000
@@ -587,6 +587,7 @@
  int setcredentials = 0;
  uid_t cr_uid;
  gid_t cr_gid;
+ struct stat buf;
 
  while ((c = getopt(argc, argv, "c:aAeituUCd:g:f:p:")) != -1) {
  switch (c) {
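Review bot: the new `struct stat buf` declared here is only ever written by the `stat()` call in the next hunk and never read, since only the return value of `stat()` is tested; `access(2)` would do the same existence check without needing a buffer, and if a buffer is kept, `sb` is the name the rest of the tree uses for a throwaway stat buffer.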
@@ -650,6 +651,12 @@
 
  if (argc == 0 || (pidattach && *argv[0] != '/'))
  usage();
+
+ if (usex11 && stat(guipath, &buf) < 0) {
+ usex11 = 0; /* go to text mode */
+ /* fprintf(stderr, "Cannot access file: %s\n", guipath); */
+ }
+
 
  systrace_parameters();
 
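Review bot: the fallback at `if (usex11 && stat(guipath, &buf) < 0)` silently switches to text mode with its diagnostic left commented out (`/* fprintf(stderr, "Cannot access file: %s\n", guipath); */`), so a user who expected the GUI gets a different notification agent without being told; at minimum keep the `fprintf` active, and preferably keep the hard failure unless `-t` was given, since a security tool should not quietly change how it prompts. `stat()` also only tests that the path exists, not that it is executable, so `access(guipath, X_OK)` is closer to what `execvp` will require. Style point: the added `+` blank line directly before the existing blank line leaves two consecutive empty lines.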
Index: systrace.1
===================================================================
RCS file: /cvs/src/bin/systrace/systrace.1,v
retrieving revision 1.41
diff -u -r1.41 systrace.1
--- systrace.1 23 Apr 2005 09:36:47 -0000 1.41
+++ systrace.1 11 Nov 2005 03:19:06 -0000
@@ -69,8 +69,9 @@
 .Dq notification user agent ,
 normally
 .Xr xsystrace 1 ,
-unless text mode is specified via
-.Fl t .
+if
+.Xr xsystrace 1
+cannot be located, text mode will be used.
 .Pp
 When running in
 .Dq automatic enforcement


Re: systrace(1) patch

Theo de Raadt
I think the failure is the right thing to do.  I don't like security
software that fails over like that.


Re: systrace(1) patch

dasn-4
On Fri, Nov 11, 2005 at 06:22:02AM -0700, Theo de Raadt wrote:
> I think the failure is the right thing to do.  I don't like security
> software that fails over like that.
>

IMHO, it seems that this kind of failure information gives us a slight
indication that we SHOULD treat X11 as playing an important role in the whole
system, so does that mean the user is recommended to install it?


Re: systrace(1) patch

dasn-4
This is a new diff for systrace(1). It just changes the default behavior to
text mode instead of calling the "notification user agent", which cannot
be found in the base system. We can use the '-G' option to force the GUI
mode.

Index: systrace.c
===================================================================
RCS file: /cvs/src/bin/systrace/systrace.c,v
retrieving revision 1.50
diff -u -r1.50 systrace.c
--- systrace.c 3 May 2005 18:03:26 -0000 1.50
+++ systrace.c 12 Nov 2005 09:35:56 -0000
@@ -582,13 +582,13 @@
  char *policypath = NULL;
  struct timeval tv, tv_wait = {60, 0};
  pid_t pidattach = 0;
- int usex11 = 1, count;
+ int usex11 = 0, count;
  int background;
  int setcredentials = 0;
  uid_t cr_uid;
  gid_t cr_gid;
 
- while ((c = getopt(argc, argv, "c:aAeituUCd:g:f:p:")) != -1) {
+ while ((c = getopt(argc, argv, "c:aAeGituUCd:g:f:p:")) != -1) {
  switch (c) {
  case 'c':
  setcredentials = 1;
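Review bot: adding `G` to the getopt string and flipping `usex11` to `0` changes the documented default, but neither the `usage()` string nor systrace.1 is touched in this diff, so `-G` is undocumented and the man page still describes xsystrace(1) as the normal notification agent; update both in the same change.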
@@ -620,6 +620,9 @@
  case 'g':
  guipath = optarg;
  break;
+ case 'G':
+ usex11 = 1;
+ break;
  case 'C':
  cradle = 1;
  break;
@@ -635,7 +638,7 @@
  }
  break;
  case 't':
- usex11 = 0;
+ /* default mode */
  break;
  case 'U':
  userpolicy = 0;
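Review bot: with the default now text mode, `case 't':` becomes an empty no-op holding only the comment `/* default mode */`; either drop `t` from the getopt string (and from the man page) or say in the comment that it is kept for compatibility with existing invocations, otherwise a reader cannot tell whether the option is intentionally still accepted.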


Re: systrace(1) patch

Theo de Raadt
> This is a new diff for systrace(1). It just changes the default behavior to
> text mode instead of calling the "notification user agent", which cannot
> be found in the base system. We can use the '-G' option to force the GUI
> mode.

Please just install X, or use the option to say you are not using X.