From owner-freebsd-cvsweb@FreeBSD.ORG Tue Dec 14 15:08:13 2004
Date: Tue, 14 Dec 2004 16:08:10 +0100
From: Kasparek Tomas
To: freebsd-cvsweb@freebsd.org
Message-ID: <20041214150809.GM93532@fit.vutbr.cz>
Subject: Patch for non-anonymous CVS access

Hello,

I include a patch with the changes I used to allow access to a non-anonymous CVS repository. It runs the CGI script with suidperl as root and changes to the UID and GID of the authenticated user as soon as possible. This is enough to make it work; it then just adds the name of the user (via a really simple hack). (The patch is against 3.0.4.)

Bye

-- 
Tomas Kasparek, PhD student            E-mail: kasparek@fit.vutbr.cz
CVT FIT VUT Brno, BI/140a              Web: http://www.fit.vutbr.cz/~kasparek
Bozetechova 2, 612 66                  Fax: +420 54114-1270
Brno, Czech Republic                   Phone: +420 54114-1220
ICQ: 293092805                         jabber:tomas.kasparek@jabber.cz
GPG: 2F1E 1AAF FD3B CFA3 1537 63BD DCBE 18FF A035 53BC

Content-Disposition: attachment; filename=cvsweb-patch
--- cvsweb.cgi 2004-11-06 09:47:21.000000000 +0100 +++ cvsweb 2004-12-14 15:58:46.812235616 +0100 @@ -1,4 +1,4 @@ -#!/usr/bin/perl -T +#!/usr/bin/suidperl -T -W # # cvsweb - a CGI interface to CVS trees. # @@ -88,7 +88,7 @@ $allow_tar @tar_options @gzip_options @zip_options @cvs_options @annotate_options @rcsdiff_options $HTML_DOCTYPE $HTML_META $cssurl $CSS $cvshistory_url - $allow_enscript @enscript_options %enscript_types + $allow_enscript @enscript_options %enscript_types $UID $USER ); use Cwd qw(abs_path cwd); 
@@ -208,6 +208,31 @@ # Get rid of unsafe environment vars. Don't do this in BEGIN... delete(@ENV{qw(PATH IFS CDPATH ENV BASH_ENV)}); +#------------------------------------------------- +#Added by Si + +# Get rid of EUID of root + +#is there something reasonable there? +if ($ENV{REMOTE_USER} =~ /^([a-zA-Z0-9]+)$/) { + $UID=getpwnam($1); # $data now untainted +} + +if (! defined $UID) { + #bad user - use Real UID instead + $UID = $<; + print "Unknown user $ENV{REMOTE_USER}, using ". getpwuid($UID) . "

\n"; +} + +#set it as EUID - never can get UID of 0 back! +$USER= getpwuid($UID); + +$) = `/usr/bin/id -G $USER = $UID; + +#End of modification by Si +#------------------------------------------------- + my ($mydir) = (dirname($0) =~ /(.*)/); # untaint # == EDIT this == @@ -4294,7 +4319,12 @@ $title $HTML_META$CSS -$l

$title

+$l

$title


+
+ +Logged in as user: $USER + +
EOH }
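Review bot: Changing the interpreter to suidperl in the hunk at @@ -1,4 +1,4 @@ means everything between the shebang and the privilege drop inserted after line 208 (module loading, the environment cleanup, the config globals) executes with an effective UID of 0; the cover note promises a drop "as soon as possible", so the header comment should document that the script must be installed setuid root for this to work at all, and exactly which code still runs as root before the drop. Adding `-W` next to `-T` also enables all warnings for the whole script, which changes what the existing code writes to the server error log; worth a mention in the change description.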
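Review bot: The privilege drop in the hunk at @@ -208,6 +208,31 @@ has no lower bound on the resolved UID: `getpwnam($1)` returns 0 for an account whose name passes `/^([a-zA-Z0-9]+)$/`, `defined $UID` is then true, and the script keeps running as root; treat `$UID == 0` (and ideally anything below the site's first real user UID) as "bad user" and take the fallback path. That fallback, `print "Unknown user $ENV{REMOTE_USER}, using ...`, writes the very value that just failed validation into the response body unescaped, and does so before any HTTP header has been emitted, so it should go to STDERR (the server error log) instead of to the client. The comment `# $data now untainted` names a variable that does not exist in this block; it is `$UID` that was untainted by the capture. Finally, the line `$) = \`/usr/bin/id -G $USER = $UID;` as posted has an unterminated backtick, so the assignment to the real and effective UID cannot be reviewed from this copy; please resend the patch as an attachment that survives intact, and consider building the group list with getgrent()/getpwnam() rather than shelling out to id from a setuid script.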
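Review bot: The hunk at @@ -4294,7 +4319,12 @@ arrived garbled (repeated `$title` lines and a stray `+$l`), so it cannot be applied as posted; please resend. The one readable added line, `Logged in as user: $USER`, interpolates `$USER` into the HTML body without escaping; it comes from getpwuid(), so the exposure is small, but it should go through the same HTML quoting the rest of the template applies to interpolated values so an unusual account name cannot break the markup.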