From 37842edd9695fa5073ef313f85d54c570cb16fe5 Mon Sep 17 00:00:00 2001 From: John Wolfe Date: Mon, 8 May 2023 19:04:57 -0700 Subject: [PATCH] Remove some dead code. RH-Author: Ani Sinha RH-MergeRequest: 15: Remove some dead code. RH-Bugzilla: 2215563 RH-Acked-by: Vitaly Kuznetsov RH-Acked-by: Cathy Avery RH-Acked-by: Miroslav Rezanina RH-Commit: [1/1] d0172d67defde68ce7751302d7df5432e0053a9a Address CVE-2023-20867. Remove some authentication types which were deprecated long ago and are no longer in use. These are dead code. Cherry-picked from https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch Signed-off-by: Ani Sinha --- open-vm-tools/services/plugins/vix/vixTools.c | 102 ------------------ 1 file changed, 102 deletions(-) diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c index 9f376a72..85c5ba74 100644 --- a/open-vm-tools/services/plugins/vix/vixTools.c +++ b/open-vm-tools/services/plugins/vix/vixTools.c @@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL; #define VIX_TOOLS_CONFIG_API_AUTHENTICATION "Authentication" #define VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS "InfrastructureAgents" -#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT TRUE - /* * The switch that controls all APIs */ @@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate( void GuestAuthUnimpersonate(); -static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, - const char *typeName); - #if SUPPORT_VGAUTH VGAuthError TheVGAuthContext(VGAuthContext **ctx); @@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg, // IN userToken); break; } - case VIX_USER_CREDENTIAL_ROOT: - { - if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) && - !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef, - VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) { - /* - * Don't accept hashed shared secret if disabled. - */ - g_message("%s: Requested authentication type has been disabled.\n", - __FUNCTION__); - err = VIX_E_GUEST_AUTHTYPE_DISABLED; - goto done; - } - } - // fall through - - case VIX_USER_CREDENTIAL_CONSOLE_USER: - err = VixToolsImpersonateUserImplEx(NULL, - credentialType, - NULL, - loadUserProfile, - userToken); - break; case VIX_USER_CREDENTIAL_NAME_PASSWORD: case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED: case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER: @@ -8204,36 +8176,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr, // IN } } - /* - * If the VMX asks to be root, then we allow them. - * The VMX will make sure that only it will pass this value in, - * and only when the VM and host are configured to allow this. - */ - if ((VIX_USER_CREDENTIAL_ROOT == credentialType) - && (thisProcessRunsAsRoot)) { - *userToken = PROCESS_CREATOR_USER_TOKEN; - - gImpersonatedUsername = Util_SafeStrdup("_ROOT_"); - err = VIX_OK; - goto quit; - } - - /* - * If the VMX asks to be root, then we allow them. - * The VMX will make sure that only it will pass this value in, - * and only when the VM and host are configured to allow this. - * - * XXX This has been deprecated XXX - */ - if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType) - && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) { - *userToken = PROCESS_CREATOR_USER_TOKEN; - - gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_"); - err = VIX_OK; - goto quit; - } - /* * If the VMX asks us to run commands in the context of the current * user, make sure that the user who requested the command is the @@ -10914,50 +10856,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode, // IN } -/* - *----------------------------------------------------------------------------- - * - * VixToolsCheckIfAuthenticationTypeEnabled -- - * - * Checks to see if a given authentication type has been - * disabled via the tools configuration. - * - * Return value: - * TRUE if enabled, FALSE otherwise. - * - * Side effects: - * None - * - *----------------------------------------------------------------------------- - */ - -static Bool -VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef, // IN - const char *typeName) // IN -{ - char authnDisabledName[64]; // Authentication..disabled - gboolean disabled; - - Str_Snprintf(authnDisabledName, sizeof(authnDisabledName), - VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled", - typeName); - - ASSERT(confDictRef != NULL); - - /* - * XXX Skip doing the strcmp() to verify the auth type since we only - * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default - * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT. - */ - disabled = VMTools_ConfigGetBoolean(confDictRef, - VIX_TOOLS_CONFIG_API_GROUPNAME, - authnDisabledName, - VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT); - - return !disabled; -} - - /* *----------------------------------------------------------------------------- * -- 2.37.3