170 lines
		
	
	
		
			5.9 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
			
		
		
	
	
			170 lines
		
	
	
		
			5.9 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
| From 8d2f9bdeafbdca395c22bc051c508d967b178ff4 Mon Sep 17 00:00:00 2001
 | |
| From: John Wolfe <jwolfe@vmware.com>
 | |
| Date: Mon, 8 May 2023 19:04:57 -0700
 | |
| Subject: [PATCH] Remove some dead code.
 | |
| 
 | |
| RH-Author: Ani Sinha <None>
 | |
| RH-MergeRequest: 4: Remove some dead code.
 | |
| RH-Bugzilla: 2215566
 | |
| RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
 | |
| RH-Commit: [1/1] 4601ac4b341378b23d3afe8a9089c369061b45a5 (anisinha/centos-open-vm-tools)
 | |
| 
 | |
| Address CVE-2023-20867.
 | |
| Remove some authentication types which were deprecated long
 | |
| ago and are no longer in use. These are dead code.
 | |
| 
 | |
| Cherry-picked from
 | |
| https://github.com/vmware/open-vm-tools/blob/CVE-2023-20867.patch/2023-20867-Remove-some-dead-code.patch
 | |
| 
 | |
| Signed-off-by: Ani Sinha <anisinha@redhat.com>
 | |
| Signed-off-by: Kevin Lyons <kevin.x.lyons@oracle.com>
 | |
| Reviewed-by: Alex Burmashev <alexander.burmashev@oracle.com>
 | |
| ---
 | |
|  open-vm-tools/services/plugins/vix/vixTools.c | 102 ------------------
 | |
|  1 file changed, 102 deletions(-)
 | |
| 
 | |
| diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
 | |
| index 9f376a72..85c5ba74 100644
 | |
| --- a/open-vm-tools/services/plugins/vix/vixTools.c
 | |
| +++ b/open-vm-tools/services/plugins/vix/vixTools.c
 | |
| @@ -254,8 +254,6 @@ char *gImpersonatedUsername = NULL;
 | |
|  #define  VIX_TOOLS_CONFIG_API_AUTHENTICATION          "Authentication"
 | |
|  #define  VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS             "InfrastructureAgents"
 | |
|  
 | |
| -#define VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT  TRUE
 | |
| -
 | |
|  /*
 | |
|   * The switch that controls all APIs
 | |
|   */
 | |
| @@ -730,9 +728,6 @@ VixError GuestAuthSAMLAuthenticateAndImpersonate(
 | |
|  
 | |
|  void GuestAuthUnimpersonate();
 | |
|  
 | |
| -static Bool VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,
 | |
| -                                                     const char *typeName);
 | |
| -
 | |
|  #if SUPPORT_VGAUTH
 | |
|  
 | |
|  VGAuthError TheVGAuthContext(VGAuthContext **ctx);
 | |
| @@ -8013,29 +8008,6 @@ VixToolsImpersonateUser(VixCommandRequestHeader *requestMsg,   // IN
 | |
|                                            userToken);
 | |
|        break;
 | |
|     }
 | |
| -   case VIX_USER_CREDENTIAL_ROOT:
 | |
| -   {
 | |
| -      if ((requestMsg->requestFlags & VIX_REQUESTMSG_HAS_HASHED_SHARED_SECRET) &&
 | |
| -          !VixToolsCheckIfAuthenticationTypeEnabled(gConfDictRef,
 | |
| -                                            VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS)) {
 | |
| -          /*
 | |
| -           * Don't accept hashed shared secret if disabled.
 | |
| -           */
 | |
| -          g_message("%s: Requested authentication type has been disabled.\n",
 | |
| -                    __FUNCTION__);
 | |
| -          err = VIX_E_GUEST_AUTHTYPE_DISABLED;
 | |
| -          goto done;
 | |
| -      }
 | |
| -   }
 | |
| -   // fall through
 | |
| -
 | |
| -   case VIX_USER_CREDENTIAL_CONSOLE_USER:
 | |
| -      err = VixToolsImpersonateUserImplEx(NULL,
 | |
| -                                          credentialType,
 | |
| -                                          NULL,
 | |
| -                                          loadUserProfile,
 | |
| -                                          userToken);
 | |
| -      break;
 | |
|     case VIX_USER_CREDENTIAL_NAME_PASSWORD:
 | |
|     case VIX_USER_CREDENTIAL_NAME_PASSWORD_OBFUSCATED:
 | |
|     case VIX_USER_CREDENTIAL_NAMED_INTERACTIVE_USER:
 | |
| @@ -8204,36 +8176,6 @@ VixToolsImpersonateUserImplEx(char const *credentialTypeStr,         // IN
 | |
|           }
 | |
|        }
 | |
|  
 | |
| -      /*
 | |
| -       * If the VMX asks to be root, then we allow them.
 | |
| -       * The VMX will make sure that only it will pass this value in,
 | |
| -       * and only when the VM and host are configured to allow this.
 | |
| -       */
 | |
| -      if ((VIX_USER_CREDENTIAL_ROOT == credentialType)
 | |
| -            && (thisProcessRunsAsRoot)) {
 | |
| -         *userToken = PROCESS_CREATOR_USER_TOKEN;
 | |
| -
 | |
| -         gImpersonatedUsername = Util_SafeStrdup("_ROOT_");
 | |
| -         err = VIX_OK;
 | |
| -         goto quit;
 | |
| -      }
 | |
| -
 | |
| -      /*
 | |
| -       * If the VMX asks to be root, then we allow them.
 | |
| -       * The VMX will make sure that only it will pass this value in,
 | |
| -       * and only when the VM and host are configured to allow this.
 | |
| -       *
 | |
| -       * XXX This has been deprecated XXX
 | |
| -       */
 | |
| -      if ((VIX_USER_CREDENTIAL_CONSOLE_USER == credentialType)
 | |
| -            && ((allowConsoleUserOps) || !(thisProcessRunsAsRoot))) {
 | |
| -         *userToken = PROCESS_CREATOR_USER_TOKEN;
 | |
| -
 | |
| -         gImpersonatedUsername = Util_SafeStrdup("_CONSOLE_USER_NAME_");
 | |
| -         err = VIX_OK;
 | |
| -         goto quit;
 | |
| -      }
 | |
| -
 | |
|        /*
 | |
|         * If the VMX asks us to run commands in the context of the current
 | |
|         * user, make sure that the user who requested the command is the
 | |
| @@ -10914,50 +10856,6 @@ VixToolsCheckIfVixCommandEnabled(int opcode,                          // IN
 | |
|  }
 | |
|  
 | |
|  
 | |
| -/*
 | |
| - *-----------------------------------------------------------------------------
 | |
| - *
 | |
| - * VixToolsCheckIfAuthenticationTypeEnabled --
 | |
| - *
 | |
| - *    Checks to see if a given authentication type has been
 | |
| - *    disabled via the tools configuration.
 | |
| - *
 | |
| - * Return value:
 | |
| - *    TRUE if enabled, FALSE otherwise.
 | |
| - *
 | |
| - * Side effects:
 | |
| - *    None
 | |
| - *
 | |
| - *-----------------------------------------------------------------------------
 | |
| - */
 | |
| -
 | |
| -static Bool
 | |
| -VixToolsCheckIfAuthenticationTypeEnabled(GKeyFile *confDictRef,     // IN
 | |
| -                                         const char *typeName)      // IN
 | |
| -{
 | |
| -   char authnDisabledName[64]; // Authentication.<AuthenticationType>.disabled
 | |
| -   gboolean disabled;
 | |
| -
 | |
| -   Str_Snprintf(authnDisabledName, sizeof(authnDisabledName),
 | |
| -                VIX_TOOLS_CONFIG_API_AUTHENTICATION ".%s.disabled",
 | |
| -                typeName);
 | |
| -
 | |
| -   ASSERT(confDictRef != NULL);
 | |
| -
 | |
| -   /*
 | |
| -    * XXX Skip doing the strcmp() to verify the auth type since we only
 | |
| -    * have the one typeName (VIX_TOOLS_CONFIG_AUTHTYPE_AGENTS), and default
 | |
| -    * it to VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT.
 | |
| -    */
 | |
| -   disabled = VMTools_ConfigGetBoolean(confDictRef,
 | |
| -                                       VIX_TOOLS_CONFIG_API_GROUPNAME,
 | |
| -                                       authnDisabledName,
 | |
| -                                       VIX_TOOLS_CONFIG_INFRA_AGENT_DISABLED_DEFAULT);
 | |
| -
 | |
| -   return !disabled;
 | |
| -}
 | |
| -
 | |
| -
 | |
|  /*
 | |
|   *-----------------------------------------------------------------------------
 | |
|   *
 | |
| -- 
 | |
| 2.39.3
 | |
| 
 |