diff -Nru open-vm-tools-12.3.0/ReleaseNotes.md open-vm-tools-12.3.5/ReleaseNotes.md --- open-vm-tools-12.3.0/ReleaseNotes.md 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/ReleaseNotes.md 2023-10-26 15:39:15.000000000 +0000 @@ -1,8 +1,8 @@ -# open-vm-tools 12.3.0 Release Notes +# open-vm-tools 12.3.5 Release Notes -Updated on: 31 August 2023 +Updated on: 26 October 2023 -open-vm-tools | 31 AUGUST 2023 | Build 22234872 +open-vm-tools | 26 OCTOBER 2023 | Build 22544099 Check back for additions and updates to these release notes. @@ -10,7 +10,7 @@ The release notes cover the following topics: -- [open-vm-tools 12.3.0 Release Notes](#open-vm-tools-1230-release-notes) +- [open-vm-tools 12.3.5 Release Notes](#open-vm-tools-1235-release-notes) - [What's in the Release Notes](#whats-in-the-release-notes) - [What's New](#whats-new) - [End of Feature Support Notice](#end-of-feature-support-notice) @@ -22,13 +22,15 @@ ## What's New -This release resolves CVE-2023-20900. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html. +* This release resolves CVE-2023-34058. For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0024.html. + +* This release resolves CVE-2023-34059 which only affects open-vm-tools. * Please see the [Resolved Issues](#resolvedissues) and [Known Issues](#knownissues) sections below. -* A complete list of the granular changes in the open-vm-tools 12.3.0 release is available at: +* A complete list of the granular changes in the open-vm-tools 12.3.5 release is available at: - [open-vm-tools ChangeLog](https://github.com/vmware/open-vm-tools/blob/stable-12.3.0/open-vm-tools/ChangeLog) + [open-vm-tools ChangeLog](https://github.com/vmware/open-vm-tools/blob/stable-12.3.5/open-vm-tools/ChangeLog) ## End of Feature Support Notice 
@@ -38,7 +40,7 @@ ## Internationalization -open-vm-tools 12.3.0 is available in the following languages: +open-vm-tools 12.3.5 is available in the following languages: * English * French 
@@ -60,66 +62,32 @@ ## Resolved Issues -* **This release resolves CVE-2023-20900.** - - For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html. - -* **Linux quiesced snapshot: "SyncDriver: failed to freeze '_filesystem_'"** - - The open-vm-tools 12.2.0 release had an update to the Linux quiesced snapshot operation that would avoid starting a quiesced snapshot if a filesystem had already been frozen by another process. See the [Resolved Issues](https://github.com/vmware/open-vm-tools/blob/stable-12.2.0/ReleaseNotes.md#-resolved-issues) section in the open-vm-tools 12.2.0 Release Notes. That fix may have been backported into earlier versions of open-vm-tools by Linux vendors. - - It is possible that filesystems are being frozen in custom pre-freeze scripts to control the order in which those specific filesystems are to be frozen. The vmtoolsd process **must be informed** of all such filesystems with the help of "excludedFileSystems" setting of tools.conf. - - ``` - [vmbackup] - - excludedFileSystems=/opt/data,/opt/app/project-*,... - ``` - - A temporary workaround is available (starting from open-vm-tools 12.3.0) for system administrators to quickly allow a quiescing operation to succeed until the "excludedFileSystems" list can be configured. Note, if another process thaws the file system while a quiescing snapshot operation is ongoing, the snapshot may be compromised. Once the "excludedFileSystems" list is configured this setting MUST be unset (or set to false). - - ``` - [vmbackup] - - ignoreFrozenFileSystems = true - ``` - - This workaround is provided in the source file changes in - - https://github.com/vmware/open-vm-tools/commit/60c3a80ddc2b400366ed05169e16a6bed6501da2 - - and at Linux vendors' discretion, may be backported to earlier versions of open-vm-tools. 
- -* **A number of Coverity reported issues have been addressed.** +* **This release resolves CVE-2023-34058.** -* **Component Manager / salt-minion: New InstallStatus "UNMANAGED".** + For more information on this vulnerability and its impact on VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0024.html. - Salt-minion added support for "ExternalInstall" (106) to indicate an older version of salt-minion is installed on the vm and cannot be managed by the svtminion.* scripts. The Component Manager will track that as "UNMANAGED" and take no action. + open-vm-tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H -* **The following pull requests and issues have been addressed** + A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias. - * Add antrea and calico interface pattern to GUESTINFO_DEFAULT_IFACE_EXCLUDES + Note: While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that must be addressed. - [Issue #638](https://github.com/vmware/open-vm-tools/issues/638) - [Pull request #639](https://github.com/vmware/open-vm-tools/pull/639) + A patch for earlier versions of open-vm-tools is available at [CVE-2023-34058.patch](https://github.com/vmware/open-vm-tools/blob/CVE-2023-34058.patch). - * Invalid argument with "\\" in Linux username (Active Directory user) +* **This release resolves CVE-2023-34059.** - [Issue #641](https://github.com/vmware/open-vm-tools/issues/641) + open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. 
VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.4. - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - * Improve POSIX guest identification + A malicious actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to simulate user inputs. - [Issue #647](https://github.com/vmware/open-vm-tools/issues/647) - [Issue #648](https://github.com/vmware/open-vm-tools/issues/648) + A patch for earlier versions of open-vm-tools is available at [CVE-2023-34059.patch](https://github.com/vmware/open-vm-tools/blob/CVE-2023-34059.patch). - * Remove appUtil library which depends on deprecated "gdk-pixbuf-xlib" +* **The following github.com/vmware/open-vm-tools issue have been addressed** - [Issue #658](https://github.com/vmware/open-vm-tools/issues/658) + * Better cooperation between deployPkg plugin and cloud-init concerning location of 'disable_vmware_customization' flag. - * Fix build problems with grpc + [Issue #310](https://github.com/vmware/open-vm-tools/issues/310) - [Pull request #664](https://github.com/vmware/open-vm-tools/pull/664) - [Issue #676](https://github.com/vmware/open-vm-tools/issues/676) ## Known Issues diff -Nru open-vm-tools-12.3.0/debian/.gitlab-ci.yml open-vm-tools-12.3.5/debian/.gitlab-ci.yml --- open-vm-tools-12.3.0/debian/.gitlab-ci.yml 2023-09-06 06:56:32.000000000 +0000 +++ open-vm-tools-12.3.5/debian/.gitlab-ci.yml 2023-12-05 18:41:25.000000000 +0000 
@@ -9,6 +9,8 @@ SALSA_CI_DISABLE_BLHC: 0 SALSA_CI_DISABLE_LINTIAN: 0 SALSA_CI_DISABLE_PIUPARTS: 0 - SALSA_CI_DISABLE_REPROTEST: 1 + SALSA_CI_DISABLE_REPROTEST: 0 SALSA_CI_DISABLE_BUILD_PACKAGE_ALL: 0 SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 0 + SALSA_CI_DISABLE_CROSSBUILD_ARM64: 1 + SALSA_CI_REPROTEST_ENABLE_DIFFOSCOPE: 1 diff -Nru open-vm-tools-12.3.0/debian/changelog open-vm-tools-12.3.5/debian/changelog --- open-vm-tools-12.3.0/debian/changelog 2023-10-27 11:24:07.000000000 +0000 +++ open-vm-tools-12.3.5/debian/changelog 2023-12-05 21:18:07.000000000 +0000 @@ -1,3 +1,36 @@ +open-vm-tools (2:12.3.5-3~ubuntu0.23.10.1) mantic; urgency=medium + + * Backport recent open-vm-tools release v12.3.5 + (LP: #2028420) + + -- Bryce Harrington Tue, 05 Dec 2023 13:18:07 -0800 + +open-vm-tools (2:12.3.5-3) unstable; urgency=medium + + * [7699f7a] Fix typo in last upload + + -- Bernd Zeimetz Mon, 27 Nov 2023 16:29:44 +0100 + +open-vm-tools (2:12.3.5-2) unstable; urgency=medium + + * [80ed173] Disable arm cross-build + * [61a0f4d] (Temporarily) build with diffoscope + * [d929c44] Fix containerinfo plugin directory. + Thanks to John Wolfe (Closes: #1056205) + + -- Bernd Zeimetz Mon, 27 Nov 2023 15:50:13 +0100 + +open-vm-tools (2:12.3.5-1) unstable; urgency=high + + * [1b07bee] Remove api doc build dir with dh_clean. + Thanks to Lucas Nussbaum (Closes: #1046018) + * [de2e0ba] New upstream version 12.3.5 (Closes: #1054662) + - New upstream release fixes two CVEs: + CVE-2023-34059 CVE-2023-34058 + Closes: #1054666 + + -- Bernd Zeimetz Sat, 28 Oct 2023 01:41:22 +0200 + open-vm-tools (2:12.3.0-1ubuntu0.1) mantic-security; urgency=medium * SECURITY UPDATE: SAML Bypass diff -Nru open-vm-tools-12.3.0/debian/clean open-vm-tools-12.3.5/debian/clean --- open-vm-tools-12.3.0/debian/clean 2023-09-06 06:56:32.000000000 +0000 +++ open-vm-tools-12.3.5/debian/clean 2023-12-05 18:41:00.000000000 +0000 
@@ -1 +1,2 @@ debian/open-vm-tools-dkms.dkms +open-vm-tools/docs/api/build/ diff -Nru open-vm-tools-12.3.0/debian/patches/CVE-2023-34058.patch open-vm-tools-12.3.5/debian/patches/CVE-2023-34058.patch --- open-vm-tools-12.3.0/debian/patches/CVE-2023-34058.patch 2023-10-27 11:19:07.000000000 +0000 +++ open-vm-tools-12.3.5/debian/patches/CVE-2023-34058.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,237 +0,0 @@ -From 6822b5a84f8cfa60d46479d6b8f1c63eb85eac87 Mon Sep 17 00:00:00 2001 -From: John Wolfe -Date: Wed, 18 Oct 2023 09:04:07 -0700 -Subject: [PATCH] Address CVE-2023-34058 - -VGAuth: don't accept tokens with unrelated certs. - ---- - open-vm-tools/vgauth/common/certverify.c | 145 ++++++++++++++++++++++++ - open-vm-tools/vgauth/common/certverify.h | 4 + - open-vm-tools/vgauth/common/prefs.h | 2 + - open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c | 14 +++ - 4 files changed, 165 insertions(+) - -diff --git a/open-vm-tools/vgauth/common/certverify.c b/open-vm-tools/vgauth/common/certverify.c -index 0ed78ed..e1d7cc6 100644 ---- a/open-vm-tools/vgauth/common/certverify.c -+++ b/open-vm-tools/vgauth/common/certverify.c -@@ -914,3 +914,148 @@ done: - - return err; - } -+ -+ -+/* -+ * Finds a cert with a subject (if checkSubj is set) or issuer (if -+ * checkSUbj is unset), matching 'val' in the list -+ * of certs. Returns a match or NULL. -+ */ -+ -+static X509 * -+FindCert(GList *cList, -+ X509_NAME *val, -+ int checkSubj) -+{ -+ GList *l; -+ X509 *c; -+ X509_NAME *v; -+ -+ l = cList; -+ while (l != NULL) { -+ c = (X509 *) l->data; -+ if (checkSubj) { -+ v = X509_get_subject_name(c); -+ } else { -+ v = X509_get_issuer_name(c); -+ } -+ if (X509_NAME_cmp(val, v) == 0) { -+ return c; -+ } -+ l = l->next; -+ } -+ return NULL; -+} -+ -+ -+/* -+ ****************************************************************************** -+ * CertVerify_CheckForUnrelatedCerts -- */ /** -+ * -+ * Looks over a list of certs. If it finds that they are not all -+ * part of the same chain, returns failure. -+ * -+ * @param[in] numCerts The number of certs in the chain. -+ * @param[in] pemCerts The chain of certificates to verify. -+ * -+ * @return VGAUTH_E_OK on success, VGAUTH_E_FAIL if unrelated certs are found. 
-+ * -+ ****************************************************************************** -+ */ -+ -+VGAuthError -+CertVerify_CheckForUnrelatedCerts(int numCerts, -+ const char **pemCerts) -+{ -+ VGAuthError err = VGAUTH_E_FAIL; -+ int chainLen = 0; -+ int i; -+ X509 **certs = NULL; -+ GList *rawList = NULL; -+ X509 *baseCert; -+ X509 *curCert; -+ X509_NAME *subject; -+ X509_NAME *issuer; -+ -+ /* common single cert case; nothing to do */ -+ if (numCerts == 1) { -+ return VGAUTH_E_OK; -+ } -+ -+ /* convert all PEM to X509 objects */ -+ certs = g_malloc0(numCerts * sizeof(X509 *)); -+ for (i = 0; i < numCerts; i++) { -+ certs[i] = CertStringToX509(pemCerts[i]); -+ if (NULL == certs[i]) { -+ g_warning("%s: failed to convert cert to X509\n", __FUNCTION__); -+ goto done; -+ } -+ } -+ -+ /* choose the cert to start the chain. shouldn't matter which */ -+ baseCert = certs[0]; -+ -+ /* put the rest into a list */ -+ for (i = 1; i < numCerts; i++) { -+ rawList = g_list_append(rawList, certs[i]); -+ } -+ -+ /* now chase down to a leaf, looking for certs the baseCert issued */ -+ subject = X509_get_subject_name(baseCert); -+ while ((curCert = FindCert(rawList, subject, 0)) != NULL) { -+ /* pull it from the list */ -+ rawList = g_list_remove(rawList, curCert); -+ /* set up the next find */ -+ subject = X509_get_subject_name(curCert); -+ } -+ -+ /* -+ * walk up to the root cert, by finding a cert where the -+ * issuer equals the subject of the current -+ */ -+ issuer = X509_get_issuer_name(baseCert); -+ while ((curCert = FindCert(rawList, issuer, 1)) != NULL) { -+ /* pull it from the list */ -+ rawList = g_list_remove(rawList, curCert); -+ /* set up the next find */ -+ issuer = X509_get_issuer_name(curCert); -+ } -+ -+ /* -+ * At this point, anything on the list should be certs that are not part -+ * of the chain that includes the original 'baseCert'. -+ * -+ * For a valid token, the list should be empty. 
-+ */ -+ chainLen = g_list_length(rawList); -+ if (chainLen != 0 ) { -+ GList *l; -+ -+ g_warning("%s: %d unrelated certs found in list\n", -+ __FUNCTION__, chainLen); -+ -+ /* debug helper */ -+ l = rawList; -+ while (l != NULL) { -+ X509* c = (X509 *) l->data; -+ char *s = X509_NAME_oneline(X509_get_subject_name(c), NULL, 0); -+ -+ g_debug("%s: unrelated cert subject: %s\n", __FUNCTION__, s); -+ free(s); -+ l = l->next; -+ } -+ -+ goto done; -+ } -+ -+ g_debug("%s: Success! no unrelated certs found\n", __FUNCTION__); -+ err = VGAUTH_E_OK; -+ -+done: -+ g_list_free(rawList); -+ for (i = 0; i < numCerts; i++) { -+ X509_free(certs[i]); -+ } -+ g_free(certs); -+ return err; -+} -diff --git a/open-vm-tools/vgauth/common/certverify.h b/open-vm-tools/vgauth/common/certverify.h -index d7c6410..f582bb8 100644 ---- a/open-vm-tools/vgauth/common/certverify.h -+++ b/open-vm-tools/vgauth/common/certverify.h -@@ -67,6 +67,10 @@ VGAuthError CertVerify_CheckSignatureUsingCert(VGAuthHashAlg hash, - size_t signatureLen, - const unsigned char *signature); - -+ -+VGAuthError CertVerify_CheckForUnrelatedCerts(int numCerts, -+ const char **pemCerts); -+ - gchar * CertVerify_StripPEMCert(const gchar *pemCert); - - gchar * CertVerify_CertToX509String(const gchar *pemCert); -diff --git a/open-vm-tools/vgauth/common/prefs.h b/open-vm-tools/vgauth/common/prefs.h -index ff11692..87ccc9b 100644 ---- a/open-vm-tools/vgauth/common/prefs.h -+++ b/open-vm-tools/vgauth/common/prefs.h -@@ -136,6 +136,8 @@ msgCatalog = /etc/vmware-tools/vgauth/messages - #define VGAUTH_PREF_ALIASSTORE_DIR "aliasStoreDir" - /** The number of seconds slack allowed in either direction in SAML token date checks. */ - #define VGAUTH_PREF_CLOCK_SKEW_SECS "clockSkewAdjustment" -+/** If unrelated certificates are allowed in a SAML token */ -+#define VGAUTH_PREF_ALLOW_UNRELATED_CERTS "allowUnrelatedCerts" - - /** Ticket group name. 
*/ - #define VGAUTH_PREF_GROUP_NAME_TICKET "ticket" -diff --git a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c -index 14cba1b..57e9316 100644 ---- a/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c -+++ b/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c -@@ -49,6 +49,7 @@ - #include "vmxlog.h" - - static int gClockSkewAdjustment = VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS; -+static gboolean gAllowUnrelatedCerts = FALSE; - static xmlSchemaPtr gParsedSchemas = NULL; - static xmlSchemaValidCtxtPtr gSchemaValidateCtx = NULL; - -@@ -369,6 +370,10 @@ LoadPrefs(void) - VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS); - Log("%s: Allowing %d of clock skew for SAML date validation\n", - __FUNCTION__, gClockSkewAdjustment); -+ gAllowUnrelatedCerts = Pref_GetBool(gPrefs, -+ VGAUTH_PREF_ALLOW_UNRELATED_CERTS, -+ VGAUTH_PREF_GROUP_NAME_SERVICE, -+ FALSE); - } - - -@@ -1697,6 +1702,15 @@ SAML_VerifyBearerTokenAndChain(const char *xmlText, - return VGAUTH_E_AUTHENTICATION_DENIED; - } - -+ if (!gAllowUnrelatedCerts) { -+ err = CertVerify_CheckForUnrelatedCerts(num, (const char **) certChain); -+ if (err != VGAUTH_E_OK) { -+ VMXLog_Log(VMXLOG_LEVEL_WARNING, -+ "Unrelated certs found in SAML token, failing\n"); -+ return VGAUTH_E_AUTHENTICATION_DENIED; -+ } -+ } -+ - subj.type = SUBJECT_TYPE_NAMED; - subj.name = *subjNameOut; - err = ServiceVerifyAndCheckTrustCertChainForSubject(num, --- -2.6.2 - diff -Nru open-vm-tools-12.3.0/debian/patches/CVE-2023-34059.patch open-vm-tools-12.3.5/debian/patches/CVE-2023-34059.patch --- open-vm-tools-12.3.0/debian/patches/CVE-2023-34059.patch 2023-10-27 11:19:11.000000000 +0000 +++ open-vm-tools-12.3.5/debian/patches/CVE-2023-34059.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,182 +0,0 @@ -From 2011181cbe60b256ced8d28daf7b704e8613467c Mon Sep 17 00:00:00 2001 -From: John Wolfe -Date: Wed, 18 Oct 2023 09:11:54 -0700 -Subject: [PATCH] Address CVE-2023-34059 - -Fix file descriptor vulnerability in the open-vm-tools - vmware-user-suid-wrapper on Linux. - - Moving the privilege drop logic (dropping privilege to the real uid - and gid of the process for the vmusr service) from suidWrapper to - vmtoolsd code. - ---- - open-vm-tools/services/vmtoolsd/mainPosix.c | 76 +++++++++++++++++++++++++++ - open-vm-tools/vmware-user-suid-wrapper/main.c | 26 ++------- - 2 files changed, 79 insertions(+), 23 deletions(-) - -diff --git a/open-vm-tools/services/vmtoolsd/mainPosix.c b/open-vm-tools/services/vmtoolsd/mainPosix.c -index fd2667c..8b46979 100644 ---- a/open-vm-tools/services/vmtoolsd/mainPosix.c -+++ b/open-vm-tools/services/vmtoolsd/mainPosix.c -@@ -28,10 +28,12 @@ - #include - #include - #include -+#include - #include - #include "file.h" - #include "guestApp.h" - #include "hostinfo.h" -+#include "su.h" - #include "system.h" - #include "unicode.h" - #include "util.h" -@@ -155,6 +157,59 @@ ToolsCoreWorkAroundLoop(ToolsServiceState *state, - - - /** -+ * Tools function to set close-on-exec flg for the fd. -+ * -+ * @param[in] fd open file descriptor. -+ * -+ * @return TRUE on success, FALSE otherwise. -+ */ -+ -+static gboolean -+ToolsSetCloexecFlag(int fd) -+{ -+ int flags; -+ -+ if (fd == -1) { -+ /* fd is not present, no need to manipulate */ -+ return TRUE; -+ } -+ -+ flags = fcntl(fd, F_GETFD, 0); -+ if (flags < 0) { -+ g_printerr("Couldn't get the flags set for fd %d, error %u.", fd, errno); -+ return FALSE; -+ } -+ flags |= FD_CLOEXEC; -+ if (fcntl(fd, F_SETFD, flags) < 0) { -+ g_printerr("Couldn't set close-on-exec for fd %d, error %u.", fd, errno); -+ return FALSE; -+ } -+ -+ return TRUE; -+} -+ -+ -+/** -+ * Tools function to close the fds. 
-+ */ -+ -+static void -+ToolsCloseFds(void) -+{ -+ if (gState.ctx.blockFD != -1) { -+ close(gState.ctx.blockFD); -+ } -+ -+ /* -+ * uinputFD will be available only for wayland. -+ */ -+ if (gState.ctx.uinputFD != -1) { -+ close(gState.ctx.uinputFD); -+ } -+} -+ -+ -+/** - * Tools daemon entry function. - * - * @param[in] argc Argument count. -@@ -210,6 +265,27 @@ main(int argc, - g_free(argvCopy); - argvCopy = NULL; - -+ /* -+ * Drops privilege to the real uid and gid of the process -+ * for the "vmusr" service. -+ */ -+ if (TOOLS_IS_USER_SERVICE(&gState)) { -+ uid_t uid = getuid(); -+ gid_t gid = getgid(); -+ -+ if ((Id_SetREUid(uid, uid) != 0) || -+ (Id_SetREGid(gid, gid) != 0)) { -+ g_printerr("could not drop privileges: %s", strerror(errno)); -+ ToolsCloseFds(); -+ goto exit; -+ } -+ if (!ToolsSetCloexecFlag(gState.ctx.blockFD) || -+ !ToolsSetCloexecFlag(gState.ctx.uinputFD)) { -+ ToolsCloseFds(); -+ goto exit; -+ } -+ } -+ - if (gState.pidFile != NULL) { - /* - * If argv[0] is not an absolute path, make it so; all other path -diff --git a/open-vm-tools/vmware-user-suid-wrapper/main.c b/open-vm-tools/vmware-user-suid-wrapper/main.c -index e9d7e50..a19af53 100644 ---- a/open-vm-tools/vmware-user-suid-wrapper/main.c -+++ b/open-vm-tools/vmware-user-suid-wrapper/main.c -@@ -156,8 +156,7 @@ MaskSignals(void) - * - * Obtains the library directory from the Tools locations database, then - * opens a file descriptor (while still root) to add and remove blocks, -- * drops privilege to the real uid of this process, and finally starts -- * vmware-user. -+ * and finally starts vmware-user. - * - * Results: - * Parent: TRUE on success, FALSE on failure. 
-@@ -173,8 +172,6 @@ static Bool - StartVMwareUser(char *const envp[]) - { - pid_t pid; -- uid_t uid; -- gid_t gid; - int blockFd = -1; - char blockFdStr[8]; - int uinputFd = -1; -@@ -191,8 +188,8 @@ StartVMwareUser(char *const envp[]) - } - - /* -- * Now create a child process, obtain a file descriptor as root, downgrade -- * privilege, and run vmware-user. -+ * Now create a child process, obtain a file descriptor as root and -+ * run vmware-user. - */ - pid = fork(); - if (pid == -1) { -@@ -229,23 +226,6 @@ StartVMwareUser(char *const envp[]) - } - } - -- uid = getuid(); -- gid = getgid(); -- -- if ((setreuid(uid, uid) != 0) || -- (setregid(gid, gid) != 0)) { -- Error("could not drop privileges: %s\n", strerror(errno)); -- if (blockFd != -1) { -- close(blockFd); -- } -- if (useWayland) { -- if (uinputFd != -1) { -- close(uinputFd); -- } -- } -- return FALSE; -- } -- - /* - * Since vmware-user provides features that don't depend on vmblock, we - * invoke vmware-user even if we couldn't obtain a file descriptor or we --- -2.6.2 - diff -Nru open-vm-tools-12.3.0/debian/patches/series open-vm-tools-12.3.5/debian/patches/series --- open-vm-tools-12.3.0/debian/patches/series 2023-10-27 11:19:11.000000000 +0000 +++ open-vm-tools-12.3.5/debian/patches/series 2023-12-05 21:18:07.000000000 +0000 @@ -1,4 +1,2 @@ use-debian-pam debian/scsi-udev-rule -CVE-2023-34058.patch -CVE-2023-34059.patch diff -Nru open-vm-tools-12.3.0/debian/rules open-vm-tools-12.3.5/debian/rules --- open-vm-tools-12.3.0/debian/rules 2023-09-06 06:56:32.000000000 +0000 +++ open-vm-tools-12.3.5/debian/rules 2023-12-05 18:41:25.000000000 +0000 
@@ -83,8 +83,8 @@ rm -rf debian/open-vm-tools/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/serviceDiscovery/ # moving open-vm-tools-containerinfo files - mkdir -p debian/open-vm-tools-containerinfo/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/plugins/containerinfo/ - mv debian/open-vm-tools/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/plugins/vmsvc/libcontainerInfo.so debian/open-vm-tools-containerinfo/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/plugins/containerinfo/ + mkdir -p debian/open-vm-tools-containerinfo/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/plugins/vmsvc/ + mv debian/open-vm-tools/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/plugins/vmsvc/libcontainerInfo.so debian/open-vm-tools-containerinfo/usr/lib/$(DEB_HOST_MULTIARCH)/open-vm-tools/plugins/vmsvc/ ifneq (,$(findstring $(DEB_HOST_ARCH), amd64)) # moving open-vm-tools-salt-minion files diff -Nru open-vm-tools-12.3.0/open-vm-tools/ChangeLog open-vm-tools-12.3.5/open-vm-tools/ChangeLog --- open-vm-tools-12.3.0/open-vm-tools/ChangeLog 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/ChangeLog 2023-10-26 15:39:15.000000000 +0000 
@@ -1,3 +1,119 @@ +commit 6acd1f6742a8fc0dea9cabf7ba15416a2daf5075 +Author: Katy Feng +Date: Thu Oct 26 08:35:59 2023 -0700 + + Update the ReleaseNotes.md for the 12.3.5 open-vm-tools release. + +commit d5a0ca16b64730507735281012bc3a4660c5b46c +Author: Katy Feng +Date: Wed Oct 25 11:13:15 2023 -0700 + + Prepare for the open-vm-tools 12.3.5 release. + - Update the tools version in the configure.ac. + - Update the build numbers in the buldNumber.h. + +commit ca8bde40e2bb2e03b5f3a38530f6be0d4b19de34 +Author: Katy Feng +Date: Tue Oct 17 15:31:51 2023 -0700 + + Update the ChangeLog file with the changes in the 12.3.5 open-vm-tools release. + - plus the 12.3.0 open-vm-tools release point in the ChangeLog. + +commit 1bfe23d728b74e08f4f65cd9b0093ca73937003a +Author: Katy Feng +Date: Tue Oct 17 15:24:48 2023 -0700 + + Don't accept tokens with unrelated certs + + If a SAML token has a cert that's not a part of a chain, + fail the token as invalid. + +commit 63f7c79c4aecb14d37cc4ce9da509419e31d394f +Author: Katy Feng +Date: Tue Oct 17 15:24:48 2023 -0700 + + File descriptor vulnerability in the open-vm-tools vmware-user-suid-wrapperx + on Linux + + Moving the privilege drop logic (dropping privilege to the real uid and + gid of the process for the vmusr service) from suidWrapper to vmtoolsd code. + Now the vmtoolsd is not executed with dropped privileges (started as setuid + program) and the dumpable attribute of the process is not reset. + The unprivileged user will not have access to the privileged file descriptors + in the vmtoolsd vmusr process. + Also, setting the FD_CLOEXEC flag for both uinputFd and blockFd preventing + the file descriptors being inherited any further from the vmtoolsd. + +commit 3b5308bb4bdf3eeebd49808eb0efa015aa183772 +Author: Katy Feng +Date: Tue Oct 17 15:24:48 2023 -0700 + + Suppress optional arg to backup scripts when empty string. + Backup scripts can be called with an optional argument. 
Don't pass the + optional arg to the script if it's an empty string. + +commit 395cb80dc14e86f07e22541ae5ff205ad695056e +Author: Katy Feng +Date: Tue Oct 17 15:24:48 2023 -0700 + + Checking flag 'disable_vmware_customization' in more cloud-init config files + + Currently, deployPkg plugin checks the existence of flag + 'disable_vmware_customization: false' in the /etc/cloud/cloud.cfg file + to determine if VMware customization is enabled or not on cloud-init + side when cloud-init is available in guest. + Both cloud-init team and customers suggested that it's better practice to + put local configuration like this flag into some .cfg files under + /etc/cloud/cloud.cfg.d directory, ex: /etc/cloud/cloud.cfg.d/somefile.cfg + + This change implements the following adjustments to make sure we handle + this flag the same way as cloud-init does in ds-identify and Datasource: + 1. Instead of regex matching flag 'disable_vmware_customization: false', + we will check the value of flag 'disable_vmware_customization': + If the value is 'false', it means VMware customization is enabled. + If the value is 'true', it means VMware customization is disabled. + If the flag is not set, by default VMware customization is disabled + on cloud-init side. + 2. Besides cloud-init /etc/cloud/cloud.cfg file, we will check all .cfg + files under /etc/cloud/cloud.cfg.d directory. + 3. The value of flag 'disable_vmware_customization' in .cfg files under + /etc/cloud/cloud.cfg.d directory will overwrite the one in + /etc/cloud/cloud.cfg file. + 4. The value of flag 'disable_vmware_customization' in a .cfg file listed + further down the alphabetical order under /etc/cloud/cloud.cfg.d directory + will overwrite the value in a .cfg file listed earier. + 5. If a cloud-init config file contains more than one instance of this + flag, the value of the later flag will overwrite the former one's. 
+ + Github Issue: https://github.com/vmware/open-vm-tools/issues/310 + +commit d9ffb3275ada811caa8478d481cd9003766baa1c +Author: Katy Feng +Date: Tue Oct 17 15:24:48 2023 -0700 + + Add missed 2023 copyright change. + +commit ba8219ee4bab927d7142e8392b20e183c589786e +Author: Katy Feng +Date: Tue Oct 17 15:24:48 2023 -0700 + + Enabling the open-vm-tools VGAuth Host Verification feature. + + The Host Verified SAML token work is complete. Adding the new code to the + open-vm-tools source. + +commit 650ce059114e09cbac3594b9e1be4069febe4311 +Author: Katy Feng +Date: Tue Oct 17 15:24:47 2023 -0700 + + Setting the VMware Tools version to 12.3.5. + +commit 865e76adf86fb38380220a3b760aa92ba5407c60 +Author: Katy Feng +Date: Thu Aug 31 07:38:59 2023 -0700 + + Update of the ChangeLog with the "open-vm-tools 12.3.0" release point marker. + commit 4fe4b1be1d7139aa571a6431f26904e6f0b77883 Author: Katy Feng Date: Thu Aug 31 07:32:27 2023 -0700 diff -Nru open-vm-tools-12.3.0/open-vm-tools/configure.ac open-vm-tools-12.3.5/open-vm-tools/configure.ac --- open-vm-tools-12.3.0/open-vm-tools/configure.ac 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/configure.ac 2023-10-26 15:39:15.000000000 +0000 @@ -35,10 +35,10 @@ ### Initialization ### -TOOLS_VERSION="12.3.0" +TOOLS_VERSION="12.3.5" AC_INIT( [open-vm-tools], - [12.3.0], + [12.3.5], [open-vm-tools-devel@lists.sourceforge.net]) # In order to make this configure script auto-detect situations where 
@@ -1944,12 +1944,6 @@ -AM_CONDITIONAL([VMTOOLS_FS_VGAUTH_HOST_VERIFICATION],[true]) -if test "$enable_vgauth" = "yes"; then - echo "Enabling vgauth host verification" - CPPFLAGS="$CPPFLAGS -DVMTOOLS_FS_VGAUTH_HOST_VERIFICATION" -fi - ### ### Output diff -Nru open-vm-tools-12.3.0/open-vm-tools/lib/include/buildNumber.h open-vm-tools-12.3.5/open-vm-tools/lib/include/buildNumber.h --- open-vm-tools-12.3.0/open-vm-tools/lib/include/buildNumber.h 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/lib/include/buildNumber.h 2023-10-26 15:39:15.000000000 +0000 @@ -1,12 +1,12 @@ #define BUILD_NUMBER \ - "build-22234872" + "build-22544099" #define BUILD_NUMBER_NUMERIC \ - 22234872 + 22544099 #define BUILD_NUMBER_NUMERIC_STRING \ - "22234872" + "22544099" #define PRODUCT_BUILD_NUMBER \ - "product-build-44994" + "product-build-46049" #define PRODUCT_BUILD_NUMBER_NUMERIC \ - 44994 + 46049 #define PRODUCT_BUILD_NUMBER_NUMERIC_STRING \ - "44994" + "46049" diff -Nru open-vm-tools-12.3.0/open-vm-tools/lib/include/compat/compat_stdarg.h open-vm-tools-12.3.5/open-vm-tools/lib/include/compat/compat_stdarg.h --- open-vm-tools-12.3.0/open-vm-tools/lib/include/compat/compat_stdarg.h 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/lib/include/compat/compat_stdarg.h 2023-10-26 15:39:15.000000000 +0000 
@@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2006-2016 VMware, Inc. All rights reserved. + * Copyright (C) 2006-2016,2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published diff -Nru open-vm-tools-12.3.0/open-vm-tools/lib/include/vm_tools_version.h open-vm-tools-12.3.5/open-vm-tools/lib/include/vm_tools_version.h --- open-vm-tools-12.3.0/open-vm-tools/lib/include/vm_tools_version.h 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/lib/include/vm_tools_version.h 2023-10-26 15:39:15.000000000 +0000 
@@ -1751,15 +1751,22 @@ #define TOOLS_VERSION_BANDSAW_UPDATE1_V_BASE 5 #ifndef RC_INVOKED -#define TOOLS_VERSION_NEXT TOOLS_VERSION_TO_UINT(TOOLS_VERSION_NEXT_V) +#define TOOLS_VERSION_HEDGE_TRIMMER_RELEASE TOOLS_VERSION_TO_UINT(TOOLS_VERSION_HEDGE_TRIMMER_RELEASE_V) #endif /* RC_INVOKED */ -#define TOOLS_VERSION_NEXT_V_MJR 12 -#define TOOLS_VERSION_NEXT_V_MNR 3 -#define TOOLS_VERSION_NEXT_V_BASE 0 +#define TOOLS_VERSION_HEDGE_TRIMMER_RELEASE_V_MJR 12 +#define TOOLS_VERSION_HEDGE_TRIMMER_RELEASE_V_MNR 3 +#define TOOLS_VERSION_HEDGE_TRIMMER_RELEASE_V_BASE 0 -#define TOOLS_VERSION_CURRENT TOOLS_VERSION_NEXT -#define TOOLS_VERSION_CURRENT_STR TOOLS_VERSION_TO_STR(TOOLS_VERSION_NEXT) -#define TOOLS_VERSION_CURRENT_CSV TOOLS_VERSION_TO_CSV(TOOLS_VERSION_NEXT) +#ifndef RC_INVOKED +#define TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1 TOOLS_VERSION_TO_UINT(TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1_V) +#endif /* RC_INVOKED */ +#define TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1_V_MJR 12 +#define TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1_V_MNR 3 +#define TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1_V_BASE 5 + +#define TOOLS_VERSION_CURRENT TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1 +#define TOOLS_VERSION_CURRENT_STR TOOLS_VERSION_TO_STR(TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1) +#define TOOLS_VERSION_CURRENT_CSV TOOLS_VERSION_TO_CSV(TOOLS_VERSION_HEDGE_TRIMMER_UPDATE1) /* * The extended Tools version is the current Tools version with the diff -Nru open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeployment.c open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeployment.c --- open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeployment.c 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeployment.c 2023-10-26 15:39:15.000000000 +0000 
@@ -1,5 +1,5 @@ /********************************************************* - * Copyright (c) 2006-2022 VMware, Inc. All rights reserved. + * Copyright (c) 2006-2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published @@ -1236,7 +1236,6 @@ { static const char cfgName[] = "cust.cfg"; static const char metadataName[] = "metadata"; - static const char cloudInitConfigFilePath[] = "/etc/cloud/cloud.cfg"; static const char cloudInitCommand[] = "/usr/bin/cloud-init -v"; char cloudInitCommandOutput[MAX_LENGTH_CLOUDINIT_VERSION]; int forkExecResult; @@ -1288,7 +1287,7 @@ return USE_CLOUDINIT_OK; } } else { - if (IsCloudInitEnabled(cloudInitConfigFilePath)) { + if (IsCloudInitCustomizationEnabled()) { return USE_CLOUDINIT_OK; } else { return USE_CLOUDINIT_DISABLED; diff -Nru open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.c open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.c --- open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.c 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.c 2023-10-26 15:39:15.000000000 +0000 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2016-2019 VMware, Inc. All rights reserved. + * Copyright (c) 2016-2019, 2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published 
@@ -18,70 +18,99 @@ #include #include +#include #include #include #include #include #include "linuxDeploymentUtilities.h" +#include "str.h" extern LogFunction sLog; +// The status code of flag 'disable_vmware_customization' +typedef enum DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE { + DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET = 0, + DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_TRUE, + DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_FALSE, +} DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE; + +// Private functions +static DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE +GetDisableVMwareCustomizationFlagStatus(const char* cloudInitConfigFilePath); +static int +FilterCfgExt(const struct dirent *dir); + /** *---------------------------------------------------------------------------- * - * IsCloudInitEnabled + * IsCloudInitCustomizationEnabled * - * Function to determine if cloud-init is enabled. + * Function to determine if cloud-init customization workflow is enabled. * Essentially it does - * - read a cloud-init config file - * - Find if a particular flag is enabled or disabled. + * - Read all cloud-init configuration files under /etc/cloud/cloud.cfg.d/ + * - Read the cloud-init configuration file /etc/cloud/cloud.cfg + * - Find if a particular flag is enabled or disabled + * - Particularly, the value of flag in files under /etc/cloud/cloud.cfg.d/ + * has higher priority than the one in file /etc/cloud/cloud.cfg, and the + * value of flag in file listed behind in alphabetical sort under + * /etc/cloud/cloud.cfg.d/ has higher priority than the one in file listed + * in front * - * @param [IN] cloudFilePath path of the cloud-init config file - * @returns TRUE if disable_vmware_customization is false and FALSE otherwise. 
+ * @returns TRUE if value of the flag 'disable_vmware_customization' is false + * FALSE otherwise * *---------------------------------------------------------------------------- **/ bool -IsCloudInitEnabled(const char *cloudFilePath) +IsCloudInitCustomizationEnabled() { - bool isEnabled = false; - FILE *cloudFile; - char line[256]; - regex_t regex; - const char *cloudInitRegex = - "^\\s*disable_vmware_customization\\s*:\\s*false\\s*$"; - int reti; - - sLog(log_info, "Checking if cloud.cfg exists and if cloud-init is enabled."); - cloudFile = fopen(cloudFilePath, "r"); - if (cloudFile == NULL) { - sLog(log_info, "Could not open file: %s", strerror(errno)); - return isEnabled; - } - - reti = regcomp(®ex, cloudInitRegex, 0); - if (reti != 0) { - char buf[256]; - regerror(reti, ®ex, buf, sizeof(buf)); - sLog(log_error, "Error compiling regex for cloud-init flag: %s", buf); - goto done; - } - - while (fgets(line, sizeof(line), cloudFile) != NULL) { - if (regexec(®ex, line, 0, NULL, 0) == 0) { - isEnabled = true; - break; + DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE flagStatus = + DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET; + static const char cloudInitBaseConfigFilePath[] = "/etc/cloud/cloud.cfg"; + static const char cloudInitConfigDirPath[] = "/etc/cloud/cloud.cfg.d/"; + struct dirent **fileList; + int i, fileCount; + size_t filePathLength; + char *filePath = NULL; + + sLog(log_info, "Checking if cloud-init customization is enabled."); + fileCount = + scandir(cloudInitConfigDirPath, &fileList, FilterCfgExt, alphasort); + if (fileCount < 0) { + sLog(log_warning, "Could not scan directory %s, error: %s.", + cloudInitConfigDirPath, strerror(errno)); + } else { + for (i = fileCount - 1; i >= 0; i--) { + filePathLength = Str_Strlen(cloudInitConfigDirPath, PATH_MAX) + + Str_Strlen(fileList[i]->d_name, FILENAME_MAX) + 1; + filePath = malloc(filePathLength); + if (filePath == NULL) { + sLog(log_warning, "Error allocating memory to copy '%s'.", + cloudInitConfigDirPath); + 
break; + } + Str_Strcpy(filePath, cloudInitConfigDirPath, filePathLength); + Str_Strcat(filePath, fileList[i]->d_name, filePathLength); + flagStatus = GetDisableVMwareCustomizationFlagStatus(filePath); + free(filePath); + filePath = NULL; + if (flagStatus != DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET) { + break; + } + } + for (i = 0; i < fileCount; i++) { + free(fileList[i]); } } - if (ferror(cloudFile) != 0) { - sLog(log_warning, "Error reading file: %s", strerror(errno)); - isEnabled = false; + free(fileList); + + if (flagStatus == DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET) { + flagStatus = + GetDisableVMwareCustomizationFlagStatus(cloudInitBaseConfigFilePath); } - regfree(®ex); -done: - fclose(cloudFile); - return isEnabled; + return (flagStatus == DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_FALSE); } /** @@ -113,7 +142,7 @@ sLog(log_info, "Check if custom script(pre/post customization) exists."); tempDir = opendir(dirPath); if (tempDir == NULL) { - sLog(log_warning, "Could not open directory %s: error: %s", dirPath, + sLog(log_warning, "Could not open directory %s: error: %s.", dirPath, strerror(errno)); return scriptName; } @@ -123,7 +152,7 @@ char buf[256]; regerror(regRet, &scriptRegex, buf, sizeof(buf)); - sLog(log_error, "Error compiling regex for custom script: %s", buf); + sLog(log_error, "Error compiling regex for custom script: %s.", buf); goto done; } @@ -131,7 +160,7 @@ if (regexec(&scriptRegex, dir->d_name, 0, NULL, 0) == 0) { scriptName = strdup(dir->d_name); if (scriptName == NULL) { - sLog(log_warning, "Could not allocate memory for scriptName: %s", + sLog(log_warning, "Could not allocate memory for scriptName: %s.", strerror(errno)); break; } 
@@ -145,3 +174,106 @@ return scriptName; } +/** + *---------------------------------------------------------------------------- + * + * GetDisableVMwareCustomizationFlagStatus + * + * Function to get status code of the flag 'disable_vmware_customization' from + * a cloud-init config file. + * Essentially it does + * - Read a cloud-init config file + * - Get status code of the flag according to its value + * + * @param [IN] cloudInitConfigFilePath path of a cloud-int config file + * @returns The status code of this particular flag + * + *---------------------------------------------------------------------------- + **/ +static DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE +GetDisableVMwareCustomizationFlagStatus(const char* cloudInitConfigFilePath) +{ + DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE flagStatus = + DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET; + FILE *cloudInitConfigFile; + char line[256]; + regex_t regex; + size_t maxGroups = 2, flagValueLength = 0; + regmatch_t groupArray[maxGroups]; + const char *flagPattern = + "^\\s*disable_vmware_customization\\s*:\\s*(true|false)\\s*$"; + int reti; + + cloudInitConfigFile = fopen(cloudInitConfigFilePath, "r"); + if (cloudInitConfigFile == NULL) { + sLog(log_warning, "Could not open file: %s.", strerror(errno)); + return flagStatus; + } + + reti = regcomp(®ex, flagPattern, REG_EXTENDED); + if (reti != 0) { + char buf[256]; + regerror(reti, ®ex, buf, sizeof(buf)); + sLog(log_error, "Error compiling regex for cloud-init flag: %s.", buf); + goto done; + } + + while (fgets(line, sizeof(line), cloudInitConfigFile) != NULL) { + if (regexec(®ex, line, maxGroups, groupArray, 0) == 0) { + flagValueLength = groupArray[1].rm_eo - groupArray[1].rm_so; + if (flagValueLength > 0) { + char flagValue[flagValueLength + 1]; + Str_Strncpy(flagValue, flagValueLength + 1, + line + groupArray[1].rm_so, flagValueLength); + sLog(log_info, + "Flag 'disable_vmware_customization' set in %s with value: %s.", + cloudInitConfigFilePath, 
flagValue); + if (Str_Strequal(flagValue, "false")) { + flagStatus = DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_FALSE; + } else if (Str_Strequal(flagValue, "true")) { + flagStatus = DISABLE_VMWARE_CUSTOMIZATION_FLAG_SET_TRUE; + } + } + } + } + if (ferror(cloudInitConfigFile) != 0) { + sLog(log_warning, "Error reading file: %s.", strerror(errno)); + flagStatus = DISABLE_VMWARE_CUSTOMIZATION_FLAG_UNSET; + } + regfree(®ex); + +done: + fclose(cloudInitConfigFile); + return flagStatus; +} + +/** + *----------------------------------------------------------------------------- + * + * FilterCfgExt + * + * Filter files with .cfg extension when calling scandir. + * + * @param [IN] dir struct dirent of a directory entry + * @returns 1 if dir is a regular file and its file extension is .cfg + * 0 otherwise + * + * ---------------------------------------------------------------------------- + **/ +static int +FilterCfgExt(const struct dirent *dir) +{ + if (!dir) + return 0; + + if (dir->d_type == DT_REG) { + const char *ext = Str_Strrchr(dir->d_name, '.'); + if ((!ext) || (ext == dir->d_name)) { + return 0; + } else if (Str_Strequal(ext, ".cfg")) { + return 1; + } + } + + return 0; +} diff -Nru open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.h open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.h --- open-vm-tools-12.3.0/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.h 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/libDeployPkg/linuxDeploymentUtilities.h 2023-10-26 15:39:15.000000000 +0000 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2016-2019 VMware, Inc. All rights reserved. + * Copyright (c) 2016-2019, 2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published 
@@ -24,7 +24,7 @@ #include "imgcust-common/imgcust-api.h" IMGCUST_API bool -IsCloudInitEnabled(const char* configFile); +IsCloudInitCustomizationEnabled(); IMGCUST_API char * GetCustomScript(const char* dirPath); diff -Nru open-vm-tools-12.3.0/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryInt.h open-vm-tools-12.3.5/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryInt.h --- open-vm-tools-12.3.0/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryInt.h 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryInt.h 2023-10-26 15:39:15.000000000 +0000 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2020-2021 VMware, Inc. All rights reserved. + * Copyright (C) 2020-2021,2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published diff -Nru open-vm-tools-12.3.0/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryPosix.c open-vm-tools-12.3.5/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryPosix.c --- open-vm-tools-12.3.0/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryPosix.c 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/services/plugins/serviceDiscovery/serviceDiscoveryPosix.c 2023-10-26 15:39:15.000000000 +0000 
@@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2020-2021 VMware, Inc. All rights reserved. + * Copyright (C) 2020-2021,2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published diff -Nru open-vm-tools-12.3.0/open-vm-tools/services/plugins/vix/vixToolsInt.h open-vm-tools-12.3.5/open-vm-tools/services/plugins/vix/vixToolsInt.h --- open-vm-tools-12.3.0/open-vm-tools/services/plugins/vix/vixToolsInt.h 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/services/plugins/vix/vixToolsInt.h 2023-10-26 15:39:15.000000000 +0000 @@ -204,9 +204,7 @@ const char *token, const char *username, char *serviceUsername, -#ifdef VMTOOLS_FS_VGAUTH_HOST_VERIFICATION Bool hostVerified, -#endif void **userToken, VGAuthUserHandle **curUserHandle); #endif // _WIN32 diff -Nru open-vm-tools-12.3.0/open-vm-tools/services/plugins/vmbackup/scriptOps.c open-vm-tools-12.3.5/open-vm-tools/services/plugins/vmbackup/scriptOps.c --- open-vm-tools-12.3.0/open-vm-tools/services/plugins/vmbackup/scriptOps.c 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/services/plugins/vmbackup/scriptOps.c 2023-10-26 15:39:15.000000000 +0000 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2007-2019, 2021 VMware, Inc. All rights reserved. + * Copyright (c) 2007-2019, 2021, 2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published 
@@ -157,7 +157,7 @@ if (File_IsFile(scripts[index].path)) { char *cmd; - if (op->state->scriptArg != NULL) { + if (op->state->scriptArg != NULL && op->state->scriptArg[0] != '\0') { cmd = Str_Asprintf(NULL, "\"%s\" %s \"%s\"", scripts[index].path, scriptOp, op->state->scriptArg); } else { diff -Nru open-vm-tools-12.3.0/open-vm-tools/services/vmtoolsd/mainPosix.c open-vm-tools-12.3.5/open-vm-tools/services/vmtoolsd/mainPosix.c --- open-vm-tools-12.3.0/open-vm-tools/services/vmtoolsd/mainPosix.c 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/services/vmtoolsd/mainPosix.c 2023-10-26 15:39:15.000000000 +0000 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (c) 2008-2020,2022 VMware, Inc. All rights reserved. + * Copyright (c) 2008-2020,2022-2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published @@ -28,10 +28,12 @@ #include #include #include +#include #include #include "file.h" #include "guestApp.h" #include "hostinfo.h" +#include "su.h" #include "system.h" #include "unicode.h" #include "util.h" 
@@ -155,6 +157,59 @@ /** + * Tools function to set close-on-exec flg for the fd. + * + * @param[in] fd open file descriptor. + * + * @return TRUE on success, FALSE otherwise. + */ + +static gboolean +ToolsSetCloexecFlag(int fd) +{ + int flags; + + if (fd == -1) { + /* fd is not present, no need to manipulate */ + return TRUE; + } + + flags = fcntl(fd, F_GETFD, 0); + if (flags < 0) { + g_printerr("Couldn't get the flags set for fd %d, error %u.", fd, errno); + return FALSE; + } + flags |= FD_CLOEXEC; + if (fcntl(fd, F_SETFD, flags) < 0) { + g_printerr("Couldn't set close-on-exec for fd %d, error %u.", fd, errno); + return FALSE; + } + + return TRUE; +} + + +/** + * Tools function to close the fds. + */ + +static void +ToolsCloseFds(void) +{ + if (gState.ctx.blockFD != -1) { + close(gState.ctx.blockFD); + } + + /* + * uinputFD will be available only for wayland. + */ + if (gState.ctx.uinputFD != -1) { + close(gState.ctx.uinputFD); + } +} + + +/** * Tools daemon entry function. * * @param[in] argc Argument count. @@ -210,6 +265,27 @@ g_free(argvCopy); argvCopy = NULL; + /* + * Drops privilege to the real uid and gid of the process + * for the "vmusr" service. + */ + if (TOOLS_IS_USER_SERVICE(&gState)) { + uid_t uid = getuid(); + gid_t gid = getgid(); + + if ((Id_SetREUid(uid, uid) != 0) || + (Id_SetREGid(gid, gid) != 0)) { + g_printerr("could not drop privileges: %s", strerror(errno)); + ToolsCloseFds(); + goto exit; + } + if (!ToolsSetCloexecFlag(gState.ctx.blockFD) || + !ToolsSetCloexecFlag(gState.ctx.uinputFD)) { + ToolsCloseFds(); + goto exit; + } + } + if (gState.pidFile != NULL) { /* * If argv[0] is not an absolute path, make it so; all other path diff -Nru open-vm-tools-12.3.0/open-vm-tools/tests/Makefile.am open-vm-tools-12.3.5/open-vm-tools/tests/Makefile.am --- open-vm-tools-12.3.0/open-vm-tools/tests/Makefile.am 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/tests/Makefile.am 2023-10-26 15:39:15.000000000 +0000 
@@ -1,5 +1,5 @@ ################################################################################ -### Copyright (c) 2009-2016,2022 VMware, Inc. All rights reserved. +### Copyright (c) 2009-2016,2022,2023 VMware, Inc. All rights reserved. ### ### This program is free software; you can redistribute it and/or modify ### it under the terms of version 2 of the GNU General Public License as diff -Nru open-vm-tools-12.3.0/open-vm-tools/vgauth/common/VGAuthProto.h open-vm-tools-12.3.5/open-vm-tools/vgauth/common/VGAuthProto.h --- open-vm-tools-12.3.0/open-vm-tools/vgauth/common/VGAuthProto.h 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/vgauth/common/VGAuthProto.h 2023-10-26 15:39:15.000000000 +0000 @@ -622,7 +622,6 @@ #define VGAUTH_REQUESTVALIDATESAMLBEARERTOKEN_ELEMENT_NAME "ValidateSamlBToken" - #define VGAUTH_VALIDATESAMLBEARERTOKEN_REQUEST_FORMAT \ VGAUTH_REQUEST_FORMAT_START \ "<"VGAUTH_REQUESTNAME_ELEMENT_NAME">"VGAUTH_REQUESTVALIDATESAMLBEARERTOKEN_ELEMENT_NAME"" \ @@ -632,7 +631,6 @@ "<"VGAUTH_HOST_VERIFIED_ELEMENT_NAME">%s" \ VGAUTH_REQUEST_FORMAT_END - #define VGAUTH_VALIDATESAMLBEARERTOKEN_REPLY_FORMAT_START \ VGAUTH_REPLY_FORMAT_START \ "<"VGAUTH_USERNAME_ELEMENT_NAME">%s" \ diff -Nru open-vm-tools-12.3.0/open-vm-tools/vgauth/common/certverify.c open-vm-tools-12.3.5/open-vm-tools/vgauth/common/certverify.c --- open-vm-tools-12.3.0/open-vm-tools/vgauth/common/certverify.c 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/vgauth/common/certverify.c 2023-10-26 15:39:15.000000000 +0000 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (c) 2011-2016, 2018-2019, 2021-2022 VMware, Inc. All rights reserved. + * Copyright (c) 2011-2016, 2018-2019, 2021-2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published 
@@ -914,3 +914,148 @@ return err; } + + +/* + * Finds a cert with a subject (if checkSubj is set) or issuer (if + * checkSUbj is unset), matching 'val' in the list + * of certs. Returns a match or NULL. + */ + +static X509 * +FindCert(GList *cList, + X509_NAME *val, + int checkSubj) +{ + GList *l; + X509 *c; + X509_NAME *v; + + l = cList; + while (l != NULL) { + c = (X509 *) l->data; + if (checkSubj) { + v = X509_get_subject_name(c); + } else { + v = X509_get_issuer_name(c); + } + if (X509_NAME_cmp(val, v) == 0) { + return c; + } + l = l->next; + } + return NULL; +} + + +/* + ****************************************************************************** + * CertVerify_CheckForUnrelatedCerts -- */ /** + * + * Looks over a list of certs. If it finds that they are not all + * part of the same chain, returns failure. + * + * @param[in] numCerts The number of certs in the chain. + * @param[in] pemCerts The chain of certificates to verify. + * + * @return VGAUTH_E_OK on success, VGAUTH_E_FAIL if unrelated certs are found. + * + ****************************************************************************** + */ + +VGAuthError +CertVerify_CheckForUnrelatedCerts(int numCerts, + const char **pemCerts) +{ + VGAuthError err = VGAUTH_E_FAIL; + int chainLen = 0; + int i; + X509 **certs = NULL; + GList *rawList = NULL; + X509 *baseCert; + X509 *curCert; + X509_NAME *subject; + X509_NAME *issuer; + + /* common single cert case; nothing to do */ + if (numCerts == 1) { + return VGAUTH_E_OK; + } + + /* convert all PEM to X509 objects */ + certs = g_malloc0(numCerts * sizeof(X509 *)); + for (i = 0; i < numCerts; i++) { + certs[i] = CertStringToX509(pemCerts[i]); + if (NULL == certs[i]) { + g_warning("%s: failed to convert cert to X509\n", __FUNCTION__); + goto done; + } + } + + /* choose the cert to start the chain. 
shouldn't matter which */ + baseCert = certs[0]; + + /* put the rest into a list */ + for (i = 1; i < numCerts; i++) { + rawList = g_list_append(rawList, certs[i]); + } + + /* now chase down to a leaf, looking for certs the baseCert issued */ + subject = X509_get_subject_name(baseCert); + while ((curCert = FindCert(rawList, subject, 0)) != NULL) { + /* pull it from the list */ + rawList = g_list_remove(rawList, curCert); + /* set up the next find */ + subject = X509_get_subject_name(curCert); + } + + /* + * walk up to the root cert, by finding a cert where the + * issuer equals the subject of the current + */ + issuer = X509_get_issuer_name(baseCert); + while ((curCert = FindCert(rawList, issuer, 1)) != NULL) { + /* pull it from the list */ + rawList = g_list_remove(rawList, curCert); + /* set up the next find */ + issuer = X509_get_issuer_name(curCert); + } + + /* + * At this point, anything on the list should be certs that are not part + * of the chain that includes the original 'baseCert'. + * + * For a valid token, the list should be empty. + */ + chainLen = g_list_length(rawList); + if (chainLen != 0 ) { + GList *l; + + g_warning("%s: %d unrelated certs found in list\n", + __FUNCTION__, chainLen); + + /* debug helper */ + l = rawList; + while (l != NULL) { + X509* c = (X509 *) l->data; + char *s = X509_NAME_oneline(X509_get_subject_name(c), NULL, 0); + + g_debug("%s: unrelated cert subject: %s\n", __FUNCTION__, s); + free(s); + l = l->next; + } + + goto done; + } + + g_debug("%s: Success! 
no unrelated certs found\n", __FUNCTION__); + err = VGAUTH_E_OK; + +done: + g_list_free(rawList); + for (i = 0; i < numCerts; i++) { + X509_free(certs[i]); + } + g_free(certs); + return err; +} diff -Nru open-vm-tools-12.3.0/open-vm-tools/vgauth/common/certverify.h open-vm-tools-12.3.5/open-vm-tools/vgauth/common/certverify.h --- open-vm-tools-12.3.0/open-vm-tools/vgauth/common/certverify.h 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/vgauth/common/certverify.h 2023-10-26 15:39:15.000000000 +0000 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2011-2016, 2020 VMware, Inc. All rights reserved. + * Copyright (C) 2011-2016, 2020, 2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published @@ -67,6 +67,10 @@ size_t signatureLen, const unsigned char *signature); + +VGAuthError CertVerify_CheckForUnrelatedCerts(int numCerts, + const char **pemCerts); + gchar * CertVerify_StripPEMCert(const gchar *pemCert); gchar * CertVerify_CertToX509String(const gchar *pemCert); diff -Nru open-vm-tools-12.3.0/open-vm-tools/vgauth/common/prefs.h open-vm-tools-12.3.5/open-vm-tools/vgauth/common/prefs.h --- open-vm-tools-12.3.0/open-vm-tools/vgauth/common/prefs.h 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/vgauth/common/prefs.h 2023-10-26 15:39:15.000000000 +0000 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2011-2019 VMware, Inc. All rights reserved. + * Copyright (C) 2011-2019,2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published 
@@ -136,6 +136,8 @@ #define VGAUTH_PREF_ALIASSTORE_DIR "aliasStoreDir" /** The number of seconds slack allowed in either direction in SAML token date checks. */ #define VGAUTH_PREF_CLOCK_SKEW_SECS "clockSkewAdjustment" +/** If unrelated certificates are allowed in a SAML token */ +#define VGAUTH_PREF_ALLOW_UNRELATED_CERTS "allowUnrelatedCerts" /** Ticket group name. */ #define VGAUTH_PREF_GROUP_NAME_TICKET "ticket" diff -Nru open-vm-tools-12.3.0/open-vm-tools/vgauth/public/VGAuthAuthentication.h open-vm-tools-12.3.5/open-vm-tools/vgauth/public/VGAuthAuthentication.h --- open-vm-tools-12.3.0/open-vm-tools/vgauth/public/VGAuthAuthentication.h 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/vgauth/public/VGAuthAuthentication.h 2023-10-26 15:39:15.000000000 +0000 @@ -198,7 +198,7 @@ #define VGAUTH_PARAM_VALIDATE_INFO_ONLY "validateInfoOnly" -# define VGAUTH_PARAM_SAML_HOST_VERIFIED "hostVerified" +#define VGAUTH_PARAM_SAML_HOST_VERIFIED "hostVerified" VGAuthError VGAuth_ValidateSamlBearerToken(VGAuthContext *ctx, const char *samlToken, diff -Nru open-vm-tools-12.3.0/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c open-vm-tools-12.3.5/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c --- open-vm-tools-12.3.0/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/vgauth/serviceImpl/saml-xmlsec1.c 2023-10-26 15:39:15.000000000 +0000 @@ -49,6 +49,7 @@ #include "vmxlog.h" static int gClockSkewAdjustment = VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS; +static gboolean gAllowUnrelatedCerts = FALSE; static xmlSchemaPtr gParsedSchemas = NULL; static xmlSchemaValidCtxtPtr gSchemaValidateCtx = NULL; @@ -369,6 +370,10 @@ VGAUTH_PREF_DEFAULT_CLOCK_SKEW_SECS); Log("%s: Allowing %d of clock skew for SAML date validation\n", __FUNCTION__, gClockSkewAdjustment); + gAllowUnrelatedCerts = Pref_GetBool(gPrefs, + VGAUTH_PREF_ALLOW_UNRELATED_CERTS, + VGAUTH_PREF_GROUP_NAME_SERVICE, + FALSE); } 
@@ -1697,6 +1702,15 @@ return VGAUTH_E_AUTHENTICATION_DENIED; } + if (!gAllowUnrelatedCerts) { + err = CertVerify_CheckForUnrelatedCerts(num, (const char **) certChain); + if (err != VGAUTH_E_OK) { + VMXLog_Log(VMXLOG_LEVEL_WARNING, + "Unrelated certs found in SAML token, failing\n"); + return VGAUTH_E_AUTHENTICATION_DENIED; + } + } + subj.type = SUBJECT_TYPE_NAMED; subj.name = *subjNameOut; err = ServiceVerifyAndCheckTrustCertChainForSubject(num, diff -Nru open-vm-tools-12.3.0/open-vm-tools/vmware-user-suid-wrapper/main.c open-vm-tools-12.3.5/open-vm-tools/vmware-user-suid-wrapper/main.c --- open-vm-tools-12.3.0/open-vm-tools/vmware-user-suid-wrapper/main.c 2023-08-31 14:38:59.000000000 +0000 +++ open-vm-tools-12.3.5/open-vm-tools/vmware-user-suid-wrapper/main.c 2023-10-26 15:39:15.000000000 +0000 @@ -1,5 +1,5 @@ /********************************************************* - * Copyright (C) 2007-2018 VMware, Inc. All rights reserved. + * Copyright (C) 2007-2018,2023 VMware, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as published @@ -156,8 +156,7 @@ * * Obtains the library directory from the Tools locations database, then * opens a file descriptor (while still root) to add and remove blocks, - * drops privilege to the real uid of this process, and finally starts - * vmware-user. + * and finally starts vmware-user. * * Results: * Parent: TRUE on success, FALSE on failure. @@ -173,8 +172,6 @@ StartVMwareUser(char *const envp[]) { pid_t pid; - uid_t uid; - gid_t gid; int blockFd = -1; char blockFdStr[8]; int uinputFd = -1; @@ -191,8 +188,8 @@ } /* - * Now create a child process, obtain a file descriptor as root, downgrade - * privilege, and run vmware-user. + * Now create a child process, obtain a file descriptor as root and + * run vmware-user. */ pid = fork(); if (pid == -1) { 
@@ -229,23 +226,6 @@ } } - uid = getuid(); - gid = getgid(); - - if ((setreuid(uid, uid) != 0) || - (setregid(gid, gid) != 0)) { - Error("could not drop privileges: %s\n", strerror(errno)); - if (blockFd != -1) { - close(blockFd); - } - if (useWayland) { - if (uinputFd != -1) { - close(uinputFd); - } - } - return FALSE; - } - /* * Since vmware-user provides features that don't depend on vmblock, we * invoke vmware-user even if we couldn't obtain a file descriptor or we
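Review bot: `free(fileList);` in IsCloudInitCustomizationEnabled (linuxDeploymentUtilities.c) runs even when `scandir()` returned a negative count, but `fileList` is declared without an initializer and scandir(3) does not set the namelist on failure, so the error path (for example when /etc/cloud/cloud.cfg.d/ does not exist) frees an indeterminate pointer. Initialize it as `struct dirent **fileList = NULL;` or move the `free(fileList);` inside the `else` branch next to the loop that frees the entries. The backwards walk from `fileCount - 1` with a `break` on the first file that sets the flag does implement the "later file in alphabetical order wins" rule stated in the header comment, so that part reads correctly.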
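Review bot: the new prototype `IsCloudInitCustomizationEnabled();` in linuxDeploymentUtilities.h, and the matching definition in linuxDeploymentUtilities.c, use empty parentheses, which in C declare a function with an unspecified parameter list rather than no parameters; a caller still passing the old `configFile` argument (the previous signature was `IsCloudInitEnabled(const char* configFile)`) would compile without a diagnostic. Declare and define it as `IsCloudInitCustomizationEnabled(void)`. The updated call in linuxDeployment.c is otherwise consistent with the removal of the local `cloudInitConfigFilePath`.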
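Review bot: FilterCfgExt only accepts directory entries with `d_type == DT_REG`, but readdir(3) documents that some filesystems return DT_UNKNOWN for every entry, in which case every .cfg file under /etc/cloud/cloud.cfg.d/ is silently skipped and /etc/cloud/cloud.cfg alone decides whether customization runs; symlinked .cfg files (DT_LNK) are excluded by the same test. Accept DT_UNKNOWN and DT_LNK as candidates and fall back to `stat()` on the full path, or document the limitation in the function comment. Minor: the comment header of this function uses a different rule width (` ---------` with a leading space) from the others in the file.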
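Review bot: in GetDisableVMwareCustomizationFlagStatus the `while (fgets(...))` loop keeps scanning after a match, so when a file contains `disable_vmware_customization` more than once the last occurrence wins; either `break` on the first match or state the last-wins rule in the function comment, since the file-level priority rules are documented carefully above but the line-level rule is not. Minor points in the same hunk: the typedef is spelled `DISABLE_VMWARE_CUSTIOMIZATION_FLAG_STATUS_CODE` (CUSTIOMIZATION) while its enumerators say CUSTOMIZATION, the comment says "cloud-int" for "cloud-init", and `regmatch_t groupArray[maxGroups];` is a variable-length array because `maxGroups` is a non-const `size_t`; use an `enum` or a literal `2` for the array size.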
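Review bot: dropping the `#ifdef VMTOOLS_FS_VGAUTH_HOST_VERIFICATION` guard in vixToolsInt.h makes `Bool hostVerified` an unconditional parameter of this prototype, but the function definition and its callers are not part of this diff; confirm they were changed in lockstep so that a build without the macro defined no longer differs in signature. The related `VGAUTH_PARAM_SAML_HOST_VERIFIED` change in VGAuthAuthentication.h is whitespace only (`# define` to `#define`) and needs no further action.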
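Review bot: the added `op->state->scriptArg[0] != '\0'` test in scriptOps.c changes behaviour for an empty argument (previously the backup script was invoked with a trailing empty `""` argument; now it takes the else branch), but nothing in the hunk says why. Add a one-line comment above the condition stating that an empty scriptArg is treated as absent so the pre/post script sees the same argv as when no argument was supplied.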
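Review bot: the new privilege-drop block in mainPosix.c calls `Id_SetREUid(uid, uid)` before `Id_SetREGid(gid, gid)`. Drop the group first: once the effective uid is no longer root the gid change can only succeed because the real gid already equals `gid`, and the conventional order (gid, then uid) does not rely on that. After both calls, confirm the drop is effective and permanent before continuing (check `getuid()`/`geteuid()` against `uid`, and, as CERT POS37-C recommends, that regaining root fails), because the whole point of moving the drop here from the suid wrapper is that the user service must never keep running as root. Minor: `g_printerr("... error %u.", fd, errno)` prints `errno` (an `int`) with `%u`, and the ToolsSetCloexecFlag comment says "flg" for "flag". Setting FD_CLOEXEC on blockFD and uinputFD right after the drop is a good addition, since anything the user service later execs would otherwise inherit descriptors that were opened as root.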
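Review bot: in CertVerify_CheckForUnrelatedCerts (certverify.c) the debug loop releases the string from `X509_NAME_oneline(..., NULL, 0)` with `free(s)`; OpenSSL allocates it through its own allocator, so it must be `OPENSSL_free(s)` (a mismatch crashes on Windows builds that link a different CRT and is wrong whenever a custom allocator is installed). Second, the early return only handles `numCerts == 1`; with `numCerts <= 0` the function does `g_malloc0(0)` and then dereferences `certs[0]`, so reject non-positive counts up front. Third, FindCert relates certificates by `X509_NAME_cmp` only, with no key or signature check, so the function comment should say this is a structural relatedness check (two certificates sharing a subject name but carrying different keys still count as related) and that chain and trust verification remain with ServiceVerifyAndCheckTrustCertChainForSubject, which saml-xmlsec1.c still runs after this check. Typo: "checkSUbj" in the FindCert comment.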
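Review bot: the new `allowUnrelatedCerts` preference is read with a default of FALSE, which is the right default, but the one-line comment in prefs.h ("If unrelated certificates are allowed in a SAML token") should state that default and the consequence of enabling it: in saml-xmlsec1.c the entire CertVerify_CheckForUnrelatedCerts check is skipped when the pref is TRUE, so a token carrying certificates that are not part of the signing chain is no longer rejected. Consider also logging at service start when the pref is enabled, as the hunk above already does for the clock-skew value, so that an audit of vgauth logs shows the weakened configuration.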
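Review bot: removing the setreuid/setregid block from StartVMwareUser in vmware-user-suid-wrapper/main.c means the wrapper now execs vmware-user with the effective uid still root, and the only remaining drop is the new block in vmtoolsd's mainPosix.c, which runs only when `TOOLS_IS_USER_SERVICE(&gState)` holds and only after argument parsing. The updated function comment ("and finally starts vmware-user") should name that hand-off explicitly, so a future reader of the wrapper does not assume it still drops privileges, and the review should confirm that nothing executed in vmtoolsd before the new block depends on already running as the unprivileged user. The blockFd and uinputFd passed to the child are now marked FD_CLOEXEC by vmtoolsd after the drop, which is worth mentioning in the same comment.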