pool/xorg-x11-server
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 838619 from home:sndirsch:branches:X11:XOrg

Browse Source 
- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
  * replaced by improved version written by Matthias Gerstner of
    our security team
    + simplified the option parsing code a bit
    + changed the "ignore forbidden argument" logic into an "abort
      on forbidden argument" logic. This is safer and avoids 
      surprises on the user's end that could occur if the desired
      command line arguments aren't effective but the Xorg server is
      still started.
    + tried to adjust to the coding style present in the file 
      (mostly the function name)
    + added some logic to apply the option filtering only to 
      non-root users when Xorg is actually started as root. This
      should allow for full flexibility if root calls the wrapper or
      if the Xorg server only runs with user privileges.

- n_xorg-wrapper-rename-Xorg.patch
  * moved Xorg to Xorg.bin and Xorg.sh to Xorg (boo#1175867)
- change default for needs_root_rights to auto in Xwrapper.config
  (boo#1175867)

- reenabled SUID wrapper for TW (boo#1175867)
- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
  * Xserver option whitelist filter (boo#1175867)

OBS-URL: https://build.opensuse.org/request/show/838619
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=779
This commit is contained in:
Stefan Dirsch 2020-09-30 01:44:07 +00:00 committed by Git OBS Bridge
parent 69975cf67c
commit b7ed257592
4 changed files with 184 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
n_xorg-wrapper-rename-Xorg.patch Normal file
View File

@ -0,0 +1,20 @@
--- xserver-1.20.9/hw/xfree86/xorg-wrapper.c.old 2020-09-24 03:16:27.270885000 +0200
+++ xserver-1.20.9/hw/xfree86/xorg-wrapper.c 2020-09-24 03:18:42.047597000 +0200
@@ -375,7 +375,7 @@ int main(int argc, char *argv[])
}
}
- snprintf(buf, sizeof(buf), "%s/Xorg", SUID_WRAPPER_DIR);
+ snprintf(buf, sizeof(buf), "%s/Xorg.bin", SUID_WRAPPER_DIR);
/* Check if the server is executable by our real uid */
if (access(buf, X_OK) != 0) {
--- xserver-1.20.9/hw/xfree86/Xorg.sh.in.orig 2020-09-24 03:36:20.690412000 +0200
+++ xserver-1.20.9/hw/xfree86/Xorg.sh.in 2020-09-24 03:36:37.594497000 +0200
@@ -7,5 +7,5 @@
if [ -x "$basedir"/Xorg.wrap ]; then
exec "$basedir"/Xorg.wrap "$@"
else
- exec "$basedir"/Xorg "$@"
+ exec "$basedir"/Xorg.bin "$@"
fi

96
u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch Normal file
View File

@ -0,0 +1,96 @@
--- xserver-1.20.9/hw/xfree86/xorg-wrapper.c
+++ xserver-1.20.9/hw/xfree86/xorg-wrapper.c 2020-09-29 12:52:59.256970275 +0200
@@ -191,6 +191,60 @@
return 0;
}
+static int check_vt_range(long int vt)
+{
+ if (vt >= 2 && vt <= 7 ) {
+ return 1;
+ }
+
+ return 0;
+}
+
+/* Xserver option whitelist filter (boo#1175867) */
+static int option_filter(int argc, char* argv[]){
+
+ for(int pos=1; pos<argc; pos++) {
+ const char *arg = argv[pos];
+
+ if (strlen(arg) == 3 && !strncmp(arg,"vt", 2) && check_vt_range(strtol(arg+2, NULL, 10)) == 1) {
+ /* vtX (vt2-vt7) */
+ continue;
+ } else if(!strcmp(arg,"-displayfd") ||
+ !strcmp(arg,"-auth") ||
+ !strcmp(arg,"-background") ||
+ !strcmp(arg,"-verbose") ||
+ !strcmp(arg,"-listen")) {
+ /* -displayfd x
+ -auth xxxx
+ -backgound none
+ -verbose 7 (7 or 3)
+ -listen tcp
+ */
+ if ((pos+1) < argc) {
+ pos++;
+ } else {
+ fprintf(stderr, "%s: Missing argument for Xserver option \"%s\". Aborting.\n",
+ progname, arg);
+ return 0;
+ }
+ } else if (!strcmp(arg,"-noreset") ||
+ !strcmp(arg,"-keeptty") ||
+ !strcmp(arg,"-core")) {
+ /* -noreset
+ -keeptty
+ -core
+ */
+ continue;
+ } else {
+ fprintf(stderr, "%s: Xserver option \"%s\" invalid or not in whitelist. Aborting.\n",
+ progname, arg);
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
int main(int argc, char *argv[])
{
#ifdef WITH_LIBDRM
@@ -250,11 +304,14 @@
close(fd);
}
+ /* If we've found cards, and all cards support kms, drop root rights */
+ if (total_cards && kms_cards == total_cards) {
+ needs_root_rights = 0;
+ }
}
#endif
- /* If we've found cards, and all cards support kms, drop root rights */
- if (needs_root_rights == 0 || (total_cards && kms_cards == total_cards)) {
+ if (needs_root_rights == 0) {
gid_t realgid = getgid();
uid_t realuid = getuid();
int ngroups = 0;
@@ -326,6 +383,15 @@
}
argv[0] = buf;
+
+ if (needs_root_rights == 1 && getuid() != 0)
+ {
+ /* Xserver option whitelist filter (boo#1175867) */
+ if (option_filter(argc, argv) == 0) {
+ exit(1);
+ }
+ }
+
if (getuid() == geteuid())
(void) execv(argv[0], argv);
else

34
xorg-x11-server.changes
View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Tue Sep 29 14:47:48 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
* replaced by improved version written by Matthias Gerstner of
our security team
+ simplified the option parsing code a bit
+ changed the "ignore forbidden argument" logic into an "abort
on forbidden argument" logic. This is safer and avoids
surprises on the user's end that could occur if the desired
command line arguments aren't effective but the Xorg server is
still started.
+ tried to adjust to the coding style present in the file
(mostly the function name)
+ added some logic to apply the option filtering only to
non-root users when Xorg is actually started as root. This
should allow for full flexibility if root calls the wrapper or
if the Xorg server only runs with user privileges.
-------------------------------------------------------------------
Mon Sep 28 10:29:23 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
@ -7,6 +26,21 @@ Mon Sep 28 10:29:23 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
U_Revert-linux-Make-platform-device-probe-less-fragile.patch
* fix Xserver startup on Raspberry Pi 3 (boo#1176203)
-------------------------------------------------------------------
Thu Sep 24 01:40:17 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
- n_xorg-wrapper-rename-Xorg.patch
* moved Xorg to Xorg.bin and Xorg.sh to Xorg (boo#1175867)
- change default for needs_root_rights to auto in Xwrapper.config
(boo#1175867)
-------------------------------------------------------------------
Wed Sep 16 10:54:32 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
- reenabled SUID wrapper for TW (boo#1175867)
- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
* Xserver option whitelist filter (boo#1175867)
-------------------------------------------------------------------
Wed Sep 9 18:50:37 UTC 2020 - Michael Gorse <mgorse@suse.com>

49
xorg-x11-server.spec
View File

@ -26,19 +26,18 @@
%define have_wayland 1
%endif
%define build_suid_wrapper 0
%if 0%{!?build_suid_wrapper:1}
%ifarch s390 s390x
%define build_suid_wrapper 0
%else
%if 0%{?suse_version} >= 1330
%define build_suid_wrapper 1
%define suid_wrapper_dir %{_libexecdir}
%else
%define build_suid_wrapper 0
%endif
%endif
%if 0%{?build_suid_wrapper:1}
%ifarch s390 s390x
%define build_suid_wrapper 0
%else
%if 0%{?suse_version} >= 1550
%define suid_wrapper_dir %{_bindir}
%else
%define build_suid_wrapper 0
%endif
%endif
%endif
Name: xorg-x11-server
@ -213,6 +212,8 @@ Patch6: N_fix-dpi-values.diff
Patch7: N_Install-Avoid-failure-on-wrapper-installation.patch
Patch8: u_xorg-wrapper-Drop-supplemental-group-IDs.patch
Patch9: u_xorg-wrapper-build-Build-position-independent-code.patch
Patch10: u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
Patch11: n_xorg-wrapper-rename-Xorg.patch
Patch100: u_01-Improved-ConfineToShape.patch
Patch101: u_02-DIX-ConfineTo-Don-t-bother-about-the-bounding-box-when-grabbing-a-shaped-window.patch
# PATCH-FIX-UPSTREAM u_x86emu-include-order.patch schwab@suse.de -- Change include order to avoid conflict with system header, remove duplicate definitions
@ -305,8 +306,6 @@ Summary: Xserver SUID Wrapper
Group: System/X11/Servers/XF86_4
PreReq: permissions
Requires: xorg-x11-server == %{version}
Provides: xorg-x11-server-wayland = 7.6_%{version}
Obsoletes: xorg-x11-server-wayland < 7.6_%{version}
%description wrapper
This package contains an SUID wrapper for the Xserver.
@ -377,6 +376,8 @@ sh %{SOURCE92} --verify . %{SOURCE91}
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
#
%patch100 -p1
#%patch101 -p1
@ -493,6 +494,12 @@ chmod u-s %{buildroot}%{_bindir}/Xorg
%__mkdir_p %{buildroot}%{pci_ids_dir}
install -m 644 %{S:6} %{buildroot}%{pci_ids_dir}
%endif
%if 0%{?build_suid_wrapper} == 1
mv %{buildroot}%{_bindir}/Xorg \
%{buildroot}%{_bindir}/Xorg.bin
mv %{buildroot}%{_bindir}/Xorg.sh \
%{buildroot}%{_bindir}/Xorg
%endif
ln -snf Xorg %{buildroot}%{_bindir}/X
%if 0%{?suse_version} > 1120
%{__install} -m 644 %{S:5} %{buildroot}%{_datadir}/X11/xorg.conf.d
@ -536,6 +543,16 @@ ln -snf %{_sysconfdir}/alternatives/libglx.so %{buildroot}%{_libdir}/xorg/module
mkdir -p %{buildroot}/usr/src/xserver
xargs cp --parents --target-directory=%{buildroot}/usr/src/xserver < source-file-list
%if 0%{?build_suid_wrapper} == 1
mkdir -p %{buildroot}%{_sysconfdir}/X11
cat > %{buildroot}%{_sysconfdir}/X11/Xwrapper.config << EOF
# rootonly, console, anybody
allowed_users=anybody
# yes, no, auto
needs_root_rights=auto
EOF
%endif
%post
%tmpfiles_create xbb.conf
%ifnarch s390 s390x
@ -616,7 +633,7 @@ fi
%ifnarch s390 s390x
%{_bindir}/Xorg
%if 0%{?build_suid_wrapper} == 1
%{suid_wrapper_dir}/Xorg
%{_bindir}/Xorg.bin
%endif
%{_bindir}/X
@ -641,6 +658,8 @@ fi
%files wrapper
%defattr(-,root,root)
%attr(4755,root,root) %{suid_wrapper_dir}/Xorg.wrap
%dir %{_sysconfdir}/X11
%attr(0644,root,root) %config %{_sysconfdir}/X11/Xwrapper.config
%endif
%files extra