From e83231907966040d11dfbdc9d55e10e5461e75ed3c24f13efb8fef1e0928f7b7 Mon Sep 17 00:00:00 2001 From: Egbert Eich Date: Tue, 12 Apr 2016 15:37:50 +0000 Subject: [PATCH] - Add permission verification for SUID wrapper - Disable SUID wrapper per default until reviewed OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=628 --- xorg-x11-server.changes | 6 ++++++ xorg-x11-server.spec | 18 ++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes index 04291ae..be8b1b9 100644 --- a/xorg-x11-server.changes +++ b/xorg-x11-server.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Apr 12 15:33:45 UTC 2016 - eich@suse.com + +- Add permission verification for SUID wrapper +- Disable SUID wrapper per default until reviewed + ------------------------------------------------------------------- Tue Apr 12 13:59:48 UTC 2016 - eich@suse.com diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 52d3c85..de43113 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -24,12 +24,21 @@ %define have_wayland 1 %endif %endif + +%define build_suid_wrapper 0 + +%if 0%{!?build_suid_wrapper:1} +%ifarch s390 s390x +%define build_suid_wrapper 0 +%else %if 0%{?suse_version} >= 1330 %define build_suid_wrapper 1 %define suid_wrapper_dir %{_libexecdir} %else %define build_suid_wrapper 0 %endif +%endif +%endif Name: xorg-x11-server @@ -242,6 +251,7 @@ This package contains the Xserver running on the Wayland Display Server. %package wrapper Summary: Xserver SUID Wrapper Group: System/X11/Servers/XF86_4 +PreReq: permissions Requires: xorg-x11-server == %{version} %description wrapper 
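Review bot: The unconditional `%define build_suid_wrapper 0` added in the `@@ -24,12 +24,21 @@` hunk of xorg-x11-server.spec makes the `%if 0%{!?build_suid_wrapper:1}` guard right after it always false, so the s390 and `suse_version` branches are dead and nothing in the spec says why. A comment above that line, such as `# SUID wrapper disabled pending security review; remove this line to restore the per-distribution default`, would keep the switch from being forgotten or flipped by accident. Separately, `suid_wrapper_dir` is defined only inside the guarded block. Once the hard-coded line is dropped, a build that presets `build_suid_wrapper` to 1 would presumably skip the block and leave `%{suid_wrapper_dir}` unexpanded in the new `%post wrapper` and `%verifyscript wrapper` scriptlets. Moving `%define suid_wrapper_dir %{_libexecdir}` above the guard avoids that.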
@@ -518,6 +528,14 @@ fi %endif %endif +%if 0%{?build_suid_wrapper} == 1 +%post wrapper +%set_permissions %{suid_wrapper_dir}/Xorg.wrap + +%verifyscript wrapper +%verify_permissions -e %{suid_wrapper_dir}/Xorg.wrap +%endif + %files %defattr(-,root,root) %ifnarch s390 s390x
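Review bot: `%set_permissions %{suid_wrapper_dir}/Xorg.wrap` only applies whatever the system permissions profiles list for that path, and nothing in this hunk shows where the setuid mode for Xorg.wrap is declared. The `%files wrapper` entry is outside the hunk; it should presumably carry `%verify(not mode)` together with an explicit `%attr`, so that `rpm -V` does not report the mode adjusted by the permissions tooling. A short comment above `%post wrapper`, for example `# setuid bit is granted via the permissions profile, not the package payload`, would tell the next packager where to look before re-enabling the wrapper.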