
Accepting request 737520 from home:zhangxiaofei:branches:GNOME:Factory

- Add gdm-initial-setup-hardening.patch: Introduce a persistent
  state file to prevent gnome-initial-setup from running if any
  regular user has previously logged into the system, replacing
  the current runtime state file that prevents initial-setup from
  running more than once per boot, so as to reduce the security
  attack surface.
  Make this fix openSUSE only for now as upstream discussion is
  heading another way involving more complicated mechanisms
  (boo#1140851, glgo#GNOME/gnome-initial-setup#76).
- Rebase gdm-disable-gnome-initial-setup.patch.

OBS-URL: https://build.opensuse.org/request/show/737520
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdm?expand=0&rev=432
Bjørn Lie 2019-10-11 20:06:13 +00:00 committed by Git OBS Bridge
parent 2fa9b9ed10
commit 30e8aa75e1
4 changed files with 118 additions and 19 deletions


@ -1,6 +1,7 @@
diff -urp gdm-3.33.90.orig/daemon/gdm-display.c gdm-3.33.90/daemon/gdm-display.c
--- gdm-3.33.90.orig/daemon/gdm-display.c 2019-08-02 14:44:35.000000000 -0500
+++ gdm-3.33.90/daemon/gdm-display.c 2019-08-31 21:53:53.968826727 -0500
Index: b/daemon/gdm-display.c
===================================================================
--- a/daemon/gdm-display.c 2019-10-11 21:11:39.925180538 +0800
+++ b/daemon/gdm-display.c 2019-10-11 21:14:23.866397460 +0800
@@ -570,7 +570,7 @@ gdm_display_prepare (GdmDisplay *self)
*/
look_for_existing_users_sync (self);
@ -18,19 +19,7 @@ diff -urp gdm-3.33.90.orig/daemon/gdm-display.c gdm-3.33.90/daemon/gdm-display.c
static gboolean
can_create_environment (const char *session_id)
{
@@ -1522,9 +1523,11 @@ can_create_environment (const char *sess
return session_exists;
}
+#endif
#define ALREADY_RAN_INITIAL_SETUP_ON_THIS_BOOT GDM_RUN_DIR "/gdm.ran-initial-setup"
+#if 0
static gboolean
already_done_initial_setup_on_this_boot (void)
{
@@ -1660,6 +1663,7 @@ wants_initial_setup (GdmDisplay *self)
@@ -1660,6 +1661,7 @@ wants_initial_setup (GdmDisplay *self)
return enabled;
}
@ -38,9 +27,10 @@ diff -urp gdm-3.33.90.orig/daemon/gdm-display.c gdm-3.33.90/daemon/gdm-display.c
void
gdm_display_start_greeter_session (GdmDisplay *self)
diff -urp gdm-3.33.90.orig/data/gdm.schemas.in gdm-3.33.90/data/gdm.schemas.in
--- gdm-3.33.90.orig/data/gdm.schemas.in 2019-08-02 14:44:36.000000000 -0500
+++ gdm-3.33.90/data/gdm.schemas.in 2019-08-31 21:54:38.225061313 -0500
Index: b/data/gdm.schemas.in
===================================================================
--- a/data/gdm.schemas.in 2019-10-11 21:11:39.925180538 +0800
+++ b/data/gdm.schemas.in 2019-10-11 21:11:43.473206874 +0800
@@ -50,7 +50,7 @@
<schema>
<key>daemon/InitialSetupEnable</key>


@ -0,0 +1,92 @@
Index: b/daemon/gdm-display.c
===================================================================
--- a/daemon/gdm-display.c 2019-10-07 16:56:30.000000000 +0800
+++ b/daemon/gdm-display.c 2019-10-11 18:32:02.962410140 +0800
@@ -1523,12 +1523,12 @@ can_create_environment (const char *sess
return session_exists;
}
-#define ALREADY_RAN_INITIAL_SETUP_ON_THIS_BOOT GDM_RUN_DIR "/gdm.ran-initial-setup"
+#define BLOCK_INITIAL_SETUP LOCALSTATEDIR "/lib/gdm/block-initial-setup"
static gboolean
-already_done_initial_setup_on_this_boot (void)
+already_done_initial_setup (void)
{
- if (g_file_test (ALREADY_RAN_INITIAL_SETUP_ON_THIS_BOOT, G_FILE_TEST_EXISTS))
+ if (g_file_test (BLOCK_INITIAL_SETUP, G_FILE_TEST_EXISTS))
return TRUE;
return FALSE;
@@ -1624,7 +1624,7 @@ wants_initial_setup (GdmDisplay *self)
priv = gdm_display_get_instance_private (self);
- if (already_done_initial_setup_on_this_boot ()) {
+ if (already_done_initial_setup ()) {
return FALSE;
}
Index: b/daemon/gdm-manager.c
===================================================================
--- a/daemon/gdm-manager.c 2019-10-07 16:56:30.000000000 +0800
+++ b/daemon/gdm-manager.c 2019-10-11 18:32:26.370601206 +0800
@@ -62,7 +62,7 @@
#define GDM_MANAGER_DISPLAYS_PATH GDM_DBUS_PATH "/Displays"
#define INITIAL_SETUP_USERNAME "gnome-initial-setup"
-#define ALREADY_RAN_INITIAL_SETUP_ON_THIS_BOOT GDM_RUN_DIR "/gdm.ran-initial-setup"
+#define BLOCK_INITIAL_SETUP LOCALSTATEDIR "/lib/gdm/block-initial-setup"
typedef struct
{
@@ -1781,6 +1781,7 @@ on_start_user_session (StartUserSessionO
gboolean doing_initial_setup = FALSE;
GdmDisplay *display;
const char *session_id;
+ int fd = -1;
#if defined(ENABLE_WAYLAND_SUPPORT) && defined(ENABLE_USER_DISPLAY_SERVER)
g_autofree char *display_session_type = NULL;
#endif
@@ -1813,6 +1814,15 @@ on_start_user_session (StartUserSessionO
#endif
NULL);
+ fd = open(BLOCK_INITIAL_SETUP, O_RDONLY|O_CREAT|O_EXCL|O_NOFOLLOW|O_CLOEXEC, 0644);
+ if (fd == -1 && errno != EEXIST) {
+ g_warning ("GdmDisplay: Could not write initial-setup-done marker to %s: %s",
+ BLOCK_INITIAL_SETUP,
+ strerror(errno));
+ }
+ else {
+ close(fd);
+ }
if (doing_initial_setup)
chown_initial_setup_home_dir ();
@@ -1833,8 +1843,6 @@ on_start_user_session (StartUserSessionO
g_object_ref (display);
if (doing_initial_setup) {
- g_autoptr(GError) error = NULL;
-
#if defined(ENABLE_WAYLAND_SUPPORT) && defined(ENABLE_USER_DISPLAY_SERVER)
if (g_strcmp0 (display_session_type, "wayland") == 0) {
g_debug ("GdmManager: closing down initial setup display in background");
@@ -1847,16 +1855,6 @@ on_start_user_session (StartUserSessionO
gdm_display_unmanage (display);
gdm_display_finish (display);
}
-
- if (!g_file_set_contents (ALREADY_RAN_INITIAL_SETUP_ON_THIS_BOOT,
- "1",
- 1,
- &error)) {
- g_warning ("GdmDisplay: Could not write initial-setup-done marker to %s: %s",
- ALREADY_RAN_INITIAL_SETUP_ON_THIS_BOOT,
- error->message);
- g_clear_error (&error);
- }
} else {
g_debug ("GdmManager: session has its display server, reusing our server for another login screen");
}
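Review bot: The marker file is now created unconditionally near the top of on_start_user_session, apparently before the session is actually launched and also when `doing_initial_setup` is TRUE, so a gnome-initial-setup run that aborts before it creates a user still leaves `/var/lib/gdm/block-initial-setup` behind, and because wants_initial_setup() returns FALSE as soon as that file exists, the machine can no longer reach initial setup without manual cleanup. If the intent is only "block once a regular user has logged in", guard the write with `if (!doing_initial_setup)` (or move it into the `else` branch below); if reruns of initial setup itself are also meant to be blocked, say so in a comment at the open() call, e.g. `/* Persistent: once any session has started, initial-setup stays disabled across reboots. */`. The `O_CREAT|O_EXCL|O_NOFOLLOW` open is the right shape, but it only protects the marker if LOCALSTATEDIR "/lib/gdm" is root-owned and not writable by the gdm or gnome-initial-setup accounts — where that directory is the gdm user's home, either account could unlink the marker and re-arm initial setup, so the packaging should pin the directory ownership and mode; please confirm which applies here. Also verify gdm-manager.c already includes <fcntl.h> and <errno.h> for open()/errno, and note the warning prefix "GdmDisplay:" inside a GdmManager function was carried over from the removed code. on_start_user_session starts and ends outside this hunk.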


@ -1,3 +1,17 @@
-------------------------------------------------------------------
Tue Oct 8 11:37:53 UTC 2019 - Felix Zhang <fezhang@suse.com>
- Add gdm-initial-setup-hardening.patch: Introduce a persistent
state file to prevent gnome-initial-setup from running if any
regular users has previously logged into the system, replacing
the current runtime state file that pervents initial-setup from
running more than once per boot, so as to reduce the security
attack surface.
Make this fix openSUSE only for now as upstream discussion is
heading another way involving more complicated mechanisms
(boo#1140851, glgo#GNOME/gnome-initial-setup#76).
- Rebase gdm-disable-gnome-initial-setup.patch.
-------------------------------------------------------------------
Mon Oct 7 10:02:43 UTC 2019 - Bjørn Lie <bjorn.lie@gmail.com>


@ -57,6 +57,8 @@ Patch4: gdm-xauthlocalhostname.patch
Patch6: gdm-switch-to-tty1.patch
# PATCH-FIX-OPENSUSE gdm-add-runtime-option-to-disable-starting-X-server-as-u.patch bnc#1075805 bgo#793255 msrb@suse.com -- Add runtime option to start X under root instead of regular user. Necessary if no DRI drivers are present. rejected upstream
Patch8: gdm-add-runtime-option-to-disable-starting-X-server-as-u.patch
# PATCH-FIX-OPENSUSE gdm-initial-setup-hardening.patch boo#1140851, glgo#GNOME/gnome-initial-setup#76 fezhang@suse.com -- Prevent gnome-initial-setup running if any regular user has perviously logged into the system
Patch9: gdm-initial-setup-hardening.patch
# PATCH-FIX-OPENSUSE gdm-s390-not-require-g-s-d_wacom.patch bsc#1129412 yfjiang@suse.com -- Remove the runtime requirement of g-s-d Wacom plugin
Patch13: gdm-s390-not-require-g-s-d_wacom.patch
### NOTE: Keep please SLE-only patches at bottom (starting on 1000).
@ -210,6 +212,7 @@ cp %{SOURCE8} .
%patch4 -p1
%patch6 -p1
%patch8 -p1
%patch9 -p1
%ifarch s390 s390x
%patch13 -p1
%endif