forked from pool/xorg-x11-server
Accepting request 838619 from home:sndirsch:branches:X11:XOrg
- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch * replaced by improved version written by Matthias Gerstner of our security team + simplified the option parsing code a bit + changed the "ignore forbidden argument" logic into an "abort on forbidden argument" logic. This is safer and avoids surprises on the user's end that could occur if the desired command line arguments aren't effective but the Xorg server is still started. + tried to adjust to the coding style present in the file (mostly the function name) + added some logic to apply the option filtering only to non-root users when Xorg is actually started as root. This should allow for full flexibility if root calls the wrapper or if the Xorg server only runs with user privileges. - n_xorg-wrapper-rename-Xorg.patch * moved Xorg to Xorg.bin and Xorg.sh to Xorg (boo#1175867) - change default for needs_root_rights to auto in Xwrapper.config (boo#1175867) - reenabled SUID wrapper for TW (boo#1175867) - u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch * Xserver option whitelist filter (boo#1175867) OBS-URL: https://build.opensuse.org/request/show/838619 OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=779
This commit is contained in:
parent
69975cf67c
commit
b7ed257592
20
n_xorg-wrapper-rename-Xorg.patch
Normal file
20
n_xorg-wrapper-rename-Xorg.patch
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
--- xserver-1.20.9/hw/xfree86/xorg-wrapper.c.old 2020-09-24 03:16:27.270885000 +0200
|
||||||
|
+++ xserver-1.20.9/hw/xfree86/xorg-wrapper.c 2020-09-24 03:18:42.047597000 +0200
|
||||||
|
@@ -375,7 +375,7 @@ int main(int argc, char *argv[])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- snprintf(buf, sizeof(buf), "%s/Xorg", SUID_WRAPPER_DIR);
|
||||||
|
+ snprintf(buf, sizeof(buf), "%s/Xorg.bin", SUID_WRAPPER_DIR);
|
||||||
|
|
||||||
|
/* Check if the server is executable by our real uid */
|
||||||
|
if (access(buf, X_OK) != 0) {
|
||||||
|
--- xserver-1.20.9/hw/xfree86/Xorg.sh.in.orig 2020-09-24 03:36:20.690412000 +0200
|
||||||
|
+++ xserver-1.20.9/hw/xfree86/Xorg.sh.in 2020-09-24 03:36:37.594497000 +0200
|
||||||
|
@@ -7,5 +7,5 @@
|
||||||
|
if [ -x "$basedir"/Xorg.wrap ]; then
|
||||||
|
exec "$basedir"/Xorg.wrap "$@"
|
||||||
|
else
|
||||||
|
- exec "$basedir"/Xorg "$@"
|
||||||
|
+ exec "$basedir"/Xorg.bin "$@"
|
||||||
|
fi
|
96
u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
Normal file
96
u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
Normal file
@ -0,0 +1,96 @@
|
|||||||
|
--- xserver-1.20.9/hw/xfree86/xorg-wrapper.c
|
||||||
|
+++ xserver-1.20.9/hw/xfree86/xorg-wrapper.c 2020-09-29 12:52:59.256970275 +0200
|
||||||
|
@@ -191,6 +191,60 @@
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int check_vt_range(long int vt)
|
||||||
|
+{
|
||||||
|
+ if (vt >= 2 && vt <= 7 ) {
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* Xserver option whitelist filter (boo#1175867) */
|
||||||
|
+static int option_filter(int argc, char* argv[]){
|
||||||
|
+
|
||||||
|
+ for(int pos=1; pos<argc; pos++) {
|
||||||
|
+ const char *arg = argv[pos];
|
||||||
|
+
|
||||||
|
+ if (strlen(arg) == 3 && !strncmp(arg,"vt", 2) && check_vt_range(strtol(arg+2, NULL, 10)) == 1) {
|
||||||
|
+ /* vtX (vt2-vt7) */
|
||||||
|
+ continue;
|
||||||
|
+ } else if(!strcmp(arg,"-displayfd") ||
|
||||||
|
+ !strcmp(arg,"-auth") ||
|
||||||
|
+ !strcmp(arg,"-background") ||
|
||||||
|
+ !strcmp(arg,"-verbose") ||
|
||||||
|
+ !strcmp(arg,"-listen")) {
|
||||||
|
+ /* -displayfd x
|
||||||
|
+ -auth xxxx
|
||||||
|
+ -backgound none
|
||||||
|
+ -verbose 7 (7 or 3)
|
||||||
|
+ -listen tcp
|
||||||
|
+ */
|
||||||
|
+ if ((pos+1) < argc) {
|
||||||
|
+ pos++;
|
||||||
|
+ } else {
|
||||||
|
+ fprintf(stderr, "%s: Missing argument for Xserver option \"%s\". Aborting.\n",
|
||||||
|
+ progname, arg);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ } else if (!strcmp(arg,"-noreset") ||
|
||||||
|
+ !strcmp(arg,"-keeptty") ||
|
||||||
|
+ !strcmp(arg,"-core")) {
|
||||||
|
+ /* -noreset
|
||||||
|
+ -keeptty
|
||||||
|
+ -core
|
||||||
|
+ */
|
||||||
|
+ continue;
|
||||||
|
+ } else {
|
||||||
|
+ fprintf(stderr, "%s: Xserver option \"%s\" invalid or not in whitelist. Aborting.\n",
|
||||||
|
+ progname, arg);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int main(int argc, char *argv[])
|
||||||
|
{
|
||||||
|
#ifdef WITH_LIBDRM
|
||||||
|
@@ -250,11 +304,14 @@
|
||||||
|
|
||||||
|
close(fd);
|
||||||
|
}
|
||||||
|
+ /* If we've found cards, and all cards support kms, drop root rights */
|
||||||
|
+ if (total_cards && kms_cards == total_cards) {
|
||||||
|
+ needs_root_rights = 0;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- /* If we've found cards, and all cards support kms, drop root rights */
|
||||||
|
- if (needs_root_rights == 0 || (total_cards && kms_cards == total_cards)) {
|
||||||
|
+ if (needs_root_rights == 0) {
|
||||||
|
gid_t realgid = getgid();
|
||||||
|
uid_t realuid = getuid();
|
||||||
|
int ngroups = 0;
|
||||||
|
@@ -326,6 +383,15 @@
|
||||||
|
}
|
||||||
|
|
||||||
|
argv[0] = buf;
|
||||||
|
+
|
||||||
|
+ if (needs_root_rights == 1 && getuid() != 0)
|
||||||
|
+ {
|
||||||
|
+ /* Xserver option whitelist filter (boo#1175867) */
|
||||||
|
+ if (option_filter(argc, argv) == 0) {
|
||||||
|
+ exit(1);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (getuid() == geteuid())
|
||||||
|
(void) execv(argv[0], argv);
|
||||||
|
else
|
@ -1,3 +1,22 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 29 14:47:48 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
|
||||||
|
|
||||||
|
- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
|
||||||
|
* replaced by improved version written by Matthias Gerstner of
|
||||||
|
our security team
|
||||||
|
+ simplified the option parsing code a bit
|
||||||
|
+ changed the "ignore forbidden argument" logic into an "abort
|
||||||
|
on forbidden argument" logic. This is safer and avoids
|
||||||
|
surprises on the user's end that could occur if the desired
|
||||||
|
command line arguments aren't effective but the Xorg server is
|
||||||
|
still started.
|
||||||
|
+ tried to adjust to the coding style present in the file
|
||||||
|
(mostly the function name)
|
||||||
|
+ added some logic to apply the option filtering only to
|
||||||
|
non-root users when Xorg is actually started as root. This
|
||||||
|
should allow for full flexibility if root calls the wrapper or
|
||||||
|
if the Xorg server only runs with user privileges.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Sep 28 10:29:23 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
|
Mon Sep 28 10:29:23 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
|
||||||
|
|
||||||
@ -7,6 +26,21 @@ Mon Sep 28 10:29:23 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
|
|||||||
U_Revert-linux-Make-platform-device-probe-less-fragile.patch
|
U_Revert-linux-Make-platform-device-probe-less-fragile.patch
|
||||||
* fix Xserver startup on Raspberry Pi 3 (boo#1176203)
|
* fix Xserver startup on Raspberry Pi 3 (boo#1176203)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Sep 24 01:40:17 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
|
||||||
|
|
||||||
|
- n_xorg-wrapper-rename-Xorg.patch
|
||||||
|
* moved Xorg to Xorg.bin and Xorg.sh to Xorg (boo#1175867)
|
||||||
|
- change default for needs_root_rights to auto in Xwrapper.config
|
||||||
|
(boo#1175867)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 16 10:54:32 UTC 2020 - Stefan Dirsch <sndirsch@suse.com>
|
||||||
|
|
||||||
|
- reenabled SUID wrapper for TW (boo#1175867)
|
||||||
|
- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
|
||||||
|
* Xserver option whitelist filter (boo#1175867)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Sep 9 18:50:37 UTC 2020 - Michael Gorse <mgorse@suse.com>
|
Wed Sep 9 18:50:37 UTC 2020 - Michael Gorse <mgorse@suse.com>
|
||||||
|
|
||||||
|
@ -26,15 +26,14 @@
|
|||||||
%define have_wayland 1
|
%define have_wayland 1
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%define build_suid_wrapper 0
|
%define build_suid_wrapper 1
|
||||||
|
|
||||||
%if 0%{!?build_suid_wrapper:1}
|
%if 0%{?build_suid_wrapper:1}
|
||||||
%ifarch s390 s390x
|
%ifarch s390 s390x
|
||||||
%define build_suid_wrapper 0
|
%define build_suid_wrapper 0
|
||||||
%else
|
%else
|
||||||
%if 0%{?suse_version} >= 1330
|
%if 0%{?suse_version} >= 1550
|
||||||
%define build_suid_wrapper 1
|
%define suid_wrapper_dir %{_bindir}
|
||||||
%define suid_wrapper_dir %{_libexecdir}
|
|
||||||
%else
|
%else
|
||||||
%define build_suid_wrapper 0
|
%define build_suid_wrapper 0
|
||||||
%endif
|
%endif
|
||||||
@ -213,6 +212,8 @@ Patch6: N_fix-dpi-values.diff
|
|||||||
Patch7: N_Install-Avoid-failure-on-wrapper-installation.patch
|
Patch7: N_Install-Avoid-failure-on-wrapper-installation.patch
|
||||||
Patch8: u_xorg-wrapper-Drop-supplemental-group-IDs.patch
|
Patch8: u_xorg-wrapper-Drop-supplemental-group-IDs.patch
|
||||||
Patch9: u_xorg-wrapper-build-Build-position-independent-code.patch
|
Patch9: u_xorg-wrapper-build-Build-position-independent-code.patch
|
||||||
|
Patch10: u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
|
||||||
|
Patch11: n_xorg-wrapper-rename-Xorg.patch
|
||||||
Patch100: u_01-Improved-ConfineToShape.patch
|
Patch100: u_01-Improved-ConfineToShape.patch
|
||||||
Patch101: u_02-DIX-ConfineTo-Don-t-bother-about-the-bounding-box-when-grabbing-a-shaped-window.patch
|
Patch101: u_02-DIX-ConfineTo-Don-t-bother-about-the-bounding-box-when-grabbing-a-shaped-window.patch
|
||||||
# PATCH-FIX-UPSTREAM u_x86emu-include-order.patch schwab@suse.de -- Change include order to avoid conflict with system header, remove duplicate definitions
|
# PATCH-FIX-UPSTREAM u_x86emu-include-order.patch schwab@suse.de -- Change include order to avoid conflict with system header, remove duplicate definitions
|
||||||
@ -305,8 +306,6 @@ Summary: Xserver SUID Wrapper
|
|||||||
Group: System/X11/Servers/XF86_4
|
Group: System/X11/Servers/XF86_4
|
||||||
PreReq: permissions
|
PreReq: permissions
|
||||||
Requires: xorg-x11-server == %{version}
|
Requires: xorg-x11-server == %{version}
|
||||||
Provides: xorg-x11-server-wayland = 7.6_%{version}
|
|
||||||
Obsoletes: xorg-x11-server-wayland < 7.6_%{version}
|
|
||||||
|
|
||||||
%description wrapper
|
%description wrapper
|
||||||
This package contains an SUID wrapper for the Xserver.
|
This package contains an SUID wrapper for the Xserver.
|
||||||
@ -377,6 +376,8 @@ sh %{SOURCE92} --verify . %{SOURCE91}
|
|||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
|
%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
#
|
#
|
||||||
%patch100 -p1
|
%patch100 -p1
|
||||||
#%patch101 -p1
|
#%patch101 -p1
|
||||||
@ -493,6 +494,12 @@ chmod u-s %{buildroot}%{_bindir}/Xorg
|
|||||||
%__mkdir_p %{buildroot}%{pci_ids_dir}
|
%__mkdir_p %{buildroot}%{pci_ids_dir}
|
||||||
install -m 644 %{S:6} %{buildroot}%{pci_ids_dir}
|
install -m 644 %{S:6} %{buildroot}%{pci_ids_dir}
|
||||||
%endif
|
%endif
|
||||||
|
%if 0%{?build_suid_wrapper} == 1
|
||||||
|
mv %{buildroot}%{_bindir}/Xorg \
|
||||||
|
%{buildroot}%{_bindir}/Xorg.bin
|
||||||
|
mv %{buildroot}%{_bindir}/Xorg.sh \
|
||||||
|
%{buildroot}%{_bindir}/Xorg
|
||||||
|
%endif
|
||||||
ln -snf Xorg %{buildroot}%{_bindir}/X
|
ln -snf Xorg %{buildroot}%{_bindir}/X
|
||||||
%if 0%{?suse_version} > 1120
|
%if 0%{?suse_version} > 1120
|
||||||
%{__install} -m 644 %{S:5} %{buildroot}%{_datadir}/X11/xorg.conf.d
|
%{__install} -m 644 %{S:5} %{buildroot}%{_datadir}/X11/xorg.conf.d
|
||||||
@ -536,6 +543,16 @@ ln -snf %{_sysconfdir}/alternatives/libglx.so %{buildroot}%{_libdir}/xorg/module
|
|||||||
mkdir -p %{buildroot}/usr/src/xserver
|
mkdir -p %{buildroot}/usr/src/xserver
|
||||||
xargs cp --parents --target-directory=%{buildroot}/usr/src/xserver < source-file-list
|
xargs cp --parents --target-directory=%{buildroot}/usr/src/xserver < source-file-list
|
||||||
|
|
||||||
|
%if 0%{?build_suid_wrapper} == 1
|
||||||
|
mkdir -p %{buildroot}%{_sysconfdir}/X11
|
||||||
|
cat > %{buildroot}%{_sysconfdir}/X11/Xwrapper.config << EOF
|
||||||
|
# rootonly, console, anybody
|
||||||
|
allowed_users=anybody
|
||||||
|
# yes, no, auto
|
||||||
|
needs_root_rights=auto
|
||||||
|
EOF
|
||||||
|
%endif
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%tmpfiles_create xbb.conf
|
%tmpfiles_create xbb.conf
|
||||||
%ifnarch s390 s390x
|
%ifnarch s390 s390x
|
||||||
@ -616,7 +633,7 @@ fi
|
|||||||
%ifnarch s390 s390x
|
%ifnarch s390 s390x
|
||||||
%{_bindir}/Xorg
|
%{_bindir}/Xorg
|
||||||
%if 0%{?build_suid_wrapper} == 1
|
%if 0%{?build_suid_wrapper} == 1
|
||||||
%{suid_wrapper_dir}/Xorg
|
%{_bindir}/Xorg.bin
|
||||||
%endif
|
%endif
|
||||||
%{_bindir}/X
|
%{_bindir}/X
|
||||||
|
|
||||||
@ -641,6 +658,8 @@ fi
|
|||||||
%files wrapper
|
%files wrapper
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%attr(4755,root,root) %{suid_wrapper_dir}/Xorg.wrap
|
%attr(4755,root,root) %{suid_wrapper_dir}/Xorg.wrap
|
||||||
|
%dir %{_sysconfdir}/X11
|
||||||
|
%attr(0644,root,root) %config %{_sysconfdir}/X11/Xwrapper.config
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%files extra
|
%files extra
|
||||||
|
Loading…
Reference in New Issue
Block a user