diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index 04291ae..be8b1b9 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Apr 12 15:33:45 UTC 2016 - eich@suse.com
+
+- Add permission verification for SUID wrapper
+- Disable SUID wrapper per default until reviewed
+
 -------------------------------------------------------------------
 Tue Apr 12 13:59:48 UTC 2016 - eich@suse.com
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 52d3c85..de43113 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -24,12 +24,21 @@
 %define have_wayland 1
 %endif
 %endif
+
+%define build_suid_wrapper 0
+
+%if 0%{!?build_suid_wrapper:1}
+%ifarch s390 s390x
+%define build_suid_wrapper 0
+%else
 %if 0%{?suse_version} >= 1330
 %define build_suid_wrapper 1
 %define suid_wrapper_dir %{_libexecdir}
 %else
 %define build_suid_wrapper 0
 %endif
+%endif
+%endif
 Name: xorg-x11-server
@@ -242,6 +251,7 @@ This package contains the Xserver running on the Wayland Display Server.
 %package wrapper
 Summary: Xserver SUID Wrapper
 Group: System/X11/Servers/XF86_4
+PreReq: permissions
 Requires: xorg-x11-server == %{version}
 %description wrapper
@@ -518,6 +528,14 @@ fi
 %endif
 %endif
+%if 0%{?build_suid_wrapper} == 1
+%post wrapper
+%set_permissions %{suid_wrapper_dir}/Xorg.wrap
+
+%verifyscript wrapper
+%verify_permissions -e %{suid_wrapper_dir}/Xorg.wrap
+%endif
+
 %files
 %defattr(-,root,root)
 %ifnarch s390 s390x
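Review bot: The unconditional `%define build_suid_wrapper 0` at the top of the `-24,12` hunk makes the guard `%if 0%{!?build_suid_wrapper:1}` always false, so the s390 and `suse_version` branches under it are dead, and a `--define` passed to rpmbuild would, as far as I can tell, be shadowed as well. Failing closed is a sensible default for a setuid-root binary, but the spec does not say how the switch is meant to be turned back on; a comment such as `# SUID wrapper disabled pending security review; drop this line to restore the arch/version default below` would record that. Note also that `suid_wrapper_dir` is defined only inside the skipped block, so changing the top line to `1` would leave `%{suid_wrapper_dir}` unexpanded in the scriptlets added in the last hunk, unless it is defined elsewhere in the spec. Moving `%define suid_wrapper_dir %{_libexecdir}` out of the conditional avoids that.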
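Review bot: The `%post wrapper` and `%verifyscript wrapper` scriptlets in the `-518,6` hunk only take effect if `Xorg.wrap` has an entry in the permissions profiles, and neither that entry nor the matching `%files` line is visible in this diff. Without an entry, the setuid bit would presumably come from the package's `%attr` alone and bypass the per-security-level policy this change hooks into, so the entry should be confirmed before the wrapper is re-enabled. The `%files wrapper` line (outside this hunk) would normally carry `%verify(not mode)` so that `rpm -V` does not flag the mode chkstat applies. A comment above the scriptlets such as `# setuid bit on Xorg.wrap is managed by the permissions package` would make the dependency explicit.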