- Add permission verification for SUID wrapper

- Disable SUID wrapper per default until reviewed

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=628

xorg-x11-server.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Apr 12 15:33:45 UTC 2016 - eich@suse.com
+
+- Add permission verification for SUID wrapper
+- Disable SUID wrapper per default until reviewed
+
 -------------------------------------------------------------------
 Tue Apr 12 13:59:48 UTC 2016 - eich@suse.com
 

xorg-x11-server.spec

@@ -24,12 +24,21 @@
 %define have_wayland 1
 %endif
 %endif
+
+%define build_suid_wrapper 0
+
+%if 0%{!?build_suid_wrapper:1}
+%ifarch s390 s390x
+%define build_suid_wrapper 0
+%else
 %if 0%{?suse_version} >= 1330
 %define build_suid_wrapper 1
 %define suid_wrapper_dir %{_libexecdir}
 %else
 %define build_suid_wrapper 0
 %endif
+%endif
+%endif
 
 Name:           xorg-x11-server
 
@@ -242,6 +251,7 @@ This package contains the Xserver running on the Wayland Display Server.
 %package wrapper
 Summary:        Xserver SUID Wrapper
 Group:          System/X11/Servers/XF86_4
+PreReq:         permissions
 Requires:       xorg-x11-server == %{version}
 
 %description wrapper
@@ -518,6 +528,14 @@ fi
 %endif
 %endif
 
+%if 0%{?build_suid_wrapper} == 1
+%post wrapper
+%set_permissions %{suid_wrapper_dir}/Xorg.wrap
+
+%verifyscript wrapper
+%verify_permissions -e %{suid_wrapper_dir}/Xorg.wrap
+%endif
+
 %files
 %defattr(-,root,root)
 %ifnarch s390 s390x