[Bug 1175867] New: Security Review requested of using Xorg.wrap to start X server by default
https://bugzilla.suse.com/show_bug.cgi?id=1175867 Bug ID: 1175867 Summary: Security Review requested of using Xorg.wrap to start X server by default Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: xiaoguang.wang@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Some time the X server need root rights to function properly, like the issue we meet in https://bugzilla.suse.com/show_bug.cgi?id=1075805. By default Xorg.wrap will auto detect if root rights are necessary, and if not it will drop its elevated rights before starting the real X server. On Fedora and Ubuntu distro they use Xorg.wrap to start X server. We hope security team can review the Xorg.wrap and we want to know whether openSUSE distro can use Xorg.wrap to start X server. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
Marcus Meissner
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c1
Matthias Gerstner
https://bugzilla.suse.com/show_bug.cgi?id=1175867
Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c2
--- Comment #2 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c3
Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c4
Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
Matthias Gerstner
https://bugzilla.suse.com/show_bug.cgi?id=1175867
Matthias Gerstner
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c5
--- Comment #5 from Matthias Gerstner
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c6
--- Comment #6 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c7
--- Comment #7 from xiaoguang wang
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c8
--- Comment #8 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c9
--- Comment #9 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c10
--- Comment #10 from xiaoguang wang
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c11
--- Comment #11 from Matthias Gerstner
Matthias, have you also checked the patches we're already applying against the wrapper in the xorg-x11-server specfile, i.e.
I looked at the fully patched version of the wrapper. But I can have a look at the individual patches, too. One seems to affect the build process. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c12
--- Comment #12 from Matthias Gerstner
There is no whitelist in gdm. If we want a normal user is not shown in login user list, we have a trick way to do it.
We are not takling about whitelisting users, we are are talking about whitelisting command line arguments passed from the Xorg.wrap setuid-root program to the Xorg server. So that when a non-root user invokes Xorg.wrap, and the Xorg server needs to be run with root privileges, that only a subset of the supported command line arguments will be allowed. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c13
--- Comment #13 from xiaoguang wang
We are not takling about whitelisting users, we are are talking about whitelisting command line arguments passed from the Xorg.wrap setuid-root program to the Xorg server.
So that when a non-root user invokes Xorg.wrap, and the Xorg server needs to be run with root privileges, that only a subset of the supported command line arguments will be allowed.
Sorry, my bad, I misunderstand whitelist before. gdm starts X server with fix arguments, if you need I can show it here. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c14
--- Comment #14 from Matthias Gerstner
Matthias, have you also checked the patches we're already applying against the wrapper in the xorg-x11-server specfile, i.e.
N_Install-Avoid-failure-on-wrapper-installation.patch u_xorg-wrapper-Drop-supplemental-group-IDs.patch u_xorg-wrapper-build-Build-position-independent-code.patch
The patches are okay. The N_Install-Avoid-failure-on-wrapper-installation.patch is a bit strange (why should a user with UID!=0 && EUID==0 be building this package? That would be unwise. But I guess the intention is simply to avoid error output here. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c15
Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c16
xiaoguang wang
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c17
Stefan Dirsch
The X arguments in gdm:
/usr/bin/X vt2 (could be vt2-7) -displayfd x -auth xxxx -background none -noreset -keeptty -verbose 7 (could be 7 or 3) -core
Ok
-listen tcp -nolisten tcp
Both? Please explain. "-nolisten tcp" is the default since xorg-server 1.17. So when are you using "-listen tcp"? Hope it's not the default. Otherwise I would expect a security ticket to be opened immediately against gdm. ;-) -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c18
xiaoguang wang
-listen tcp -nolisten tcp
Both? Please explain. "-nolisten tcp" is the default since xorg-server 1.17. So when are you using "-listen tcp"? Hope it's not the default. Otherwise I would expect a security ticket to be opened immediately against gdm. ;-)
The default is no "-nolisten" and no "-listen". When defined "HAVE_XSERVER_THAT_DEFAULTS_TO_LOCAL_ONLY"(sorry I'm not clear what is used for), and allowing remote connection, add "-listen tcp". or not allowing remote connection, add "-nolisten tcp". -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c19
--- Comment #19 from Stefan Dirsch
(In reply to Stefan Dirsch from comment #17)
-listen tcp -nolisten tcp
Both? Please explain. "-nolisten tcp" is the default since xorg-server 1.17. So when are you using "-listen tcp"? Hope it's not the default. Otherwise I would expect a security ticket to be opened immediately against gdm. ;-)
The default is no "-nolisten" and no "-listen".
? Not sure I undesrtood that ;-)
When defined "HAVE_XSERVER_THAT_DEFAULTS_TO_LOCAL_ONLY"(sorry I'm not clear what is used for),
I don't knnow where one can find this in gdm, but from the meaning this would be set to "yes" for all xservers since version 1.17, i.e. sle12-sp2. There is also ## Type: yesno ## Default: no # # TCP port 6000 of Xserver. When set to "no" (default) Xserver is # started with "-nolisten tcp". Only set this to "yes" if you really # need to. Remote X service should run only on trusted networks and # you have to disable firewall for interfaces, where you want to # provide this service. Use ssh X11 port forwarding whenever possible. # DISPLAYMANAGER_XSERVER_TCP_PORT_6000_OPEN="no" in /etc/sysconfig/displaymanager, but I'm not sure whether this is uses by gdm. Maybe only by xdm and other DMs.
and allowing remote connection, add "-listen tcp". or not allowing remote connection, add "-nolisten tcp".
Ok. Where is this being configured? config file? gdm UI? Somewhere else? -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c20
--- Comment #20 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c21
--- Comment #21 from xiaoguang wang
/* If we were compiled with Xserver >= 1.17 we need to specify * '-listen tcp' as the X server dosen't listen on tcp sockets * by default anymore. In older versions we need to pass * -nolisten tcp to disable listening on tcp sockets. */ #ifdef HAVE_XSERVER_THAT_DEFAULTS_TO_LOCAL_ONLY if (allow_remote_connections) { g_ptr_array_add (arguments, "-listen"); g_ptr_array_add (arguments, "tcp"); } #else if (!allow_remote_connections) { g_ptr_array_add (arguments, "-nolisten"); g_ptr_array_add (arguments, "tcp"); } #endif
When Xserver >= 1.17, the HAVE_XSERVER_THAT_DEFAULTS_TO_LOCAL_ONLY is defined. Then when allow_remote_connections is true, add '-listen tcp'. The allow_remote_connections is from DisallowTCP in file /etc/gdm/custom.conf, and the default value of allow_remote_connections is false. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c22
--- Comment #22 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c23
--- Comment #23 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c24
--- Comment #24 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c25
--- Comment #25 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c26
--- Comment #26 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c27
--- Comment #27 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c28
--- Comment #28 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c29
--- Comment #29 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c30
--- Comment #30 from Stefan Dirsch
Unfortunately running Xorg via Xwrapper does not really work for me as normal user.
# Xorg.wrap -displayfd 2 Xorg.wrap: /usr/bin/Xorg -displayfd 2 [...] (EE) parse_vt_settings: Cannot open /dev/tty0 (Permission denied)
Without Egbert's patch u_xorg-wrapper-Drop-supplemental-group-IDs.patch this changes to Fatal server error: (EE) parse_vt_settings: Cannot open /dev/tty0 (Permission denied) Xwrapper completely unpatched gives the same result. Seems this Wrapper simply doesn't work and probably never did. No idea what other distributors, which are claimed to be using it, are doing. Maybe they are heavily patching it, Who knows ... I need more than "Debian and Fedora are using it since years sucessfully"! -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c31
--- Comment #31 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c32
--- Comment #32 from Stefan Dirsch
One minor suggestion is to skip the root detection and privdrop logic if the wrapper already runs as root:
``` --- xserver-1.20.9.orig/hw/xfree86/xorg-wrapper.c +++ xserver-1.20.9/hw/xfree86/xorg-wrapper.c @@ -231,6 +231,10 @@ int main(int argc, char *argv[]) break; } } + else { + // don't perform any checks or privdrops if we're root anyway + needs_root_rights = 1; + }
#ifdef WITH_LIBDRM /* Detect if we need root rights, except when overriden by the config */ ```
I don't see what this alone would change. The value of needs_root_rights is checked against 0 and -1 but nowhere against 1.
I think there was a CVE a couple of years ago regarding local exploits using this switch. `man Xserver` lists more interesting switches that could escalate privileges:
-displayfd fd -auth authorization-file
Unfortunately both are needed by gdm.
-listen trans-type
This as well. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c33
--- Comment #33 from Matthias Gerstner
Ouch. I understood this wrong. It needs to be
needs_root_rights=yes
in /etc/X11/Xwrapper.config. Then it works also as regular user.
This means that the auto detection is overridden and the Xserver is always started as root. No surprise this works ;-). But then we also wouldn't need the wrapper in the first place. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c36
Stefan Dirsch
(In reply to sndirsch@suse.com from comment #31)
Ouch. I understood this wrong. It needs to be
needs_root_rights=yes
in /etc/X11/Xwrapper.config. Then it works also as regular user.
This means that the auto detection is overridden and the Xserver is always started as root. No surprise this works ;-). But then we also wouldn't need the wrapper in the first place.
Well, I was testing with needs_root_rights=no. ;-) But indeed you're right. The same happens with "auto", so autodetection apparently does not check for access to /dev/ttyX. :-( But who knows. Maybe gdm gets access via ACLs to /dev/ttyX via systemd when gdm gets started. @xiaoguang Could you please test this with the current packages from https://build.opensuse.org/package/show/home:sndirsch:branches:X11:XOrg/xorg... Plesae play around with "auto" and "yes" for needs_root_rights in /etc/X11/Xwrapper.config when using gdm. gdm needs to use Xorw.wrap instead of Xorg now. Xorg.sh may also work. Of course Xorg.wrap should be started as user gdm for testing, not any longer as user root. Let's do some testing as long as Matthias is on vacation. ;-) -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c37
--- Comment #37 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c38
--- Comment #38 from xiaoguang wang
Plesae play around with "auto" and "yes" for needs_root_rights in /etc/X11/Xwrapper.config when using gdm. gdm needs to use Xorw.wrap instead of Xorg now. Xorg.sh may also work. Of course Xorg.wrap should be started as user gdm for testing, not any longer as user root. For my understanding, that means I need to add patch on gdm to change X command from '/usr/bin/X' to '/usr/bin/Xorg.wrap', is that right?
On other distros(Fedaro, Ubuntu), the `/usr/bin/Xorg' was replaced by Xorg.sh, they needn't to change X server command on gdm. I will link `/usr/bin/X` to `/usr/bin/Xorg.sh` to do the test. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c39
xiaoguang wang
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c40
Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c41
xiaoguang wang
Looks. good. I'm wondering which driver you were using. I'm using qemu with "-vga qxl" and qxl X driver and needs_root_rights=auto doesn't work for me (same issue with modeset X driver). I need to set needs_root_rights=yes. Otherwise I'm getting
(EE) parse_vt_settings: Cannot open /dev/tty0 (Permission denied)
I use virtio. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c42
--- Comment #42 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c43
--- Comment #43 from xiaoguang wang
Same issue with virtio. Maybe gdm gets access to /dev/tty0 somehow. You could figure out with
getfacl /dev/tty0
suse@localhost:~> getfacl /dev/tty0 getfacl: Removing leading '/' from absolute path names # file: dev/tty0 # owner: root # group: tty user::rw- group::-w- other::--- -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c44
--- Comment #44 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c45
Stefan Dirsch
Then I don't know. Maybe the wrapper is still being started as root and not by gdm itself ...
Could you please verify that? -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c46
xiaoguang wang
(In reply to Stefan Dirsch from comment #44)
Then I don't know. Maybe the wrapper is still being started as root and not by gdm itself ...
Could you please verify that?
1. needs_root_rights=auto without nomodeset
root 1006 0.0 0.4 236156 8604 ? Sl Sep23 0:00 /usr/sbin/gdm root 1483 0.0 0.5 167940 11896 ? Sl Sep23 0:00 \_ gdm-session-worker [pam/gdm-password] suse 1511 0.0 0.2 158200 5472 tty2 Ssl+ Sep23 0:00 \_ /usr/libexec/gdm/gdm-x-session --run-script /usr/bin/gnome-session suse 1513 0.0 3.8 238768 77112 tty2 Sl+ Sep23 0:05 \_ /usr/bin/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -background none -norese suse 1518 0.0 0.7 258272 15244 tty2 Sl+ Sep23 0:00 \_ /usr/libexec/gnome-session-binary
2. needs_root_rights=auto with nomodeset
root 1031 0.0 0.4 236156 8612 ? Sl 08:01 0:00 /usr/sbin/gdm root 1521 0.0 0.6 167940 12188 ? Sl 08:02 0:00 \_ gdm-session-worker [pam/gdm-password] suse 1548 0.0 0.2 158200 5468 tty2 Ssl+ 08:02 0:00 \_ /usr/libexec/gdm/gdm-x-session --run-script /usr/bin/gnome-session root 1550 1.5 2.8 222652 58196 tty2 Sl+ 08:02 0:01 \_ /usr/bin/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -background none -nore suse 1555 0.0 0.7 258272 15268 tty2 Sl+ 08:02 0:00 \_ /usr/libexec/gnome-session-binary
-- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c47
--- Comment #47 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c48
--- Comment #48 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c49
--- Comment #49 from Matthias Gerstner
(In reply to Matthias Gerstner from comment #5)
One minor suggestion is to skip the root detection and privdrop logic if the wrapper already runs as root:
``` --- xserver-1.20.9.orig/hw/xfree86/xorg-wrapper.c +++ xserver-1.20.9/hw/xfree86/xorg-wrapper.c @@ -231,6 +231,10 @@ int main(int argc, char *argv[]) break; } } + else { + // don't perform any checks or privdrops if we're root anyway + needs_root_rights = 1; + }
#ifdef WITH_LIBDRM /* Detect if we need root rights, except when overriden by the config */ ```
I don't see what this alone would change. The value of needs_root_rights is checked against 0 and -1 but nowhere against 1.
it would simply skip the checks like ``` if (needs_root_rights == -1) { // checks DRM stuff } ``` will not be executed when root is running the wrapper. Would be pointless anyways. Even worse for the privilege drop logic, root dropping privileges to root is not very sensible :-P
I think there was a CVE a couple of years ago regarding local exploits using this switch. `man Xserver` lists more interesting switches that could escalate privileges:
-displayfd fd -auth authorization-file
Unfortunately both are needed by gdm.
-listen trans-type
This as well.
Okay if this is the case we can either drop the idea of whitelisting parameters altogether, or grant a rather generous whitelist. I still need to review your patch in attachment 841748, I will do some in the next couple of days.
but building still includes a warning:
[ 138s] xorg-x11-server-wrapper.x86_64: E: permissions-file-setuid-bit (Badness: 10) /usr/bin/Xorg.wrap is packaged with setuid/setgid bits (04755)
The warning will vanish once I whitelist /usr/bin/Xorg.wrap via the permissions package. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c50
--- Comment #50 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c51
--- Comment #51 from Matthias Gerstner
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c52
--- Comment #52 from Matthias Gerstner
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c53
Stefan Dirsch
Index: xserver-1.20.9/hw/xfree86/xorg-wrapper.c =================================================================== --- +++ hw/xfree86/xorg-wrapper.c 2020-09-29 12:52:59.256970275 +0200 @@ -191,6 +191,60 @@ return 0; }
+static int check_vt_range(long int vt) +{ + if (vt >= 2 && vt <= 7 ) { + return 1; + } + + return 0; +} + +/* Xserver option whitelist filter (boo#1175867) */ +static int option_filter(int argc, char* argv[]){ + + for(int pos=1; pos
close(fd); } + /* If we've found cards, and all cards support kms, drop root rights */ + if (total_cards && kms_cards == total_cards) { + needs_root_rights = 0; + } } #endif
- /* If we've found cards, and all cards support kms, drop root rights */ - if (needs_root_rights == 0 || (total_cards && kms_cards == total_cards)) { + if (needs_root_rights == 0) { gid_t realgid = getgid(); uid_t realuid = getuid(); int ngroups = 0; @@ -326,6 +383,15 @@ }
argv[0] = buf; + + if (needs_root_rights == 1 && getuid() != 0) + { + /* Xserver option whitelist filter (boo#1175867) */ + if (option_filter(argc, argv) == 0) { + exit(1); + } + } + if (getuid() == geteuid()) (void) execv(argv[0], argv); else
-- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c54
Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c55
xiaoguang wang
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c56
--- Comment #56 from Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c57
--- Comment #57 from Matthias Gerstner
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c58
--- Comment #58 from OBSbugzilla Bot
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c59
--- Comment #59 from OBSbugzilla Bot
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c60
Stefan Dirsch
https://bugzilla.suse.com/show_bug.cgi?id=1175867
https://bugzilla.suse.com/show_bug.cgi?id=1175867#c64
--- Comment #64 from Swamp Workflow Management
participants (1)
-
bugzilla_noreply@suse.com