19 Aug
2010
19 Aug
'10
09:28
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c0
Summary: remove Xorg setuid bit
Classification: openSUSE
Product: openSUSE 11.4
Version: Factory
Platform: Other
OS/Version: Other
Status: NEEDINFO
Severity: Normal
Priority: P5 - None
Component: X.Org
AssignedTo: lnussel(a)novell.com
ReportedBy: lnussel(a)novell.com
QAContact: xorg-maintainer-bugs(a)forge.provo.novell.com
CC: security-team(a)suse.de
InfoProvider: sndirsch(a)novell.com
Found By: ---
Blocker: ---
Time to re-evaluate the need for a setuid bit on /usr/bin/Xorg.
It's needed for starting X as unprivileged user, e.g. via startx. That method
is deprecated in favor of a display manager since years. Also modern
environments rely on device ACLs and polkit privileges which in turn depend on
consolekit tracking the active console. That doesn't work with startx anyways.
So the setuid bit is of limited use by default anyways.
No setuid bit also prevents exploitation of the kernel-heap-stack overflow
problem via X as X cannot be started in a user controlled environment then.
Therefore I'd like to remove the setuid bit on Xorg for 11.4 from
/etc/permissions.easy (no packaging change in X needed). Those who really need
it can still set it again in permissions.local.
Any objections or concerns?
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
19 Aug
19 Aug
10:04
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c1
Stefan Dirsch <sndirsch(a)novell.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |eich(a)novell.com,
| |mhopf(a)novell.com,
| |sndirsch(a)novell.com
InfoProvider|sndirsch(a)novell.com |eich(a)novell.com
--- Comment #1 from Stefan Dirsch <sndirsch(a)novell.com> 2010-08-19 10:04:03 UTC ---
No real objections from my side, but we definitely need a section in release
notes for that change. In addition I would like to have this discussed on
opensuse-factory(a)opensuse.org first. That way we would also be able to figure
out
how many users are still using startx. I'm afraid there are more than you
think.
Next one to ask:Egbert.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
10:32
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c
Stefan Dirsch <sndirsch(a)novell.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW
InfoProvider|eich(a)novell.com |
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
10:53
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c3
--- Comment #3 from Matthias Hopf <mhopf(a)novell.com> 2010-08-19 10:53:58 UTC ---
Ludwig, Xorg s-bit is already disabled in permissions.secure for a long time.
IMHO that is good enough for people that really care for security.
There was no exploitable security hole in how many years?
The latest security issue was in fact a kernel issue AFAIU.
Egbert's right, we have a much higher risk with the fact that the Xserver is
running as root anyway, and that won't go away.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
11:34
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c4
--- Comment #4 from Ludwig Nussel <lnussel(a)novell.com> 2010-08-19 13:34:13 CEST ---
(In reply to comment #1)
how many users are still using startx. I'm afraid
there are more than you
think.
Question is whether we need to have a default configuration for that
use case. Those who still use startx are hopefully smart enough to
set the setuid bit themselves anyways.
(In reply to comment #3)
Ludwig, Xorg s-bit is already disabled in
permissions.secure for a long time.
IMHO that is good enough for people that really care for security.
permissions 'secure' are not the default though.
There was no exploitable security hole in how many
years?
So it's about time that a new one is discovered you mean? :-)
Seriously, if the setuid bit isn't needed anymore by the majority of
users we should simply not enable that feature in the default
config anymore.
The latest security issue was in fact a kernel issue
AFAIU.
Yes but the exploit does not work if X is started via DM.
Egbert's right, we have a much higher risk with
the fact that the Xserver is
running as root anyway, and that won't go away.
One step at a time, low hanging fruits first :-)
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
15:22
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c6
--- Comment #6 from Egbert Eich <eich(a)novell.com> 2010-08-19 15:22:52 UTC ---
I wonder why comments here are set private. This is an openSUSE bug and private
comments should not exist there.
This is different if a specific security issue is discussed here however we
discuss possible security breach scenarios. This knowledge is public although
the general public may not be aware of those while every serious attacker is.
Thus making this discussion public can only serve to educate more people on the
risks.
My comment (#2) was accidentally set private because for some strange reason
the 'restrict' mark is set by default for me and I forgot to unset it before I
committed the comment and for some other odd reason did unsetting the private
bit fail.
Now to the issue at stake:
I expect to see numerous bug reports when people suddenly cannot run startx any
more as modifying /etc/permissions.local is not the first thing which comes to
their mind.
Thus if we want to do this change I strongly recommend to extend the startx
script to test if the user running it is not root and if so fail with a message
educating him why the change was made and what exactly to do to make startx
work again for him.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
16:05
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c7
--- Comment #7 from Stefan Dirsch <sndirsch(a)novell.com> 2010-08-19 16:05:32 UTC ---
I don't believe anybody here has set his comment(s) private by intenation. This
issue has been reported as Bug #631857.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
20 Aug
20 Aug
08:51
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c8
Hans-Peter Holler <holler(a)nefkom.info> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |holler(a)nefkom.info
--- Comment #8 from Hans-Peter Holler <holler(a)nefkom.info> 2010-08-20 08:51:22 UTC
---
You are not authorized to access bug #631857. Cool.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
09:09
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c9
--- Comment #9 from Stefan Dirsch <sndirsch(a)novell.com> 2010-08-20 09:09:11 UTC ---
(In reply to comment #8)
You are not authorized to access bug #631857. Cool.
That's indeed internal Novell discussion, but I believe I can share the subject
#631857 - bugzilla comments are internal per default
and the outcome. The bug has been closed as fixed (for openSUSE products if
I understood correctly).
Let's hope that this default gets reverted as soon as possible for the openSUSE
products.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
2 Dec
2 Dec
10:24
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c10
--- Comment #10 from Ludwig Nussel <lnussel(a)novell.com> 2010-12-02 11:24:15 CET ---
sr#54298
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
3 Dec
3 Dec
03:24
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c11
--- Comment #11 from Stefan Dirsch <sndirsch(a)novell.com> 2010-12-03 03:24:20 UTC
---
(In reply to comment #10)
sr#54298
------------------------------------------------------------------
Thu Dec 2 09:29:24 UTC 2010 - lnussel(a)suse.de
- print warning if xinit fails and Xorg has no setuid bit
(bnc#632737)
[...]
Thanks, Ludwig! Also forwarded as SR to openSUSE:Factory and been accepted.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
03:50
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c12
Stefan Dirsch <sndirsch(a)novell.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #12 from Stefan Dirsch <sndirsch(a)novell.com> 2010-12-03 03:50:19 UTC
---
54380 State:new By:sndirsch When:2010-12-03T04:43:21
submit: X11:XOrg/xorg-x11-server -> openSUSE:Factory
Descr: - remove Xorg setuid bit (bnc #632737)
The required change in permissions package is already in openSUSE:Factory.
-------------------------------------------------------------------
Thu Dec 2 10:20:11 UTC 2010 - lnussel(a)suse.de
- remove Xorg setuid bit (bnc#632737)
==> closing as fixed.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
18 Mar
18 Mar
08:40
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c13
Will Stephenson <wstephenson(a)novell.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
CC| |wstephenson(a)novell.com
Resolution|FIXED |
--- Comment #13 from Will Stephenson <wstephenson(a)novell.com> 2011-03-18 08:40:08
UTC ---
Looks like the release notes weren't updated yet
http://www.suse.de/relnotes/i386/openSUSE/11.4/RELEASE-NOTES.en.html
Could you update these, people are confused.
Is the correct way to start a session from the command line (for debugging
purposes or whatever):
(as root)
XOrg :1&
(as user)
DISPLAY=:1 eval `dbus-launch startkde`
I'd like this in the release notes.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
08:55
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c
Ludwig Nussel <lnussel(a)novell.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |lnussel(a)novell.com
AssignedTo|lnussel(a)novell.com |ke(a)novell.com
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
09:36
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c14
--- Comment #14 from Stefan Dirsch <sndirsch(a)novell.com> 2011-03-18 09:36:22 UTC
---
(In reply to comment #13)
Looks like the release notes weren't updated yet
http://www.suse.de/relnotes/i386/openSUSE/11.4/RELEASE-NOTES.en.html
Could you update these, people are confused.
Is the correct way to start a session from the command line (for debugging
purposes or whatever):
(as root)
This sounds like a weird approach. Isn't it easier to edit
/etc/permissions.local?
# setuid bit on Xorg is only needed if no display manager, ie startx
# is used. Beware of CVE-2010-2240.
#
#/usr/bin/Xorg root:root 4711
remove a "#" and run SuSEconfig afterwards? This is also the recommendation
when you run "startx".
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
XOrg :1&
(as user)
DISPLAY=:1 eval `dbus-launch startkde`
I'd like this in the release notes.
10:57
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c15
--- Comment #15 from Will Stephenson <wstephenson(a)novell.com> 2011-03-18 10:57:41
UTC ---
It is. If that's the easiest way then let's document it as that in the release
notes.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
30 Mar
30 Mar
16:07
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c16
Karl Eichwalder <ke(a)novell.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |ASSIGNED
--- Comment #16 from Karl Eichwalder <ke(a)novell.com> 2011-03-30 16:07:08 UTC ---
I propose to add this snippet:
Removing the Xorg setUID Bit
============================
The setuid bit on /usr/bin/Xorg is needed for starting X as
unprivileged user, e.g. via startx. That method is deprecated in
favor of a display manager since years. Additionally modern
environments rely on device ACLs and polkit privileges, which in
turn depend on consolekit tracking the active console.
No setuid bit also prevents exploitation of the kernel-heap-stack
overflow problem via X as X cannot be started in a user
controlled environment anymore. Therefore we removed the
setuid bit on Xorg from /etc/permissions.easy.
Users who actually need it, can set it again in
/etc/permissions.local by removing the comment sign from this
line:
#/usr/bin/Xorg root:root 4711
and running SuSEconfig afterwards.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
16:10
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c
Karl Eichwalder <ke(a)novell.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends on| |683822
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
31 Mar
31 Mar
06:13
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c17
--- Comment #17 from Ludwig Nussel <lnussel(a)novell.com> 2011-03-31 08:13:14 CEST
---
(In reply to comment #16)
No setuid bit also prevents exploitation of the
kernel-heap-stack
overflow problem via X as X cannot be started in a user
controlled environment anymore. Therefore we removed the
setuid bit on Xorg from /etc/permissions.easy.
The actual security problem was fixed in the kernel. Removing the
setuid bit is a preventive measurement against potential similar
problems in the future.
Users who actually need it, can set it again in
/etc/permissions.local by removing the comment sign from this
line:
#/usr/bin/Xorg root:root 4711
and running SuSEconfig afterwards.
SuSEconfig --module permissions, SuSEconfig alone does not set
permissions anymore.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
07:11
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c18
--- Comment #18 from Karl Eichwalder <ke(a)novell.com> 2011-03-31 07:11:13 UTC ---
Thanks for feedback. Next try:
Removing the Xorg setUID Bit
============================
The setuid bit on /usr/bin/Xorg is needed for starting X as
unprivileged user, e.g. via startx. That method is deprecated in
favor of a display manager since years. Additionally modern
environments rely on device ACLs and polkit privileges, which in
turn depend on consolekit tracking the active console.
The actual security problem was fixed in the kernel. Removing the
setuid bit is a preventive measurement against potential similar
problems in the future.
Users who depend on the old configuration, can set the setuid again
in /etc/permissions.local by removing the comment sign from the
following line:
#/usr/bin/Xorg root:root 4711
and running 'SuSEconfig --module permissions' afterwards.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
11:44
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c19
Karl Eichwalder <ke(a)novell.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |683822
Depends on|683822 |
--- Comment #19 from Karl Eichwalder <ke(a)novell.com> 2011-03-31 11:44:40 UTC ---
<!-- bnc#632737 -->
With small wording changes, now in svn:
<sect3 id="tec.xorg-setUID" status="2011-03-31">
<title>Removing the Xorg setUID Bit</title>
<para>
The setUID bit on <filename>/usr/bin/Xorg</filename> is needed for starting X
as an unprivileged user, e.g., via <command>startx</command>. This method is
deprecated in favor of using a display manager since years. Additionally,
modern environments rely on device ACLs and polkit privileges, which in turn
depend on consolekit tracking the active console.</para>
<para>
The actual security problem was fixed in the kernel. Removing the
setUID bit is a preventive measurement against potential similar
problems in the future.
</para>
<para>
Users who depend on the old configuration, can set the setUID bit themself
in <filename>/etc/permissions.local</filename> by removing the comment sign
from the
following line:</para>
<screen>#/usr/bin/Xorg root:root 4711</screen>
<para>
and running <command>SuSEconfig --module permissions</command>
afterwards.</para>
</sect3>
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
11:45
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c20
Karl Eichwalder <ke(a)novell.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |FIXED
--- Comment #20 from Karl Eichwalder <ke(a)novell.com> 2011-03-31 11:45:07 UTC ---
I'll release it with Bug 683822.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
13:53
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c21
--- Comment #21 from Stefan Dirsch <sndirsch(a)novell.com> 2011-03-31 13:53:30 UTC
---
The actual security problem was fixed in the kernel.
Removing the
setuid bit is a preventive measurement against potential similar
problems in the future.
Why not simply removing this paragraph completely? I'm afraid people are going
to ask: "Which security problem?" after reading this.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
15:49
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c22
--- Comment #22 from Will Stephenson <wstephenson(a)novell.com> 2011-03-31 15:49:47
UTC ---
Nativespeakerization, and I never saw it written 'setUID':
<sect3 id="tec.xorg-setUID" status="2011-03-31">
<title>Removing the Xorg setuid bit</title>
<para>
The setuid bit on <filename>/usr/bin/Xorg</filename> is needed for starting X
as an unprivileged user, e.g., via <command>startx</command>. This method
has
been deprecated for years in favor of using a display manager. Modern
environments rely on device ACLs and polkit privileges, which in turn
depend upon consolekit tracking the active console, which is performed by the
display manager.</para>
<para>
The actual security problem was fixed in the kernel. Removing the
setuid bit is a preventive measurement against potential similar
problems in the future.
</para>
<para>
Users who depend on the old configuration can set the setuid bit themselves
in <filename>/etc/permissions.local</filename> by removing the comment sign
from the
following line:</para>
<screen>#/usr/bin/Xorg root:root 4711</screen>
<para>
and running <command>SuSEconfig --module permissions</command>
afterwards.</para>
</sect3>
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
1 Apr
1 Apr
07:17
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c23
--- Comment #23 from Karl Eichwalder <ke(a)novell.com> 2011-04-01 07:17:21 UTC ---
Thanks for your help, Will!
Stefan, I removed the para.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
3 May
3 May
13:01
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c24
Swamp Workflow Management <swamp(a)suse.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status Whiteboard| |maint:released:11.4:40494
--- Comment #24 from Swamp Workflow Management <swamp(a)suse.com> 2011-05-03 13:01:28
UTC ---
Update released for: release-notes-openSUSE
Products:
openSUSE 11.4 (i586)
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
15 Jun
15 Jun
21:18
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c25
--- Comment #25 from Bernhard Wiedemann <bwiedemann(a)novell.com> 2011-06-15 23:18:04
CEST ---
This is an autogenerated message for OBS integration:
This bug (632737) was mentioned in
https://build.opensuse.org/request/show/73652 11.4 / release-notes-openSUSE
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
31 Oct
31 Oct
21:03
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c26
--- Comment #26 from Bernhard Wiedemann <bwiedemann(a)suse.com> 2011-10-31 22:03:00
CET ---
This is an autogenerated message for OBS integration:
This bug (632737) was mentioned in
https://build.opensuse.org/request/show/89843 Tumbleweed / permissions
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
24 Sep
24 Sep
20:08
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c27
Christian Boltz <suse-beta(a)cboltz.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |suse-beta(a)cboltz.de
--- Comment #27 from Christian Boltz <suse-beta(a)cboltz.de> 2012-09-24 22:08:08 CEST
---
Looks like /usr/bin/Xorg was removed from /etc/permissions* in 12.2, but nobody
removed the permissions handling from the xorg-x11-server package:
# rpm -V xorg-x11-server
/usr/bin/Xorg: cannot verify root:root 0755 - not listed in /etc/permissions
A similar error happens at package installation (%set_permissions in %post).
I removed those macro calls. After this change, "verify(not mode)" for
/usr/bin/Xorg is a bad idea, so I removed it.
I sent SR 135729 with the fixes. Please double-check my changes - it's my first
permissions-related change ;-)
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
20:25
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c28
--- Comment #28 from Marcus Meissner <meissner(a)suse.com> 2012-09-24 20:25:07 UTC
---
no, please revoke this sr.
this was intended.
/etc/permissions.local has this for users that want it, commented out.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
21:10
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c29
Christian Boltz <suse-beta(a)cboltz.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |
--- Comment #29 from Christian Boltz <suse-beta(a)cboltz.de> 2012-09-24 23:10:09 CEST
---
(In reply to comment #28)
no, please revoke this sr.
OK, done for now.
this was intended.
/etc/permissions.local has this for users that want it, commented out.
OK, that's an argument - but it still leaves an error message for (guessed) 99%
of the users. Intentionally forcing an error message doesn't sound like a good
idea to me ;-)
If you don't want to drop the permissions handling in xorg-x11-server, you
should include /usr/bin/Xorg in /etc/permissions again (with mode 755 of
course) to avoid the error message.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
25 Sep
25 Sep
08:49
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c30
Stefan Dirsch <sndirsch(a)suse.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |NEEDINFO
InfoProvider| |meissner(a)suse.com
--- Comment #30 from Stefan Dirsch <sndirsch(a)suse.com> 2012-09-25 08:49:12 UTC ---
(In reply to comment #27)
# rpm -V xorg-x11-server
/usr/bin/Xorg: cannot verify root:root 0755 - not listed in /etc/permissions
Sorry, no idea how to address that.
A similar error happens at package installation
(%set_permissions in %post).
Here we could first grep for ^/usr/bin/Xorg in /etc/permissions* before running
the macros. Woult this make sense, Marcus?
I removed those macro calls. After this change,
"verify(not mode)" for
/usr/bin/Xorg is a bad idea, so I removed it.
See above.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
11:44
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c31
Karl Eichwalder <ke(a)suse.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ke(a)suse.com
AssignedTo|ke(a)suse.com |sndirsch(a)suse.com
--- Comment #31 from Karl Eichwalder <ke(a)suse.com> 2012-09-25 13:44:10 CEST ---
If something release notes related is needed, please clone the bug and assign
it to me.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
1 Oct
1 Oct
13:08
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c32
--- Comment #32 from Ludwig Nussel <lnussel(a)suse.com> 2012-10-01 15:08:51 CEST ---
(In reply to comment #30)
(In reply to comment #27)
Since the %verify(not mode) isn't changeable at runtime you either have to use
the permissions handling or don't. Doesn't make sense to only have the
%verifyscript macro conditional then. IMO both removing permission handling
from the package as well as adding a 0755 entry to /etc/permissions are valid
solutions. The former has the effect that rpm -V would complain if someone adds
an entry to permissions.local but maybe that is even desirable.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
# rpm -V xorg-x11-server
/usr/bin/Xorg: cannot verify root:root 0755 - not listed in /etc/permissions
Sorry, no idea how to address that.
A similar error happens at package installation
(%set_permissions in %post).
Here we could first grep for ^/usr/bin/Xorg in /etc/permissions* before running
the macros. Woult this make sense, Marcus?
15:00
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c33
Stefan Dirsch <sndirsch(a)suse.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
InfoProvider|meissner(a)suse.com |suse-beta(a)cboltz.de
--- Comment #33 from Stefan Dirsch <sndirsch(a)suse.com> 2012-10-01 15:00:54 UTC ---
Ok. Christian, could you provide a proposal, i.e. an appropriate submitrequest
for openSUSE:Factory? Thanks.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
18:03
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c34
Christian Boltz <suse-beta(a)cboltz.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |REOPENED
InfoProvider|suse-beta(a)cboltz.de |
--- Comment #34 from Christian Boltz <suse-beta(a)cboltz.de> 2012-10-01 20:03:28 CEST
---
I just reopened SR 135729 to remove the permission handling from
xorg-x11-server.spec. Marcus didn't really like this (see comment 28), but it's
the best solution IMHO.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
18:11
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c35
Stefan Dirsch <sndirsch(a)suse.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |FIXED
--- Comment #35 from Stefan Dirsch <sndirsch(a)suse.com> 2012-10-01 18:11:27 UTC ---
Ok. Accepted. it.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
19:00
New subject: [Bug 632737] remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737
https://bugzilla.novell.com/show_bug.cgi?id=632737#c36
--- Comment #36 from Bernhard Wiedemann <bwiedemann(a)suse.com> 2012-10-01 21:00:13
CEST ---
This is an autogenerated message for OBS integration:
This bug (632737) was mentioned in
https://build.opensuse.org/request/show/136543 Factory / xorg-x11-server
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
15 Apr
15 Apr
12:59
New subject: [Bug 632737] remove Xorg setuid bit
http://bugzilla.novell.com/show_bug.cgi?id=632737
http://bugzilla.novell.com/show_bug.cgi?id=632737#c37
--- Comment #37 from Bernhard Wiedemann <bwiedemann(a)suse.com> ---
This is an autogenerated message for OBS integration:
This bug (632737) was mentioned in
https://build.opensuse.org/request/show/54322 Factory / permissions
https://build.opensuse.org/request/show/54344 Factory / xorg-x11
--
You are receiving this mail because:
You are on the CC list for the bug.
2055
days inactive
4121
days old
38 comments
1 participants
participants (1)
-
bugzilla_noreply@novell.com