https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|eich@novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c4 --- Comment #4 from Ludwig Nussel 2010-08-19 13:34:13 CEST --- (In reply to comment #1)

how many users are still using startx. I'm afraid there are more than you think.

Question is whether we need to have a default configuration for that use case. Those who still use startx are hopefully smart enough to set the setuid bit themselves anyways. (In reply to comment #3)

Ludwig, Xorg s-bit is already disabled in permissions.secure for a long time. IMHO that is good enough for people that really care for security.

permissions 'secure' are not the default though.

There was no exploitable security hole in how many years?

So it's about time that a new one is discovered you mean? :-) Seriously, if the setuid bit isn't needed anymore by the majority of users we should simply not enable that feature in the default config anymore.

The latest security issue was in fact a kernel issue AFAIU.

Yes but the exploit does not work if X is started via DM.

Egbert's right, we have a much higher risk with the fact that the Xserver is running as root anyway, and that won't go away.

One step at a time, low hanging fruits first :-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c7 --- Comment #7 from Stefan Dirsch 2010-08-19 16:05:32 UTC --- I don't believe anybody here has set his comment(s) private by intenation. This issue has been reported as Bug #631857. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c9 --- Comment #9 from Stefan Dirsch 2010-08-20 09:09:11 UTC --- (In reply to comment #8)

You are not authorized to access bug #631857. Cool.

That's indeed internal Novell discussion, but I believe I can share the subject #631857 - bugzilla comments are internal per default and the outcome. The bug has been closed as fixed (for openSUSE products if I understood correctly). Let's hope that this default gets reverted as soon as possible for the openSUSE products. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c11 --- Comment #11 from Stefan Dirsch 2010-12-03 03:24:20 UTC --- (In reply to comment #10)

sr#54298

------------------------------------------------------------------ Thu Dec 2 09:29:24 UTC 2010 - lnussel@suse.de - print warning if xinit fails and Xorg has no setuid bit (bnc#632737) [...] Thanks, Ludwig! Also forwarded as SR to openSUSE:Factory and been accepted. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c13 Will Stephenson changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED CC| |wstephenson@novell.com Resolution|FIXED | --- Comment #13 from Will Stephenson 2011-03-18 08:40:08 UTC --- Looks like the release notes weren't updated yet http://www.suse.de/relnotes/i386/openSUSE/11.4/RELEASE-NOTES.en.html Could you update these, people are confused. Is the correct way to start a session from the command line (for debugging purposes or whatever): (as root)

XOrg :1&

(as user)

DISPLAY=:1 eval `dbus-launch startkde`

I'd like this in the release notes. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c14 --- Comment #14 from Stefan Dirsch 2011-03-18 09:36:22 UTC --- (In reply to comment #13)

Looks like the release notes weren't updated yet http://www.suse.de/relnotes/i386/openSUSE/11.4/RELEASE-NOTES.en.html Could you update these, people are confused.

Is the correct way to start a session from the command line (for debugging purposes or whatever):

(as root)

...

XOrg :1&

(as user)

...

DISPLAY=:1 eval `dbus-launch startkde`

I'd like this in the release notes.

This sounds like a weird approach. Isn't it easier to edit /etc/permissions.local? # setuid bit on Xorg is only needed if no display manager, ie startx # is used. Beware of CVE-2010-2240. # #/usr/bin/Xorg root:root 4711 remove a "#" and run SuSEconfig afterwards? This is also the recommendation when you run "startx". -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c16 Karl Eichwalder changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |ASSIGNED --- Comment #16 from Karl Eichwalder 2011-03-30 16:07:08 UTC --- I propose to add this snippet: Removing the Xorg setUID Bit ============================ The setuid bit on /usr/bin/Xorg is needed for starting X as unprivileged user, e.g. via startx. That method is deprecated in favor of a display manager since years. Additionally modern environments rely on device ACLs and polkit privileges, which in turn depend on consolekit tracking the active console. No setuid bit also prevents exploitation of the kernel-heap-stack overflow problem via X as X cannot be started in a user controlled environment anymore. Therefore we removed the setuid bit on Xorg from /etc/permissions.easy. Users who actually need it, can set it again in /etc/permissions.local by removing the comment sign from this line: #/usr/bin/Xorg root:root 4711 and running SuSEconfig afterwards. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c17 --- Comment #17 from Ludwig Nussel 2011-03-31 08:13:14 CEST --- (In reply to comment #16)

No setuid bit also prevents exploitation of the kernel-heap-stack overflow problem via X as X cannot be started in a user controlled environment anymore. Therefore we removed the setuid bit on Xorg from /etc/permissions.easy.

The actual security problem was fixed in the kernel. Removing the setuid bit is a preventive measurement against potential similar problems in the future.

Users who actually need it, can set it again in /etc/permissions.local by removing the comment sign from this line:

#/usr/bin/Xorg root:root 4711

and running SuSEconfig afterwards.

SuSEconfig --module permissions, SuSEconfig alone does not set permissions anymore. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c19 Karl Eichwalder changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |683822 Depends on|683822 | --- Comment #19 from Karl Eichwalder 2011-03-31 11:44:40 UTC --- <!-- bnc#632737 --> With small wording changes, now in svn: <sect3 id="tec.xorg-setUID" status="2011-03-31"> <title>Removing the Xorg setUID Bit</title> <para> The setUID bit on <filename>/usr/bin/Xorg</filename> is needed for starting X as an unprivileged user, e.g., via <command>startx</command>. This method is deprecated in favor of using a display manager since years. Additionally, modern environments rely on device ACLs and polkit privileges, which in turn depend on consolekit tracking the active console.</para> <para> The actual security problem was fixed in the kernel. Removing the setUID bit is a preventive measurement against potential similar problems in the future. </para> <para> Users who depend on the old configuration, can set the setUID bit themself in <filename>/etc/permissions.local</filename> by removing the comment sign from the following line:</para> <screen>#/usr/bin/Xorg root:root 4711</screen> <para> and running <command>SuSEconfig --module permissions</command> afterwards.</para> </sect3> -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c21 --- Comment #21 from Stefan Dirsch 2011-03-31 13:53:30 UTC ---

The actual security problem was fixed in the kernel. Removing the setuid bit is a preventive measurement against potential similar problems in the future.

Why not simply removing this paragraph completely? I'm afraid people are going to ask: "Which security problem?" after reading this. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c23 --- Comment #23 from Karl Eichwalder 2011-04-01 07:17:21 UTC --- Thanks for your help, Will! Stefan, I removed the para. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c25 --- Comment #25 from Bernhard Wiedemann 2011-06-15 23:18:04 CEST --- This is an autogenerated message for OBS integration: This bug (632737) was mentioned in https://build.opensuse.org/request/show/73652 11.4 / release-notes-openSUSE -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c27 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |suse-beta@cboltz.de --- Comment #27 from Christian Boltz 2012-09-24 22:08:08 CEST --- Looks like /usr/bin/Xorg was removed from /etc/permissions* in 12.2, but nobody removed the permissions handling from the xorg-x11-server package: # rpm -V xorg-x11-server /usr/bin/Xorg: cannot verify root:root 0755 - not listed in /etc/permissions A similar error happens at package installation (%set_permissions in %post). I removed those macro calls. After this change, "verify(not mode)" for /usr/bin/Xorg is a bad idea, so I removed it. I sent SR 135729 with the fixes. Please double-check my changes - it's my first permissions-related change ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c29 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED | --- Comment #29 from Christian Boltz 2012-09-24 23:10:09 CEST --- (In reply to comment #28)

no, please revoke this sr.

OK, done for now.

this was intended.

/etc/permissions.local has this for users that want it, commented out.

OK, that's an argument - but it still leaves an error message for (guessed) 99% of the users. Intentionally forcing an error message doesn't sound like a good idea to me ;-) If you don't want to drop the permissions handling in xorg-x11-server, you should include /usr/bin/Xorg in /etc/permissions again (with mode 755 of course) to avoid the error message. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c31 Karl Eichwalder changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ke@suse.com AssignedTo|ke@suse.com |sndirsch@suse.com --- Comment #31 from Karl Eichwalder 2012-09-25 13:44:10 CEST --- If something release notes related is needed, please clone the bug and assign it to me. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c33 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- InfoProvider|meissner@suse.com |suse-beta@cboltz.de --- Comment #33 from Stefan Dirsch 2012-10-01 15:00:54 UTC --- Ok. Christian, could you provide a proposal, i.e. an appropriate submitrequest for openSUSE:Factory? Thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=632737 https://bugzilla.novell.com/show_bug.cgi?id=632737#c35 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |FIXED --- Comment #35 from Stefan Dirsch 2012-10-01 18:11:27 UTC --- Ok. Accepted. it. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=632737 http://bugzilla.novell.com/show_bug.cgi?id=632737#c37 --- Comment #37 from Bernhard Wiedemann --- This is an autogenerated message for OBS integration: This bug (632737) was mentioned in https://build.opensuse.org/request/show/54322 Factory / permissions https://build.opensuse.org/request/show/54344 Factory / xorg-x11 -- You are receiving this mail because: You are on the CC list for the bug.