[Bug 632737] New: remove Xorg setuid bit
https://bugzilla.novell.com/show_bug.cgi?id=632737#c0

Summary: remove Xorg setuid bit
Classification: openSUSE
Product: openSUSE 11.4
Version: Factory
Platform: Other
OS/Version: Other
Status: NEEDINFO
Severity: Normal
Priority: P5 - None
Component: X.Org
AssignedTo: lnussel@novell.com
ReportedBy: lnussel@novell.com
QAContact: xorg-maintainer-bugs@forge.provo.novell.com
CC: security-team@suse.de
InfoProvider: sndirsch@novell.com
Found By: ---
Blocker: ---

Time to re-evaluate the need for a setuid bit on /usr/bin/Xorg. It's needed for starting X as an unprivileged user, e.g. via startx. That method has been deprecated in favor of a display manager for years. Also, modern environments rely on device ACLs and polkit privileges, which in turn depend on consolekit tracking the active console. That doesn't work with startx anyway. So the setuid bit is of limited use by default.

No setuid bit also prevents exploitation of the kernel-heap-stack overflow problem via X, as X cannot be started in a user-controlled environment then.

Therefore I'd like to remove the setuid bit on Xorg for 11.4 from /etc/permissions.easy (no packaging change in X needed). Those who really need it can still set it again in permissions.local.

Any objections or concerns?

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Stefan Dirsch
--- Comment from Stefan Dirsch
--- Comment #3 from Matthias Hopf
--- Comment #4 from Ludwig Nussel
(In reply to comment #3)
> how many users are still using startx. I'm afraid there are more than you think.

Question is whether we need to have a default configuration for that use case. Those who still use startx are hopefully smart enough to set the setuid bit themselves anyway.

> Ludwig, Xorg s-bit is already disabled in permissions.secure for a long time. IMHO that is good enough for people that really care for security.

permissions 'secure' are not the default though.

> There was no exploitable security hole in how many years?

So it's about time that a new one is discovered you mean? :-) Seriously, if the setuid bit isn't needed anymore by the majority of users we should simply not enable that feature in the default config anymore.

> The latest security issue was in fact a kernel issue AFAIU.

Yes, but the exploit does not work if X is started via DM.

> Egbert's right, we have a much higher risk with the fact that the Xserver is running as root anyway, and that won't go away.

One step at a time, low hanging fruits first :-)
--- Comment #6 from Egbert Eich
--- Comment #7 from Stefan Dirsch
--- Comment #8 from Hans-Peter Holler
--- Comment #9 from Stefan Dirsch
> You are not authorized to access bug #631857. Cool.

That's indeed an internal Novell discussion, but I believe I can share the subject ("#631857 - bugzilla comments are internal per default") and the outcome. The bug has been closed as fixed (for openSUSE products, if I understood correctly). Let's hope that this default gets reverted as soon as possible for the openSUSE products.
--- Comment #10 from Ludwig Nussel
--- Comment #11 from Stefan Dirsch
sr#54298

------------------------------------------------------------------
Thu Dec  2 09:29:24 UTC 2010 - lnussel@suse.de

- print warning if xinit fails and Xorg has no setuid bit (bnc#632737)

[...]

Thanks, Ludwig! Also forwarded as SR to openSUSE:Factory, and it has been accepted.
--- Comment #12 from Stefan Dirsch
--- Comment #13 from Will Stephenson
Is the correct way to start a session from the command line (for debugging purposes or whatever):

(as root)
XOrg :1&

(as user)
DISPLAY=:1 eval `dbus-launch startkde`

I'd like this in the release notes.
--- Comment from Ludwig Nussel
--- Comment #14 from Stefan Dirsch
Looks like the release notes weren't updated yet http://www.suse.de/relnotes/i386/openSUSE/11.4/RELEASE-NOTES.en.html Could you update these, people are confused.
> Is the correct way to start a session from the command line (for debugging purposes or whatever):
>
> (as root)
> XOrg :1&
>
> (as user)
> DISPLAY=:1 eval `dbus-launch startkde`
>
> I'd like this in the release notes.

This sounds like a weird approach. Isn't it easier to edit /etc/permissions.local?

# setuid bit on Xorg is only needed if no display manager, ie startx
# is used. Beware of CVE-2010-2240.
#
#/usr/bin/Xorg root:root 4711

Remove a "#" and run SuSEconfig afterwards? This is also the recommendation when you run "startx".
--- Comment #15 from Will Stephenson
--- Comment #16 from Karl Eichwalder
--- Comment from Karl Eichwalder
--- Comment #17 from Ludwig Nussel
No setuid bit also prevents exploitation of the kernel-heap-stack overflow problem via X, as X cannot be started in a user-controlled environment anymore. Therefore we removed the setuid bit on Xorg from /etc/permissions.easy.

The actual security problem was fixed in the kernel. Removing the setuid bit is a preventive measure against potential similar problems in the future.

Users who actually need it can set it again in /etc/permissions.local by removing the comment sign from this line:

#/usr/bin/Xorg root:root 4711

and running SuSEconfig afterwards.

SuSEconfig --module permissions; SuSEconfig alone does not set permissions anymore.
--- Comment #18 from Karl Eichwalder
--- Comment #19 from Karl Eichwalder
--- Comment #20 from Karl Eichwalder
--- Comment #21 from Stefan Dirsch
> The actual security problem was fixed in the kernel. Removing the setuid bit is a preventive measure against potential similar problems in the future.

Why not simply remove this paragraph completely? I'm afraid people are going to ask: "Which security problem?" after reading this.
--- Comment #22 from Will Stephenson
--- Comment #23 from Karl Eichwalder
--- Comment #24 from Swamp Workflow Management
--- Comment #25 from Bernhard Wiedemann
--- Comment #26 from Bernhard Wiedemann
--- Comment #27 from Christian Boltz
--- Comment #28 from Marcus Meissner
--- Comment #29 from Christian Boltz
> no, please revoke this sr.

OK, done for now.

> this was intended.
> /etc/permissions.local has this for users that want it, commented out.

OK, that's an argument - but it still leaves an error message for (guessed) 99% of the users. Intentionally forcing an error message doesn't sound like a good idea to me ;-) If you don't want to drop the permissions handling in xorg-x11-server, you should include /usr/bin/Xorg in /etc/permissions again (with mode 755, of course) to avoid the error message.
--- Comment #30 from Stefan Dirsch
> # rpm -V xorg-x11-server
> /usr/bin/Xorg: cannot verify root:root 0755 - not listed in /etc/permissions

Sorry, no idea how to address that.

> A similar error happens at package installation (%set_permissions in %post).

Here we could first grep for ^/usr/bin/Xorg in /etc/permissions* before running the macros. Would this make sense, Marcus?

> I removed those macro calls. After this change, "verify(not mode)" for /usr/bin/Xorg is a bad idea, so I removed it.

See above.
--- Comment #31 from Karl Eichwalder
--- Comment #32 from Ludwig Nussel
(In reply to comment #27)
> # rpm -V xorg-x11-server
> /usr/bin/Xorg: cannot verify root:root 0755 - not listed in /etc/permissions
> Sorry, no idea how to address that.
> A similar error happens at package installation (%set_permissions in %post).
> Here we could first grep for ^/usr/bin/Xorg in /etc/permissions* before running the macros. Would this make sense, Marcus?

Since the %verify(not mode) isn't changeable at runtime, you either have to use the permissions handling or don't. It doesn't make sense to only have the %verifyscript macro conditional then. IMO both removing permission handling from the package and adding a 0755 entry to /etc/permissions are valid solutions. The former has the effect that rpm -V would complain if someone adds an entry to permissions.local, but maybe that is even desirable.
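The two situations argued over in comments #14/#17 (the commented-out opt-in entry in /etc/permissions.local, activated by uncommenting it and running SuSEconfig --module permissions) and #27 to #32 (a path that no permissions file lists at all, so rpm -V cannot verify it) come down to one question: which entry, if any, does the chain of permissions files prescribe for a path, and does the mode on disk agree? The script below is an added example written for this thread; it is not code from the bug report, from chkstat or from the xorg-x11-server package. It assumes the chkstat convention that the files are evaluated in the order /etc/permissions, the active profile (permissions.easy or permissions.secure), then permissions.local, with the last entry naming a path winning; that ordering is an assumption here, not something the thread states. A temporary file stands in for /usr/bin/Xorg and all permissions-file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example for bnc#632737; not from the bug report, chkstat or the
# xorg-x11-server package. Assumption: permissions files are read in the
# given order and the last entry naming a path wins (so permissions.local
# overrides the profile). All file contents below are constructed.

# Print "owner:group mode" from the last non-comment entry for path $1 in
# the files given as the remaining arguments. Prints nothing when no file
# lists the path, i.e. the "not listed in /etc/permissions" case.
resolve_perm() {
  path=$1; shift
  result=''
  for f in "$@"; do
    [ -r "$f" ] || continue
    hit=$(awk -v p="$path" '
      /^[[:space:]]*#/ { next }            # comment, e.g. the shipped "#/usr/bin/Xorg" line
      $1 == p          { last = $2 " " $3 }
      END              { if (last != "") print last }' "$f")
    if [ -n "$hit" ]; then result=$hit; fi
  done
  printf '%s\n' "$result"
}

# Succeed if file $1 currently has exactly octal mode $2
# (POSIX find -perm with an octal argument is an exact match, setuid included).
has_mode() {
  [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# Verdict for one path: "unlisted", "ok MODE" or "mismatch expected MODE".
# Exit status: 0 agree, 1 disagree, 2 not listed anywhere.
check_path() {
  path=$1; shift
  entry=$(resolve_perm "$path" "$@")
  if [ -z "$entry" ]; then
    echo unlisted
    return 2
  fi
  mode=${entry##* }
  if has_mode "$path" "$mode"; then
    echo "ok $mode"
    return 0
  fi
  echo "mismatch expected $mode"
  return 1
}

# Walk through the three states from the thread, with a temp file in place
# of /usr/bin/Xorg. Prints one verdict line per state.
demo() {
  d=$(mktemp -d) || return 1
  xorg=$d/Xorg
  : > "$xorg" && chmod 0755 "$xorg"                # as shipped: no setuid bit
  printf '/usr/bin/passwd root:shadow 4755\n' > "$d/permissions"
  printf '# Xorg is no longer listed in the easy profile\n' > "$d/permissions.easy"
  # The opt-in entry as it ships in permissions.local: commented out.
  printf '# setuid bit on Xorg is only needed if no display manager is used\n#%s root:root 4711\n' \
    "$xorg" > "$d/permissions.local"
  chain="$d/permissions $d/permissions.easy $d/permissions.local"

  echo "shipped: $(check_path "$xorg" $chain || true)"

  # Admin removes the comment sign but has not yet run
  # SuSEconfig --module permissions: listed, but the disk disagrees.
  printf '%s root:root 4711\n' "$xorg" > "$d/permissions.local"
  echo "opt-in: $(check_path "$xorg" $chain || true)"

  # After the permissions run (here a plain chmod) entry and disk agree.
  chmod 4711 "$xorg"
  echo "enabled: $(check_path "$xorg" $chain || true)"

  rm -rf "$d"
}

demo
```

Run as-is and it prints "shipped: unlisted", "opt-in: mismatch expected 4711" and "enabled: ok 4711". The "unlisted" verdict is the state Christian Boltz's rpm -V output reports for a package that still carries %verify(not mode) on a path no permissions file names; the "mismatch" verdict is what a hardening check would flag if someone uncommented the line in permissions.local without running the permissions module.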
--- Comment #33 from Stefan Dirsch
--- Comment #34 from Christian Boltz
--- Comment #35 from Stefan Dirsch
--- Comment #36 from Bernhard Wiedemann
--- Comment #37 from Bernhard Wiedemann