diff --git a/README.Fedora b/README.Fedora
index 91d1636..2c68fc5 100644
--- a/README.Fedora
+++ b/README.Fedora
@@ -27,3 +27,14 @@ account not logged onto the console will be used. To avoid Xorg.wrap refusing to run, put the following into /etc/X11/Xwrapper.config: allowed_users = anybody
+
+SELinux
+=======
+
+Please note that you may need to add an SELinux policy module in order to run
+xrdp successfully under Fedora with SELinux enabled. One way to do this is to
+put SELinux into permissive mode and build the policy from the denials you see
+in the audit logs.
+
+We are working on making this part of the default installation, but it is not
+quite there yet as of this writing.
diff --git a/xrdp-0.9.2-sesman.patch b/xrdp-0.9.2-sesman.patch
index 571e56f..59f8deb 100644
--- a/xrdp-0.9.2-sesman.patch
+++ b/xrdp-0.9.2-sesman.patch
@@ -28,12 +28,3 @@ [Xvnc]
param=Xvnc
-@@ -71,6 +71,8 @@
- param=96
- 
- [Xorg]
-+param=setpriv
-+param=--no-new-privs
- param=Xorg
- param=-config
- param=xrdp/xorg.conf
diff --git a/xrdp-0.9.2-setpriv.patch b/xrdp-0.9.2-setpriv.patch
new file mode 100644
index 0000000..64ad9bc
--- /dev/null
+++ b/xrdp-0.9.2-setpriv.patch
@@ -0,0 +1,54 @@
+diff -ruN xrdp-0.9.2-vanilla/sesman/session.c xrdp-0.9.2/sesman/session.c
+--- xrdp-0.9.2-vanilla/sesman/session.c 2017-03-30 17:18:55.000000000 +1100
++++ xrdp-0.9.2/sesman/session.c 2017-04-08 15:51:58.738246971 +1000
+@@ -33,10 +33,6 @@
+ #include "config_ac.h"
+ #endif
+
+-#ifdef HAVE_SYS_PRCTL_H
+-#include
+-#endif
+-
+ #include "sesman.h"
+ #include "libscp_types.h"
+ #include "xauth.h"
+@@ -641,20 +637,7 @@
+
+ if (type == SESMAN_SESSION_TYPE_XORG)
+ {
+-#ifdef HAVE_SYS_PRCTL_H
+- /*
+- * Make sure Xorg doesn't run setuid root. Root access is not
+- * needed. Xorg can fail when run as root and the user has no
+- * console permissions.
+- * PR_SET_NO_NEW_PRIVS requires Linux kernel 3.5 and newer.
+- */
+- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
+- {
+- log_message(LOG_LEVEL_WARNING,
+- "Failed to disable setuid on X server: %s",
+- g_get_strerror());
+- }
+-#endif
++ char *setpriv = g_strdup("setpriv");
+
+ xserver_params = list_create();
+ xserver_params->auto_free = 1;
+@@ -663,6 +646,8 @@
+ xserver = g_strdup((const char *)list_get_item(g_cfg->xorg_params, 0));
+
+ /* these are the must have parameters */
++ list_add_item(xserver_params, (tintptr) setpriv);
++ list_add_item(xserver_params, (tintptr) g_strdup("--no-new-privs"));
+ list_add_item(xserver_params, (tintptr) g_strdup(xserver));
+ list_add_item(xserver_params, (tintptr) g_strdup(screen));
+ list_add_item(xserver_params, (tintptr) g_strdup("-auth"));
+@@ -686,7 +671,7 @@
+ g_setenv("XRDP_START_HEIGHT", geometry, 1);
+
+ /* fire up Xorg */
+- g_execvp(xserver, pp1);
++ g_execvp(setpriv, pp1);
+ }
+ else if (type == SESMAN_SESSION_TYPE_XVNC)
+ {
diff --git a/xrdp.spec b/xrdp.spec
index b9ad36f..d8acd6a 100644
--- a/xrdp.spec
+++ b/xrdp.spec
@@ -4,7 +4,7 @@ Summary: Open source remote desktop protocol (RDP) server
Name: xrdp
Epoch: 1
Version: 0.9.2
-Release: 4%{?dist}
+Release: 5%{?dist}
License: ASL 2.0
Group: Applications/Internet
URL: http://www.xrdp.org/
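Review bot: `g_execvp(setpriv, pp1)` in the last inner hunk resolves the helper through whatever PATH the child carries at exec time, and the name is now a hard-coded string instead of the configurable `xorg_params` entry the dropped sesman.patch hunk used, so a missing or shadowed `setpriv` is not detected before the exec and is only reported by whatever follows the if/else chain, outside this hunk. Pinning the helper to its installed location removes the PATH dependence: `char *setpriv = g_strdup("/usr/bin/setpriv");`, ideally behind one `#define` with a comment noting the binary comes from util-linux so the packaging dependency and the code agree. The removed prctl() block also recorded why no-new-privs is wanted; carry that rationale over above the new line, e.g. `/* exec Xorg via setpriv --no-new-privs so a setuid Xorg wrapper cannot regain root; see README.Fedora */`. Whether this child has already switched to the session user and what PATH it inherits is set up before this block, so the real exposure should be confirmed there; the enclosing function starts and ends outside these hunks.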
@@ -17,6 +17,7 @@ Source5: README.Fedora
Patch0: xrdp-0.9.2-sesman.patch
Patch1: xrdp-0.9.2-xrdp-ini.patch
Patch2: xrdp-0.9.2-service.patch
+Patch3: xrdp-0.9.2-setpriv.patch
BuildRequires: libX11-devel
BuildRequires: libXfixes-devel
@@ -63,8 +64,6 @@ echo '#!/bin/bash -l
. %{_sysconfdir}/xrdp/startwm.sh' > sesman/startwm-bash.sh
%build
-# Do not detect prctl.h
-export ac_cv_header_sys_prctl_h=no
%configure --enable-fuse --enable-pixman --enable-painter
%make_build
@@ -192,6 +191,9 @@ chmod 400 %{_sysconfdir}/xrdp/key.pem
%{_libdir}/pkgconfig/rfxcodec.pc
%changelog
+* Sat Apr 8 2017 Bojan Smojver - 1:0.9.2-5
+- Rework call to Xorg to use setpriv instead, properly
+
* Fri Apr 7 2017 Bojan Smojver - 1:0.9.2-4
- Do not call prctl() from xrdp, use setpriv instead
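Review bot: Patch3 makes sesman exec `setpriv` at every Xorg session start, but the `@@ -17,6 +17,7 @@` hunk only registers the patch and none of the visible hunks adds a runtime dependency on the package that ships `/usr/bin/setpriv` (util-linux on Fedora); unless a `Requires:` outside this view already covers it, the package installs cleanly and Xorg sessions fail only when a user logs in. Add `Requires: util-linux` (or the file dependency `Requires: /usr/bin/setpriv`) next to the package's existing requirements and mention it in the new changelog entry. Dropping `export ac_cv_header_sys_prctl_h=no` is consistent with Patch3 deleting the prctl() code itself, so that part needs no change.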