Rework starting of Xorg to use setpriv, directly from xrdp.

Document SELinux deficiencies.
Bojan Smojver 2017-04-08 16:24:24 +10:00
parent 0e2197f37f
commit c89b807752
4 changed files with 70 additions and 12 deletions


@ -27,3 +27,14 @@ account not logged onto the console will be used. To avoid Xorg.wrap refusing
to run, put the following into /etc/X11/Xwrapper.config: to run, put the following into /etc/X11/Xwrapper.config:
allowed_users = anybody allowed_users = anybody
SELinux
=======
Please note that you may need to add an SELinux policy module in order to run
xrdp successfully under Fedora with SELinux enabled. One way to do this is to
put SELinux into permissive mode and build the policy from the denials you see
in the audit logs.
We are working on making this part of the default installation, but it is not
quite there yet as of this writing.
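Review bot: the advice to put SELinux into permissive mode and build the policy from the audit denials produces a module that allows everything xrdp and its children happened to do during that run, so the new SELinux section should tell readers to inspect the generated rules before loading the module and to return to enforcing mode afterwards; stating plainly that this is an interim workaround until the packaged policy lands would also set expectations for the "not quite there yet" sentence.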


@ -28,12 +28,3 @@
[Xvnc] [Xvnc]
param=Xvnc param=Xvnc
@@ -71,6 +71,8 @@
param=96
[Xorg]
+param=setpriv
+param=--no-new-privs
param=Xorg
param=-config
param=xrdp/xorg.conf
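Review bot: per the hunk header `@ -28,12 +28,3 @@`, the nine lines that injected `param=setpriv` and `param=--no-new-privs` into the `[Xorg]` section of sesman.ini are leaving this patch file, which is the right fix because session.c takes item 0 of `xorg_params` as the X server name (`list_get_item(g_cfg->xorg_params, 0)` in the setpriv patch); with those params present the "server" was `setpriv` and the new setpriv patch would prepend it a second time. The changelog entry should say so explicitly for anyone who carried the -4 sesman.ini into a local override.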

xrdp-0.9.2-setpriv.patch Normal file

@ -0,0 +1,54 @@
diff -ruN xrdp-0.9.2-vanilla/sesman/session.c xrdp-0.9.2/sesman/session.c
--- xrdp-0.9.2-vanilla/sesman/session.c 2017-03-30 17:18:55.000000000 +1100
+++ xrdp-0.9.2/sesman/session.c 2017-04-08 15:51:58.738246971 +1000
@@ -33,10 +33,6 @@
#include "config_ac.h"
#endif
-#ifdef HAVE_SYS_PRCTL_H
-#include <sys/prctl.h>
-#endif
-
#include "sesman.h"
#include "libscp_types.h"
#include "xauth.h"
@@ -641,20 +637,7 @@
if (type == SESMAN_SESSION_TYPE_XORG)
{
-#ifdef HAVE_SYS_PRCTL_H
- /*
- * Make sure Xorg doesn't run setuid root. Root access is not
- * needed. Xorg can fail when run as root and the user has no
- * console permissions.
- * PR_SET_NO_NEW_PRIVS requires Linux kernel 3.5 and newer.
- */
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
- {
- log_message(LOG_LEVEL_WARNING,
- "Failed to disable setuid on X server: %s",
- g_get_strerror());
- }
-#endif
+ char *setpriv = g_strdup("setpriv");
xserver_params = list_create();
xserver_params->auto_free = 1;
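Review bot: the removed block carried the only explanation of why Xorg must not gain privileges (root is not needed, and Xorg fails when run as root for a user without console permissions) and it degraded gracefully with a logged warning on kernels without PR_SET_NO_NEW_PRIVS; the replacement `char *setpriv = g_strdup("setpriv");` keeps neither, so add a comment above it stating that `setpriv --no-new-privs` serves the same purpose, and note that a failure to exec setpriv now means no X server at all rather than a warning.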
@@ -663,6 +646,8 @@
xserver = g_strdup((const char *)list_get_item(g_cfg->xorg_params, 0));
/* these are the must have parameters */
+ list_add_item(xserver_params, (tintptr) setpriv);
+ list_add_item(xserver_params, (tintptr) g_strdup("--no-new-privs"));
list_add_item(xserver_params, (tintptr) g_strdup(xserver));
list_add_item(xserver_params, (tintptr) g_strdup(screen));
list_add_item(xserver_params, (tintptr) g_strdup("-auth"));
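Review bot: the literal `"--no-new-privs"` and the `setpriv` entry are hard-coded here while every other X server argument comes from `g_cfg->xorg_params`, which is acceptable for a distribution patch, but a one-line comment that these two entries must be added before `xserver` because `list_add_item` order becomes argv order would help the next person who rebases this hunk.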
@@ -686,7 +671,7 @@
g_setenv("XRDP_START_HEIGHT", geometry, 1);
/* fire up Xorg */
- g_execvp(xserver, pp1);
+ g_execvp(setpriv, pp1);
}
else if (type == SESMAN_SESSION_TYPE_XVNC)
{
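Review bot: `g_execvp(setpriv, pp1)` resolves `setpriv` through the PATH of the sesman process, so an Xorg session now starts only if setpriv is found there; consider an absolute path or document the PATH assumption, and check that any error message on the exec-failure path below this hunk still names the program actually executed, since `xserver` is no longer what is passed to `g_execvp`.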


@ -4,7 +4,7 @@ Summary: Open source remote desktop protocol (RDP) server
Name: xrdp Name: xrdp
Epoch: 1 Epoch: 1
Version: 0.9.2 Version: 0.9.2
Release: 4%{?dist} Release: 5%{?dist}
License: ASL 2.0 License: ASL 2.0
Group: Applications/Internet Group: Applications/Internet
URL: http://www.xrdp.org/ URL: http://www.xrdp.org/
@ -17,6 +17,7 @@ Source5: README.Fedora
Patch0: xrdp-0.9.2-sesman.patch Patch0: xrdp-0.9.2-sesman.patch
Patch1: xrdp-0.9.2-xrdp-ini.patch Patch1: xrdp-0.9.2-xrdp-ini.patch
Patch2: xrdp-0.9.2-service.patch Patch2: xrdp-0.9.2-service.patch
Patch3: xrdp-0.9.2-setpriv.patch
BuildRequires: libX11-devel BuildRequires: libX11-devel
BuildRequires: libXfixes-devel BuildRequires: libXfixes-devel
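Review bot: `Patch3: xrdp-0.9.2-setpriv.patch` introduces a run-time dependency on the `setpriv` binary (the patched session.c execs it), yet no `Requires:` for the package providing setpriv appears in this hunk; add one, since a missing setpriv now prevents every Xorg session from starting, and confirm that %prep applies the new patch, which is outside the lines shown here.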
@ -63,8 +64,6 @@ echo '#!/bin/bash -l
. %{_sysconfdir}/xrdp/startwm.sh' > sesman/startwm-bash.sh . %{_sysconfdir}/xrdp/startwm.sh' > sesman/startwm-bash.sh
%build %build
# Do not detect prctl.h
export ac_cv_header_sys_prctl_h=no
%configure --enable-fuse --enable-pixman --enable-painter %configure --enable-fuse --enable-pixman --enable-painter
%make_build %make_build
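Review bot: dropping `export ac_cv_header_sys_prctl_h=no` is consistent with the setpriv patch deleting the `#include <sys/prctl.h>` block, but the build now relies on that patch to keep prctl() out of sesman; if Patch3 is ever rebased away, the configure check will silently re-enable the old code path, so a short comment in the spec tying the two together is cheap insurance.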
@ -192,6 +191,9 @@ chmod 400 %{_sysconfdir}/xrdp/key.pem
%{_libdir}/pkgconfig/rfxcodec.pc %{_libdir}/pkgconfig/rfxcodec.pc
%changelog %changelog
* Sat Apr 8 2017 Bojan Smojver <bojan@rexurive.com> - 1:0.9.2-5
- Rework call to Xorg to use setpriv instead, properly
* Fri Apr 7 2017 Bojan Smojver <bojan@rexurive.com> - 1:0.9.2-4 * Fri Apr 7 2017 Bojan Smojver <bojan@rexurive.com> - 1:0.9.2-4
- Do not call prctl() from xrdp, use setpriv instead - Do not call prctl() from xrdp, use setpriv instead