Only allow adding -nocursor in Xorg

Instead of allowing custom parameters to be added to Xorg,
only allow adding -nocursor. Allowing custom parameters
is a potential security issue.

Related: RHEL-81194
Joan Torres Lopez 2025-07-16 11:12:11 +02:00
parent 05a5d6db39
commit a0d07b8b41
2 changed files with 61 additions and 39 deletions


@ -1,51 +1,41 @@
From e879ecad55b43157122b782039881f7264236f98 Mon Sep 17 00:00:00 2001
From: Joan Torres Lopez <joantolo@redhat.com>
Date: Wed, 16 Jul 2025 16:11:22 +0200
Subject: [PATCH] gdm-x-session: Allow adding custom arguments to Xorg
Subject: [PATCH] gdm-x-session: Allow adding -nocursor argument to Xorg
Use Command option in xorg section in custom.conf to add custom arguments
Use NoCursor option in xorg section in custom.conf to add -nocursor argument
to Xorg.
---
common/gdm-settings-keys.h | 2 ++
daemon/gdm-session.c | 13 +++++++++++--
daemon/gdm-x-session.c | 10 +++++++++-
data/gdm.schemas.in | 6 ++++++
4 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/common/gdm-settings-keys.h b/common/gdm-settings-keys.h
index 4b3a1ff..ce875eb 100644
index 4b3a1ff..08015a2 100644
--- a/common/gdm-settings-keys.h
+++ b/common/gdm-settings-keys.h
@@ -59,6 +59,8 @@ G_BEGIN_DECLS
#define GDM_KEY_WILLING "xdmcp/Willing"
#define GDM_KEY_ALLOW_MULTIPLE_SESSIONS_PER_USER "xdmcp/AllowMultipleSessionsPerUser"
+#define GDM_KEY_XORG_COMMAND "xorg/Command"
+#define GDM_KEY_XORG_NOCURSOR "xorg/NoCursor"
+
#define GDM_KEY_MULTICAST "chooser/Multicast"
#define GDM_KEY_MULTICAST_ADDR "chooser/MulticastAddr"
diff --git a/daemon/gdm-session.c b/daemon/gdm-session.c
index e6febeb..77e8023 100644
index 12ce720..fc871b2 100644
--- a/daemon/gdm-session.c
+++ b/daemon/gdm-session.c
@@ -2945,6 +2945,8 @@ gdm_session_start_session (GdmSession *self,
@@ -2943,6 +2943,7 @@ gdm_session_start_session (GdmSession *self,
gboolean run_launcher = FALSE;
gboolean allow_remote_connections = FALSE;
gboolean run_separate_bus = FALSE;
+ gboolean xorg_nocursor = FALSE;
char *command;
char *program;
gboolean register_session;
+ g_autofree char *xorg_option = NULL;
+ g_autofree char *xorg_command = NULL;
g_return_if_fail (GDM_IS_SESSION (self));
g_return_if_fail (self->session_conversation == NULL);
@@ -2991,12 +2993,18 @@ gdm_session_start_session (GdmSession *self,
@@ -2992,12 +2993,15 @@ gdm_session_start_session (GdmSession *self,
allow_remote_connections = TRUE;
}
+ gdm_settings_direct_get_string (GDM_KEY_XORG_COMMAND, &xorg_option);
+ if (xorg_option != NULL && *xorg_option != '\0') {
+ xorg_command = g_strdup_printf ("--xorg-command \"%s\" ", xorg_option);
+ }
+ gdm_settings_direct_get_boolean (GDM_KEY_XORG_NOCURSOR, &xorg_nocursor);
+
if (run_launcher) {
if (is_x11) {
@ -54,30 +44,30 @@ index e6febeb..77e8023 100644
register_session ? "--register-session " : "",
run_xsession_script? "--run-script " : "",
allow_remote_connections? "--allow-remote-connections " : "",
+ xorg_command? xorg_command : "",
+ xorg_nocursor? "--xorg-nocursor " : "",
command);
} else {
program = g_strdup_printf (LIBEXECDIR "/gdm-wayland-session %s\"%s\"",
@@ -3031,8 +3039,9 @@ gdm_session_start_session (GdmSession *self,
@@ -3032,8 +3036,9 @@ gdm_session_start_session (GdmSession *self,
*/
if (run_launcher) {
if (is_x11) {
- program = g_strdup_printf (LIBEXECDIR "/gdm-x-session %s\"dbus-run-session -- %s\"",
+ program = g_strdup_printf (LIBEXECDIR "/gdm-x-session %s%s\"dbus-run-session -- %s\"",
register_session ? "--register-session " : "",
+ xorg_command? xorg_command : "",
+ xorg_nocursor ? "--xorg-nocursor " : "",
self->selected_program);
} else {
program = g_strdup_printf (LIBEXECDIR "/gdm-wayland-session %s\"dbus-run-session -- %s\"",
diff --git a/daemon/gdm-x-session.c b/daemon/gdm-x-session.c
index 0b07ab5..5e25d77 100644
index 0b07ab5..c3c9a89 100644
--- a/daemon/gdm-x-session.c
+++ b/daemon/gdm-x-session.c
@@ -197,6 +197,7 @@ out:
static gboolean
spawn_x_server (State *state,
gboolean allow_remote_connections,
+ const char *xorg_command,
+ gboolean nocursor,
GCancellable *cancellable)
{
GPtrArray *arguments = NULL;
@ -86,8 +76,8 @@ index 0b07ab5..5e25d77 100644
g_ptr_array_add (arguments, "-core");
}
+
+ if (xorg_command != NULL && *xorg_command != '\0') {
+ g_ptr_array_add (arguments, (void *)xorg_command);
+ if (nocursor) {
+ g_ptr_array_add (arguments, "-nocursor");
+ }
+
g_ptr_array_add (arguments, NULL);
@ -97,13 +87,13 @@ index 0b07ab5..5e25d77 100644
gboolean ret;
int exit_status = EX_OK;
static gboolean register_session = FALSE;
+ static const char *xorg_command = NULL;
+ static gboolean xorg_nocursor = FALSE;
static GOptionEntry entries [] = {
{ "run-script", 'r', 0, G_OPTION_ARG_NONE, &run_script, N_("Run program through /etc/gdm/Xsession wrapper script"), NULL },
{ "allow-remote-connections", 'a', 0, G_OPTION_ARG_NONE, &allow_remote_connections, N_("Listen on TCP socket"), NULL },
{ "register-session", 0, 0, G_OPTION_ARG_NONE, &register_session, "Register session after a delay", NULL },
+ { "xorg-command", 0, 0, G_OPTION_ARG_STRING, &xorg_command, "Add extra arguments to Xorg command", NULL },
+ { "xorg-nocursor", 0, 0, G_OPTION_ARG_NONE, &xorg_nocursor, "Add -nocursor argument to Xorg command", NULL },
{ G_OPTION_REMAINING, 0, 0, G_OPTION_ARG_STRING_ARRAY, &args, "", "" },
{ NULL }
};
@ -112,12 +102,12 @@ index 0b07ab5..5e25d77 100644
g_unix_signal_add (SIGTERM, (GSourceFunc) on_sigterm, state);
- ret = spawn_x_server (state, allow_remote_connections, state->cancellable);
+ ret = spawn_x_server (state, allow_remote_connections, xorg_command, state->cancellable);
+ ret = spawn_x_server (state, allow_remote_connections, xorg_nocursor, state->cancellable);
if (!ret) {
g_printerr ("Unable to run X server\n");
diff --git a/data/gdm.schemas.in b/data/gdm.schemas.in
index 929d13d..b862887 100644
index 929d13d..bcf19ba 100644
--- a/data/gdm.schemas.in
+++ b/data/gdm.schemas.in
@@ -144,6 +144,12 @@
@ -126,11 +116,37 @@ index 929d13d..b862887 100644
</schema>
+
+ <schema>
+ <key>xorg/Command</key>
+ <signature>s</signature>
+ <default></default>
+ <key>xorg/NoCursor</key>
+ <signature>b</signature>
+ <default>false</default>
+ </schema>
</schemalist>
</gdmschemafile>
2.49.0
diff --git a/docs/C/index.docbook b/docs/C/index.docbook
index 134b9bc..aaf285e 100644
--- a/docs/C/index.docbook
+++ b/docs/C/index.docbook
@@ -1601,6 +1601,22 @@ gdm:.my.domain
</varlistentry>
</variablelist>
</sect3>
+
+ <sect3 id="xorgsection">
+ <title>[xorg]</title>
+ <variablelist>
+ <varlistentry>
+ <term>NoCursor</term>
+ <listitem>
+ <synopsis>NoCursor=true</synopsis>
+ <para>
+ If true the Xorg server launched to start a user session will
+ be have the -nocursor argument.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </sect3>
</sect2>
<sect2 id="greeterconfiguration">
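Review bot: Nothing in the new `spawn_x_server` code records why the free-form string was replaced by a boolean, so a later change could reintroduce pass-through of custom.conf text into the Xorg argv; above `if (nocursor) {` I would add `/* Only fixed, allowlisted flags are forwarded to Xorg; never pass free-form strings from custom.conf. */`. The same rationale is worth one line next to the `xorg-nocursor` entry in the `GOptionEntry` table, since that is the interface gdm-session.c builds its command line against. In the docs hunk the paragraph reads "will be have the -nocursor argument"; `If true, the Xorg server launched to start a user session is passed the -nocursor argument.` reads correctly, and the schema default of false could be stated there too. Separately, a `Command=` line left under `[xorg]` by a system configured against 40.1-34 appears to be ignored without any message after this change, which may be worth a mention in the documentation. Both `spawn_x_server` and `gdm_session_start_session` continue outside the hunks shown.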


@ -11,7 +11,7 @@
Name: gdm
Epoch: 1
Version: 40.1
Release: 34%{?dist}
Release: 35%{?dist}
Summary: The GNOME Display Manager
License: GPLv2+
@ -83,7 +83,7 @@ Patch99930001: 0001-data-add-system-dconf-databases-to-gdm-profile.patch
Patch99950001: 0001-data-Disable-network-configuration-on-login-screen.patch
Patch99960001: 0001-gdm-x-session-Allow-adding-custom-arguments-to-Xorg.patch
Patch99960001: 0001-gdm-x-session-Allow-adding-nocursor-argument-to-Xorg.patch
BuildRequires: accountsservice-devel
BuildRequires: audit-libs-devel >= %{libauditver}
@ -373,6 +373,12 @@ dconf update || :
%{_libdir}/pkgconfig/gdm-pam-extensions.pc
%changelog
* Wed Jul 16 2025 Joan Torres <joantolo@redhat.com> - 40.1-35
- Instead of allowing adding custom parameters to Xorg,
only allow adding -nocursor. Allowing adding custom parameters
is a potential security issue.
Related: RHEL-81194
* Mon Jul 14 2025 Joan Torres <joantolo@redhat.com> - 40.1-34
- Allow adding custom parameters to Xorg
Resolves: RHEL-81194