xorg: Changes to 'debian-unstable'
debian/changelog | 10 ++++++++++
debian/control | 1 +
debian/local/xserver-wrapper.c | 16 +++++++---------
debian/rules | 9 ++++++++-
4 files changed, 26 insertions(+), 10 deletions(-)
New commits:
commit 0ebabb840bf52e5e5347414487668ae26ec16332
Author: Julien Cristau <jcristau@debian.org>
Date: Thu Dec 15 21:22:22 2011 +0100
Build the X wrapper with hardening enabled.
diff --git a/debian/changelog b/debian/changelog
index 20d3f7f..13dc513 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,7 @@ xorg (1:7.6+10) UNRELEASED; urgency=low
things like /dev/tty and /dev/ptmx, which are world-readable (closes:
#652249). Thanks to vladz for the report.
- use major() and minor() macros instead of manually extracting them
+ * Build the X wrapper with hardening enabled.
-- Julien Cristau <jcristau@debian.org> Tue, 01 Nov 2011 15:13:52 +0100
diff --git a/debian/control b/debian/control
index b825221..dfa7aa4 100644
--- a/debian/control
+++ b/debian/control
@@ -5,6 +5,7 @@ Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Uploaders: Drew Parsons <dparsons@debian.org>, Cyril Brulebois <kibi@debian.org>
Standards-Version: 3.9.2
Build-Depends:
+ dpkg (>= 1.16.1),
debhelper (>= 7),
po-debconf,
# xsf-docs:
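Review bot: The added `dpkg (>= 1.16.1)` constrains the dpkg package, but dpkg-buildflags, which debian/rules starts calling in this same commit, is shipped in dpkg-dev. As far as I know an older dpkg-dev still provides the tool but does not honour the hardening option, so the wrapper would build without the flags and without any error. Placing the version constraint on the package that owns the tool, `dpkg-dev (>= 1.16.1),`, would make the build dependency match what the rules file relies on.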
diff --git a/debian/rules b/debian/rules
index 861737a..8d2c970 100755
--- a/debian/rules
+++ b/debian/rules
@@ -19,6 +19,13 @@ CC=$(DEB_HOST_GNU_TYPE)-gcc
else
CC ?=gcc
endif
+CFLAGS = \
+ -Wall \
+ $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get CFLAGS)
+CPPFLAGS = \
+ $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get CPPFLAGS)
+LDFLAGS = \
+ $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get LDFLAGS)
# debhelper
export DH_OPTIONS
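Review bot: Nothing in this hunk notices a failing dpkg-buildflags call: `$(shell …)` discards the exit status, so an error leaves CFLAGS, CPPFLAGS and LDFLAGS without hardening flags and the setgid wrapper still builds. Because the three variables are assigned with `=`, the command is also re-run on every expansion; `CFLAGS := -Wall $(shell DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get CFLAGS)`, and likewise for the other two, evaluates it once. A build-time check that the queried LDFLAGS value is non-empty would turn a silent fallback into a build failure.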
@@ -49,7 +56,7 @@ build: build-stamp
build-stamp: scripts-stamp
dh_testdir
# build Debian's X server wrapper
- $(CC) -Wall -g -O2 -o debian/local/X debian/local/xserver-wrapper.c
+ $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o debian/local/X debian/local/xserver-wrapper.c
$(MAKE) -C xsf-docs
touch $@
commit 1d5cfd6fe0d46fcfcb6f79316cdc600f6da77f54
Author: Julien Cristau <jcristau@debian.org>
Date: Thu Dec 15 21:06:31 2011 +0100
xserver-wrapper: use major() and minor() macros instead of manually extracting them
diff --git a/debian/changelog b/debian/changelog
index ac28258..20d3f7f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,12 @@
xorg (1:7.6+10) UNRELEASED; urgency=low
- * xserver-wrapper: when we drop privileges, don't forget to also reset
- effective group id, since we're installed setgid root.
- * xserver-wrapper: revert change to allow devices with major 5 as consoles.
- This includes things like /dev/tty and /dev/ptmx, which are
- world-readable (closes: #652249). Thanks to vladz for the report.
+ * Fixes for xserver-wrapper:
+ - when we drop privileges, don't forget to also reset effective group id,
+ since we're installed setgid root.
+ - revert change to allow devices with major 5 as consoles. This includes
+ things like /dev/tty and /dev/ptmx, which are world-readable (closes:
+ #652249). Thanks to vladz for the report.
+ - use major() and minor() macros instead of manually extracting them
-- Julien Cristau <jcristau@debian.org> Tue, 01 Nov 2011 15:13:52 +0100
diff --git a/debian/local/xserver-wrapper.c b/debian/local/xserver-wrapper.c
index 1e0d416..d4a6ab8 100644
--- a/debian/local/xserver-wrapper.c
+++ b/debian/local/xserver-wrapper.c
@@ -162,8 +162,8 @@ onConsole()
return FALSE;
}
if (S_ISCHR(s.st_mode) &&
- (((s.st_rdev >> 8) & 0xff) == TTY_MAJOR_DEV &&
- (s.st_rdev & 0xff) < 64)) {
+ (major(s.st_rdev) == TTY_MAJOR_DEV &&
+ minor(s.st_rdev) < 64)) {
return TRUE;
}
#elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
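Review bot: major() and minor() in the new condition come from `<sys/sysmacros.h>` on glibc, and this commit adds no include for them. The file's include list is outside the hunk, so this is inferred: if the macros currently arrive only through `<sys/types.h>`, the build breaks on glibc releases that stopped pulling that header in. Adding `#include <sys/sysmacros.h>` inside the `#if defined(__linux__)` block, next to `#define TTY_MAJOR_DEV 4`, makes the dependency explicit. onConsole() starts and ends outside the hunk.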
commit acc6eda78b98d8a7af554bc578f5fdc21ec934bb
Author: Julien Cristau <jcristau@debian.org>
Date: Thu Dec 15 21:02:12 2011 +0100
xserver-wrapper: revert change to allow devices with major 5 as consoles.
This includes things like /dev/tty and /dev/ptmx, which are
world-readable (closes: #652249). Thanks to vladz for the report.
diff --git a/debian/changelog b/debian/changelog
index 475555f..ac28258 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,9 @@ xorg (1:7.6+10) UNRELEASED; urgency=low
* xserver-wrapper: when we drop privileges, don't forget to also reset
effective group id, since we're installed setgid root.
+ * xserver-wrapper: revert change to allow devices with major 5 as consoles.
+ This includes things like /dev/tty and /dev/ptmx, which are
+ world-readable (closes: #652249). Thanks to vladz for the report.
-- Julien Cristau <jcristau@debian.org> Tue, 01 Nov 2011 15:13:52 +0100
diff --git a/debian/local/xserver-wrapper.c b/debian/local/xserver-wrapper.c
index bfb28d4..1e0d416 100644
--- a/debian/local/xserver-wrapper.c
+++ b/debian/local/xserver-wrapper.c
@@ -83,6 +83,7 @@
* Julien Cristau: don't check the mode of the DRI device directory
* (11 Aug 2009)
* Julien Cristau: also drop group privileges (1 Nov 2011)
+ * Julien Cristau: disallow major 5 again for consoles (15 Dec 2011)
*
* This is free software; you may redistribute it and/or modify
* it under the terms of the GNU General Public License as
@@ -113,7 +114,6 @@
#if defined(__linux__)
#define TTY_MAJOR_DEV 4
-#define ALT_TTY_MAJOR_DEV 5
#elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
#include <sys/consio.h>
#endif
@@ -162,11 +162,8 @@ onConsole()
return FALSE;
}
if (S_ISCHR(s.st_mode) &&
- ((((s.st_rdev >> 8) & 0xff) == TTY_MAJOR_DEV &&
- (s.st_rdev & 0xff) < 64) ||
- (((s.st_rdev >> 8) & 0xff) == ALT_TTY_MAJOR_DEV &&
- (s.st_rdev & 0xff) < 64)
- )) {
+ (((s.st_rdev >> 8) & 0xff) == TTY_MAJOR_DEV &&
+ (s.st_rdev & 0xff) < 64)) {
return TRUE;
}
#elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
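Review bot: The tightened condition carries no comment saying why only TTY_MAJOR_DEV is accepted, so the reason lives only in the changelog and the commit message. A short comment above the `if (S_ISCHR(s.st_mode) &&` test would keep a later change from widening it again, for example `/* Only major 4 with minor < 64 counts as a console; major 5 covers /dev/tty and /dev/ptmx, which are world-readable (#652249). */`. onConsole() starts and ends outside the hunk.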
commit e81b3943be75ca6674867fc7756905490e979522
Author: Julien Cristau <jcristau@debian.org>
Date: Tue Nov 1 15:15:04 2011 +0100
Fix privileges dropping in the X wrapper
xserver-wrapper: when we drop privileges, don't forget to also reset
effective group id, since we're installed setgid root.
diff --git a/debian/changelog b/debian/changelog
index f2198f9..475555f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+xorg (1:7.6+10) UNRELEASED; urgency=low
+
+ * xserver-wrapper: when we drop privileges, don't forget to also reset
+ effective group id, since we're installed setgid root.
+
+ -- Julien Cristau <jcristau@debian.org> Tue, 01 Nov 2011 15:13:52 +0100
+
xorg (1:7.6+9) unstable; urgency=low
[ Julien Cristau ]
diff --git a/debian/local/xserver-wrapper.c b/debian/local/xserver-wrapper.c
index db503b5..bfb28d4 100644
--- a/debian/local/xserver-wrapper.c
+++ b/debian/local/xserver-wrapper.c
@@ -82,6 +82,7 @@
* -showDefaultLibPath options (11 Aug 2009)
* Julien Cristau: don't check the mode of the DRI device directory
* (11 Aug 2009)
+ * Julien Cristau: also drop group privileges (1 Nov 2011)
*
* This is free software; you may redistribute it and/or modify
* it under the terms of the GNU General Public License as
@@ -313,12 +314,12 @@ main(int argc, char **argv)
for (i = 1; i < argc; i++) {
if (!strcmp(argv[i], "-config") || !strcmp(argv[i], "-xf86config")) {
- if (setuid(getuid())) {
+ if (setgid(getgid()) || setuid(getuid())) {
perror("X unable to drop setuid privileges for alternate config");
exit(1);
}
} else if (strlen(argv[i]) > 256) {
- if (setuid(getuid())) {
+ if (setgid(getgid()) || setuid(getuid())) {
perror("X unable to drop setuid privileges for suspiciously long "
"argument");
exit(1);
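Review bot: The `setgid(getgid()) || setuid(getuid())` sequence is now repeated at both sites in this hunk and again in the hunk at new line 355, and its order is security-relevant. The group has to be reset while the process still holds root; once setuid() has given that up, setgid() changes only the effective group id and leaves the saved set-group-ID in place. Moving the sequence into one helper keeps that ordering in a single commented place, and the perror() texts, which still say only "setuid privileges", could mention the group as well. main() starts and ends outside the hunk.

```c
/*
 * Give up the privileges of the installed wrapper.  The group is reset
 * first, while the process can still change all of its group ids.
 */
static void
drop_privileges(const char *msg)
{
    if (setgid(getgid()) || setuid(getuid())) {
        perror(msg);
        exit(1);
    }
}

/* … unchanged: start of main() and the argument loop header … */
        if (!strcmp(argv[i], "-config") || !strcmp(argv[i], "-xf86config")) {
            drop_privileges("X unable to drop setuid privileges for alternate config");
        } else if (strlen(argv[i]) > 256) {
            drop_privileges("X unable to drop setuid privileges for suspiciously long "
                            "argument");
```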
@@ -354,7 +355,7 @@ main(int argc, char **argv)
(strcmp(argv[1], "-version") == 0) ||
(strcmp(argv[1], "-showDefaultModulePath") == 0) ||
(strcmp(argv[1], "-showDefaultLibPath") == 0) ) ) {
- if (setuid(getuid())) {
+ if (setgid(getgid()) || setuid(getuid())) {
perror("X unable to drop setuid privileges");
exit(1);
}