From e3f225daecfd5cfea4af1a4e8ac4b6c46c7ec363 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 21 May 2013 00:28:39 -0700 Subject: Tue May 21 00:28:39 PDT 2013 --- extra/x2goserver/PKGBUILD | 20 +++-- extra/x2goserver/revert.patch | 152 ++++++++++++++++++++++++++++++++++++ extra/x2goserver/x2goserver.install | 2 +- 3 files changed, 166 insertions(+), 8 deletions(-) create mode 100644 extra/x2goserver/revert.patch (limited to 'extra/x2goserver') diff --git a/extra/x2goserver/PKGBUILD b/extra/x2goserver/PKGBUILD index 92b719de6..064bd2c71 100644 --- a/extra/x2goserver/PKGBUILD +++ b/extra/x2goserver/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 185846 2013-05-19 15:18:38Z andyrtr $ +# $Id: PKGBUILD 186036 2013-05-20 18:09:21Z andyrtr $ # Maintainer: AndyRTR # Contributor: Gerhard Brauer @@ -8,7 +8,7 @@ pkgname=x2goserver pkgver=4.0.0.2 -pkgrel=1 +pkgrel=2 pkgdesc="Open source terminal server" arch=('i686' 'x86_64') url="http://www.x2go.org/" @@ -19,13 +19,20 @@ makedepends=('man2html') options=('emptydirs') install=x2goserver.install backup=('etc/x2go/x2goserver.conf' 'etc/x2go/x2gosql/sql') -source=(http://code.x2go.org/releases/source/${pkgname}/${pkgname}-${pkgver}.tar.gz x2goserver.service) +source=(http://code.x2go.org/releases/source/${pkgname}/${pkgname}-${pkgver}.tar.gz + x2goserver.service + revert.patch) md5sums=('6b8cecfdd31a8877203f50d3666c265f' - 'f76081c01e40b6206895d194dc949707') + 'f76081c01e40b6206895d194dc949707' + 'c487c31e7c0aa9a73323313007497764') build() { cd "${srcdir}/${pkgname}-${pkgver}" -#return 1 + + # revert an upstream commit that breaks sessions showing up + # http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=011d14ae076ba6fec96cd1e019c4f82444ab0f9f + patch -Rp1 -i ${srcdir}/revert.patch + # -r option does not exist in Arch linux # (However, html man pages do not get installed anyway...) for Makefile in $(find . -type f -name Makefile); do 
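Review bot: The `patch -Rp1 -i ${srcdir}/revert.patch` step added to build() reverse-applies an upstream commit whose subject is "Security fix for setgid wrapper x2gosqlitewrapper.c". The package therefore ships the pre-fix wrapper, which derives the script path from `/proc/self/exe`, while x2goserver.install still sets it to `chmod 2755`. The comment only says the upstream commit "breaks sessions showing up"; it should also record that a security fix is being dropped and when the revert can go, e.g. `# NOTE: this reverts an upstream security fix for the setgid wrapper; remove once the session regression is fixed upstream`. The regression may come from the path baked in by `-DTRUSTED_BINARY=\"$(DESTDIR)$(LIBDIR)/x2gosqlitewrapper.pl\"` (a `/usr/local` default PREFIX, or a staging DESTDIR at build time), in which case building with the correct PREFIX would keep the fix; this is inferred from the embedded patch, not shown in the hunk. build() continues past the end of the hunk.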
@@ -49,9 +56,8 @@ package() { install -Dm 644 "$srcdir/x2goserver.service" "$pkgdir/usr/lib/systemd/system/x2goserver.service" # X2go homedir + printing spool dir - #install -dm 755 $pkgdir/var/lib/x2go install -dm 770 $pkgdir/var/lib/x2go - install -dm 755 $pkgdir/var/spool/x2go + install -dm 770 $pkgdir/var/spool/x2go # load fuse module at system start install -dm755 $pkgdir/lib/modules-load.d diff --git a/extra/x2goserver/revert.patch b/extra/x2goserver/revert.patch new file mode 100644 index 000000000..023bbd18c --- /dev/null +++ b/extra/x2goserver/revert.patch 
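Review bot: The spool directory is now created with `install -dm 770 $pkgdir/var/spool/x2go` but no owner or group is given, so the mode only has its intended effect after post_install runs `chown -R x2goprint:x2goprint /var/spool/x2go`. Nothing visible on this page sets a group on `/var/lib/x2go`, which is also 770. A comment naming the account or group expected to own each directory would make the mode change reviewable, e.g. `# 770: group-writable for the x2go service accounts; ownership is set in x2goserver.install`. `$pkgdir` is unquoted on these lines while the `install -Dm 644 "$srcdir/..."` line just above quotes its paths; `install -dm 770 "$pkgdir/var/spool/x2go"` would be consistent. package() starts and ends outside the hunk.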
@@ -0,0 +1,152 @@ +From 011d14ae076ba6fec96cd1e019c4f82444ab0f9f Mon Sep 17 00:00:00 2001 +From: Mike Gabriel +Date: Sun, 19 May 2013 00:41:32 +0200 +Subject: [PATCH] Security fix for setgid wrapper x2gosqlitewrapper.c. + Hard-code path to x2gosqlitewrapper.pl during build via + defining a macro in the Makefile. Thanks to Richard + Weinberger for spotting this!!! + +--- + Makefile | 2 +- + debian/changelog | 3 +++ + debian/rules | 4 +-- + x2goserver/Makefile | 4 +-- + x2goserver/x2gosqlitewrapper.c | 54 +++------------------------------------- + 5 files changed, 12 insertions(+), 55 deletions(-) + +diff --git a/Makefile b/Makefile +index 3be40f9..588084f 100755 +--- a/Makefile ++++ b/Makefile +@@ -4,7 +4,7 @@ RM_FILE=rm -f + RM_DIR=rmdir -p --ignore-fail-on-non-empty + + DESTDIR= +-PREFIX=/usr/local ++PREFIX ?= /usr/local + ETCDIR=/etc/x2go + LIBDIR=$(PREFIX)/lib/x2go + SHAREDIR=$(PREFIX)/share/x2go +diff --git a/debian/changelog b/debian/changelog +index 470a502..2cf2dde 100644 +--- a/debian/changelog ++++ b/debian/changelog +@@ -12,6 +12,9 @@ x2goserver (4.0.0.2-0~x2go1) UNRELEASED; urgency=low + * New upstream version (4.0.0.2): + - Use make_path from File::Path in x2godbadmin to create user directory if + not present. (Fixes: #200). ++ - Security fix for setgid wrapper x2gosqlitewrapper.c. Hard-code path to ++ x2gosqlitewrapper.pl during build via defining a macro in the Makefile. ++ Thanks to Richard Weinberger for spotting this!!! + /debian/control: + + Let x2goserver bin:package depend on xfonts-base and fontconfig. (Fixes: + #163). 
+diff --git a/debian/rules b/debian/rules +index b32e08d..5bb94b2 100755 +--- a/debian/rules ++++ b/debian/rules +@@ -1,10 +1,10 @@ + #!/usr/bin/make -f + + %: +- dh $@ ++ PREFIX=/usr dh $@ + + override_dh_auto_install: +- make -f Makefile build-arch ++ PREFIX=/usr make -f Makefile build-arch + + override_dh_auto_clean: + rm -fv x2gosqlitewrapper +diff --git a/x2goserver/Makefile b/x2goserver/Makefile +index 4287478..e9d56e6 100755 +--- a/x2goserver/Makefile ++++ b/x2goserver/Makefile +@@ -15,7 +15,7 @@ RM_FILE=rm -f + RM_DIR=rmdir -p --ignore-fail-on-non-empty + + DESTDIR= +-PREFIX=/usr/local ++PREFIX ?= /usr/local + ETCDIR=/etc/x2go + BINDIR=$(PREFIX)/bin + SBINDIR=$(PREFIX)/sbin +@@ -41,7 +41,7 @@ build: build-arch build-indep + build-arch: build_setgidwrappers + + build_setgidwrappers: +- $(CC) $(CFLAGS) $(LDFLAGS) -o x2gosqlitewrapper x2gosqlitewrapper.c ++ $(CC) $(CFLAGS) $(LDFLAGS) -DTRUSTED_BINARY=\"$(DESTDIR)$(LIBDIR)/x2gosqlitewrapper.pl\" -o x2gosqlitewrapper x2gosqlitewrapper.c + + build-indep: build_man2html + +diff --git a/x2goserver/x2gosqlitewrapper.c b/x2goserver/x2gosqlitewrapper.c +index a134efc..ad95eff 100644 +--- a/x2goserver/x2gosqlitewrapper.c ++++ b/x2goserver/x2gosqlitewrapper.c +@@ -21,58 +21,12 @@ + * + */ + +-#include +-#include +-#include +-#include +-#include +- + int main( int argc, char *argv[] ) { +- char * x2gosqlitewrapper = NULL; +- size_t path_max; +- +-/* +- The following snippet is taken from the realpath manpage +-*/ +-#ifdef PATH_MAX +- path_max = PATH_MAX; +-#else +- path_max = pathconf (".", _PC_PATH_MAX); +- if (path_max <= 0){ +- path_max = 4096; +- } +-#endif +- { +- // allocate dynamic buffer in stack: this needs C99 or gnu?? 
+- char buffer[path_max]; +- ssize_t rvrl; +- int rvap; +- +- // resolve link of /proc/self/exe to find out where we are +- rvrl = readlink("/proc/self/exe", buffer, path_max); +- if(rvrl == -1){ +- perror("readlink(\"/proc/self/exe\",buffer,path_max)"); +- exit(EXIT_FAILURE); +- } +- if(rvrl >= path_max){ +- fprintf(stderr, "Could not resolve the path of this file using \"/proc/self/exe\". The path is too long (> %i)", path_max); +- exit(EXIT_FAILURE); +- } +- +- // derive the full path of x2gosqlitewrapper.pl from path of this binary +- rvap = asprintf(&x2gosqlitewrapper, "%s/%s", dirname(buffer), "x2gosqlitewrapper.pl"); +- if(rvap == -1){ +- fprintf(stderr, "Failed to allocate memory calling asprintf\n"); +- exit(EXIT_FAILURE); +- } +- +- // execute the script, running with user-rights of this binary +- execv(x2gosqlitewrapper, argv); + +- } ++ char x2gosqlitewrapper[] = TRUSTED_BINARY; + +- // ...fail +- fprintf(stderr, "Failed to execute %s: %s\n", x2gosqlitewrapper, strerror(errno)); +- return EXIT_FAILURE; ++ argv[0] = "x2gosqlitewrapper.pl"; ++ // execute the script, running with user-rights of this binary ++ execv(x2gosqlitewrapper, argv); + + } +-- +1.7.9.5 + diff --git a/extra/x2goserver/x2goserver.install b/extra/x2goserver/x2goserver.install index cac06dac8..223eaac62 100644 --- a/extra/x2goserver/x2goserver.install +++ b/extra/x2goserver/x2goserver.install @@ -39,7 +39,7 @@ post_install() { # fix permissions - see INSTALL file chown -R x2goprint:x2goprint /var/spool/x2go chmod 0770 /var/spool/x2go - + chown root:x2gouser /usr/lib/x2go/x2gosqlitewrapper chmod 2755 /usr/lib/x2go/x2gosqlitewrapper -- cgit v1.2.3-54-g00ecf