[debian-edu-commits] debian-edu/pkg-team/ 143/159: document an issue with upstream hardcoding /tmp/.xrdp/ and precreate it from sysvinit script, for now

Dominik George natureshadow-guest at moszumanska.debian.org
Tue Feb 23 10:04:35 UTC 2016


This is an automated email from the git hooks/post-receive script.

natureshadow-guest pushed a commit to branch master
in repository xrdp.

commit 7e9c5953767510d7554c51e929fc24a30578cc08
Author: mirabilos <tg at mirbsd.org>
Date:   Wed Sep 2 15:46:26 2015 +0200

    document an issue with upstream hardcoding /tmp/.xrdp/ and precreate it from sysvinit script, for now
---
 README.Debian |  7 +++++++
 changelog     |  3 ++-
 xrdp.init     | 19 +++++++++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/README.Debian b/README.Debian
index b826420..58c7adf 100644
--- a/README.Debian
+++ b/README.Debian
@@ -9,6 +9,13 @@ See also: https://github.com/neutrinolabs/xrdp/issues/264
 Furthermore, the package maintainers would like to know what the log
 messages about /etc/xrdp/cert.pem and /etc/xrdp/key.pem are good for.
 
+Another security issue is the hard-coded use of /tmp/.xrdp/ which
+probably should be moved to /var/run/xrdp/sockdir/ (pre-create in
+initscript with 0:0 1777; no idea about systemd); a local patch
+could fix it with the hard-coded replacement path, but that’s
+probably okay. For now, the sysvinit script creates this path and
+sanity-checks it.
+
 The pulseaudio plugin from sesman/chansrv/pulse should be installed
 but cannot be built due to lack of a pulseaudio-modules-dev package
 in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794692
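Review bot: documentation gap at "no idea about systemd" in the added paragraph: it says the sysvinit script creates and sanity-checks /tmp/.xrdp, but not what happens when the daemon is started any other way. State explicitly that the pre-creation and the check only apply to starts through the sysvinit script. The clause "but that's probably okay" is also ambiguous about whether it refers to the local patch or to the hard-coded replacement path; one more sentence would settle it.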
diff --git a/changelog b/changelog
index 37b6a32..629e99f 100644
--- a/changelog
+++ b/changelog
@@ -3,8 +3,9 @@ xrdp (0.9.0~git20150902-1~beta1) teckids; urgency=medium
   * New upstream snapshot, DFSG-free AFAICT TTBOMK
   * Correct missing $ in sysvinit script
   * Clean up a now-obsolete conffile from xrdp 0.6
+  * Document the /tmp/.xrdp/ issue and precreate it from sysvinit script
 
- -- Thorsten Glaser <thorsten.glaser at teckids.org>  Wed, 02 Sep 2015 15:16:02 +0200
+ -- Thorsten Glaser <thorsten.glaser at teckids.org>  Wed, 02 Sep 2015 15:45:56 +0200
 
 xrdp (0.9.0~git20150901+dfsg-1~beta1) teckids; urgency=medium
 
diff --git a/xrdp.init b/xrdp.init
index 60c7fe2..3d296cf 100644
--- a/xrdp.init
+++ b/xrdp.init
@@ -25,6 +25,15 @@ unset LANGUAGE
 # exit cleanly if disabled or not installed
 test -x /usr/sbin/xrdp || exit 0
 
+# assume superuser privs below
+case $(id -u) in
+(0) ;;
+(*)
+	echo >&2 "E: need root"
+	exit 1
+	;;
+esac
+
 # Debian/LSB init script foobar
 DESC='Remote Desktop Protocol server'
 NAME=xrdp
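Review bot: the new root check exits with status 1 and sits ahead of the `case $1 in` dispatch, so every action fails the same way for an unprivileged caller. LSB reserves exit status 4 for insufficient privilege on non-status actions, so `exit 4` would be the more precise code here. It is also worth deciding whether any read-only action needs root at all; if not, the check could move into the branches that actually start or stop the daemon.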
@@ -42,6 +51,16 @@ test -r /etc/default/xrdp && . /etc/default/xrdp
 test -d /var/run/xrdp || mkdir /var/run/xrdp || exit $?
 chown xrdp:xrdp /var/run/xrdp || exit $?
 
+# create socks directory
+test -e /tmp/.xrdp || mkdir -m1777 /tmp/.xrdp || exit $?
+case $(stat -c '%a,%u,%g,%F' /tmp/.xrdp) in
+(1777,0,0,directory) ;;
+(*)
+	echo >&2 "E: /tmp/.xrdp has wrong permissions"
+	exit 1
+	;;
+esac
+
 # take action
 rv=0
 case $1 in
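Review bot: the `stat` check on /tmp/.xrdp is not limited to starting the service: it runs before `case $1 in`, so a path with any other owner, mode or file type makes every action exit 1, stop included, and a running daemon can then no longer be stopped through this script. Because `test -e /tmp/.xrdp || mkdir ...` accepts whatever already exists under the world-writable /tmp, that failure is the expected outcome whenever something else created the name first. Suggest running the creation and check only in the start path, and including the observed `stat` output in the error message so the admin can see which of mode, uid, gid or type was wrong.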

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-edu/pkg-team/xrdp.git


