rpms/gdm/F-12 fix-run-dir-permissions.patch, NONE, 1.1 gdm.spec, 1.507, 1.508
Ray Strode
rstrode at fedoraproject.org
Tue Oct 27 15:53:46 UTC 2009
- Previous message (by thread): rpms/asterisk/F-11 0008-Revert-changes-to-pbx_lua-from-rev-126363-that-cause.patch, NONE, 1.1 0005-Build-using-external-libedit.patch, 1.7, 1.8 asterisk.spec, 1.55, 1.56 sources, 1.23, 1.24
- Next message (by thread): rpms/rygel/devel .cvsignore, 1.5, 1.6 rygel.spec, 1.15, 1.16 sources, 1.5, 1.6
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: rstrode
Update of /cvs/pkgs/rpms/gdm/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13596
Modified Files:
gdm.spec
Added Files:
fix-run-dir-permissions.patch
Log Message:
- Tighten permissions on /var/run/gdm (bug 531063)
fix-run-dir-permissions.patch:
b/configure.ac | 17 +++++++++++++++++
b/daemon/Makefile.am | 1 +
b/daemon/gdm-display-access-file.c | 14 +++++++-------
b/daemon/gdm-greeter-session.c | 1 +
b/daemon/gdm-welcome-session.c | 33 ++++++++++++++++++++++++++++++++-
b/data/Makefile.am | 8 ++++++++
b/utils/Makefile.am | 1 +
b/utils/gdm-screenshot.c | 6 +-----
configure.ac | 3 +--
data/Makefile.am | 3 +--
10 files changed, 70 insertions(+), 17 deletions(-)
--- NEW FILE fix-run-dir-permissions.patch ---
>From 5475c0a823cf94f817821105b40760d902d9ace5 Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode at redhat.com>
Date: Tue, 27 Oct 2009 10:40:55 -0400
Subject: [PATCH 1/4] Make screenshot dir a configure argument
This provides a little more flexibility to distributors,
but more importantly makes it less hard coded in gdm-screenshot.c
---
configure.ac | 17 +++++++++++++++++
data/Makefile.am | 8 ++++++++
utils/Makefile.am | 1 +
utils/gdm-screenshot.c | 5 +----
4 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index 4fe4430..0dd2658 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1237,6 +1237,23 @@ fi
AC_SUBST(GDM_XAUTH_DIR)
dnl ---------------------------------------------------------------------------
+dnl - Directory for greeter screenshot
+dnl ---------------------------------------------------------------------------
+
+AC_ARG_WITH(screenshot-dir,
+ AS_HELP_STRING([--with-screenshot-dir=<dir>],
+ [directory to store greeter screenshot]))
+
+if ! test -z "$with_screenshot_dir"; then
+ GDM_SCREENSHOT_DIR=$with_screenshot_dir
+else
+ GDM_SCREENSHOT_DIR=${localstatedir}/run/gdm
+fi
+
+AC_SUBST(GDM_SCREENSHOT_DIR)
+
+
+dnl ---------------------------------------------------------------------------
dnl - Finish
dnl ---------------------------------------------------------------------------
diff --git a/data/Makefile.am b/data/Makefile.am
index 73fa106..608194d 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -13,6 +13,7 @@ predir = $(gdmconfdir)/PreSession
postlogindir = $(gdmconfdir)/PostLogin
workingdir = $(GDM_WORKING_DIR)
xauthdir = $(GDM_XAUTH_DIR)
+screenshotdir = $(GDM_SCREENSHOT_DIR)
cachedir = $(localstatedir)/cache/gdm
Xsession: $(srcdir)/Xsession.in
@@ -123,6 +124,7 @@ uninstall-hook:
-rf \
$(DESTDIR)$(workingdir)/.gconf.mandatory \
$(DESTDIR)$(xauthdir)
+ $(DESTDIR)$(screenshotdir)
install-data-hook: gdm.conf-custom Xsession Init PostSession PreSession gconf.path
if test '!' -d $(DESTDIR)$(gdmconfdir); then \
@@ -204,6 +206,12 @@ install-data-hook: gdm.conf-custom Xsession Init PostSession PreSession gconf.pa
chown root:gdm $(DESTDIR)$(xauthdir) || : ; \
fi
+ if test '!' -d $(DESTDIR)$(screenshotdir); then \
+ $(mkinstalldirs) $(DESTDIR)$(screenshotdir); \
+ chmod 0755 $(DESTDIR)$(screenshotdir); \
+ chown gdm:gdm $(DESTDIR)$(screenshotdir) || : ; \
+ fi
+
if test '!' -d $(DESTDIR)$(workingdir); then \
$(mkinstalldirs) $(DESTDIR)$(workingdir); \
chmod 1770 $(DESTDIR)$(workingdir); \
diff --git a/utils/Makefile.am b/utils/Makefile.am
index 0b6ea04..f1ff331 100644
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -4,6 +4,7 @@ AM_CPPFLAGS = \
-I. \
-I.. \
-DLOCALSTATEDIR=\""$(localstatedir)"\" \
+ -DGDM_SCREENSHOT_DIR=\""$(GDM_SCREENSHOT_DIR)"\"\
-DGNOMELOCALEDIR=\""$(datadir)/locale"\" \
$(UTILS_CFLAGS) \
$(CANBERRA_GTK_CFLAGS) \
diff --git a/utils/gdm-screenshot.c b/utils/gdm-screenshot.c
index f66de46..12102f2 100644
--- a/utils/gdm-screenshot.c
+++ b/utils/gdm-screenshot.c
@@ -163,11 +163,8 @@ screenshot_save (GdkPixbuf *pixbuf)
char *filename;
gboolean res;
GError *error;
- const char *save_dir;
- save_dir = LOCALSTATEDIR "/run/gdm";
-
- filename = g_build_filename (save_dir,
+ filename = g_build_filename (GDM_SCREENSHOT_DIR,
"GDM-Screenshot.png",
NULL);
--
1.6.5.1
>From 1fe51c8f69dc93033d2035c27389377090f21b78 Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode at redhat.com>
Date: Tue, 27 Oct 2009 11:25:19 -0400
Subject: [PATCH 2/4] Create screenshot dir at runtime if not available
We want the screenshot dir to be owned by the GDM user,
so the greeter can write screenshots to it.
---
daemon/Makefile.am | 1 +
daemon/gdm-greeter-session.c | 1 +
daemon/gdm-welcome-session.c | 32 ++++++++++++++++++++++++++++++++
3 files changed, 34 insertions(+), 0 deletions(-)
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index a122a15..ab10dc5 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -15,6 +15,7 @@ AM_CPPFLAGS = \
-DSBINDIR=\"$(sbindir)\" \
-DGNOMELOCALEDIR=\""$(datadir)/locale"\" \
-DGDM_XAUTH_DIR=\"$(GDM_XAUTH_DIR)\" \
+ -DGDM_SCREENSHOT_DIR=\"$(GDM_SCREENSHOT_DIR)\" \
-DGDM_CACHE_DIR=\""$(localstatedir)/cache/gdm"\" \
-DGDM_SESSION_DEFAULT_PATH=\"$(GDM_SESSION_DEFAULT_PATH)\" \
$(DISABLE_DEPRECATED_CFLAGS) \
diff --git a/daemon/gdm-greeter-session.c b/daemon/gdm-greeter-session.c
index aae1928..994acbc 100644
--- a/daemon/gdm-greeter-session.c
+++ b/daemon/gdm-greeter-session.c
@@ -156,6 +156,7 @@ gdm_greeter_session_new (const char *display_name,
"x11-display-device", display_device,
"x11-display-hostname", display_hostname,
"x11-display-is-local", display_is_local,
+ "runtime-dir", GDM_SCREENSHOT_DIR,
NULL);
return GDM_GREETER_SESSION (object);
diff --git a/daemon/gdm-welcome-session.c b/daemon/gdm-welcome-session.c
index b58e855..f340660 100644
--- a/daemon/gdm-welcome-session.c
+++ b/daemon/gdm-welcome-session.c
@@ -63,6 +63,7 @@ struct GdmWelcomeSessionPrivate
char *user_name;
char *group_name;
+ char *runtime_dir;
char *x11_display_name;
char *x11_display_device;
@@ -91,6 +92,7 @@ enum {
PROP_X11_DISPLAY_IS_LOCAL,
PROP_USER_NAME,
PROP_GROUP_NAME,
+ PROP_RUNTIME_DIR,
PROP_SERVER_ADDRESS,
PROP_COMMAND,
PROP_SERVER_DBUS_PATH,
@@ -408,6 +410,7 @@ rotate_logs (const char *path,
typedef struct {
const char *user_name;
const char *group_name;
+ const char *runtime_dir;
const char *log_file;
} SpawnChildData;
@@ -435,6 +438,10 @@ spawn_child_setup (SpawnChildData *data)
_exit (1);
}
+ g_debug ("GdmWelcomeSession: Setting up run time dir %s", data->runtime_dir);
+ g_mkdir (data->runtime_dir, 0755);
+ chown (data->runtime_dir, pwent->pw_uid, pwent->pw_gid);
+
g_debug ("GdmWelcomeSession: Changing (uid:gid) for child process to (%d:%d)",
pwent->pw_uid,
grent->gr_gid);
@@ -552,6 +559,7 @@ static gboolean
spawn_command_line_async_as_user (const char *command_line,
const char *user_name,
const char *group_name,
+ const char *runtime_dir,
const char *log_file,
char **env,
GPid *child_pid,
@@ -575,6 +583,7 @@ spawn_command_line_async_as_user (const char *command_line,
data.user_name = user_name;
data.group_name = group_name;
+ data.runtime_dir = runtime_dir;
data.log_file = log_file;
local_error = NULL;
@@ -756,6 +765,7 @@ gdm_welcome_session_spawn (GdmWelcomeSession *welcome_session)
ret = spawn_command_line_async_as_user (welcome_session->priv->command,
welcome_session->priv->user_name,
welcome_session->priv->group_name,
+ welcome_session->priv->runtime_dir,
log_path,
(char **)env->pdata,
&welcome_session->priv->pid,
@@ -928,6 +938,14 @@ _gdm_welcome_session_set_group_name (GdmWelcomeSession *welcome_session,
}
static void
+_gdm_welcome_session_set_runtime_dir (GdmWelcomeSession *welcome_session,
+ const char *dir)
+{
+ g_free (welcome_session->priv->runtime_dir);
+ welcome_session->priv->runtime_dir = g_strdup (dir);
+}
+
+static void
_gdm_welcome_session_set_server_dbus_path (GdmWelcomeSession *welcome_session,
const char *name)
{
@@ -998,6 +1016,9 @@ gdm_welcome_session_set_property (GObject *object,
case PROP_GROUP_NAME:
_gdm_welcome_session_set_group_name (self, g_value_get_string (value));
break;
+ case PROP_RUNTIME_DIR:
+ _gdm_welcome_session_set_runtime_dir (self, g_value_get_string (value));
+ break;
case PROP_SERVER_ADDRESS:
gdm_welcome_session_set_server_address (self, g_value_get_string (value));
break;
@@ -1054,6 +1075,9 @@ gdm_welcome_session_get_property (GObject *object,
case PROP_GROUP_NAME:
g_value_set_string (value, self->priv->group_name);
break;
+ case PROP_RUNTIME_DIR:
+ g_value_set_string (value, self->priv->runtime_dir);
+ break;
case PROP_SERVER_ADDRESS:
g_value_set_string (value, self->priv->server_address);
break;
@@ -1154,6 +1178,13 @@ gdm_welcome_session_class_init (GdmWelcomeSessionClass *klass)
GDM_GROUPNAME,
G_PARAM_READWRITE | G_PARAM_CONSTRUCT));
g_object_class_install_property (object_class,
+ PROP_RUNTIME_DIR,
+ g_param_spec_string ("runtime-dir",
+ "runtime dir",
+ "runtime dir",
+ NULL,
+ G_PARAM_READWRITE | G_PARAM_CONSTRUCT));
+ g_object_class_install_property (object_class,
PROP_SERVER_ADDRESS,
g_param_spec_string ("server-address",
"server address",
@@ -1267,6 +1298,7 @@ gdm_welcome_session_finalize (GObject *object)
g_free (welcome_session->priv->command);
g_free (welcome_session->priv->user_name);
g_free (welcome_session->priv->group_name);
+ g_free (welcome_session->priv->runtime_dir);
g_free (welcome_session->priv->x11_display_name);
g_free (welcome_session->priv->x11_display_device);
g_free (welcome_session->priv->x11_display_hostname);
--
1.6.5.1
>From 81870b019c929694ea392359b0a66b0a500c7d5c Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode at redhat.com>
Date: Tue, 27 Oct 2009 11:43:15 -0400
Subject: [PATCH 3/4] Move default screenshot dir to it's own subdirectory
---
configure.ac | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0dd2658..93917e2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1247,7 +1247,7 @@ AC_ARG_WITH(screenshot-dir,
if ! test -z "$with_screenshot_dir"; then
GDM_SCREENSHOT_DIR=$with_screenshot_dir
else
- GDM_SCREENSHOT_DIR=${localstatedir}/run/gdm
+ GDM_SCREENSHOT_DIR=${localstatedir}/run/gdm/greeter
fi
AC_SUBST(GDM_SCREENSHOT_DIR)
--
1.6.5.1
>From c96697431529ed87dbdbb987ed92ac2286b247b7 Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode at redhat.com>
Date: Tue, 27 Oct 2009 10:35:37 -0400
Subject: [PATCH 4/4] Lock down /var/run/gdm
We don't need it so open now that screenshots are written to their
own directory, and having it open has implications for quota abuse.
---
daemon/gdm-display-access-file.c | 14 +++++++-------
data/Makefile.am | 2 +-
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/daemon/gdm-display-access-file.c b/daemon/gdm-display-access-file.c
index a3d3e2f..1b52f15 100644
--- a/daemon/gdm-display-access-file.c
+++ b/daemon/gdm-display-access-file.c
@@ -268,10 +268,10 @@ _create_xauth_file_for_user (const char *username,
fp = NULL;
fd = -1;
- /* Create directory if not exist, then set permission 01775 and ownership root:gdm */
+ /* Create directory if not exist, then set permission 0711 and ownership root:gdm */
if (g_file_test (GDM_XAUTH_DIR, G_FILE_TEST_IS_DIR) == FALSE) {
g_unlink (GDM_XAUTH_DIR);
- if (g_mkdir (GDM_XAUTH_DIR, S_ISVTX | S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH) != 0) {
+ if (g_mkdir (GDM_XAUTH_DIR, 0711) != 0) {
g_set_error (error,
G_FILE_ERROR,
g_file_error_from_errno (errno),
@@ -279,15 +279,15 @@ _create_xauth_file_for_user (const char *username,
goto out;
}
- g_chmod (GDM_XAUTH_DIR, S_ISVTX | S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH);
+ g_chmod (GDM_XAUTH_DIR, 0711);
_get_uid_and_gid_for_user (GDM_USERNAME, &uid, &gid);
if (chown (GDM_XAUTH_DIR, 0, gid) != 0) {
g_warning ("Unable to change owner of '%s'",
GDM_XAUTH_DIR);
}
} else {
- /* if it does exist make sure it has correct mode 01775 */
- g_chmod (GDM_XAUTH_DIR, S_ISVTX | S_IRWXU |S_IRWXG | S_IROTH | S_IXOTH);
+ /* if it does exist make sure it has correct mode 0711 */
+ g_chmod (GDM_XAUTH_DIR, 0711);
/* and clean up any stale auth subdirs */
clean_up_stale_auth_subdirs ();
@@ -368,8 +368,8 @@ _create_xauth_file_for_user (const char *username,
}
/* now open up permissions on per-session directory */
- g_debug ("GdmDisplayAccessFile: chmoding %s to 1777", dir_name);
- g_chmod (dir_name, S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO);
+ g_debug ("GdmDisplayAccessFile: chmoding %s to 0711", dir_name);
+ g_chmod (dir_name, 0711);
errno = 0;
fp = fdopen (fd, "w");
diff --git a/data/Makefile.am b/data/Makefile.am
index 608194d..dfbd096 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -202,7 +202,7 @@ install-data-hook: gdm.conf-custom Xsession Init PostSession PreSession gconf.pa
if test '!' -d $(DESTDIR)$(xauthdir); then \
$(mkinstalldirs) $(DESTDIR)$(xauthdir); \
- chmod 1777 $(DESTDIR)$(xauthdir); \
+ chmod 0711 $(DESTDIR)$(xauthdir); \
chown root:gdm $(DESTDIR)$(xauthdir) || : ; \
fi
--
1.6.5.1
Index: gdm.spec
===================================================================
RCS file: /cvs/pkgs/rpms/gdm/F-12/gdm.spec,v
retrieving revision 1.507
retrieving revision 1.508
diff -u -p -r1.507 -r1.508
--- gdm.spec 26 Oct 2009 19:14:39 -0000 1.507
+++ gdm.spec 27 Oct 2009 15:53:46 -0000 1.508
@@ -16,7 +16,7 @@
Summary: The GNOME Display Manager
Name: gdm
Version: 2.28.1
-Release: 10%{?dist}
+Release: 11%{?dist}
Epoch: 1
License: GPLv2+
Group: User Interface/X
@@ -105,6 +105,7 @@ Patch21: fix-clock.patch
Patch22: fix-timer.patch
Patch23: fix-na-tray.patch
Patch24: fix-computer-info.patch
+Patch25: fix-run-dir-permissions.patch
Patch97: gdm-multistack.patch
# Fedora-specific
@@ -155,6 +156,7 @@ The GDM fingerprint plugin provides func
%patch22 -p1 -b .fix-timer
%patch23 -p1 -b .fix-na-tray
%patch24 -p1 -b .fix-computer-info
+%patch25 -p1 -b .fix-run-dir-permission
%patch97 -p1 -b .multistack
%patch98 -p1 -b .bubble-location
@@ -226,6 +228,8 @@ mkdir -p $RPM_BUILD_ROOT%{_datadir}/gdm/
# temporarily manually copy this
cp -f %{SOURCE10} $RPM_BUILD_ROOT%{_datadir}/gdm/autostart/LoginWindow/polkit-gnome-authentication-agent-1.desktop
+mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/gdm/greeter
+
rm -rf $RPM_BUILD_ROOT%{_localstatedir}/scrollkeeper
find $RPM_BUILD_ROOT -name '*.a' -delete
@@ -379,10 +383,12 @@ fi
%config %{_datadir}/gdm/autostart/LoginWindow/*
%dir %{_localstatedir}/log/gdm
%dir %{_localstatedir}/spool/gdm
+%dir %{_localstatedir}/run/gdm/greeter
%attr(1770, gdm, gdm) %dir %{_localstatedir}/lib/gdm
%attr(1750, gdm, gdm) %dir %{_localstatedir}/lib/gdm/.gconf.mandatory
%attr(1640, gdm, gdm) %dir %{_localstatedir}/lib/gdm/.gconf.mandatory/*.xml
%attr(1640, gdm, gdm) %dir %{_localstatedir}/lib/gdm/.gconf.path
+%attr(1755, gdm, gdm) %dir %{_localstatedir}/run/gdm/greeter
%attr(1770, root, gdm) %dir %{_localstatedir}/gdm
%attr(1777, root, gdm) %dir %{_localstatedir}/run/gdm
%attr(1755, root, gdm) %dir %{_localstatedir}/cache/gdm
@@ -407,6 +413,9 @@ fi
%{_libdir}/gdm/simple-greeter/plugins/fingerprint.so
%changelog
+* Tue Oct 27 2009 Ray Strode <rstrode at redhat.com> 2.28.1-11
+- Tighten permissions on /var/run/gdm (bug 531063)
+
* Mon Oct 26 2009 Ray Strode <rstrode at redhat.com> 2.28.1-10
- Position shutdown menu properly on multihead machines
- Previous message (by thread): rpms/asterisk/F-11 0008-Revert-changes-to-pbx_lua-from-rev-126363-that-cause.patch, NONE, 1.1 0005-Build-using-external-libedit.patch, 1.7, 1.8 asterisk.spec, 1.55, 1.56 sources, 1.23, 1.24
- Next message (by thread): rpms/rygel/devel .cvsignore, 1.5, 1.6 rygel.spec, 1.15, 1.16 sources, 1.5, 1.6
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list