Add XorgNoNewPrivileges configuration option
This allows Linux's no_new_privs restriction to be disabled when starting the X server, which may be desirable if xrdp is running inside a kernel confinement framework such as AppArmor or SELinux.
parent
b191d87e33
commit
fdfe47668b
@ -303,6 +303,15 @@ if the group specified in \fBTerminalServerUsers\fR doesn't exist.
|
||||
\fBAllowAlternateShell\fR=\fI[true|false]\fR
|
||||
If set to \fB0\fR, \fBfalse\fR or \fBno\fR, prevent usage of alternate shells by users.
|
||||
|
||||
.TP
|
||||
\fBXorgNoNewPrivileges\fR=\fI[true|false]\fR
|
||||
Only applicable on Linux. If set to \fB0\fR, \fBfalse\fR or \fBno\fR, do
|
||||
not use the kernel's \fIno_new_privs\fR restriction when invoking the Xorg
|
||||
X11 server. The use of \fIno_new_privs\fR is intended to prevent issues due
|
||||
to a setuid Xorg executable. However, if a kernel security module (such as
|
||||
AppArmor) is used to confine xrdp, \fIno_new_privs\fR may interfere with
|
||||
transitions between confinement domains.
|
||||
|
||||
.SH "X11 SERVER"
|
||||
Following parameters can be used in the \fB[Xvnc]\fR and
|
||||
\fB[Xorg]\fR sections.
|
||||
|
@ -70,6 +70,7 @@
|
||||
#define SESMAN_CFG_SEC_RESTRICT_OUTBOUND_CLIPBOARD "RestrictOutboundClipboard"
|
||||
#define SESMAN_CFG_SEC_RESTRICT_INBOUND_CLIPBOARD "RestrictInboundClipboard"
|
||||
#define SESMAN_CFG_SEC_ALLOW_ALTERNATE_SHELL "AllowAlternateShell"
|
||||
#define SESMAN_CFG_SEC_XORG_NO_NEW_PRIVILEGES "XorgNoNewPrivileges"
|
||||
|
||||
#define SESMAN_CFG_SESSIONS "Sessions"
|
||||
#define SESMAN_CFG_SESS_MAX "MaxSessions"
|
||||
@ -310,6 +311,7 @@ config_read_security(int file, struct config_security *sc,
|
||||
sc->restrict_outbound_clipboard = 0;
|
||||
sc->restrict_inbound_clipboard = 0;
|
||||
sc->allow_alternate_shell = 1;
|
||||
sc->xorg_no_new_privileges = 1;
|
||||
|
||||
file_read_section(file, SESMAN_CFG_SECURITY, param_n, param_v);
|
||||
|
||||
@ -383,6 +385,11 @@ config_read_security(int file, struct config_security *sc,
|
||||
g_text2bool((char *)list_get_item(param_v, i));
|
||||
}
|
||||
|
||||
if (0 == g_strcasecmp(buf, SESMAN_CFG_SEC_XORG_NO_NEW_PRIVILEGES))
|
||||
{
|
||||
sc->xorg_no_new_privileges =
|
||||
g_text2bool((char *)list_get_item(param_v, i));
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
@ -670,6 +677,9 @@ config_dump(struct config_sesman *config)
|
||||
g_writeln(" MaxLoginRetry: %d", sc->login_retry);
|
||||
g_writeln(" AlwaysGroupCheck: %d", sc->ts_always_group_check);
|
||||
g_writeln(" AllowAlternateShell: %d", sc->allow_alternate_shell);
|
||||
#ifdef HAVE_SYS_PRCTL_H
|
||||
g_writeln(" XorgNoNewPrivileges: %d", sc->xorg_no_new_privileges);
|
||||
#endif
|
||||
sesman_clip_restrict_mask_to_string(sc->restrict_outbound_clipboard,
|
||||
restrict_s, sizeof(restrict_s));
|
||||
g_writeln(" RestrictOutboundClipboard: %s", restrict_s);
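Review bot: The new branch in config_read_security stores whatever `g_text2bool()` returns, so the hardening default of 1 set earlier in the function is lost for any value that helper does not recognise. `g_text2bool` is not shown on this page; if it returns 0 for unrecognised text, a typo such as `XorgNoNewPrivileges=ture` would turn no_new_privs off without any message. I would log when the parsed result is 0, e.g. `if (!sc->xorg_no_new_privileges) { LOG(LOG_LEVEL_WARNING, "XorgNoNewPrivileges is disabled; Xorg will be started without no_new_privs"); }`, assuming LOG is usable in this file. Separately, config_dump prints the value only under `#ifdef HAVE_SYS_PRCTL_H` while the parser accepts the key everywhere, so on other platforms the setting is read and then has no visible effect. Both functions start and end outside the hunks shown.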
|
||||
|
@ -103,6 +103,12 @@ struct config_security
|
||||
* If not specified, 'YES' is assumed.
|
||||
*/
|
||||
int allow_alternate_shell;
|
||||
|
||||
/*
|
||||
* @var xorg_no_new_privileges
|
||||
* @brief if the Xorg X11 server should be started with no_new_privs (Linux only)
|
||||
*/
|
||||
int xorg_no_new_privileges;
|
||||
};
|
||||
|
||||
/**
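Review bot: The comment on `xorg_no_new_privileges` does not state the default, unlike the neighbouring `allow_alternate_shell` comment, which ends with "If not specified, 'YES' is assumed." config_read_security initialises the field to 1, so I would add the line ` * If not specified, 'YES' is assumed.` and say that a zero value means Xorg is started without the restriction. The block also opens with `/*` rather than `/**`; if the other members use `/**`, documentation tooling may skip this one (the neighbouring comment's opening line is outside the hunk). struct config_security begins outside the hunk.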
|
||||
|
@ -344,7 +344,7 @@ prepare_xorg_xserver_params(const struct session_parameters *s,
|
||||
* needed. Xorg can fail when run as root and the user has no
|
||||
* console permissions.
|
||||
*/
|
||||
if (g_no_new_privs() != 0)
|
||||
if (g_cfg->sec.xorg_no_new_privileges && g_no_new_privs() != 0)
|
||||
{
|
||||
LOG(LOG_LEVEL_WARNING,
|
||||
"[session start] (display %u): Failed to disable "
|
||||
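Review bot: With `g_cfg->sec.xorg_no_new_privileges` set to 0 the `&&` short-circuits, so the session starts Xorg without no_new_privs and without any log entry, and an operator reading the session log cannot tell that this hardening was switched off. I would add a message for that case ahead of the `if`, in the same `[session start] (display %u)` format as the existing warning, stating that no_new_privs was skipped by configuration. The comment above the call (it starts outside the hunk) still reads as if the restriction is always applied and should mention the option; the `if` body also continues past the hunk. When the option is off and the Xorg executable is setuid, the confinement profile is the only remaining limit on that privilege gain, which is worth stating in the comment.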
|
@ -39,6 +39,11 @@ RestrictOutboundClipboard=none
|
||||
RestrictInboundClipboard=none
|
||||
; Set to 'no' to prevent users from logging in with alternate shells
|
||||
#AllowAlternateShell=true
|
||||
; On Linux systems, the Xorg X11 server is normally invoked using
|
||||
; no_new_privs to avoid problems if the executable is suid. This may,
|
||||
; however, interfere with the use of security modules such as AppArmor.
|
||||
; Leave this unset unless you need to disable it.
|
||||
#XorgNoNewPrivileges=true
|
||||
|
||||
[Sessions]
|
||||
;; X11DisplayOffset - x11 display number offset
|
||||
|