- release 2, disallow root logins and use xrdp group instead of users
authorMarcin Krol <hawk@tld-linux.org>
Thu, 6 Sep 2018 09:26:14 +0000 (09:26 +0000)
committerMarcin Krol <hawk@tld-linux.org>
Thu, 6 Sep 2018 09:26:14 +0000 (09:26 +0000)
config.patch
xrdp.spec

index 553344cdb740de1114be8a1212ee9d54a6b7a69b..e27fb639df9183a42d3600a66a82809e17e0bb5f 100644 (file)
@@ -1,13 +1,16 @@
 diff -ur xrdp-0.9.7.orig/sesman/sesman.ini xrdp-0.9.7/sesman/sesman.ini
 --- xrdp-0.9.7.orig/sesman/sesman.ini  2018-06-29 08:18:27.000000000 +0000
-+++ xrdp-0.9.7/sesman/sesman.ini       2018-07-04 18:54:10.174090693 +0000
-@@ -14,11 +14,11 @@
++++ xrdp-0.9.7/sesman/sesman.ini       2018-09-06 09:10:42.289218472 +0000
+@@ -12,13 +12,13 @@
+ ReconnectScript=reconnectwm.sh
  [Security]
- AllowRootLogin=true
+-AllowRootLogin=true
++AllowRootLogin=false
  MaxLoginRetry=4
 -TerminalServerUsers=tsusers
 -TerminalServerAdmins=tsadmins
-+TerminalServerUsers=users
++TerminalServerUsers=xrdp
 +TerminalServerAdmins=root
  ; When AlwaysGroupCheck=false access will be permitted
  ; if the group TerminalServerUsers is not defined.
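Review bot: The restriction introduced by `TerminalServerUsers=xrdp` holds only while the `xrdp` group exists. The context comment directly below it says that with `AlwaysGroupCheck=false` access is permitted when the TerminalServerUsers group is not defined. The `AlwaysGroupCheck` line is outside this hunk, so its value should be confirmed. If it is still `false`, the patch should also set `AlwaysGroupCheck=true`, so that a missing group (for example a failed `%groupadd`) denies logins instead of admitting every account.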
@@ -43,8 +46,17 @@ diff -ur xrdp-0.9.7.orig/sesman/sesman.ini xrdp-0.9.7/sesman/sesman.ini
  param=X11rdp
 diff -ur xrdp-0.9.7.orig/xrdp/xrdp.ini xrdp-0.9.7/xrdp/xrdp.ini
 --- xrdp-0.9.7.orig/xrdp/xrdp.ini      2018-06-29 08:18:27.000000000 +0000
-+++ xrdp-0.9.7/xrdp/xrdp.ini   2018-07-04 18:55:55.985084386 +0000
-@@ -118,10 +118,10 @@
++++ xrdp-0.9.7/xrdp/xrdp.ini   2018-09-06 09:13:13.540216769 +0000
+@@ -4,6 +4,8 @@
+ ; fork a new process for each incoming connection
+ fork=true
++; IP address to listen
++;address=127.0.0.1
+ ; tcp port to listen
+ port=3389
+ ; 'port' above should be connected to with vsock instead of tcp
+@@ -118,10 +120,10 @@
  ls_btn_cancel_height=30
  
  [Logging]
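Review bot: The added `;address=127.0.0.1` line is commented out, so it documents the option without changing where xrdp listens. With `port=3389` left as is, the listener presumably still binds every interface. The comment should state the default and the effect of uncommenting, e.g. `; IP address to listen on (default: all interfaces); uncomment to restrict to loopback`. If the release is meant to tighten the default exposure, the line would need to be active rather than commented.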
@@ -58,7 +70,7 @@ diff -ur xrdp-0.9.7.orig/xrdp/xrdp.ini xrdp-0.9.7/xrdp/xrdp.ini
  ; LogLevel and SysLogLevel could by any of: core, error, warning, info or debug
  
  [Channels]
-@@ -153,24 +153,24 @@
+@@ -153,24 +155,24 @@
  ; Some session types such as Xorg, X11rdp and Xvnc start a display server.
  ; Startup command-line parameters for the display server are configured
  ; in sesman.ini. See and configure also sesman.ini.
@@ -101,7 +113,7 @@ diff -ur xrdp-0.9.7.orig/xrdp/xrdp.ini xrdp-0.9.7/xrdp/xrdp.ini
  
  [Xvnc]
  name=Xvnc
-@@ -182,43 +182,43 @@
+@@ -182,43 +184,43 @@
  #xserverbpp=24
  #delay_ms=2000
  
index 757d9de6b22823af8ee5ad4b6fa3d75771ccfb6b..15d527b47db3254f20c23d47c7e66319219e3bb0 100644 (file)
--- a/xrdp.spec
+++ b/xrdp.spec
@@ -2,7 +2,7 @@ Summary:        Remote desktop server
 Summary(pl.UTF-8):     Serwer remote desktop
 Name:          xrdp
 Version:       0.9.7
-Release:       1
+Release:       2
 License:       GPL
 Group:         X11/Applications/Networking
 Source0:       https://github.com/neutrinolabs/xrdp/releases/download/v%{version}/%{name}-%{version}.tar.gz
@@ -27,6 +27,9 @@ Requires(post,preun): /sbin/chkconfig
 Requires:      /usr/bin/Xvnc
 Requires:      rc-scripts
 Requires:      xinitrc-ng
+Requires(postun):       /usr/sbin/groupdel
+Requires(pre):  /usr/bin/getgid
+Requires(pre):  /usr/sbin/groupadd
 BuildRoot:     %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
 
 %description
@@ -118,6 +121,9 @@ install %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/xrdp/startwm.sh
 
 :> $RPM_BUILD_ROOT/etc/security/blacklist.sesman
 
+%pre
+%groupadd -g 183 xrdp
+
 %post
 /sbin/chkconfig --add xrdp
 %service xrdp restart "xrdp server"
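Review bot: Nothing in this commit tells the administrator that accounts must be added to the new `xrdp` group before they can log in. `%groupadd -g 183 xrdp` in `%pre` creates the group empty, while config.patch switches `TerminalServerUsers` to it. Whether an existing sesman.ini is replaced on upgrade depends on the `%files` section, which is outside this hunk, so the impact on upgraded hosts should be checked. A comment above `%pre` would help, e.g. `# xrdp group: membership gates RDP logins (TerminalServerUsers in sesman.ini)`. The package description or changelog should mention the membership requirement as well.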
@@ -128,6 +134,11 @@ if [ "$1" = "0" ]; then
        /sbin/chkconfig --del xrdp
 fi
 
+%postun
+if [ "$1" = "0" ]; then
+       %groupremove xrdp
+fi
+
 %clean
 rm -rf $RPM_BUILD_ROOT