From c1ce194b640288fb6c5c6d201154637d1293efa2 Mon Sep 17 00:00:00 2001 From: Marcin Krol Date: Thu, 6 Sep 2018 09:26:14 +0000 Subject: [PATCH] - release 2, disallow root logins and use xrdp group instead of users --- config.patch | 28 ++++++++++++++++++++-------- xrdp.spec | 13 ++++++++++++- 2 files changed, 32 insertions(+), 9 deletions(-) diff --git a/config.patch b/config.patch index 553344c..e27fb63 100644 --- a/config.patch +++ b/config.patch @@ -1,13 +1,16 @@ diff -ur xrdp-0.9.7.orig/sesman/sesman.ini xrdp-0.9.7/sesman/sesman.ini --- xrdp-0.9.7.orig/sesman/sesman.ini 2018-06-29 08:18:27.000000000 +0000 -+++ xrdp-0.9.7/sesman/sesman.ini 2018-07-04 18:54:10.174090693 +0000 -@@ -14,11 +14,11 @@ ++++ xrdp-0.9.7/sesman/sesman.ini 2018-09-06 09:10:42.289218472 +0000 +@@ -12,13 +12,13 @@ + ReconnectScript=reconnectwm.sh + [Security] - AllowRootLogin=true +-AllowRootLogin=true ++AllowRootLogin=false MaxLoginRetry=4 -TerminalServerUsers=tsusers -TerminalServerAdmins=tsadmins -+TerminalServerUsers=users ++TerminalServerUsers=xrdp +TerminalServerAdmins=root ; When AlwaysGroupCheck=false access will be permitted ; if the group TerminalServerUsers is not defined. @@ -43,8 +46,17 @@ diff -ur xrdp-0.9.7.orig/sesman/sesman.ini xrdp-0.9.7/sesman/sesman.ini param=X11rdp diff -ur xrdp-0.9.7.orig/xrdp/xrdp.ini xrdp-0.9.7/xrdp/xrdp.ini --- xrdp-0.9.7.orig/xrdp/xrdp.ini 2018-06-29 08:18:27.000000000 +0000 -+++ xrdp-0.9.7/xrdp/xrdp.ini 2018-07-04 18:55:55.985084386 +0000 -@@ -118,10 +118,10 @@ ++++ xrdp-0.9.7/xrdp/xrdp.ini 2018-09-06 09:13:13.540216769 +0000 +@@ -4,6 +4,8 @@ + + ; fork a new process for each incoming connection + fork=true ++; IP address to listen ++;address=127.0.0.1 + ; tcp port to listen + port=3389 + ; 'port' above should be connected to with vsock instead of tcp +@@ -118,10 +120,10 @@ ls_btn_cancel_height=30 [Logging] 
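Review bot: The switch to `TerminalServerUsers=xrdp` in the sesman.ini `[Security]` section only restricts logins if the group check is enforced. The context comment at the end of this hunk states that with `AlwaysGroupCheck=false` access is permitted when the TerminalServerUsers group is not defined. The `AlwaysGroupCheck` value itself lies outside the hunk, so if it is still false, a failed `%groupadd` or a later-removed `xrdp` group would reopen RDP logins to every account without any error. Setting `AlwaysGroupCheck=true` in the same patch would make the restriction fail closed. Separately, `TerminalServerAdmins=root` next to `AllowRootLogin=false` deserves a one-line comment saying it names the root group, not the root account.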
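Review bot: The `;address=127.0.0.1` line added to xrdp.ini is commented out, so the listener default is unchanged and port 3389 presumably stays reachable on all interfaces after install. The comment `; IP address to listen` does not tell an administrator that. I would reword it to `; IP address to listen on; when unset, xrdp listens on all addresses` and add `; uncomment to restrict to loopback, e.g. when access goes through an SSH tunnel`. If loopback-only is meant to be the packaged default for this hardening release, the line should ship uncommented instead.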
@@ -58,7 +70,7 @@ diff -ur xrdp-0.9.7.orig/xrdp/xrdp.ini xrdp-0.9.7/xrdp/xrdp.ini ; LogLevel and SysLogLevel could by any of: core, error, warning, info or debug [Channels] -@@ -153,24 +153,24 @@ +@@ -153,24 +155,24 @@ ; Some session types such as Xorg, X11rdp and Xvnc start a display server. ; Startup command-line parameters for the display server are configured ; in sesman.ini. See and configure also sesman.ini. @@ -101,7 +113,7 @@ diff -ur xrdp-0.9.7.orig/xrdp/xrdp.ini xrdp-0.9.7/xrdp/xrdp.ini [Xvnc] name=Xvnc -@@ -182,43 +182,43 @@ +@@ -182,43 +184,43 @@ #xserverbpp=24 #delay_ms=2000 diff --git a/xrdp.spec b/xrdp.spec index 757d9de..15d527b 100644 --- a/xrdp.spec +++ b/xrdp.spec @@ -2,7 +2,7 @@ Summary: Remote desktop server Summary(pl.UTF-8): Serwer remote desktop Name: xrdp Version: 0.9.7 -Release: 1 +Release: 2 License: GPL Group: X11/Applications/Networking Source0: https://github.com/neutrinolabs/xrdp/releases/download/v%{version}/%{name}-%{version}.tar.gz @@ -27,6 +27,9 @@ Requires(post,preun): /sbin/chkconfig Requires: /usr/bin/Xvnc Requires: rc-scripts Requires: xinitrc-ng +Requires(postun): /usr/sbin/groupdel +Requires(pre): /usr/bin/getgid +Requires(pre): /usr/sbin/groupadd BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n) %description @@ -118,6 +121,9 @@ install %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/xrdp/startwm.sh :> $RPM_BUILD_ROOT/etc/security/blacklist.sesman +%pre +%groupadd -g 183 xrdp + %post /sbin/chkconfig --add xrdp %service xrdp restart "xrdp server" @@ -128,6 +134,11 @@ if [ "$1" = "0" ]; then /sbin/chkconfig --del xrdp fi +%postun +if [ "$1" = "0" ]; then + %groupremove xrdp +fi + %clean rm -rf $RPM_BUILD_ROOT -- 2.44.0
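Review bot: The `%pre` scriptlet creates the `xrdp` group empty and nothing in the spec hunks documents that, so after a fresh install no account passes the TerminalServerUsers check until an administrator adds members. A comment above `%groupadd -g 183 xrdp`, such as `# members of this group are the only accounts allowed to log in via sesman (TerminalServerUsers)`, plus a short `%post` message, would make this explicit. Whether sesman.ini is packaged as `%config(noreplace)` is not visible in these hunks; if it is, hosts upgraded from release 1 keep `AllowRootLogin=true` and the old group names, so the hardening would reach fresh installs only and that should be called out in the changelog. The `%postun` hunk removes the group on erase, so memberships are lost across a remove and reinstall, which is worth noting in the same comment.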