Package: xrdp
Version: 0.10.5-4
Severity: normal
User: [email protected]
Usertags: origin-kali

Dear Maintainer,

Out of the box, the xrdp daemon runs as root:

```
$ ps faux | grep xrdp
root   451  0.0  0.4  11524  4496 ?  Ss  01:26  0:00 /usr/sbin/xrdp-sesman --nodaemon
root   480  0.0  0.6  12312  6768 ?  Ss  01:26  0:00 /usr/sbin/xrdp --nodaemon
```

This is not recommended; upstream warns against it, and provides some settings to avoid that. See this part from /etc/xrdp/xrdp.ini:

```
; Unprivileged User name and group to run the xrdp daemon.
; It is HIGHLY RECOMMENDED you set these values. See the xrdp.ini(5)
; manpage for more information on setting and checking these.
#runtime_user=xrdp
#runtime_group=xrdp
```

Upstream also provides the script /usr/share/xrdp/xrdp-chkpriv to print some diagnostics; currently the output is as follows:

```
# /usr/share/xrdp/xrdp-chkpriv
Settings
  - [xrdp.ini] runtime_user :
  - [xrdp.ini] runtime_group :
  - [xrdp.ini] certificate : /etc/xrdp/cert.pem
  - [xrdp.ini] key_file : /etc/xrdp/key.pem
  - [sesman.ini] SessionSockdirGroup :
[ WARN ] This system is not configured to run xrdp without privilege
```

Now, for a bit of background. Debian bookworm shipped with the xrdp 0.9 series, and if you try it out, you'll see that the xrdp daemon runs as the xrdp user. This was achieved via some Debian-specific patches.

From Debian trixie onward, Debian shipped with the xrdp 0.10 series, and two things happened:

* most of the Debian patches were dropped
* upstream started to provide a mechanism so that the xrdp daemon can drop privileges (see the xrdp.ini extract quoted above); however, this was never enabled in the Debian package

Consequently, from trixie onward the xrdp daemon runs as root. I think it's a significant regression in terms of security. We must provide a better setup out of the box for our users.

Please find a tentative merge request at:

https://salsa.debian.org/debian-remote-team/xrdp/-/merge_requests/13

With this MR, new xrdp installations will have the xrdp daemon run unprivileged out of the box.

For upgrades, users who modified their xrdp.ini file and decide to keep their own versions will not benefit from this change. Maybe that would warrant a NEWS entry to explain that the default config was insecure for xrdp 0.10.x, and what steps should be done to fix that manually? The steps are actually simple: there are just 3 settings to uncomment in xrdp.ini and sesman.ini.

What do you think?

Cheers,
Arnaud
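The report's "3 settings to uncomment" are the ones xrdp-chkpriv lists as empty: runtime_user and runtime_group in xrdp.ini, and SessionSockdirGroup in sesman.ini. The following script is an added example (not part of the bug report, the merge request or xrdp's own xrdp-chkpriv) that an administrator upgrading from bookworm could run to verify whether a kept-back xrdp.ini still leaves the daemon running as root. It assumes only the three key names above and plain `key=value` ini syntax; the two sample ini pairs it checks are constructed inline so it runs without an xrdp installation.

```shell
#!/bin/sh
# Added example, not from the bug report or from xrdp itself: report whether
# the privilege-dropping settings are active in xrdp.ini / sesman.ini.
# Assumed key names (taken from the xrdp-chkpriv output in the report):
#   runtime_user, runtime_group   -> xrdp.ini
#   SessionSockdirGroup           -> sesman.ini

# Print the value of KEY in FILE if it is set on an uncommented line
# ("key=value", leading whitespace tolerated). Prints nothing when the key
# is absent or only present commented out with '#' or ';'.
ini_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Check one key; print a chkpriv-style line and return 1 when it is unset.
check_key() {
    v=$(ini_value "$2" "$1")
    if [ -n "$v" ]; then
        printf '  [ OK   ] %s : %s\n' "$2" "$v"
    else
        printf '  [ WARN ] %s is unset (daemon keeps running as root)\n' "$2"
        return 1
    fi
}

# check_unprivileged XRDP_INI SESMAN_INI
# Returns 0 only if all three settings are present and non-empty.
check_unprivileged() {
    ok=0
    check_key "$1" runtime_user        || ok=1
    check_key "$1" runtime_group       || ok=1
    check_key "$2" SessionSockdirGroup || ok=1
    return $ok
}

# Constructed sample files: the shipped (commented-out) defaults next to the
# corrected form, so the check can be exercised without a real install.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/xrdp-default.ini" <<'EOF'
[Globals]
; Unprivileged User name and group to run the xrdp daemon.
#runtime_user=xrdp
#runtime_group=xrdp
EOF
cat > "$tmp/sesman-default.ini" <<'EOF'
[Globals]
#SessionSockdirGroup=xrdp
EOF
cat > "$tmp/xrdp-fixed.ini" <<'EOF'
[Globals]
runtime_user=xrdp
runtime_group=xrdp
EOF
cat > "$tmp/sesman-fixed.ini" <<'EOF'
[Globals]
SessionSockdirGroup=xrdp
EOF

echo "Shipped defaults:"
check_unprivileged "$tmp/xrdp-default.ini" "$tmp/sesman-default.ini" \
    || echo "  -> not configured to run unprivileged"
echo "After uncommenting the three settings:"
check_unprivileged "$tmp/xrdp-fixed.ini" "$tmp/sesman-fixed.ini" \
    && echo "  -> configured to run unprivileged"
```

On a real system the two functions would be pointed at /etc/xrdp/xrdp.ini and /etc/xrdp/sesman.ini; the exit status of check_unprivileged makes it usable from a post-upgrade hook or a configuration-drift check.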

