Add xauth support to get more security for all backends

sesman/env.c

@@ -28,6 +28,7 @@
 #include "sesman.h"
 #include "grp.h"
 #include "ssl_calls.h"
+#include "os_calls.h"
 
 extern unsigned char g_fixedkey[8]; /* in sesman.c */
 extern struct config_sesman *g_cfg;  /* in sesman.c */
@@ -200,3 +201,42 @@ env_set_user(const char *username, char **passwd_file, int display,
 
     return error;
 }
+
+
+/******************************************************************************/
+int DEFAULT_CC
+env_add_xauth_user(int display, char *cookie, char *file)
+{
+    FILE *dp, *fd;
+    char xauth_str[256];
+
+    if ( file == NULL )
+    {
+        fd=fopen(".Xauthority", "a");
+        if (fd == NULL)
+            freopen(".Xauthority", "a", fd);
+        fclose(fd);
+
+        g_sprintf(xauth_str, "xauth -q add :%d . %s", display, cookie);
+    }
+    else
+    {
+        fd=fopen(file, "a");
+        if (fd == NULL)
+            freopen(file, "a", fd);
+        fclose(fd);
+
+        g_sprintf(xauth_str, "xauth -q -f %s  add :%d . %s", file, display, cookie);
+    }
+    log_message(LOG_LEVEL_DEBUG,
+                    "xauth command: %s", xauth_str);
+
+    if ( (dp = popen(xauth_str,"r")) == NULL ) {
+        log_message(LOG_LEVEL_INFO, "xauth failed, no X security");
+        return 1;
+    }
+
+    pclose(dp);
+
+    return 0;
+}

sesman/env.h

@@ -53,4 +53,17 @@ int DEFAULT_CC
 env_set_user(const char *username, char **passwd_file, int display,
              const struct list *env_names, const struct list *env_values);
 
+/**
+ *
+ * @brief create the XAUTORITY file for the user according to the display and the cookie
+ *        xauth uses XAUTORITY if defined, ~/.Xauthority otherwise
+ * @param display The session display
+ * @param cookie The cookie
+ * @param file If not NULL, write the autorization in the file instead of default location
+ * @return 0 if adding the cookie is ok
+ */
+
+int DEFAULT_CC
+env_add_xauth_user(int display, char *cookie, char * file);
+
 #endif

sesman/sesman.h

@@ -30,6 +30,7 @@
 #if defined(HAVE_CONFIG_H)
 #include "config_ac.h"
 #endif
+#include <stdio.h>
 #include "arch.h"
 #include "parse.h"
 #include "os_calls.h"

sesman/session.c

@@ -676,6 +676,20 @@ session_start_fork(tbus data, tui8 type, struct SCP_SESSION *s)
                 g_snprintf(text, 255, "%d", g_cfg->sess.kill_disconnected);
                 g_setenv("XRDP_SESMAN_KILL_DISCONNECTED", text, 1);
 
+                /* now the Xauthority stuff */
+                char cookie[33] = "";
+                char authfile[255] = ".Xauthority";
+
+                if (g_getenv("XAUTHORITY") !=NULL)
+                    g_sprintf(authfile, "%s", g_getenv("XAUTHORITY"));
+                /* Create the cookie */
+                srand((unsigned int) time(0));
+                for (i = 0; i < 32; i += 2)
+                    sprintf(&cookie[i], "%02X", rand() % 16);
+
+                /* Add the entry in XAUTORITY file */
+                env_add_xauth_user(display, cookie, NULL);
+
                 if (type == SESMAN_SESSION_TYPE_XORG)
                 {
 #ifdef HAVE_SYS_PRCTL_H
@@ -702,6 +716,8 @@ session_start_fork(tbus data, tui8 type, struct SCP_SESSION *s)
                     /* these are the must have parameters */
                     list_add_item(xserver_params, (tintptr) g_strdup(xserver));
                     list_add_item(xserver_params, (tintptr) g_strdup(screen));
+                    list_add_item(xserver_params, (tintptr) g_strdup("-auth"));
+                    list_add_item(xserver_params, (tintptr) g_strdup(authfile));
 
                     /* additional parameters from sesman.ini file */
                     list_append_list_strdup(g_cfg->xorg_params, xserver_params, 1);
@@ -737,6 +753,8 @@ session_start_fork(tbus data, tui8 type, struct SCP_SESSION *s)
                     /* these are the must have parameters */
                     list_add_item(xserver_params, (tintptr)g_strdup(xserver));
                     list_add_item(xserver_params, (tintptr)g_strdup(screen));
+                    list_add_item(xserver_params, (tintptr)g_strdup("-auth"));
+                    list_add_item(xserver_params, (tintptr)g_strdup(authfile));
                     list_add_item(xserver_params, (tintptr)g_strdup("-geometry"));
                     list_add_item(xserver_params, (tintptr)g_strdup(geometry));
                     list_add_item(xserver_params, (tintptr)g_strdup("-depth"));
@@ -768,6 +786,8 @@ session_start_fork(tbus data, tui8 type, struct SCP_SESSION *s)
                     /* these are the must have parameters */
                     list_add_item(xserver_params, (tintptr)g_strdup(xserver));
                     list_add_item(xserver_params, (tintptr)g_strdup(screen));
+                    list_add_item(xserver_params, (tintptr)g_strdup("-auth"));
+                    list_add_item(xserver_params, (tintptr)g_strdup(authfile));
                     list_add_item(xserver_params, (tintptr)g_strdup("-geometry"));
                     list_add_item(xserver_params, (tintptr)g_strdup(geometry));
                     list_add_item(xserver_params, (tintptr)g_strdup("-depth"));