Add xauth support to get more security for all backends

master
BLINDAUER Emmanuel 8 years ago
parent 5966de4ee2
commit 7bd1823ceb

@ -28,6 +28,7 @@
#include "sesman.h" #include "sesman.h"
#include "grp.h" #include "grp.h"
#include "ssl_calls.h" #include "ssl_calls.h"
#include "os_calls.h"
extern unsigned char g_fixedkey[8]; /* in sesman.c */ extern unsigned char g_fixedkey[8]; /* in sesman.c */
extern struct config_sesman *g_cfg; /* in sesman.c */ extern struct config_sesman *g_cfg; /* in sesman.c */
@ -200,3 +201,42 @@ env_set_user(const char *username, char **passwd_file, int display,
return error; return error;
} }
/******************************************************************************/
int DEFAULT_CC
env_add_xauth_user(int display, char *cookie, char *file)
{
FILE *dp, *fd;
char xauth_str[256];
if ( file == NULL )
{
fd=fopen(".Xauthority", "a");
if (fd == NULL)
freopen(".Xauthority", "a", fd);
fclose(fd);
g_sprintf(xauth_str, "xauth -q add :%d . %s", display, cookie);
}
else
{
fd=fopen(file, "a");
if (fd == NULL)
freopen(file, "a", fd);
fclose(fd);
g_sprintf(xauth_str, "xauth -q -f %s add :%d . %s", file, display, cookie);
}
log_message(LOG_LEVEL_DEBUG,
"xauth command: %s", xauth_str);
if ( (dp = popen(xauth_str,"r")) == NULL ) {
log_message(LOG_LEVEL_INFO, "xauth failed, no X security");
return 1;
}
pclose(dp);
return 0;
}
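Review bot: When `fopen()` fails, the fallback `freopen(".Xauthority", "a", fd)` (and its twin for `file`) is handed a NULL stream and the following `fclose(fd)` closes NULL — both undefined behaviour, so the failure path crashes rather than reporting "no X security". The command is then built with an unbounded `g_sprintf` into the 256-byte `xauth_str` and passed to `popen()`, which runs it through /bin/sh; in this commit the caller passes `file == NULL`, but any future caller routing `XAUTHORITY` here would let an overlong or shell-metacharacter-bearing path overflow the buffer or be interpreted by the shell, so the format should be `g_snprintf` with a length check (and longer term xauth is better started via fork/exec with an argv than a shell string). `pclose(dp)`'s exit status is also discarded, so a failing `xauth add` still returns 0 and the session proceeds as if the cookie were registered; `if (pclose(dp) != 0) { log_message(LOG_LEVEL_INFO, "xauth failed, no X security"); return 1; }` would surface it. Rewritten open/format part below; the popen part is unchanged.
```c
int DEFAULT_CC
env_add_xauth_user(int display, char *cookie, char *file)
{
    FILE *dp, *fd;
    char xauth_str[256];
    const char *path = (file != NULL) ? file : ".Xauthority";
    int len;

    /* make sure the authority file exists; report a failed open instead of
       passing a NULL stream to freopen()/fclose() */
    fd = fopen(path, "a");
    if (fd == NULL)
    {
        log_message(LOG_LEVEL_INFO, "cannot open %s, no X security", path);
        return 1;
    }
    fclose(fd);

    /* bounded: file (if given) and cookie are caller-supplied strings */
    if (file == NULL)
    {
        len = g_snprintf(xauth_str, sizeof(xauth_str),
                         "xauth -q add :%d . %s", display, cookie);
    }
    else
    {
        len = g_snprintf(xauth_str, sizeof(xauth_str),
                         "xauth -q -f %s add :%d . %s", file, display, cookie);
    }
    if (len < 0 || len >= (int) sizeof(xauth_str))
    {
        log_message(LOG_LEVEL_INFO, "xauth command too long, no X security");
        return 1;
    }
    /* … unchanged: debug log, popen()/pclose() … */
```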

@ -53,4 +53,17 @@ int DEFAULT_CC
env_set_user(const char *username, char **passwd_file, int display, env_set_user(const char *username, char **passwd_file, int display,
const struct list *env_names, const struct list *env_values); const struct list *env_names, const struct list *env_values);
/**
*
* @brief create the XAUTORITY file for the user according to the display and the cookie
* xauth uses XAUTORITY if defined, ~/.Xauthority otherwise
* @param display The session display
* @param cookie The cookie
* @param file If not NULL, write the autorization in the file instead of default location
* @return 0 if adding the cookie is ok
*/
int DEFAULT_CC
env_add_xauth_user(int display, char *cookie, char * file);
#endif #endif
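Review bot: The new prototype `env_add_xauth_user(int display, char *cookie, char * file)` takes both strings as mutable although the implementation only reads them; `int DEFAULT_CC env_add_xauth_user(int display, const char *cookie, const char *file);` lets callers pass literals and states the no-modification contract (the definition in env.c needs the same change). The doc comment misspells the variable and the word: `XAUTORITY` should be `XAUTHORITY` and `autorization` should be `authorization`. `@return` only documents success; add `non-zero if the authority file cannot be created or xauth cannot be run` so callers know the failure is signalled and can refuse to start an unprotected display.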

@ -30,6 +30,7 @@
#if defined(HAVE_CONFIG_H) #if defined(HAVE_CONFIG_H)
#include "config_ac.h" #include "config_ac.h"
#endif #endif
#include <stdio.h>
#include "arch.h" #include "arch.h"
#include "parse.h" #include "parse.h"
#include "os_calls.h" #include "os_calls.h"

@ -676,6 +676,20 @@ session_start_fork(tbus data, tui8 type, struct SCP_SESSION *s)
g_snprintf(text, 255, "%d", g_cfg->sess.kill_disconnected); g_snprintf(text, 255, "%d", g_cfg->sess.kill_disconnected);
g_setenv("XRDP_SESMAN_KILL_DISCONNECTED", text, 1); g_setenv("XRDP_SESMAN_KILL_DISCONNECTED", text, 1);
/* now the Xauthority stuff */
char cookie[33] = "";
char authfile[255] = ".Xauthority";
if (g_getenv("XAUTHORITY") !=NULL)
g_sprintf(authfile, "%s", g_getenv("XAUTHORITY"));
/* Create the cookie */
srand((unsigned int) time(0));
for (i = 0; i < 32; i += 2)
sprintf(&cookie[i], "%02X", rand() % 16);
/* Add the entry in XAUTORITY file */
env_add_xauth_user(display, cookie, NULL);
if (type == SESMAN_SESSION_TYPE_XORG) if (type == SESMAN_SESSION_TYPE_XORG)
{ {
#ifdef HAVE_SYS_PRCTL_H #ifdef HAVE_SYS_PRCTL_H
@ -702,6 +716,8 @@ session_start_fork(tbus data, tui8 type, struct SCP_SESSION *s)
/* these are the must have parameters */ /* these are the must have parameters */
list_add_item(xserver_params, (tintptr) g_strdup(xserver)); list_add_item(xserver_params, (tintptr) g_strdup(xserver));
list_add_item(xserver_params, (tintptr) g_strdup(screen)); list_add_item(xserver_params, (tintptr) g_strdup(screen));
list_add_item(xserver_params, (tintptr) g_strdup("-auth"));
list_add_item(xserver_params, (tintptr) g_strdup(authfile));
/* additional parameters from sesman.ini file */ /* additional parameters from sesman.ini file */
list_append_list_strdup(g_cfg->xorg_params, xserver_params, 1); list_append_list_strdup(g_cfg->xorg_params, xserver_params, 1);
@ -737,6 +753,8 @@ session_start_fork(tbus data, tui8 type, struct SCP_SESSION *s)
/* these are the must have parameters */ /* these are the must have parameters */
list_add_item(xserver_params, (tintptr)g_strdup(xserver)); list_add_item(xserver_params, (tintptr)g_strdup(xserver));
list_add_item(xserver_params, (tintptr)g_strdup(screen)); list_add_item(xserver_params, (tintptr)g_strdup(screen));
list_add_item(xserver_params, (tintptr)g_strdup("-auth"));
list_add_item(xserver_params, (tintptr)g_strdup(authfile));
list_add_item(xserver_params, (tintptr)g_strdup("-geometry")); list_add_item(xserver_params, (tintptr)g_strdup("-geometry"));
list_add_item(xserver_params, (tintptr)g_strdup(geometry)); list_add_item(xserver_params, (tintptr)g_strdup(geometry));
list_add_item(xserver_params, (tintptr)g_strdup("-depth")); list_add_item(xserver_params, (tintptr)g_strdup("-depth"));
@ -768,6 +786,8 @@ session_start_fork(tbus data, tui8 type, struct SCP_SESSION *s)
/* these are the must have parameters */ /* these are the must have parameters */
list_add_item(xserver_params, (tintptr)g_strdup(xserver)); list_add_item(xserver_params, (tintptr)g_strdup(xserver));
list_add_item(xserver_params, (tintptr)g_strdup(screen)); list_add_item(xserver_params, (tintptr)g_strdup(screen));
list_add_item(xserver_params, (tintptr)g_strdup("-auth"));
list_add_item(xserver_params, (tintptr)g_strdup(authfile));
list_add_item(xserver_params, (tintptr)g_strdup("-geometry")); list_add_item(xserver_params, (tintptr)g_strdup("-geometry"));
list_add_item(xserver_params, (tintptr)g_strdup(geometry)); list_add_item(xserver_params, (tintptr)g_strdup(geometry));
list_add_item(xserver_params, (tintptr)g_strdup("-depth")); list_add_item(xserver_params, (tintptr)g_strdup("-depth"));
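Review bot: The cookie built under `/* Create the cookie */` is seeded with `srand((unsigned int) time(0))` and each `%02X` receives `rand() % 16`, so the 32 hex characters hold 16 nibbles (every odd position is a literal `0`) all derived from a one-second timestamp — a guessable MIT-MAGIC-COOKIE-1 instead of the 128 random bits the protocol relies on, which weakens the protection this commit sets out to add. Draw 16 bytes from a urandom-backed source (os_calls.h, already included, provides `g_random`, which I believe reads /dev/urandom — confirm) and hex-encode each full byte. The preceding `g_sprintf(authfile, "%s", g_getenv("XAUTHORITY"))` is also unbounded into the 255-byte `authfile`; `g_snprintf(authfile, sizeof(authfile), "%s", ...)`, as this function already does for `text`, fixes it. `i` is reused from the enclosing session_start_fork, which starts and ends outside the hunk; the rewritten lines follow.
```c
    /* now the Xauthority stuff */
    char cookie[33] = "";
    char authfile[255] = ".Xauthority";
    unsigned char raw[16];
    if (g_getenv("XAUTHORITY") != NULL)
    {
        g_snprintf(authfile, sizeof(authfile), "%s", g_getenv("XAUTHORITY"));
    }
    /* Create the cookie: 16 random bytes -> 32 hex digits (MIT-MAGIC-COOKIE-1) */
    g_random((char *) raw, sizeof(raw)); /* urandom-backed per os_calls.h -- confirm */
    for (i = 0; i < 16; i++)
    {
        g_snprintf(&cookie[2 * i], 3, "%02X", raw[i]);
    }
    /* … unchanged: env_add_xauth_user(display, cookie, NULL) … */
```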
