diff --git a/sesman/access.c b/sesman/access.c index 00c9c381..692575e5 100644 --- a/sesman/access.c +++ b/sesman/access.c @@ -42,7 +42,7 @@ access_login_allowed(char *user) return 0; } - if (0 == g_cfg->sec.ts_users_enable) + if ((0 == g_cfg->sec.ts_users_enable) && (0==g_cfg->sec.ts_always_group_check)) { LOG_DBG("Terminal Server Users group is disabled, allowing authentication", 1); @@ -57,7 +57,7 @@ access_login_allowed(char *user) if (g_cfg->sec.ts_users == gid) { - LOG_DBG("ts_users is user's primary group"); + log_message(LOG_LEVEL_DEBUG,"ts_users is user's primary group"); return 1; } diff --git a/sesman/config.c b/sesman/config.c index 9938249f..e2131c14 100644 --- a/sesman/config.c +++ b/sesman/config.c @@ -286,13 +286,18 @@ config_read_security(int file, struct config_security *sc, sc->ts_admins = gid; } } + if (0 == g_strcasecmp(buf, SESMAN_CFG_SEC_ALWAYSGROUPCHECK)) + { + sc->ts_always_group_check = text2bool((char *)list_get_item(param_v, i)); + } } /* printing security config */ g_printf("security configuration:\r\n"); g_printf("\tAllowRootLogin: %i\r\n", sc->allow_root); g_printf("\tMaxLoginRetry: %i\r\n", sc->login_retry); - + g_printf("\tAlwaysGroupCheck: %i\r\n", sc->ts_always_group_check); + if (sc->ts_users_enable) { g_printf("\tTSUsersGroup: %i\r\n", sc->ts_users); diff --git a/sesman/config.h b/sesman/config.h index 72c6cac4..263975b3 100644 --- a/sesman/config.h +++ b/sesman/config.h @@ -56,6 +56,7 @@ #define SESMAN_CFG_SEC_ALLOW_ROOT "AllowRootLogin" #define SESMAN_CFG_SEC_USR_GROUP "TerminalServerUsers" #define SESMAN_CFG_SEC_ADM_GROUP "TerminalServerAdmins" +#define SESMAN_CFG_SEC_ALWAYSGROUPCHECK "AlwaysGroupCheck" #define SESMAN_CFG_SESSIONS "Sessions" #define SESMAN_CFG_SESS_MAX "MaxSessions" @@ -93,6 +94,11 @@ struct config_security */ int ts_admins_enable; int ts_admins; + /** + * @var ts_always_group_check + * @brief if the Groups are not found deny access + */ + int ts_always_group_check; }; /** diff --git a/sesman/sesman.ini b/sesman/sesman.ini index f2a210a4..571e063b 100644 --- a/sesman/sesman.ini +++ b/sesman/sesman.ini @@ -10,6 +10,9 @@ AllowRootLogin=1 MaxLoginRetry=4 TerminalServerUsers=tsusers TerminalServerAdmins=tsadmins +# When AlwaysGroupCheck = false access will be permitted +# if the group TerminalServerUsers is not defined. +AlwaysGroupCheck = false [Sessions] X11DisplayOffset=10 diff --git a/xrdp/xrdp_wm.c b/xrdp/xrdp_wm.c index e779d641..502eab94 100644 --- a/xrdp/xrdp_wm.c +++ b/xrdp/xrdp_wm.c @@ -455,7 +455,7 @@ xrdp_wm_load_static_colors_plus(struct xrdp_wm *self, char *autorun_name) else if (g_strcasecmp(val, "pamerrortxt") == 0) { val = (char *)list_get_item(values, index); - g_strncpy(self->pamerrortxt,val,256); + g_strncpy(self->pamerrortxt,val,255); } } }