Bugzilla – Attachment 1119 Details for
Bug 771
Add option to override XAUTHORITY env variable
[patch]
Patches openssh to prevent creation of user defined .Xauthority
openssh-3.9p1-xauthfile.patch (text/plain), 2.63 KB, created by
Fabien Wernli
on 2006-04-13 01:51:14 AEST
Description:
Patches openssh to prevent creation of user defined .Xauthority
Filename:
MIME Type:
Creator:
Fabien Wernli
Created:
2006-04-13 01:51:14 AEST
Size:
2.63 KB
patch
obsolete
>--- openssh-in2p3-3.9p1/session.c 2004-08-12 14:40:25.000000000 +0200
>+++ openssh-in2p3-3.9p1/session.c.ccin2p3 2006-04-12 17:27:30.000000000 +0200
>@@ -99,6 +99,10 @@
> extern void destroy_sensitive_data(void);
> extern Buffer loginmsg;
>
>+/* Local Xauthority file. */
>+static char *xauthfile;
>+extern void xauthfile_cleanup_proc(void *);
>+
> /* original command from peer. */
> const char *original_command = NULL;
>
>@@ -230,6 +234,30 @@
> }
>
> /*
>+ * Remove local Xauthority file.
>+*/
>+void
>+xauthfile_cleanup_proc(void *_pw)
>+{
>+ struct passwd *pw = _pw;
>+ char *p;
>+
>+ debug("xauthfile_cleanup_proc called");
>+ if (xauthfile != NULL) {
>+ temporarily_use_uid(pw);
>+ unlink(xauthfile);
>+ p = strrchr(xauthfile, '/');
>+ if (p != NULL) {
>+ *p = '\0';
>+ rmdir(xauthfile);
>+ }
>+ xfree(xauthfile);
>+ xauthfile = NULL;
>+ restore_uid();
>+ }
>+}
>+
>+/*
> * Prepares for an interactive session. This is called after the user has
> * been successfully authenticated. During this message exchange, pseudo
> * terminals are allocated, X11, TCP/IP, and authentication agent forwardings
>@@ -1114,6 +1142,9 @@
> }
> #endif /* USE_PAM */
>
>+ if (xauthfile)
>+ child_set_env(&env, &envsize, "XAUTHORITY", xauthfile);
>+
> if (auth_sock_name != NULL)
> child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
> auth_sock_name);
>@@ -2182,6 +2213,7 @@
> struct stat st;
> char display[512], auth_display[512];
> char hostname[MAXHOSTNAMELEN];
>+ int fd = -1;
>
> if (no_x11_forwarding_flag) {
> packet_send_debug("X11 forwarding disabled in user configuration file.");
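Review bot: The `unlink()` and `rmdir()` results in `xauthfile_cleanup_proc` are discarded, so a cookie directory left behind under /tmp is never reported. `rmdir()` fails if anything besides `cookies` remains in the directory; leftover xauth lock files are one possible cause, though that is an inference. Logging the failure, e.g. `if (rmdir(xauthfile) == -1) debug("rmdir %s: %s", xauthfile, strerror(errno));`, would make stale directories diagnosable. The header comment should also say that the function switches to the user's uid for the removal and truncates `xauthfile` in place to obtain the directory name.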
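Review bot: The `if (xauthfile)` test before `child_set_env(..., "XAUTHORITY", xauthfile)` keys the export on a file-scope static rather than on the session whose environment is being built. Every child started after forwarding was set up therefore inherits the cookie path, including sessions that never requested X11 forwarding. The enclosing function starts outside this hunk; if it has the session in scope, tying the export to it, e.g. `if (s->display != NULL && xauthfile != NULL)`, would keep the path out of unrelated environments. The same static is what makes the `xauthfile != NULL` test in the @@ -2201 hunk refuse any further forwarding request handled by this process.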
>@@ -2201,13 +2233,31 @@
> "not compatible with UseLogin=yes.");
> return 0;
> }
>- if (s->display != NULL) {
>+ if (s->display != NULL || xauthfile != NULL) {
> debug("X11 display already set.");
> return 0;
> }
>+ xauthfile = xmalloc(MAXPATHLEN);
>+ strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);
>+ temporarily_use_uid(s->pw);
>+ if (mkdtemp(xauthfile) == NULL) {
>+ error("private X11 dir: mkdtemp %s failed: %s",
>+ xauthfile, strerror(errno));
>+ restore_uid();
>+ xfree(xauthfile);
>+ xauthfile = NULL;
>+ return 0;
>+ }
>+ strlcat(xauthfile, "/cookies", MAXPATHLEN);
>+ fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600);
>+ if (fd >= 0)
>+ close(fd);
>+ restore_uid();
>+
> if (x11_create_display_inet(options.x11_display_offset,
> options.x11_use_localhost, s->single_connection,
> &s->display_number) == -1) {
>+ xauthfile_cleanup_proc(s->pw);
> debug("x11_create_display_inet failed.");
> return 0;
> }
>@@ -2294,6 +2346,10 @@
> }
> #endif
>
>+ /* remove user's local Xauthority file */
>+ if (xauthfile)
>+ xauthfile_cleanup_proc(authctxt->pw);
>+
> /* remove agent socket */
> auth_sock_cleanup_proc(authctxt->pw);
>
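Review bot: The result of `open()` on the cookie file is used only to decide whether to `close()`, so a failed create goes unhandled. The function then carries on with `xauthfile` set, the directory left in /tmp, and XAUTHORITY later exported for a file that does not exist. The failure should be handled like the `mkdtemp()` one: log it, call `restore_uid()`, then `xauthfile_cleanup_proc(s->pw)` and return 0. Separately, `debug("X11 display already set.")` is now also printed when only `xauthfile` is set, which is misleading in the log. The function begins and ends outside this hunk.

```c
	strlcat(xauthfile, "/cookies", MAXPATHLEN);
	fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600);
	if (fd < 0) {
		error("private X11 dir: open %s failed: %s",
		    xauthfile, strerror(errno));
		/* the cleanup routine switches uid itself, so restore first */
		restore_uid();
		xauthfile_cleanup_proc(s->pw);
		return 0;
	}
	close(fd);
	restore_uid();
	/* … unchanged: x11_create_display_inet call and its failure path … */
```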
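Review bot: The `if (xauthfile)` guard duplicates the `xauthfile != NULL` test already made inside `xauthfile_cleanup_proc`, and it differs in form from the unguarded `auth_sock_cleanup_proc(authctxt->pw);` call just below it. Calling `xauthfile_cleanup_proc(authctxt->pw);` unconditionally would keep the two cleanups consistent. Whether this cleanup runs in the same process that set the static `xauthfile` is not visible from this hunk and should be confirmed for configurations with privilege separation enabled, otherwise the directory would be left in /tmp.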