Bugzilla – Attachment 2680 Details for
Bug 2440
X11 connection will fail if user's home directory is read-only
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
This patch is to change the location of the XAUTHORITY file from ~/.Xauthority to per session Xauh file in /tmp directory
sshd_per_session_xauthfile.patch (text/plain), 4.79 KB, created by
huieying.lee
on 2015-08-06 07:56:26 AEST
(
hide
)
Description:
This patch is to change the location of the XAUTHORITY file from ~/.Xauthority to per session Xauh file in /tmp directory
Filename:
MIME Type:
Creator:
huieying.lee
Created:
2015-08-06 07:56:26 AEST
Size:
4.79 KB
patch
obsolete
># ># This patch is to change the location of the XAUTHORITY file from ># $HOME/.Xauthority to per session Xauthority file in the /tmp directory, ># so that X11Forwarding will still work, when the user's home directory is ># read-only. ># >--- orig/session.c Thu Jul 30 10:35:15 2015 >+++ new/session.c Tue Aug 4 11:29:22 2015 >@@ -62,6 +62,10 @@ > #include <unistd.h> > #include <limits.h> > >+#ifdef PER_SESSION_XAUTHFILE >+#include <libgen.h> >+#endif >+ > #include "openbsd-compat/sys-queue.h" > #include "xmalloc.h" > #include "ssh.h" >@@ -132,6 +136,11 @@ > > static int session_pty_req(Session *); > >+#ifdef PER_SESSION_XAUTHFILE >+void session_xauthfile_cleanup(Session *); >+void cleanup_all_session_xauthfile(); >+#endif >+ > /* import */ > extern ServerOptions options; > extern char *__progname; >@@ -1218,6 +1227,11 @@ > if (getenv("TZ")) > child_set_env(&env, &envsize, "TZ", getenv("TZ")); > >+#ifdef PER_SESSION_XAUTHFILE >+ if (s->auth_file != NULL) >+ child_set_env(&env, &envsize, "XAUTHORITY", s->auth_file); >+#endif >+ > /* Set custom environment options from RSA authentication. */ > if (!options.use_login) { > while (custom_environment) { >@@ -2170,6 +2184,11 @@ > { > int success; > >+#ifdef PER_SESSION_XAUTHFILE >+ int fd; >+ char xauthdir[] = "/tmp/ssh-xauth-XXXXXX"; >+#endif >+ > if (s->auth_proto != NULL || s->auth_data != NULL) { > error("session_x11_req: session %d: " > "x11 forwarding already active", s->self); >@@ -2188,6 +2207,48 @@ > s->auth_proto = NULL; > s->auth_data = NULL; > } >+ >+#ifdef PER_SESSION_XAUTHFILE >+ /* >+ * Create per session X authority file in the /tmp directory. >+ * >+ * If mkdtemp() or open() fails then s->auth_file remains NULL which >+ * means that we won't set XAUTHORITY variable in child's environment >+ * and xauth(1) will use the default location for the authority file. >+ */ >+ if (mkdtemp(xauthdir) != NULL) { >+ s->auth_file = xmalloc(MAXPATHLEN); >+ snprintf(s->auth_file, MAXPATHLEN, "%s/xauthfile", >+ xauthdir); >+ /* >+ * we don't want that "creating new authority file" message to >+ * be printed by xauth(1) so we must create that file >+ * beforehand. >+ */ >+ if ((fd = open(s->auth_file, O_CREAT | O_EXCL | O_RDONLY, >+ S_IRUSR | S_IWUSR)) == -1) { >+ error("failed to create the temporary X authority " >+ "file %s: %.100s; will use the default one", >+ s->auth_file, strerror(errno)); >+ free(s->auth_file); >+ s->auth_file = NULL; >+ if (rmdir(xauthdir) == -1) { >+ error("cannot remove xauth directory " >+ "%s: %.100s", xauthdir, strerror(errno)); >+ } >+ } else { >+ close(fd); >+ debug("temporary X authority file %s created", >+ s->auth_file); >+ debug("session number = %d", s->self); >+ } >+ } >+ else { >+ error("failed to create a directory for the temporary X " >+ "authority file: %.100s; will use the default xauth file", >+ strerror(errno)); >+ } >+#endif > return success; > } > >@@ -2378,6 +2439,50 @@ > PRIVSEP(session_pty_cleanup2(s)); > } > >+#ifdef PER_SESSION_XAUTHFILE >+/* >+ * We use a different temporary X authority file per session so we should >+ * remove those files when cleanup_exit() is called. >+ */ >+void >+session_xauthfile_cleanup(Session *s) >+{ >+ if (s == NULL || s->auth_file == NULL) { >+ return; >+ } >+ >+ debug("session_xauthfile_cleanup: session %d removing %s", s->self, >+ s->auth_file); >+ >+ if (unlink(s->auth_file) == -1) { >+ error("session_xauthfile_cleanup: cannot remove xauth file: " >+ "%.100s", strerror(errno)); >+ return; >+ } >+ >+ /* dirname() will modify s->auth_file but that's ok */ >+ if (rmdir(dirname(s->auth_file)) == -1) { >+ error("session_xauthfile_cleanup: " >+ "cannot remove xauth directory: %.100s", strerror(errno)); >+ return; >+ } >+ free(s->auth_file); >+ s->auth_file = NULL; >+} >+ >+/* >+ * This is called by do_cleanup() when cleanup_exit() is called. >+ */ >+void >+cleanup_all_session_xauthfile() >+{ >+ int i; >+ for (i = 0; i < sessions_nalloc; i++) { >+ session_xauthfile_cleanup(&sessions[i]); >+ } >+} >+#endif >+ > static char * > sig2name(int sig) > { >@@ -2512,6 +2617,9 @@ > free(s->auth_display); > free(s->auth_data); > free(s->auth_proto); >+#ifdef PER_SESSION_XAUTHFILE >+ session_xauthfile_cleanup(s); >+#endif > free(s->subsys); > if (s->env != NULL) { > for (i = 0; i < s->num_env; i++) { >@@ -2763,6 +2871,10 @@ > /* remove agent socket */ > auth_sock_cleanup_proc(authctxt->pw); > >+#ifdef PER_SESSION_XAUTHFILE >+ cleanup_all_session_xauthfile(); >+#endif >+ > /* > * Cleanup ptys/utmp only if privsep is disabled, > * or if running in monitor. >--- orig/session.h Thu Jul 30 10:35:12 2015 >+++ new/session.h Tue Aug 4 11:30:04 2015 >@@ -49,6 +49,9 @@ > char *auth_display; > char *auth_proto; > char *auth_data; >+#ifdef PER_SESSION_XAUTHFILE >+ char *auth_file; /* xauth(1) authority file */ >+#endif > int single_connection; > > /* proto 2 */
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=2680">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 2440
:
2680
|
2809
|
3047
|
3048