Created attachment 2680 [details] This patch is to change the location of the XAUTHORITY file from ~/.Xauthority to a per-session Xauth file in the /tmp directory.

If a user's home directory is read-only, then the X11 connection will be rejected because of wrong authentication. For example,

$ ssh -l hylee_local a-server
Password:
Last login: Wed Aug 5 14:09:42 2015 from 10.132.148.106
/usr/bin/xauth: timeout in locking authority file /export/home/hylee_local/.Xauthority
hylee_local$ /usr/bin/xemacs /tmp/junk
X11 connection rejected because of wrong authentication.
...

The root cause of the problem is that the xauth program (invoked by sshd) couldn't lock the non-writable ~/.Xauthority file. This is a serious problem on Solaris, because a writable home directory isn't always available for root in an immutable zone.

We have resolved this problem by changing sshd to use a distinct temporary X authority file for each session. This temporary Xauthority file will be stored in the /tmp directory and it will be removed when the session is closed. Attached is our bug-fix patch file, which applies to OpenSSH 6.8p1.
Retarget to openssh-7.3
Created attachment 2809 [details] new patch file for per session xauth enhancement
Recently, we discovered that the original code changes for this enhancement would not work if UsePrivilegeSeparation is set to NO. We fixed the problem with the following code changes: -------------------------------------------------------------------- --- old/session.c Mon Apr 25 15:33:39 2016 +++ new/session.c Mon Apr 25 15:37:31 2016 @@ -2241,6 +2241,7 @@ * means that we won't set XAUTHORITY variable in child's environment * and xauth(1) will use the default location for the authority file. */ + temporarily_use_uid(s->pw); if (mkdtemp(xauthdir) != NULL) { s->auth_file = xmalloc(MAXPATHLEN); snprintf(s->auth_file, MAXPATHLEN, "%s/xauthfile", @@ -2273,6 +2274,7 @@ "authority file: %.100s; will use the default xauth file", strerror(errno)); } + restore_uid(); #endif return success; } ----------------------------------------------------------------------- A new patch file was attached also, which applies to OpenSSH 7.2p2.
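Review bot: the temporarily_use_uid(s->pw) added before the mkdtemp(xauthdir) call and the restore_uid() added just before the #endif bracket the whole mkdtemp/auth_file block, so any early return on the code between the two hunks (not visible in this excerpt) would leave the privileged sshd running as the user; please confirm there is none, or put restore_uid() on each exit path. The pairing also needs checking against the preprocessor conditional that #endif closes: if the first hunk's temporarily_use_uid() is outside that conditional while restore_uid() is inside it, a build with the block compiled out would switch uid and never switch back. Finally, the comment retained as context ("we won't set XAUTHORITY variable in child's environment and xauth(1) will use the default location") now describes the fallback path only; a one-line comment saying why the uid switch is needed (with UsePrivilegeSeparation no, this code runs as root, so mkdtemp would otherwise create a root-owned directory and xauthfile the user cannot use) would save the next reader a trip to this bug.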
retarget unfinished bugs to next release
OpenSSH 7.4 release is closing; punt the bugs to 7.5
Move incomplete bugs to openssh-7.6 target since 7.5 shipped a while back. To calibrate expectations, there's little chance all of these are going to make 7.6.
remove 7.5 target
Created attachment 3047 [details] factor out agent socket directory creation for reuse The agent forwarding code already creates one directory, so to avoid a proliferation, this factors it out in preparation for using it for xauth files too. Also moves the ExposeAuthInfo contents to that directory now that it is convenient.
Created attachment 3048 [details] create xauth file in temp directory This uses the previous refactoring to create a per-session xauth file. If the file is created successfully then its location is supplied via XAUTHORITY and automatically used by xauth(1).
Move to OpenSSH 7.8 tracking bug
dtucker made this observation: > this will make it much harder to use an X display from anywhere else > other than the session that created it. Right now I could do > "DISPLAY=:10.0 some_installer" on the console and it'll pick > up the cookie from ~/.Xauthority and probably work, or at least be no > more broken than usual. > > I'm not sure if that's a down side or not but it's certainly a change > in behaviour.
untarget this because we'll need to think about it a little more. Maybe we could do an access(3) check and only fall back to tmp-hosted XAUTHORITY if it failed? OTOH that seems an excessively complex solution to what is essentially a configuration problem.
(In reply to Damien Miller from comment #16) > Maybe we could do an access(3) check and only fall back to > tmp-hosted XAUTHORITY if it failed? There are other reasons for putting .Xauthority outside the home directory besides the home directory being read only. See, for example, the write-up at https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1648107.
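An added example, not code from OpenSSH or from any patch attached to this bug: a small POSIX sh model of the behaviour discussed in comments 13 and 16, i.e. keep ~/.Xauthority when it is usable (the access(3) check idea) and fall back to a private per-session file under the temporary directory, created with mktemp -d the way the patch uses mkdtemp(3), only when it is not. The function names choose_xauthority and start_session, the ssh-xauth-XXXXXX template and the xauthfile name are my own choices for illustration; the only tools assumed are a POSIX shell and mktemp(1) with -d.

```shell
# choose_xauthority HOME
#   Prints ~/.Xauthority when that file is writable, or when it does not
#   exist yet and the home directory is writable (so xauth(1) can create
#   and lock it); otherwise prints a fresh per-session file under $TMPDIR.
#   Example code, not OpenSSH's own logic.
choose_xauthority() {
    home=$1
    default="$home/.Xauthority"
    # Existing, writable cookie file: keep the traditional location so other
    # sessions of the same user (the "DISPLAY=:10.0 some_installer" case in
    # comment 15) still find the cookie.
    if [ -f "$default" ] && [ -w "$default" ]; then
        printf '%s\n' "$default"
        return 0
    fi
    # No file yet, but the directory is writable: xauth(1) will create it.
    if [ ! -e "$default" ] && [ -d "$home" ] && [ -w "$home" ]; then
        printf '%s\n' "$default"
        return 0
    fi
    # Read-only or missing home (the immutable-zone case from comment 1):
    # fall back to a private per-session directory. mktemp -d creates it
    # mode 0700 and owned by the calling user, so the cookie is not readable
    # by others even though it lives under a world-writable /tmp.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/ssh-xauth-XXXXXX") || return 1
    printf '%s/xauthfile\n' "$dir"
}

# start_session HOME DISPLAY
#   Sets XAUTHORITY for a session and, when the fallback was taken, removes
#   the temporary directory on shell exit, mirroring sshd deleting its
#   per-session file when the session closes. Prints the resulting
#   environment so a caller can see which path was chosen.
start_session() {
    XAUTHORITY=$(choose_xauthority "$1") || return 1
    export XAUTHORITY
    case $XAUTHORITY in
        "${TMPDIR:-/tmp}"/ssh-xauth-*/xauthfile)
            # Expand the directory name now, so the trap never runs
            # rm -rf on an empty or later-changed variable.
            trap "rm -rf '$(dirname "$XAUTHORITY")'" EXIT ;;
    esac
    printf 'XAUTHORITY=%s DISPLAY=%s\n' "$XAUTHORITY" "$2"
}
```

The writability check settles only the read-only-home case raised in this bug; a user who has deliberately relocated the cookie file for the reasons comment 18 links to still needs the XAUTHORITY already in the login environment to be honoured, which this model does not attempt.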