[X2Go-Commits] libpam-x2go.git - x2gosession (branch) updated: 626a5ed1cc6421c00f103fa769ac19f867e7ed1f

Wed Apr 24 18:47:24 CEST 2013

The branch, x2gosession has been updated
  discards  829831debae6d31f199056444739f90b0f9e996d (commit)
  discards  6e7601e14089a79aec2accfa800c259049449b8e (commit)
  discards  817ff829b60891959d4b947fbd79c7bd3e2e67dd (commit)
  discards  645af42abcb4b3ac922705751d134d31d8959912 (commit)
  discards  edbe36fbccacebc2de6d15d0bfa3d480dd69a135 (commit)
  discards  48df96792e41ff14f101fbb9829a059b0cdd3879 (commit)
       via  626a5ed1cc6421c00f103fa769ac19f867e7ed1f (commit)

This update added new revisions after undoing existing revisions.  That is
to say, the old revision is not a strict subset of the new revision.  This
situation occurs when you --force push a change and generate a repository
containing something like this:

 * -- * -- B -- O -- O -- O (829831debae6d31f199056444739f90b0f9e996d)
            \
             N -- N -- N (626a5ed1cc6421c00f103fa769ac19f867e7ed1f)

When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 src/pam-freerdp.c |   81 +++++++++++++++++++++--------------------------------
 1 file changed, 32 insertions(+), 49 deletions(-)

The diff of changes is:

diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c
index f234ca9..2261a20 100644
--- a/src/pam-freerdp.c
+++ b/src/pam-freerdp.c
@@ -23,7 +23,7 @@
 #include <sys/wait.h>
 #include <sys/types.h>
 #include <sys/socket.h>
-#include <sys/mman.h>
+#include <sys/stat.h>
 #include <sys/un.h>
 #include <pwd.h>
 
@@ -33,13 +33,6 @@
 
 #define PAM_TYPE_DOMAIN  1234
 
-static char * global_domain = NULL;
-/* FIXME? This is a work around to the fact that PAM seems to be clearing
-   the auth token between authorize and open_session.  Which then requires
-   us to save it.  Seems like we're the wrong people to do it, but we have
-   no choice */
-static char * global_password = NULL;
-
 /* Either grab a value or prompt for it */
 static char *
 get_item (pam_handle_t * pamh, int type)
@@ -49,14 +42,7 @@ get_item (pam_handle_t * pamh, int type)
 	if (type != PAM_TYPE_DOMAIN) {
 		char * value = NULL;
 		if (pam_get_item(pamh, type, (const void **)&value) == PAM_SUCCESS && value != NULL) {
-			return value;
-		}
-		if (type == PAM_AUTHTOK && global_password != NULL) {
-			return global_password;
-		}
-	} else {
-		if (global_domain != NULL) {
-			return global_domain;
+			return strdup(value);
 		}
 	}
 	/* Now we need to prompt */
@@ -95,17 +81,17 @@ get_item (pam_handle_t * pamh, int type)
 	}
 
 	struct pam_response * responses = NULL;
-	if (conv->conv(1, &pmessage, &responses, conv->appdata_ptr) != PAM_SUCCESS || responses == NULL) {
+	if (conv->conv(1, &pmessage, &responses, conv->appdata_ptr) != PAM_SUCCESS) {
 		return NULL;
 	}
 
-	char * promptval = responses->resp;
+	char * retval = responses->resp;
 	free(responses);
 
 	if (type == PAM_RHOST) {
-		char * subloc = strstr(promptval, "://");
+		char * subloc = strstr(retval, "://");
 		if (subloc != NULL) {
-			char * original = promptval;
+			char * original = retval;
 			char * newish = subloc + strlen("://");
 			char * endslash = strstr(newish, "/");
 
@@ -113,38 +99,11 @@ get_item (pam_handle_t * pamh, int type)
 				endslash[0] = '\0';
 			}
 
-			promptval = strdup(newish);
+			retval = strdup(newish);
 			free(original);
 		}
 	}
 
-	char * retval = NULL;
-	if (promptval != NULL) { /* Can't believe it really would be at this point, but let's be sure */
-		if (type != PAM_TYPE_DOMAIN) {
-			pam_set_item(pamh, type, (const void *)promptval);
-			/* We're returning the value saved by PAM so we can clear promptval */
-			pam_get_item(pamh, type, (const void **)&retval);
-		} else {
-			if (global_domain != NULL) {
-				free(global_domain);
-			}
-			global_domain = strdup(promptval);
-			retval = global_domain;
-		}
-		if (type == PAM_AUTHTOK) {
-			if (global_password != NULL) {
-				memset(global_password, 0, strlen(global_password));
-				munlock(global_password, strlen(global_password));
-				free(global_password);
-			}
-			global_password = strdup(promptval);
-			mlock(global_password, strlen(global_password));
-			retval = global_password;
-		}
-
-		free(promptval);
-	}
-
 	return retval;
 }
 
@@ -154,6 +113,9 @@ get_item (pam_handle_t * pamh, int type)
 		goto done; \
 	}
 
+/* TODO: Make this a build thing */
+#define XFREERDP "/usr/bin/xfreerdp"
+
 /* Authenticate.  We need to make sure we have a user account, that
    there are remote accounts and then verify them with FreeRDP */
 PAM_EXTERN int
@@ -233,8 +195,14 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv)
 	}
 	}
 
-	/* Return our status */
+	/* Free Memory and return our status */
 done:
+	if (username != NULL) { free(username); }
+	if (password != NULL) { free(password); }
+	if (ruser != NULL)    { free(ruser); }
+	if (rhost != NULL)    { free(rhost); }
+	if (rdomain != NULL)  { free(rdomain); }
+
 	return retval;
 }
 
@@ -295,6 +263,15 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv
 		goto done;
 	}
 
+	/* Set the socket file permissions to be 600 and the user and group
+	   to be the guest user.  NOTE: This won't protect on BSD */
+	if (chmod(socket_addr.sun_path, S_IRUSR | S_IWUSR) != 0 ||
+			chown(socket_addr.sun_path, pwdent->pw_uid, pwdent->pw_gid) != 0) {
+		close(socketfd);
+		retval = PAM_SYSTEM_ERR;
+		goto done;
+	}
+
 	/* Build this up as a buffer so we can just write it and see that
 	   very, very clearly */
 	int buffer_len = 0;
@@ -348,6 +325,12 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv
 	}
 
 done:
+	if (username != NULL) { free(username); }
+	if (password != NULL) { free(password); }
+	if (ruser != NULL)    { free(ruser); }
+	if (rhost != NULL)    { free(rhost); }
+	if (rdomain != NULL)  { free(rdomain); }
+
     return retval;
 }
 


hooks/post-receive
-- 
libpam-x2go.git (Remote login session via X2Go (PAM module))

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "libpam-x2go.git" (Remote login session via X2Go (PAM module)).


