[X2Go-Commits] libpam-x2go.git - x2gosession (branch) updated: b027ad477e7a42e6cbe3a9485d41e2c2abc57365

X2Go dev team git-admin at x2go.org
Wed Apr 24 18:47:24 CEST 2013


The branch, x2gosession has been updated
  discards  c8d25717c4a441e05b1c702288a1b5928e62c288 (commit)
  discards  d9da9b90a2be88825b3219f21b5865872591bbdb (commit)
  discards  6e7601e14089a79aec2accfa800c259049449b8e (commit)
  discards  817ff829b60891959d4b947fbd79c7bd3e2e67dd (commit)
  discards  645af42abcb4b3ac922705751d134d31d8959912 (commit)
  discards  edbe36fbccacebc2de6d15d0bfa3d480dd69a135 (commit)
  discards  48df96792e41ff14f101fbb9829a059b0cdd3879 (commit)
       via  b027ad477e7a42e6cbe3a9485d41e2c2abc57365 (commit)
       via  626a5ed1cc6421c00f103fa769ac19f867e7ed1f (commit)
       via  e2dbf52d86c5c6e1734c7df1b17d8ced9589e82a (commit)
       via  0b41e3977e41d07997f008a8344f9ab70e4d213d (commit)

This update added new revisions after undoing existing revisions.  That is
to say, the old revision is not a strict subset of the new revision.  This
situation occurs when you --force push a change and generate a repository
containing something like this:

 * -- * -- B -- O -- O -- O (c8d25717c4a441e05b1c702288a1b5928e62c288)
            \
             N -- N -- N (b027ad477e7a42e6cbe3a9485d41e2c2abc57365)

When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 src/pam-freerdp.c |   74 +++++++++++++++++++----------------------------------
 1 file changed, 26 insertions(+), 48 deletions(-)

The diff of changes is:
diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c
index 82704c5..df2f3c5 100644
--- a/src/pam-freerdp.c
+++ b/src/pam-freerdp.c
@@ -23,7 +23,7 @@
 #include <sys/wait.h>
 #include <sys/types.h>
 #include <sys/socket.h>
-#include <sys/mman.h>
+#include <sys/stat.h>
 #include <sys/un.h>
 #include <pwd.h>
 
@@ -33,13 +33,6 @@
 
 #define PAM_TYPE_DOMAIN  1234
 
-static char * global_domain = NULL;
-/* FIXME? This is a work around to the fact that PAM seems to be clearing
-   the auth token between authorize and open_session.  Which then requires
-   us to save it.  Seems like we're the wrong people to do it, but we have
-   no choice */
-static char * global_password = NULL;
-
 /* Either grab a value or prompt for it */
 static char *
 get_item (pam_handle_t * pamh, int type)
@@ -51,13 +44,6 @@ get_item (pam_handle_t * pamh, int type)
 		if (pam_get_item(pamh, type, (const void **)&value) == PAM_SUCCESS && value != NULL) {
 			return strdup(value);
 		}
-		if (type == PAM_AUTHTOK && global_password != NULL) {
-			return strdup(global_password);
-		}
-	} else {
-		if (global_domain != NULL) {
-			return strdup(global_domain);
-		}
 	}
 	/* Now we need to prompt */
 
@@ -95,7 +81,7 @@ get_item (pam_handle_t * pamh, int type)
 	}
 
 	struct pam_response * responses = NULL;
-	if (conv->conv(1, &pmessage, &responses, conv->appdata_ptr) != PAM_SUCCESS || responses == NULL) {
+	if (conv->conv(1, &pmessage, &responses, conv->appdata_ptr) != PAM_SUCCESS) {
 		return NULL;
 	}
 
@@ -118,26 +104,6 @@ get_item (pam_handle_t * pamh, int type)
 		}
 	}
 
-	if (retval != NULL) { /* Can't believe it really would be at this point, but let's be sure */
-		if (type != PAM_TYPE_DOMAIN) {
-			pam_set_item(pamh, type, (const void *)retval);
-		} else {
-			if (global_domain != NULL) {
-				free(global_domain);
-			}
-			global_domain = strdup(retval);
-		}
-		if (type == PAM_AUTHTOK) {
-			if (global_password != NULL) {
-				memset(global_password, 0, strlen(global_password));
-				munlock(global_password, strlen(global_password));
-				free(global_password);
-			}
-			global_password = strdup(retval);
-			mlock(global_password, strlen(global_password));
-		}
-	}
-
 	return retval;
 }
 
@@ -147,6 +113,9 @@ get_item (pam_handle_t * pamh, int type)
 		goto done; \
 	}
 
+/* TODO: Make this a build thing */
+#define XFREERDP "/usr/bin/xfreerdp"
+
 /* Authenticate.  We need to make sure we have a user account, that
    there are remote accounts and then verify them with FreeRDP */
 PAM_EXTERN int
@@ -283,7 +252,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv
 	memset(&socket_addr, 0, sizeof(struct sockaddr_un));
 	socket_addr.sun_family = AF_UNIX;
 	strncpy(socket_addr.sun_path, pwdent->pw_dir, sizeof(socket_addr.sun_path) - 1);
-	strncpy(socket_addr.sun_path + strlen(pwdent->pw_dir), "/.freerdp-socket", (sizeof(socket_addr.sun_path) - strlen(pwdent->pw_dir)) - 1);
+	strncpy(socket_addr.sun_path + strlen(pwdent->pw_dir), "/.freerdp-socket", sizeof(socket_addr.sun_path) - 1);
 
 	/* We bind the socket before forking so that we ensure that
 	   there isn't a race condition to get to it.  Things will block
@@ -294,6 +263,15 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv
 		goto done;
 	}
 
+	/* Set the socket file permissions to be 600 and the user and group
+	   to be the guest user.  NOTE: This won't protect on BSD */
+	if (chmod(socket_addr.sun_path, S_IRUSR | S_IWUSR) != 0 ||
+			chown(socket_addr.sun_path, pwdent->pw_uid, pwdent->pw_gid) != 0) {
+		close(socketfd);
+		retval = PAM_SYSTEM_ERR;
+		goto done;
+	}
+
 	/* Build this up as a buffer so we can just write it and see that
 	   very, very clearly */
 	int buffer_len = 0;
@@ -303,15 +281,10 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv
 	buffer_len += strlen(password) + 1; /* Add one for the NULL */
 
 	char * buffer = malloc(buffer_len);
-	/* Lock the buffer before writing */
-	mlock(buffer, buffer_len);
 	snprintf(buffer, buffer_len, "%s %s %s %s", ruser, password, rdomain, rhost);
 
 	pid_t pid = fork();
 	if (pid == 0) {
-		/* Locks to carry over */
-		mlock(buffer, buffer_len);
-
 		if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 ||
 				setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) {
 			_exit(EXIT_FAILURE);
@@ -346,14 +319,11 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv
 	} else if (pid < 0) {
 		retval = PAM_SYSTEM_ERR;
 		close(socketfd);
+		free(buffer);
 	} else {
 		session_pid = pid;
 	}
 
-	memset(buffer, 0, buffer_len);
-	munlock(buffer, buffer_len);
-	free(buffer);
-
 done:
 	if (username != NULL) { free(username); }
 	if (password != NULL) { free(password); }
@@ -377,12 +347,20 @@ pam_sm_close_session (pam_handle_t *pamh, int flags, int argc, const char **argv
 	return PAM_IGNORE;
 }
 
+/* LightDM likes to have this function around, but we don't need it as we
+   don't have a token hanging around. */
+PAM_EXTERN int
+pam_sm_setcred (pam_handle_t *pamh, int flags, int argc, const char ** argv)
+{
+	return PAM_SUCCESS;
+}
+
 #ifdef PAM_STATIC
 
 struct pam_module _pam_freerdp_modstruct = {
-     "pam-freerdp",
+     "pam_freerdp",
      pam_sm_authenticate,
-     NULL,
+     pam_sm_setcred,
      NULL,
      pam_sm_open_session,
      pam_sm_close_session,


hooks/post-receive
-- 
libpam-x2go.git (Remote login session via X2Go (PAM module))

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "libpam-x2go.git" (Remote login session via X2Go (PAM module)).




More information about the x2go-commits mailing list