[X2go-Dev] [PATCH] Allow users to edit their *own* sessions only
Reinhard Tartler
siretart at tauware.de
Mon Jul 25 00:10:03 CEST 2011
previously, users could create sessions under wrong uids or delete
sessions from other users. This patch implements prevents this by
checking the userid of the caller with the session id.
---
x2goserver/lib/x2gosqlitewrapper.pl | 23 ++++++++++++++++++++---
1 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/x2goserver/lib/x2gosqlitewrapper.pl b/x2goserver/lib/x2gosqlitewrapper.pl
index 70ee4e5..8483f32 100755
--- a/x2goserver/lib/x2gosqlitewrapper.pl
+++ b/x2goserver/lib/x2gosqlitewrapper.pl
@@ -25,14 +25,14 @@ use strict;
use DBI;
use POSIX;
-# retrieve home dir of x2gouser
+# retrieve home dir of x2gouser
my $x2gouser='x2gouser';
my ($uname, $pass, $uid, $pgid, $quota, $comment, $gcos, $homedir, $shell, $expire) = getpwnam($x2gouser);
my $dbfile="$homedir/x2go_sessions";
# retrieve account data of real user
my $realuser=$<;
-my ($uname, $pass, $uid, $pgid, $quota, $comment, $gcos, $homedir, $shell, $expire) = getpwnam($realuser);
+my ($uname, $pass, $uid, $pgid, $quota, $comment, $gcos, $homedir, $shell, $expire) = getpwuid($realuser);
my $dbh=DBI->connect("dbi:SQLite:dbname=$dbfile","","",{AutoCommit => 1}) or die $_;
@@ -81,6 +81,7 @@ elsif($cmd eq "listsessionsroot_all")
elsif($cmd eq "getmounts")
{
my $sid=shift or die "argument \"session_id\" missed";
+ check_user($sid);
my @strings;
my $sth=$dbh->prepare("select client, path from mounts where session_id=?");
$sth->execute($sid)or die;
@@ -91,6 +92,7 @@ elsif($cmd eq "deletemount")
{
my $sid=shift or die "argument \"session_id\" missed";
my $path=shift or die "argument \"path\" missed";
+ check_user($sid);
my $sth=$dbh->prepare("delete from mounts where session_id=? and path=?");
$sth->execute($sid, $path);
$sth->finish();
@@ -101,6 +103,7 @@ elsif($cmd eq "insertmount")
my $sid=shift or die "argument \"session_id\" missed";
my $path=shift or die "argument \"path\" missed";
my $client=shift or die "argument \"client\" missed";
+ check_user($sid);
my $sth=$dbh->prepare("insert into mounts (session_id,path,client) values (?, ?, ?)");
$sth->execute($sid, $path, $client);
if(!$sth->err())
@@ -115,6 +118,7 @@ elsif($cmd eq "insertsession")
my $display=shift or die "argument \"display\" missed";
my $server=shift or die "argument \"server\" missed";
my $sid=shift or die "argument \"session_id\" missed";
+ check_user($sid);
my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id, init_time, last_time) values
(?, ?, ?, ?, datetime('now','localtime'), datetime('now','localtime'))");
$sth->execute($display, $server, $realuser, $sid) or die $_;
@@ -131,6 +135,7 @@ elsif($cmd eq "createsession")
my $snd_port=shift or die"argument \"snd_port\" missed";
my $fs_port=shift or die"argument \"fs_port\" missed";
my $sid=shift or die "argument \"session_id\" missed";
+ check_user($sid);
my $sth=$dbh->prepare("update sessions set status='R',last_time=datetime('now','localtime'),cookie=?,agent_pid=?,
client=?,gr_port=?,sound_port=?,fs_port=? where session_id=? and uname=?");
$sth->execute($cookie, $pid, $client, $gr_port, $snd_port, $fs_port, $sid, $realuser)or die;
@@ -144,6 +149,7 @@ elsif($cmd eq "insertport")
my $sid=shift or die "argument \"session_id\" missed";
my $sshport=shift or die "argument \"port\" missed";
my $sth=$dbh->prepare("insert into used_ports (server,session_id,port) values (?, ?, ?)");
+ check_user($sid);
$sth->execute($server, $sid, $sshport) or die;
$sth->finish();
}
@@ -152,6 +158,7 @@ elsif($cmd eq "resume")
{
my $client=shift or die "argument \"client\" missed";
my $sid=shift or die "argument \"session_id\" missed";
+ check_user($sid);
my $sth=$dbh->prepare("update sessions set last_time=datetime('now','localtime'),status='R',
client=? where session_id = ? and uname=?");
$sth->execute($client, $sid, $realuser) or die;
@@ -162,6 +169,7 @@ elsif($cmd eq "changestatus")
{
my $status=shift or die "argument \"status\" missed";
my $sid=shift or die "argument \"session_id\" missed";
+ check_user($sid);
my $sth=$dbh->prepare("update sessions set last_time=datetime('now','localtime'),
status=? where session_id = ? and uname=?");
$sth->execute($status, $sid, $realuser)or die;
@@ -170,7 +178,6 @@ elsif($cmd eq "changestatus")
elsif($cmd eq "getdisplays")
{
-
#ignore $server
my @strings;
my $sth=$dbh->prepare("select display from sessions");
@@ -222,6 +229,7 @@ elsif($cmd eq "getagent")
{
my $sid=shift or die "argument \"session_id\" missed";
my $agent;
+ check_user($sid);
my $sth=$dbh->prepare("select agent_pid from sessions
where session_id=?");
$sth->execute($sid)or die;
@@ -239,6 +247,7 @@ elsif($cmd eq "getdisplay")
{
my $sid=shift or die "argument \"session_id\" missed";
my $display;
+ check_user($sid);
my $sth=$dbh->prepare("select display from sessions
where session_id =?");
$sth->execute($sid)or die;
@@ -296,6 +305,14 @@ sub checkroot
}
}
+sub check_user
+{
+ my $sid=shift or die "argument \"session_id\" missed";
+ # session id looks like someuser-51-1304005895_stDgnome-session_dp24
+ my ( $user, $rest ) = split('-', $sid, 2);
+ $user eq $uname or die "$uname is not authorized (should be $user)";
+}
+
sub fetchrow_printall_array
{
# print all arrays separated by the pipe symbol
--
1.7.4.1
More information about the x2go-dev
mailing list