[X2Go-Dev] [PATCHv2] Switch to DISPLAY env. var. and UNIX socket connection on OS X.
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Wed Feb 29 16:57:30 CET 2012
Hi Mihai,
On Mo 27 Feb 2012 05:52:26 CET Mihai Moldovan wrote:
>
> Detect the current X11 socket by examining the DISPLAY environment
> variable, which is set to some UNIX socket path by launchd on each
> user login.
>
> Do a connection test via this UNIX socket.
>
> Let nxproxy use the X server via the provided UNIX socket, instead
> of connecting via TCP.
>
> This allows users to shut down network connections for X11, which is
> a potential security risk. Even more so, if connection authentication
> is turned off, which is required for "strange" setups via ssh tunnels,
> it opens up your machine to any other computer it is reachable by
> with no authentication.
>
> Signed-off-by: Mihai Moldovan <ionic at ionic.de>
> ---
> onmainwindow.cpp | 36 +++++++++---------
> onmainwindow_part2.cpp | 9 +++-
> onmainwindow_part3.cpp | 100
> ++++++++++++++++--------------------------------
> onmainwindow_privat.h | 6 +-
> 4 files changed, 61 insertions(+), 90 deletions(-)
>
> diff --git a/onmainwindow.cpp b/onmainwindow.cpp
> index 344c993..6118f1f 100644
> --- a/onmainwindow.cpp
> +++ b/onmainwindow.cpp
> @@ -1,22 +1,22 @@
> /***************************************************************************
> -* Copyright (C) 2005-2012 by Oleksandr Shneyder *
> -* oleksandr.shneyder at obviously-nice.de *
> -* *
> -* This program is free software; you can redistribute it and/or modify *
> -* it under the terms of the GNU General Public License as published by F*
> -* the Free Software Foundation; either version 2 of the License, or *
> -* (at your option) any later version. *
> -* *
> -* This program is distributed in the hope that it will be useful, *
> -* but WITHOUT ANY WARRANTY; without even the implied warranty of *
> -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
> -* GNU General Public License for more details. *
> -* *
> -* You should have received a copy of the GNU General Public License *
> -* along with this program; if not, write to the *
> -* Free Software Foundation, Inc., *
> -* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
> -***************************************************************************/
> + * Copyright (C) 2005-2012 by Oleksandr Shneyder *
> + * oleksandr.shneyder at obviously-nice.de *
> + * *
> + * This program is free software; you can redistribute it and/or modify *
> + * it under the terms of the GNU General Public License as published by *
> + * the Free Software Foundation; either version 2 of the License, or *
> + * (at your option) any later version. *
> + * *
> + * This program is distributed in the hope that it will be useful, *
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of *
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
> + * GNU General Public License for more details. *
> + * *
> + * You should have received a copy of the GNU General Public License *
> + * along with this program; if not, write to the *
> + * Free Software Foundation, Inc., *
> + * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
> +
> ***************************************************************************/
>
> #include "onmainwindow_privat.h"
>
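Review bot: This whole hunk is a whitespace-only re-indent of the licence header (plus dropping the stray `F` after "published by") and is unrelated to the DISPLAY/UNIX socket switch. Please move it to its own commit so the security-relevant change can be reviewed, bisected and reverted on its own.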
> diff --git a/onmainwindow_part2.cpp b/onmainwindow_part2.cpp
> index f43c179..e8df279 100644
> --- a/onmainwindow_part2.cpp
> +++ b/onmainwindow_part2.cpp
> @@ -1900,12 +1900,17 @@ void ONMainWindow::slotTunnelOk()
> env << "NX_CLIENT="+QCoreApplication::applicationFilePath ();
>
> #if defined ( Q_OS_WIN ) || defined ( Q_OS_DARWIN )
> + // On Mac OS X, we want to make sure that DISPLAY is set to a
> proper value,
> + // but at the same time don't want to set the value ourselves but keep
> + // the provided one.
> QString disp=getXDisplay();
> if ( disp==QString::null )
> {
> //slotProxyerror ( QProcess::FailedToStart );
> return;
> }
> +#endif // Q_OS_WIN || Q_OS_DARWIN
> +#if defined ( Q_OS_WIN )
> if ( dispInd==-1 )
> {
> env <<"DISPLAY=localhost:"+disp;
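Review bot: After this change the Darwin path only checks `disp` for null and never confirms that `env` actually contains a `DISPLAY` entry, because the `dispInd==-1` branch is now compiled for `Q_OS_WIN` only. If `dispInd` is -1 on OS X, nxproxy is started without DISPLAY; either report an error at that point or fall back to the value `getXDisplay()` returned. The new comment also says "On Mac OS X" although the `getXDisplay()` call under it still runs on Windows, so it should name both platforms or move below the split.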
> @@ -1917,8 +1922,8 @@ void ONMainWindow::slotTunnelOk()
> /* x2goDebug<<"existing env DISPLAY("<<dispInd<<
> ") DISPLAY=localhost:"+disp<<endl;*/
> }
> -#endif
> -#ifdef Q_OS_DARWIN
> +#endif // Q_OS_WIN
> +#if defined ( Q_OS_DARWIN )
> //setting /usr/X11/bin to find xauth
> env.insert (
> 0,
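Review bot: The switch from `#ifdef Q_OS_DARWIN` to `#if defined ( Q_OS_DARWIN )` is cosmetic and can be dropped to keep this hunk to what the fix needs. The `// Q_OS_WIN` comment on the `#endif` is worth keeping now that the guard above it has been split in two.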
> diff --git a/onmainwindow_part3.cpp b/onmainwindow_part3.cpp
> index fb6a3ba..7eb14f3 100644
> --- a/onmainwindow_part3.cpp
> +++ b/onmainwindow_part3.cpp
> @@ -1,22 +1,22 @@
> /***************************************************************************
> -* Copyright (C) 2005-2012 by Oleksandr Shneyder *
> -* oleksandr.shneyder at obviously-nice.de *
> -* *
> -* This program is free software; you can redistribute it and/or modify *
> -* it under the terms of the GNU General Public License as published by F*
> -* the Free Software Foundation; either version 2 of the License, or *
> -* (at your option) any later version. *
> -* *
> -* This program is distributed in the hope that it will be useful, *
> -* but WITHOUT ANY WARRANTY; without even the implied warranty of *
> -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
> -* GNU General Public License for more details. *
> -* *
> -* You should have received a copy of the GNU General Public License *
> -* along with this program; if not, write to the *
> -* Free Software Foundation, Inc., *
> -* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
> -***************************************************************************/
> + * Copyright (C) 2005-2012 by Oleksandr Shneyder *
> + * oleksandr.shneyder at obviously-nice.de *
> + * *
> + * This program is free software; you can redistribute it and/or modify *
> + * it under the terms of the GNU General Public License as published by *
> + * the Free Software Foundation; either version 2 of the License, or *
> + * (at your option) any later version. *
> + * *
> + * This program is distributed in the hope that it will be useful, *
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of *
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
> + * GNU General Public License for more details. *
> + * *
> + * You should have received a copy of the GNU General Public License *
> + * along with this program; if not, write to the *
> + * Free Software Foundation, Inc., *
> + * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
> +
> ***************************************************************************/
>
> #include "onmainwindow_privat.h"
>
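Review bot: The added closing line of the header is split in two as quoted here (a bare `+` followed by the `***...*/` line without a `+`), and the same wrapping hits added comment lines in other hunks ("DISPLAY is set to a" / "proper value,"). If the original mail is wrapped the same way the patch will not apply as sent, so please resend with `git send-email` or as an attachment. The header re-indent itself is the same unrelated whitespace change as in onmainwindow.cpp.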
> @@ -2054,63 +2054,29 @@ bool ONMainWindow::checkAgentProcess()
> #if defined ( Q_OS_DARWIN )
> QString ONMainWindow::getXDisplay()
> {
> - QTcpSocket tcpSocket ( this );
> - uint dispNumber=0;
> - QString xname,xdir,xopt;
> - dispNumber=0;
> - xdir=ConfigDialog::getXDarwinDirectory();
> - xname=xdir+"/Contents/MacOS/X11";
> - xopt=" -rootless :0";
> + QLocalSocket unixSocket (this);
> + QString xsocket (getenv ("DISPLAY"));
>
> - //for newer versions of XQuartz start startx instead of X11.app
> - xname="/usr/X11/bin/startx";
> - xopt="";
> - tcpSocket.connectToHost ( "127.0.0.1",6000+dispNumber );
> -
> - if ( tcpSocket.waitForConnected ( 3000 ) )
> - {
> - tcpSocket.close();
> - return QString::number ( dispNumber );
> - }
> - if ( xname==QString::null )
> + // OS X starts the X11 server automatically, as soon as the
> launchd UNIX socket
> + // is accessed.
> + // On user login, the DISPLAY environment variable is set to
> this said existing
> + // socket.
> + // By now, we should have a socket. Test, if connecting works.
> + if ((!xsocket.isEmpty ()))
> {
> - QMessageBox::critical (
> - this,tr ( "Can't connect to X-Server" ),
> - tr (
> - "Can't connect to X-Server\nPlease check your settings"
> - ) );
> - slotConfig();
> - return QString::null;
> - }
> - QProcess* pr=new QProcess ( this );
> - pr->setWorkingDirectory ( xdir );
> - pr->start ( xname+" "+xopt,QIODevice::NotOpen );
> - if ( pr->waitForStarted ( 3000 ) )
> - {
> -#ifdef Q_OS_DARWIN
> - //FIXME: the call of unistd.h sleep() do not work on all
> - // Mac OS X systems
> - system ( "sleep 3" );
> -#endif
> + unixSocket.connectToServer (xsocket);
>
> - tcpSocket.connectToHost ( "127.0.0.1",6000+dispNumber );
> - if ( tcpSocket.waitForConnected ( 1000 ) )
> + if (unixSocket.waitForConnected (10000))
> {
> - tcpSocket.close();
> - return QString::number ( dispNumber );
> + unixSocket.disconnectFromServer ();
> + return (xsocket);
> }
> - QMessageBox::critical (
> - this,tr ( "Can't connect to X-Server" ),
> - tr (
> - "Can't connect to X-Server\nPlease check your settings"
> - ) );
> - slotConfig();
> - return QString::null;
> }
> + // And if not, error out.
> QMessageBox::critical (
> - this,QString::null,
> + this,tr ( "Can't connect to X server\nPlease check your settings" ),
> tr (
> - "Can't start X Server\nPlease check your settings" ) );
> + "Can't start X server\nPlease check your settings" ) );
> slotConfig();
> return QString::null;
> }
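Review bot: `getenv ("DISPLAY")` is passed straight to `unixSocket.connectToServer (xsocket)` with only an `isEmpty ()` check, so a value such as `:0` or `localhost:10.0` (set by the user or inherited from an ssh session) is treated as a local socket name and the user ends up in the generic error box. Check that the value is an absolute path before connecting, and say so in the error when it is not. In the `QMessageBox::critical` call the title argument now carries the full two-line "Can't connect to X server\nPlease check your settings" string while the body still says "Can't start X server"; use a short title and one consistent message. `waitForConnected (10000)` also blocks the GUI thread for up to ten seconds.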
> diff --git a/onmainwindow_privat.h b/onmainwindow_privat.h
> index 9e4375a..aa049f7 100644
> --- a/onmainwindow_privat.h
> +++ b/onmainwindow_privat.h
> @@ -1,6 +1,6 @@
> /***************************************************************************
> - * Copyright (C) 2005-2012 by Oleksandr Shneyder *
> - * oleksandr.shneyder at obviously-nice.de *
> + * Copyright (C) 2005-2012 by Oleksandr Shneyder *
> + * oleksandr.shneyder at obviously-nice.de *
> * *
> * This program is free software; you can redistribute it and/or modify *
> * it under the terms of the GNU General Public License as published by *
> @@ -66,7 +66,7 @@
> #include <QFileDialog>
> #include <QHttp>
> #include <QUrl>
> -#include <QTcpSocket>
> +#include <QLocalSocket>
> #include <QPlastiqueStyle>
> #include "sshprocess.h"
> #include "imgframe.h"
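Review bot: `#include <QTcpSocket>` is replaced unconditionally in this shared header, but the only `QTcpSocket` use this patch removes is inside the `Q_OS_DARWIN` version of `getXDisplay()`. Any code on other platforms that relies on this header for `QTcpSocket` would stop compiling, so either add `#include <QLocalSocket>` next to the existing include or confirm that no other user remains.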
> --
> 1.7.9
>
>
>
I repeat my request to keep patches minimal and let them only fix one issue:
http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=3b20e0e71cf3c01b1f73ecee2014c4ddf5c07a3f
The copyright header layout fixes I have committed separately.
http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=93d11591928f54ff28a06edd10cb13494ef10d41
The DISPLAY var detection is another commit:
http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=f9f9efef4450485b53cf43100d1ad14ea8f96b16
Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
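
The DISPLAY handling described in the commit message above, as an added example that is not part of the patch or of the X2Go code base: it classifies a DISPLAY value as a socket path, a local display or TCP, and runs the connection test over AF_UNIX only. The function names and sample values are assumptions; treating a leading `/` as a socket path follows the patch's use of the launchd-provided value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

enum x_transport { X_NONE, X_UNIX_PATH, X_UNIX_LOCAL, X_TCP };

/* Classify a DISPLAY value. UNIX transports: socket path goes to `path`.
 * TCP: the port (6000 + display number) goes to `*port`. */
static enum x_transport classify_display(const char *d, char *path, size_t n, int *port)
{
    const char *colon;
    if (d == NULL || *d == '\0')
        return X_NONE;
    if (d[0] == '/') {                 /* launchd style: value is a socket path */
        snprintf(path, n, "%s", d);
        return X_UNIX_PATH;
    }
    colon = strrchr(d, ':');
    if (colon == NULL || colon[1] < '0' || colon[1] > '9')
        return X_NONE;
    if (colon == d || strncmp(d, "unix:", 5) == 0) {   /* ":N" or "unix:N" */
        snprintf(path, n, "/tmp/.X11-unix/X%d", atoi(colon + 1));
        return X_UNIX_LOCAL;
    }
    *port = 6000 + atoi(colon + 1);    /* "host:N" means X11 over TCP */
    return X_TCP;
}

/* Connection test over AF_UNIX only; 1 if something accepts on `path`. */
static int unix_socket_reachable(const char *path)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int fd, ok;
    if (strlen(path) >= sizeof(sa.sun_path) || (fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return 0;
    strcpy(sa.sun_path, path);
    ok = connect(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0;
    close(fd);
    return ok;
}

int main(void)
{
    char path[108] = "";
    int port = 0, t = classify_display(getenv("DISPLAY"), path, sizeof(path), &port);
    printf("transport=%d path=%s port=%d up=%d\n", t, path, port,
           path[0] ? unix_socket_reachable(path) : 0);
    return 0;
}
```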