Date: Thu, 10 Jan 2002 10:30:22 +0100
From: Volker Stolz
To: ports@freebsd.org
Subject: [*BSD] Adding setusercontext() to gdm
Message-ID: <20020110103022.B8055@i2.informatik.rwth-aachen.de>

Hi,

I added setusercontext() and friends to 'gdm', so that you would get proper settings from login.conf which are currently ignored by gdm.

However, this opens a major can of worms: gdm likes to set GDM_LANG which in turn causes 'gnome-session' from x11/gnomecore to rewrite LANG on X session startup :-/ This is currently fixed by rewriting GDM_LANG with the setting obtained from login.conf (if any).

Another issue is PATH. gdm likes to set this itself, including configurable settings in gdm.conf -- exactly what you'd solve with login.conf on BSD.

Please test the attached patches; note that you have to run 'autoconf' after patching. 'configure' will detect if libutil is available and set the corresponding flag in config.h. To check if the gdm-binary has been correctly built, 'ldd daemon/gdm | grep util' should show that gdm has been linked against libutil.

To verify that the patch works, modify ~/.login_conf, e.g. set LANG, PATH, whatever and log in.

Cheers,
Volker
-- 
Wonderful \hbox (0.80312pt too nice) in paragraph at lines 16--18
Volker Stolz * stolz@i2.informatik.rwth-aachen.de
Please use PGP or S/MIME for correspondence!
--EVF5PPMfhYS0aIcm Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="patch-logincap-slave.c" Content-Transfer-Encoding: quoted-printable --- daemon/slave.c.orig Tue Jan 1 03:48:07 2002 +++ daemon/slave.c Fri Jan 4 17:24:13 2002 @@ -19,31 +19,38 @@ /* This is the gdm slave process. gdmslave runs the chooser, greeter * and the user's session scripts. */ =20 -#include -#include -#include -#include -#include -#include #include #include #include -#include +#include + #include #include -#include #include #include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef HAVE_LOGINCAP +#include +#endif + +#include +#include #include #ifdef HAVE_LIBXINERAMA #include #endif -#include -#include -#include -#include -#include -#include =20 #include =20 @@ -140,6 +147,8 @@ static gboolean x_error_occured =3D FALSE; static gboolean gdm_got_usr2 =3D FALSE; =20 +static void changeUser(struct passwd *pwent, char *login); + /* ignore handlers */ static int ignore_xerror_handler (Display *disp, XErrorEvent *evt) 
@@ -1785,6 +1794,31 @@ =20 } =20 +#ifdef HAVE_LOGINCAP +void changeUser(struct passwd *pwent,char *login) { + if (setsid() =3D=3D -1) + gdm_child_exit (DISPLAY_REMANAGE, _("gdm_slave_session_start: setsid()= failed for %s. Aborting."), login); + if (setusercontext(NULL,pwent,pwent->pw_uid, LOGIN_SETALL) =3D=3D -1) + gdm_child_exit (DISPLAY_REMANAGE, _("gdm_slave_session_start: setuserc= ontext() failed for %s. Aborting."), login); +} + +#else + +void changeUser(struct passwd *pwent,char *login) { + setpgid(0,0); + umask(022); + /* setup the user's correct group */ + if (setgid (pwent->pw_gid) < 0) + gdm_child_exit (DISPLAY_REMANAGE, _("gdm_slave_session_start: Could no= t setgid %d. Aborting."), pwent->pw_gid); + if (initgroups (login, pwent->pw_gid) < 0) + gdm_child_exit (DISPLAY_REMANAGE, _("gdm_slave_session_start: initgrou= ps() failed for %s. Aborting."), login); + if (setuid (pwent->pw_uid) < 0)=20 + gdm_child_exit (DISPLAY_REMANAGE, + _("gdm_slave_session_start: Could not become %s. Aborting."), login); +} + +#endif + static char * dequote (const char *in) { @@ -1823,6 +1857,9 @@ char *sesspath, *sessexec; gboolean need_config_sync =3D FALSE; const char *shell =3D NULL; +#ifdef HAVE_LOGINCAP + char *lang =3D NULL; +#endif =20 ve_clearenv (); =20 @@ -1840,11 +1877,7 @@ if (gnome_session !=3D NULL) ve_setenv ("GDM_GNOME_SESSION", gnome_session, TRUE); =20 - /* Special PATH for root */ - if (pwent->pw_uid =3D=3D 0) - ve_setenv ("PATH", GdmRootPath, TRUE); - else - ve_setenv ("PATH", GdmDefaultPath, TRUE); + changeUser(pwent,login); =20 /* Eeeeek, this no lookie as a correct language code, let's * try unaliasing it */ 
@@ -1853,28 +1886,42 @@ language =3D unaliaslang (language); } =20 +#ifndef HAVE_LOGINCAP + /* Set locale */ ve_setenv ("LANG", language, TRUE); ve_setenv ("GDM_LANG", language, TRUE); - =20 - setpgid (0, 0); -=09 - umask (022); + + /* Special PATH for root */ + if (pwent->pw_uid =3D=3D 0) + ve_setenv ("PATH", GdmRootPath, TRUE); + else + ve_setenv ("PATH", GdmDefaultPath, TRUE); + +#else + /* XXX If GDM_LANG is set, this will override the LANG from login.conf + in 'gnome-session' (check x11/gnomecore)! + Our solution: set GDM_LANG to LANG *now*. Should we run unaliaslang() = on + lang, too? */ + + lang =3D getenv("LANG"); + if (lang) { + ve_setenv ("GDM_LANG", lang, TRUE); + } else { + ve_setenv ("LANG", language, TRUE); + ve_setenv ("GDM_LANG", language, TRUE); + } =09 + /* Do not reset PATH */ + +#endif + /* setup the verify env vars */ if ( ! gdm_verify_setup_env (d)) gdm_child_exit (DISPLAY_REMANAGE, _("%s: Could not setup environment for %s. " "Aborting."), "gdm_slave_session_start", login); - - /* setup egid to the correct group, - * not to leave the egid around */ - setegid (pwent->pw_gid); - - if (setuid (pwent->pw_uid) < 0)=20 - gdm_child_exit (DISPLAY_REMANAGE, - _("gdm_slave_session_start: Could not become %s. Aborting."), login); =09 chdir (home_dir); =20 --EVF5PPMfhYS0aIcm Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="patch-logincap-configure.in" Content-Transfer-Encoding: quoted-printable --- configure.in.orig Tue Jan 1 02:50:01 2002 +++ configure.in Fri Jan 4 17:34:29 2002 
@@ -230,6 +230,11 @@ fi AC_SUBST(GDMASKPASS) =20 +dnl Can we use BSD's setusercontext +AC_CHECK_HEADERS(sys/types.h login_cap.h, [ + LIBS=3D"$LIBS -lutil" + AC_DEFINE(HAVE_LOGINCAP)]) + if test x$enable_authentication_scheme =3D xpam -a x$have_pam =3D xno ; th= en AC_MSG_ERROR(PAM support requested but not available) fi --EVF5PPMfhYS0aIcm--
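
Review bot: In daemon/slave.c, the first hunk (@@ -19,31 +19,38 @@) reorders nearly the whole #include block although the only functional addition is the include guarded by #ifdef HAVE_LOGINCAP. Keep the existing include order and add just the guarded include, so the diff shows only what the feature needs and is less likely to conflict with upstream changes to that block.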
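
Review bot: In the daemon/slave.c hunk at @@ -140,6 +147,8 @@, the prototype is declared static, but both definitions added further down are written as plain `void changeUser(...)`. C lets a definition inherit internal linkage from the earlier declaration, so this compiles, but repeat static on the definitions so the linkage is obvious at the point of definition. The login parameter is only read and could be a const char *, and a lower-case underscore name in the style of ignore_xerror_handler would fit the file better than changeUser.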
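
Review bot: In the daemon/slave.c hunk at @@ -1785,6 +1794,31 @@, the two changeUser() variants treat the process differently: the HAVE_LOGINCAP one calls setsid() and aborts on failure, while the fallback calls setpgid(0,0) and ignores the result. Use the same call in both, or add a comment saying why the login.conf path needs a new session. The error strings still name gdm_slave_session_start although they are now emitted from changeUser(). The fallback's order of setgid, initgroups, setuid, with every return value checked, is right and should stay.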
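
Review bot: In the daemon/slave.c hunk at @@ -1840,11 +1877,7 @@, changeUser(pwent,login) drops privileges at the spot where PATH used to be set, which is earlier than the setegid()/setuid() calls removed by the following hunk. The code in between, including gdm_verify_setup_env (d), therefore now runs as the user instead of as root. Please confirm that nothing in that stretch needs root, or leave the identity switch where setuid() was and handle only the environment here.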
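
Review bot: In the HAVE_LOGINCAP branch of the daemon/slave.c hunk at @@ -1853,28 +1886,42 @@, the result of getenv("LANG") is copied into GDM_LANG without going through unaliaslang(), unlike `language`; the XXX comment raises the question but leaves it open. The cover mail says this value can come from ~/.login_conf, so it is user-supplied and should get the same treatment as `language` before it is exported. Two behaviour changes also need documenting: `language` is ignored whenever LANG is already set, and GdmRootPath/GdmDefaultPath are no longer applied in this branch.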
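
Review bot: In the configure.in hunk (@@ -230,6 +230,11 @@), AC_CHECK_HEADERS runs its action once for every header it finds, so finding sys/types.h alone is enough to append -lutil and define HAVE_LOGINCAP on a system that has no login_cap.h, and a system with both headers gets -lutil added twice. Test login_cap.h on its own with AC_CHECK_HEADER, and check that libutil actually provides setusercontext with AC_CHECK_LIB(util, setusercontext, ...) before touching LIBS; the cover mail says configure detects libutil, but nothing in this hunk does. The one-argument AC_DEFINE(HAVE_LOGINCAP) also needs a matching template entry for config.h, which is not part of the patch.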