Date: Tue, 24 May 2011 05:30:03 +0900 (JST) From: "Iwao, Koichiro" <meta@club.kyutech.ac.jp> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/157282: [MAINTAINER PATCH] net/xrdp: effective login name is not set by xrdp-sesman Message-ID: <201105232030.p4NKU3vn017210@rose.club.kyutech.ac.jp> Resent-Message-ID: <201105232040.p4NKeACf079207@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 157282 >Category: ports >Synopsis: [MAINTAINER PATCH] net/xrdp: effective login name is not set by xrdp-sesman >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon May 23 20:40:09 UTC 2011 >Closed-Date: >Last-Modified: >Originator: Iwao, Koichiro >Release: FreeBSD 8.2-RELEASE-p1 amd64 >Organization: Kyushu Institute of Technology >Environment: System: FreeBSD rose.club.kyutech.ac.jp 8.2-RELEASE-p1 FreeBSD 8.2-RELEASE-p1 #1: Mon Apr 25 03:31:52 JST 2011 root@rose.club.kyutech.ac.jp:/usr/obj/usr/src/sys/MASAKIKERNEL amd64 >Description: xrdp is originally made for Linux, handling setlogin/getlogin is not enough for *BSD. Some programs like mysql fail to get actual username. Also, this may cause a security issue like FreeBSD-SA-02:07.k5su due to setlogin system call. http://security.freebsd.org/advisories/FreeBSD-SA-02:07.k5su.asc Added file: - files/patch-sesman__session.c >How-To-Repeat: Login to the host via xrdp, run `id -p` on xterm, the login name will be wrong. The result will be: $ id -p login root uid meta groups meta ex) mysql gets username as 'root' even if the actual user is not root: $ whoami meta $ mysql Enter password: ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO) Login shuld be as same as uid: $ id -p uid meta groups meta >Fix: See attached patch. --- patch-sesman__session.c begins here --- --- sesman/session.c.orig 2011-03-12 16:10:35.000000000 +0900 +++ sesman/session.c 2011-05-24 04:45:59.000000000 +0900 @@ -16,7 +16,47 @@ xrdp: A Remote Desktop Protocol server. Copyright (C) Jay Sorg 2005-2008 */ - +/* + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland + * All rights reserved + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + * + * SSH2 support by Markus Friedl. + * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Copyright (c) 2011 Koichiro Iwao <meta@club.kyutech.ac.jp>, + * Kyushu Institute of Technology. + * All rights reserved. + * + * from: OpenBSD: session.c,v 1.252 2010/03/07 11:57:13 dtucker Exp + * with some ideas about process grouping from OpenSSH to xrdp + * + */ /** * * @file session.c @@ -373,6 +413,23 @@ g_sprintf(geometry, "%dx%d", width, height); g_sprintf(depth, "%d", bpp); g_sprintf(screen, ":%d", display); +#ifdef __FreeBSD__ + /* + * Create a new session and process group since 4.4BSD + * setlogin affects the entire process group. + */ + if (setsid() < 0) + { + log_message(&(g_cfg->log), LOG_LEVEL_ERROR, + "setsid failed: %.100s", strerror(errno)); + } + + if (setlogin(username) < 0) + { + log_message(&(g_cfg->log), LOG_LEVEL_ERROR, + "setlogin failed: %.100s", strerror(errno)); + } +#endif wmpid = g_fork(); if (wmpid == -1) { --- patch-sesman__session.c ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201105232030.p4NKU3vn017210>