[debian-edu-commits] debian-edu/pkg-team/ 144/159: let’s see whether this works for xorgxrdp←→xrdp dæmon conns
Dominik George
natureshadow-guest at moszumanska.debian.org
Tue Feb 23 10:04:35 UTC 2016
This is an automated email from the git hooks/post-receive script.
natureshadow-guest pushed a commit to branch master
in repository xrdp.
commit 96517cbbcc2658493237da7248f50a4c157b60a4
Author: mirabilos <tg at mirbsd.org>
Date: Wed Sep 2 16:54:41 2015 +0200
let’s see whether this works for xorgxrdp←→xrdp dæmon conns
---
README.Debian | 2 +-
changelog | 5 +++--
patches/fix_perms.diff | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++
patches/series | 1 +
xrdp.init | 9 ++++++---
5 files changed, 64 insertions(+), 6 deletions(-)
diff --git a/README.Debian b/README.Debian
index 58c7adf..c66123c 100644
--- a/README.Debian
+++ b/README.Debian
@@ -11,7 +11,7 @@ messages about /etc/xrdp/cert.pem and /etc/xrdp/key.pem are good for.
Another security issue is the hard-coded use of /tmp/.xrdp/ which
probably should be moved to /var/run/xrdp/sockdir/ (pre-create in
-initscript with 0:0 1777; no idea about systemd); a local patch
+initscript with 0:xrdp 3777; no idea about systemd); a local patch
could fix it with the hard-coded replacement path, but that’s
probably okay. For now, the sysvinit script creates this path and
sanity-checks it.
diff --git a/changelog b/changelog
index 629e99f..30073c0 100644
--- a/changelog
+++ b/changelog
@@ -1,11 +1,12 @@
-xrdp (0.9.0~git20150902-1~beta1) teckids; urgency=medium
+xrdp (0.9.0~git20150902-1~beta1) teckids; urgency=high
* New upstream snapshot, DFSG-free AFAICT TTBOMK
* Correct missing $ in sysvinit script
* Clean up a now-obsolete conffile from xrdp 0.6
* Document the /tmp/.xrdp/ issue and precreate it from sysvinit script
+ * Fix permissions to connect to xorgxrdp server from xrdp daemon
- -- Thorsten Glaser <thorsten.glaser at teckids.org> Wed, 02 Sep 2015 15:45:56 +0200
+ -- Thorsten Glaser <thorsten.glaser at teckids.org> Wed, 02 Sep 2015 16:54:22 +0200
xrdp (0.9.0~git20150901+dfsg-1~beta1) teckids; urgency=medium
diff --git a/patches/fix_perms.diff b/patches/fix_perms.diff
new file mode 100644
index 0000000..9ac5093
--- /dev/null
+++ b/patches/fix_perms.diff
@@ -0,0 +1,53 @@
+# DP: attempt to fix connection problem between xrdp-sesman (running
+# DP: as root) and xrdp (running as xrdp) by creating the socket for
+# DP: the xorgxrdp server as 0660 in a sgid-xrdp directory, since we
+# DP: can’t easily chgrp here; also fix retval check for listen(2)
+
+--- a/common/os_calls.c
++++ b/common/os_calls.c
+@@ -140,7 +140,7 @@ g_mk_temp_dir(const char *app_name)
+ }
+ }
+
+- g_chmod_hex("/tmp/.xrdp", 0x1777);
++ g_chmod_hex("/tmp/.xrdp", 0x3777);
+ }
+
+ snprintf(g_temp_base, sizeof(g_temp_base),
+--- a/xorg/X11R7.6/rdp/rdpup.c
++++ b/xorg/X11R7.6/rdp/rdpup.c
+@@ -1215,7 +1215,7 @@ rdpup_init(void)
+ return 0;
+ }
+
+- g_chmod_hex("/tmp/.xrdp", 0x1777);
++ g_chmod_hex("/tmp/.xrdp", 0x3777);
+ }
+
+ i = atoi(display);
+--- a/xorgxrdp/module/rdpClientCon.c
++++ b/xorgxrdp/module/rdpClientCon.c
+@@ -1124,7 +1124,7 @@ rdpClientConInit(rdpPtr dev)
+ return 0;
+ }
+ }
+- g_chmod_hex("/tmp/.xrdp", 0x1777);
++ g_chmod_hex("/tmp/.xrdp", 0x3777);
+ }
+ i = atoi(display);
+ if (i < 1)
+@@ -1142,7 +1142,13 @@ rdpClientConInit(rdpPtr dev)
+ LLOGLN(0, ("rdpClientConInit: g_tcp_local_bind failed"));
+ return 1;
+ }
+- g_sck_listen(dev->listen_sck);
++ if (g_sck_listen(dev->listen_sck) != 0)
++ {
++ LLOGLN(0, ("rdpClientConInit: g_sck_listen failed"));
++ unlink(dev->uds_data);
++ return 1;
++ }
++ g_chmod_hex(dev->uds_data, 0x0660);
+ AddEnabledDevice(dev->listen_sck);
+ }
+ return 0;
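Review bot: The 0660 mode set on `dev->uds_data` after `g_sck_listen` in rdpClientConInit only lets the xrdp daemon connect if `/tmp/.xrdp` already has group xrdp, and none of the three `g_chmod_hex("/tmp/.xrdp", 0x3777)` calls (os_calls.c, rdpup.c, rdpClientCon.c) sets that group; they only add the setgid bit. If one of these code paths creates the directory instead of the init script (the systemd case the README leaves open), the socket inherits whatever group the directory happened to get, so either the daemon is locked out or an unintended group can reach the session socket. The result of `g_chmod_hex(dev->uds_data, 0x0660)` is also ignored; assuming it returns chmod's status, check and log it, e.g. `if (g_chmod_hex(dev->uds_data, 0x0660) != 0) { LLOGLN(0, ("rdpClientConInit: g_chmod_hex failed")); }`. The new listen-failure branch unlinks the socket path but does not visibly close `dev->listen_sck`; the function body extends beyond these hunks, so confirm that against the full source.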
diff --git a/patches/series b/patches/series
index 56551c1..b483053 100644
--- a/patches/series
+++ b/patches/series
@@ -5,3 +5,4 @@ keymap-fallback.diff
misc-fixes.diff
systemd.diff
nxstack.diff
+fix_perms.diff
diff --git a/xrdp.init b/xrdp.init
index 3d296cf..6177583 100644
--- a/xrdp.init
+++ b/xrdp.init
@@ -52,9 +52,12 @@ test -d /var/run/xrdp || mkdir /var/run/xrdp || exit $?
chown xrdp:xrdp /var/run/xrdp || exit $?
# create socks directory
-test -e /tmp/.xrdp || mkdir -m1777 /tmp/.xrdp || exit $?
-case $(stat -c '%a,%u,%g,%F' /tmp/.xrdp) in
-(1777,0,0,directory) ;;
+test -e /tmp/.xrdp || mkdir -m3777 /tmp/.xrdp || exit $?
+case $(stat -c '%a,%u,%G,%F' /tmp/.xrdp) in
+(3777,0,xrdp,directory) ;;
+(3777,0,root,directory|3777,0,wheel,directory)
+ chgrp xrdp /tmp/.xrdp
+ ;;
(*)
echo >&2 "E: /tmp/.xrdp has wrong permissions"
exit 1
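Review bot: The added `chgrp xrdp /tmp/.xrdp` is the only command in this block whose failure is ignored. If the xrdp group is missing, the script carries on with a root-group directory and the daemon cannot reach the 0660 sockets created under it, so it should read `chgrp xrdp /tmp/.xrdp || exit $?`. The case patterns also no longer accept the `1777,0,root` directory that the previous revision of this script created, so a restart after upgrade appears to fall into the "wrong permissions" branch until /tmp is cleared; a branch that applies `chmod 3777` and `chgrp xrdp` to that known old state would cover it. Mode 3777 keeps the directory world-writable, so any local user can create entries that inherit group xrdp; a comment stating why that is acceptable would help the next reader.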
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-edu/pkg-team/xrdp.git