Commit 8297fa50 authored by Jiri (George) Lebl's avatar Jiri (George) Lebl Committed by George Lebl

touch auth files in /tmp every 12 hours so that they don't get whacked by


Mon Oct 06 15:02:19 2003  George Lebl <jirka@5z.com>

	* daemon/gdm.[ch], daemon/auth.c, daemon/slave.c:
	  touch auth files in /tmp every 12 hours so that
	  they don't get whacked by tmpwatch.  Also add an
	  option to short circuit the NFS test option to
	  allow cookies on NFS (NeverPlaceCookiesOnNFS)

	* gui/greeter/greeter.c: Display dialog about not
	  being able to load the theme even when not running
	  in debug mode.  So that missing/bad themes don't
	  just look like greeter crashes (see rh #106189 for
	  people getting confused by bad spec file)

	* config/gdm.conf.in: add the NeverPlaceCookiesOnNFS
	  key

	* docs/C/gdm.xml: add info about NeverPlaceCookiesOnNFS
parent 2eb70761
Mon Oct 06 15:02:19 2003 George Lebl <jirka@5z.com>
* daemon/gdm.[ch], daemon/auth.c, daemon/slave.c:
touch auth files in /tmp every 12 hours so that
they don't get whacked by tmpwatch. Also add an
option to short circuit the NFS test option to
allow cookies on NFS (NeverPlaceCookiesOnNFS)
* gui/greeter/greeter.c: Display dialog about not
being able to load the theme even when not running
in debug mode. So that missing/bad themes don't
just look like greeter crashes (see rh #106189 for
people getting confused by bad spec file)
* config/gdm.conf.in: add the NeverPlaceCookiesOnNFS
key
* docs/C/gdm.xml: add info about NeverPlaceCookiesOnNFS
Fri Oct 03 14:03:31 2003 George Lebl <jirka@5z.com>
* daemon/errorgui.c: include <signal.h> to fix build
......
Ahh news...
2.4.4.4 stuff:
- When cookies are in the fallback dir touch them every
12 hours to avoid tmpwatch from removing them
- Add config key NeverPlaceCookiesOnNFS to allow
cookie files on NFS or similar filesystems
- Graphical greeter now graphically complains if it can't
load a theme rather then plainly failing.
- Go shell quoting crazy (fixes among others rh #105858,
but none of the issues were actually security problems,
"annoying" on really weird configs at most)
- Some more anality with touching user owned files
- Minor other fixes
2.4.4.3 stuff:
- The graphical greeter now wraps text correctly (and
......
......@@ -110,7 +110,9 @@ BaseXsession=@EXPANDED_SYSCONFDIR@/gdm/Xsession
# Better leave this blank and HOME will be used. You can use syntax ~/ below
# to indicate home directory of the user. You can also set this to something
# like /tmp if you don't want the authorizations to be in home directories.
# This is useful if you have NFS mounted home directories.
# This is useful if you have NFS mounted home directories. Note that if this
# is the home directory the UserAuthFBDir will still be used in case the home
# directory is NFS, see security/NeverPlaceCookiesOnNFS to override this behaviour.
UserAuthDir=
# Fallback if home directory not writable
UserAuthFBDir=/tmp
......@@ -157,6 +159,13 @@ UserMaxFile=65536
# not add a "-nolisten tcp", as then the query just wouldn't work, so
# this setting only affects truly local sessions.
#DisallowTCP=true
# By default never place cookies if we "detect" NFS. We detect NFS
# by detecting "root-squashing". It seems bad practice to place
# cookies on things that go over the network by default and thus we
# don't do it by default. Sometimes you can however use safe remote
# filesystems where this is OK and you may want to have the cookie in your
# home directory.
#NeverPlaceCookiesOnNFS=true
# XDMCP is the protocol that allows remote login. If you want to log into
# gdm remotely (I'd never turn this on on open network, use ssh for such
......
......@@ -8,7 +8,7 @@ dnl
AC_PROG_INTLTOOL([0.21])
AM_CONFIG_HEADER(config.h)
AM_INIT_AUTOMAKE(gdm,2.4.4.3)
AM_INIT_AUTOMAKE(gdm,2.4.4.4)
AM_MAINTAINER_MODE
GTK_REQUIRED=1.3.1
......
......@@ -48,6 +48,7 @@ extern gchar *GdmUserAuthFB;
extern gint GdmUserMaxFile;
extern gint GdmRelaxPerms;
extern gboolean GdmDebug;
extern gboolean GdmNeverPlaceCookiesOnNFS;
static void
display_add_error (GdmDisplay *d)
......@@ -433,7 +434,6 @@ get_local_auth_error:
return NULL;
}
static gboolean
try_open_append (const char *file)
{
......@@ -560,7 +560,7 @@ try_user_add_again:
/* try opening as root, if we can't open as root,
then this is a NFS mounted directory with root squashing,
and we don't want to write cookies over NFS */
! try_open_read_as_root (d->userauth)) {
(GdmNeverPlaceCookiesOnNFS && ! try_open_read_as_root (d->userauth))) {
/* if the userauth file didn't exist and we were looking at it,
it likely exists now but empty, so just whack it
......@@ -603,6 +603,8 @@ try_user_add_again:
return FALSE;
}
d->last_auth_touch = time (NULL);
af = fdopen (authfd, "w");
}
else { /* User's Xauthority file is ok */
......
......@@ -151,6 +151,7 @@ gchar *GdmSuspend = NULL;
gchar *GdmSuspendReal = NULL;
gchar *GdmServAuthDir = NULL;
gchar *GdmUserAuthDir = NULL;
gboolean GdmNeverPlaceCookiesOnNFS = TRUE;
gchar *GdmUserAuthFile = NULL;
gchar *GdmUserAuthFB = NULL;
gchar *GdmPidFile = NULL;
......@@ -350,6 +351,7 @@ gdm_config_parse (void)
GdmSuspend = ve_config_get_string (cfg, GDM_KEY_SUSPEND);
GdmUser = ve_config_get_string (cfg, GDM_KEY_USER);
GdmUserAuthDir = ve_config_get_string (cfg, GDM_KEY_UAUTHDIR);
GdmNeverPlaceCookiesOnNFS = ve_config_get_bool (cfg, GDM_KEY_NEVERPLACECOOKIESONNFS);
GdmUserAuthFile = ve_config_get_string (cfg, GDM_KEY_UAUTHFILE);
GdmUserAuthFB = ve_config_get_string (cfg, GDM_KEY_UAUTHFB);
......
......@@ -192,6 +192,8 @@ enum {
#define GDM_KEY_RETRYDELAY "security/RetryDelay=3"
#define GDM_KEY_DISALLOWTCP "security/DisallowTCP=true"
#define GDM_KEY_NEVERPLACECOOKIESONNFS "security/NeverPlaceCookiesOnNFS=true"
#define GDM_KEY_XDMCP "xdmcp/Enable=false"
#define GDM_KEY_MAXPEND "xdmcp/MaxPending=4"
#define GDM_KEY_MAXSESS "xdmcp/MaxSessions=16"
......@@ -286,6 +288,7 @@ struct _GdmDisplay {
GSList *local_auths;
gchar *userauth;
gboolean authfb;
time_t last_auth_touch;
gchar *command;
gboolean failsafe_xserver;
gboolean use_chooser; /* run chooser instead of greeter */
......
......@@ -26,6 +26,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <utime.h>
#if defined(_POSIX_PRIORITY_SCHEDULING) && defined(HAVE_SCHED_YIELD)
#include <sched.h>
#endif
......@@ -370,6 +371,76 @@ run_session_output (gboolean read_until_eof)
NEVER_FAILS_setegid (oldg);
}
#define TIME_UNSET_P(tv) ((tv)->tv_sec == 0 && (tv)->tv_usec == 0)
/* Try to touch an authfb auth file every 12 hours. That way if it's
* in /tmp it doesn't get whacked by tmpwatch */
#define TRY_TO_TOUCH_TIME (60*60*12)
static struct timeval *
min_time_to_wait (struct timeval *tv)
{
if (d->authfb) {
time_t ct = time (NULL);
time_t sec_to_wait;
if (d->last_auth_touch + TRY_TO_TOUCH_TIME + 5 <= ct)
sec_to_wait = 5;
else
sec_to_wait = (d->last_auth_touch + TRY_TO_TOUCH_TIME) - ct;
if (TIME_UNSET_P (tv) ||
sec_to_wait < tv->tv_sec)
tv->tv_sec = sec_to_wait;
}
if (TIME_UNSET_P (tv))
return NULL;
else
return tv;
}
static void
try_to_touch_fb_userauth (void)
{
if (d->authfb && d->userauth != NULL && logged_in_uid >= 0) {
time_t ct = time (NULL);
if (d->last_auth_touch + TRY_TO_TOUCH_TIME <= ct) {
uid_t old;
gid_t oldg;
old = geteuid ();
oldg = getegid ();
/* make sure we are the user when we do this,
for purposes of file limits and all that kind of
stuff */
if G_LIKELY (logged_in_gid >= 0) {
if G_UNLIKELY (setegid (logged_in_gid) != 0) {
gdm_error ("Can't set GID to user GID");
return;
}
}
if G_LIKELY (logged_in_uid >= 0) {
if G_UNLIKELY (seteuid (logged_in_uid) != 0) {
gdm_error ("Can't set UID to user UID");
NEVER_FAILS_seteuid (old);
return;
}
}
/* This will "touch" the file */
utime (d->userauth, NULL);
NEVER_FAILS_seteuid (old);
NEVER_FAILS_setegid (oldg);
d->last_auth_touch = ct;
}
}
}
/* must call slave_waitpid_setpid before calling this */
static void
slave_waitpid (GdmWaitPid *wp)
......@@ -388,10 +459,13 @@ slave_waitpid (GdmWaitPid *wp)
/* Wait 5 seconds. */
tv.tv_sec = 5;
tv.tv_usec = 0;
select (0, NULL, NULL, NULL, &tv);
select (0, NULL, NULL, NULL, min_time_to_wait (&tv));
/* don't want to use sleep since we're using alarm
for pinging */
/* try to touch an fb auth file */
try_to_touch_fb_userauth ();
if (d->session_output_fd >= 0)
run_session_output (FALSE /* read_until_eof */);
check_notifies_now ();
......@@ -404,6 +478,7 @@ slave_waitpid (GdmWaitPid *wp)
char buf[1];
fd_set rfds;
int ret;
struct timeval tv;
FD_ZERO (&rfds);
FD_SET (slave_waitpid_r, &rfds);
......@@ -411,7 +486,15 @@ slave_waitpid (GdmWaitPid *wp)
d->session_output_fd >= 0)
FD_SET (d->session_output_fd, &rfds);
ret = select (MAX (slave_waitpid_r, d->session_output_fd)+1, &rfds, NULL, NULL, NULL);
/* unset time */
tv.tv_sec = 0;
tv.tv_usec = 0;
ret = select (MAX (slave_waitpid_r, d->session_output_fd)+1, &rfds, NULL, NULL, min_time_to_wait (&tv));
/* try to touch an fb auth file */
try_to_touch_fb_userauth ();
if (ret > 0) {
if (FD_ISSET (slave_waitpid_r, &rfds)) {
IGNORE_EINTR (read (slave_waitpid_r, buf, 1));
......
......@@ -2,8 +2,8 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
<!ENTITY legal SYSTEM "legal.xml">
<!ENTITY version "2.4.4.3">
<!ENTITY date "9/23/2003">
<!ENTITY version "2.4.4.4">
<!ENTITY date "10/6/2003">
]>
<article id="index" lang="en">
......@@ -209,6 +209,8 @@
it will conclude that it is on an NFS mount and it will
automatically use <filename>UserAuthFBDir</filename>,
which is usually <filename>/tmp</filename>.
This can be changed by setting <filename>NeverPlaceCookiesOnNFS</filename>
in the <filename>[security]</filename> section to false.
</para>
<para>
......@@ -1543,6 +1545,14 @@
directory should really be sticky and all that, just like
the <filename>/tmp</filename> directory.
</para>
<para>
Normally if this is the users home directory GDM will still
refuse to put cookies there if it thinks it is NFS (by testing
root-squashing).
This can be changed by setting <filename>NeverPlaceCookiesOnNFS</filename>
in the <filename>[security]</filename> section to false.
</para>
</listitem>
</varlistentry>
......@@ -1690,6 +1700,22 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>NeverPlaceCookiesOnNFS</term>
<listitem>
<synopsis>NeverPlaceCookiesOnNFS=true</synopsis>
<para>
Normally if this is true (which is by default), GDM will not place
cookies into the users home directory if this directory is on NFS.
Well, GDM will consider any filesystem with root-squashing an NFS
filesystem. Sometimes however the remote file system can have
root squashing and be safe (perhaps by using encryption). In this
case set this to 'false'. Note that this option appeared in
version 2.4.4.4 and is ignored in previous versions.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>RelaxPermissions</term>
......
......@@ -1243,9 +1243,7 @@ main (int argc, char *argv[])
gdm_wm_screen.height,
&error);
if G_UNLIKELY (root == NULL &&
g_getenv ("GDM_THEME") != NULL &&
DOING_GDM_DEVELOPMENT)
if G_UNLIKELY (root == NULL)
{
GtkWidget *dialog;
char *s;
......@@ -1254,7 +1252,7 @@ main (int argc, char *argv[])
gdm_wm_init (0);
gdm_wm_focus_new_windows (TRUE);
tmp = ve_filename_to_utf8 (g_getenv ("GDM_THEME"));
tmp = ve_filename_to_utf8 (ve_sure_string (GdmGraphicalTheme));
s = g_strdup_printf (_("There was an error loading the "
"theme %s"), tmp);
g_free (tmp);
......@@ -1274,7 +1272,10 @@ main (int argc, char *argv[])
gtk_dialog_run (GTK_DIALOG (dialog));
exit(1);
if (DOING_GDM_DEVELOPMENT)
{
exit (1);
}
}
if G_UNLIKELY (error)
......@@ -1326,7 +1327,7 @@ main (int argc, char *argv[])
if G_UNLIKELY (DOING_GDM_DEVELOPMENT && root == NULL)
{
g_warning ("No theme could be loaded");
exit(1);
exit (1);
}
if G_UNLIKELY (root == NULL)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment