ports/157282: [MAINTAINER PATCH] net/xrdp: effective login name is not set by xrdp-sesman

Iwao, Koichiro meta at club.kyutech.ac.jp
Mon May 23 20:40:10 UTC 2011


>Number:         157282
>Category:       ports
>Synopsis:       [MAINTAINER PATCH] net/xrdp: effective login name is not set by xrdp-sesman
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 23 20:40:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Iwao, Koichiro
>Release:        FreeBSD 8.2-RELEASE-p1 amd64
>Organization:
Kyushu Institute of Technology
>Environment:
System: FreeBSD rose.club.kyutech.ac.jp 8.2-RELEASE-p1 FreeBSD 8.2-RELEASE-p1 #1: Mon Apr 25 03:31:52 JST 2011 root at rose.club.kyutech.ac.jp:/usr/obj/usr/src/sys/MASAKIKERNEL amd64


>Description:
xrdp is originally made for Linux, handling setlogin/getlogin is not enough for *BSD.
Some programs like mysql fail to get actual username.
Also, this may cause a security issue like FreeBSD-SA-02:07.k5su due to setlogin system call.
http://security.freebsd.org/advisories/FreeBSD-SA-02:07.k5su.asc

Added file:
 - files/patch-sesman__session.c

>How-To-Repeat:
Login to the host via xrdp, run `id -p` on xterm, the login name will be wrong.

The result will be:
$ id -p
login	root
uid	meta
groups	meta

ex) mysql gets username as 'root' even if the actual user is not root:
$ whoami
meta
$ mysql
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

Login shuld be as same as uid:
$ id -p
uid	meta
groups	meta

>Fix:
See attached patch.

--- patch-sesman__session.c begins here ---
--- sesman/session.c.orig	2011-03-12 16:10:35.000000000 +0900
+++ sesman/session.c	2011-05-24 04:45:59.000000000 +0900
@@ -16,7 +16,47 @@
    xrdp: A Remote Desktop Protocol server.
    Copyright (C) Jay Sorg 2005-2008
 */
-
+/*
+ * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ * SSH2 support by Markus Friedl.
+ * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright (c) 2011 Koichiro Iwao <meta at club.kyutech.ac.jp>, 
+ *                    Kyushu Institute of Technology.
+ *                    All rights reserved.
+ *
+ * 	from: OpenBSD: session.c,v 1.252 2010/03/07 11:57:13 dtucker Exp
+ *            with some ideas about process grouping from OpenSSH to xrdp
+ * 	       
+ */
 /**
  *
  * @file session.c
@@ -373,6 +413,23 @@
     g_sprintf(geometry, "%dx%d", width, height);
     g_sprintf(depth, "%d", bpp);
     g_sprintf(screen, ":%d", display);
+#ifdef __FreeBSD__
+    /*
+     * Create a new session and process group since 4.4BSD 
+     * setlogin affects the entire process group.
+     */
+    if (setsid() < 0)
+    {
+      log_message(&(g_cfg->log), LOG_LEVEL_ERROR,
+        "setsid failed: %.100s", strerror(errno));
+    }
+
+    if (setlogin(username) < 0)
+    {
+      log_message(&(g_cfg->log), LOG_LEVEL_ERROR,
+        "setlogin failed: %.100s", strerror(errno));
+    }
+#endif
     wmpid = g_fork();
     if (wmpid == -1)
     {
--- patch-sesman__session.c ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:



More information about the freebsd-ports-bugs mailing list