Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Vogtinator:boo1225774-sp6
plasma5-workspace.openSUSE_Backports_SLE-15-SP6_Update
0001-Authenticate-local-clients.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-Authenticate-local-clients.patch of Package plasma5-workspace.openSUSE_Backports_SLE-15-SP6_Update
From e6f05ccc17cc728b1dcb0fd179a495650b513f0c Mon Sep 17 00:00:00 2001 From: David Edmundson <kde@davidedmundson.co.uk> Date: Sat, 13 Apr 2024 23:07:19 +0100 Subject: [PATCH 1/2] Authenticate local clients ksmserver currently authenticates remote clients, but allows local connections through. This is a security risk that can allow another user on the same system to access the user's session management session without authentication. Co-authored-by: Fabian Vogt <fabian@ritter-vogt.de> --- ksmserver/server.cpp | 57 ++++---------------------------------------- 1 file changed, 5 insertions(+), 52 deletions(-) diff --git a/ksmserver/server.cpp b/ksmserver/server.cpp index 8a408cf73b..62bb8fb74d 100644 --- a/ksmserver/server.cpp +++ b/ksmserver/server.cpp @@ -158,15 +158,6 @@ static QTemporaryFile *remTempFile = nullptr; static IceListenObj *listenObjs = nullptr; int numTransports = 0; -static bool only_local = 0; - -static Bool HostBasedAuthProc(char * /*hostname*/) -{ - if (only_local) - return true; - else - return false; -} Status KSMRegisterClientProc(SmsConn /* smsConn */, SmPointer managerData, char *previousId) { @@ -311,33 +302,6 @@ static void write_iceauth(FILE *addfp, FILE *removefp, IceAuthDataEntry *entry) #define MAGIC_COOKIE_LEN 16 -Status SetAuthentication_local(int count, IceListenObj *listenObjs) -{ - int i; - for (i = 0; i < count; i++) { - char *prot = IceGetListenConnectionString(listenObjs[i]); - if (!prot) - continue; - char *host = strchr(prot, '/'); - char *sock = nullptr; - if (host) { - *host = 0; - host++; - sock = strchr(host, ':'); - if (sock) { - *sock = 0; - sock++; - } - } - qCDebug(KSMSERVER) << "KSMServer: SetAProc_loc: conn " << (unsigned)i << ", prot=" << prot << ", file=" << sock; - if (sock && !strcmp(prot, "local")) { - chmod(sock, 0700); - } - IceSetHostBasedAuthProc(listenObjs[i], HostBasedAuthProc); - free(prot); - } - return 1; -} Status SetAuthentication(int count, IceListenObj *listenObjs, IceAuthDataEntry **authDataEntries) { @@ -372,8 +336,6 @@ Status SetAuthentication(int count, IceListenObj *listenObjs, IceAuthDataEntry * write_iceauth(addAuthFile, remAuthFile, &(*authDataEntries)[i + 1]); IceSetPaAuthData(2, &(*authDataEntries)[i]); - - IceSetHostBasedAuthProc(listenObjs[i / 2], HostBasedAuthProc); } fclose(addAuthFile); fclose(remAuthFile); @@ -397,9 +359,6 @@ Status SetAuthentication(int count, IceListenObj *listenObjs, IceAuthDataEntry * void FreeAuthenticationData(int count, IceAuthDataEntry *authDataEntries) { /* Each transport has entries for ICE and XSMP */ - if (only_local) - return; - for (int i = 0; i < count * 2; i++) { free(authDataEntries[i].network_id); free(authDataEntries[i].auth_data); @@ -542,16 +501,14 @@ KSMServer::KSMServer(InitFlags flags) clientInteracting = nullptr; xonCommand = config.readEntry("xonCommand", "xon"); - only_local = flags.testFlag(InitFlag::OnlyLocal); #ifdef HAVE__ICETRANSNOLISTEN - if (only_local) + if (flags.testFlag(InitFlag::OnlyLocal)) { _IceTransNoListen("tcp"); -#else - only_local = false; + } #endif char errormsg[256]; - if (!SmsInitialize((char *)KSMVendorString, (char *)KSMReleaseString, KSMNewClientProc, (SmPointer)this, HostBasedAuthProc, 256, errormsg)) { + if (!SmsInitialize((char *)KSMVendorString, (char *)KSMReleaseString, KSMNewClientProc, (SmPointer)this, nullptr, 256, errormsg)) { qCWarning(KSMSERVER, "KSMServer: could not register XSM protocol"); } @@ -594,12 +551,8 @@ KSMServer::KSMServer(InitFlags flags) free(session_manager); } - if (only_local) { - if (!SetAuthentication_local(numTransports, listenObjs)) - qFatal("KSMSERVER: authentication setup failed."); - } else { - if (!SetAuthentication(numTransports, listenObjs, &authDataEntries)) - qFatal("KSMSERVER: authentication setup failed."); + if (!SetAuthentication(numTransports, listenObjs, &authDataEntries)) { + qFatal("KSMSERVER: authentication setup failed."); } IceAddConnectionWatch(KSMWatchProc, (IcePointer)this); -- 2.44.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor