Bug 436230

Summary: (ldm) implement proper use of xauth
Product: Fedora
Component: ldm
Status: CLOSED RAWHIDE
Severity: high
Priority: medium
Version: rawhide
Hardware: All
OS: Linux
Reporter: Warren Togami <wtogami>
Assignee: Warren Togami <wtogami>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: a.badger, eharrison, ma, xgl-maint
Doc Type: Bug Fix
Last Closed: 2008-03-23 22:56:25 UTC
Bug Blocks: 188611

Description Warren Togami 2008-03-06 00:26:00 UTC
http://bazaar.launchpad.net/~ltsp-upstream/ltsp/ldm-trunk/annotate/?file_id=ldm.c-20070611142051-jkh2vwmsp70sequl-32
create_xauth()
{
    GPid xauthpid;
    int status;

    /* ask the running server for a new cookie via the Security extension */
    char *xauth_command[] = {
       "/usr/bin/xauth",
       "-i",
       "-n",
       "-f",
       ldminfo.authfile,
       "generate",
       ldminfo.display,
       NULL };

    /* retry once a second until xauth exits 0 */
    do {
        sleep(1);
        xauthpid = ldm_spawn(xauth_command);
        status = ldm_wait(xauthpid);
    } while (status);
}

On F-8 this works fine, but on F-9 xauth exits with an error return value.

xauth-1.0.2/process.c:
    status = XSecurityQueryExtension(dpy, &major_version, &minor_version);
    if (!status)
    {
        prefix (inputfilename, lineno);
        fprintf (stderr, "couldn't query Security extension on display \"%s\"\n",
                 displayname);
        return 1;
    }

It is failing here on F-9.

#xorg-devel
<airlied> warren: the security framework was redesigned from scratch pretty much
<alanc> XC-Security was reimplemented using XACE, but XACE has no protocol, just a server framework for extensions like XC-Security/SELinux/TrustedSolaris to add checks

kernel-2.6.25-0.90.rc3.git5.fc9.i586
xorg-x11-server-Xorg-1.4.99.900-0.28.20080304.fc9.i386
xorg-x11-xauth-1.0.2-4.fc9.i386
libselinux-2.0.59-1.fc9.i386

This happens on a thin client running these packages and selinux=0.  There are
no selinux-policy* packages installed, and the filesystem is unlabeled.

This is a blocker for LTSP in Fedora 9.

Comment 1 Adam Jackson 2008-03-06 19:09:20 UTC
Yep, the security extension is gone, intentionally.

It looks like you're just using it to create a new auth cookie.  You should
instead do what every other display manager does: create the auth cookie ahead
of time, and invoke the server with it.  See the code in startx(1) for an
example, or the mkxauth(1) utility.

Comment 2 Chuck Ebbert 2008-03-08 02:39:05 UTC
runxas does that too.

(We should be packaging that script with Fedora BTW)


Comment 3 Ray Strode [halfline] 2008-03-08 18:10:14 UTC
Well that code is just spawning /usr/bin/xauth

Either /usr/bin/xauth needs to be fixed, or ldm needs to be changed not to use
xauth and xauth needs to deprecate that command line option.



Comment 4 Warren Togami 2008-03-10 05:31:33 UTC
xauth itself doesn't need fixing.  It turns out that 1) ldm was never doing
xauth properly and 2) ldm was running X with the incredibly stupid -ac
parameter, so #1 didn't matter.

ldm needs to be fixed to use xauth properly.
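As an added illustration of the approach Adam describes in comment 1 (create the cookie first, then start the server with it) and of the -ac problem in comment 4, this is not ldm's code nor anything posted in this bug. The display number :7, the vt7 argument and the use of a temporary file are assumptions; -nolisten tcp is included only as a customary hardening flag.

```shell
#!/bin/sh
# Added example, not ldm code: generate an MIT-MAGIC-COOKIE-1 before the X
# server starts and pass it with -auth, the way startx(1) does, instead of
# starting X with -ac (no access control) and asking the server for a cookie
# afterwards with "xauth generate".
set -e

# 128-bit cookie as 32 lowercase hex digits (the same thing mcookie(1) prints).
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Write a fresh, owner-only authority file holding the cookie for display $1.
# Needs xauth(1).  The file is truncated first so a stale cookie never survives.
write_authfile() {
    display=$1; authfile=$2; cookie=$3
    (umask 077; : > "$authfile")
    xauth -q -f "$authfile" add "$display" MIT-MAGIC-COOKIE-1 "$cookie"
}

# Server arguments: -auth turns cookie checking on, so -ac must not appear.
x_server_args() {
    display=$1; authfile=$2; vt=$3
    printf '%s -auth %s %s -nolisten tcp\n' "$display" "$authfile" "$vt"
}

# Demonstration (skipped where xauth is not installed); X itself is not started.
if command -v xauth >/dev/null 2>&1; then
    authfile=$(mktemp)
    write_authfile :7 "$authfile" "$(gen_cookie)"
    echo "would run: X $(x_server_args :7 "$authfile" vt7)"
    xauth -f "$authfile" list
    rm -f "$authfile"
fi
```

The order matters: the cookie exists in the file before the server reads it, so the first client to connect is already subject to access control and there is no window in which -ac would have let any local user attach to the display.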

Comment 5 Warren Togami 2008-03-19 20:52:56 UTC

if [ -f /etc/lts.conf ]; then
    eval $(getltscfg -a) || true
fi

if [ -n "$LDM_DIRECTX" ]; then
    PROTOCOL=$(xauth list | awk '{print $2}')
    KEY=$(xauth list | awk '{print $3}')

    echo $DISPLAY $LDMINFO_IPADDR $PROTOCOL $KEY >> /tmp/foople
    ssh -S ${LDM_SOCKET} ${LDM_SERVER} \
        "xauth remove ${LDMINFO_IPADDR}${DISPLAY}" >> /tmp/foople
    ssh -S ${LDM_SOCKET} ${LDM_SERVER} \
        "xauth add ${LDMINFO_IPADDR}${DISPLAY} ${PROTOCOL} ${KEY}" >> /tmp/foople
fi


Example code from sbalneav.
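An added example of the same cookie hand-off to the LTSP server, written here as a defender's tightening of the script above; it is not sbalneav's or ldm's code. It keeps the variable names from the script (LDM_SERVER, LDM_SOCKET, LDMINFO_IPADDR, DISPLAY) and differs in two places: the cookie is looked up for the named display rather than taken from the first line of `xauth list`, and the protocol and key are checked to be plain tokens before they are placed in the remote command string. The IP 192.0.2.10 and display :7 used for illustration are constructed values.

```shell
#!/bin/sh
# Added example, not ldm code: copy the thin client's X cookie for $DISPLAY to
# the LTSP server so a session there may open the client's display.

# Display name as the server must store it: client IP plus the display number,
# dropping any host part DISPLAY may already carry (e.g. "localhost:7.0").
remote_display_name() {
    ip=$1; display=$2
    case $display in *:*) ;; *) return 1;; esac
    printf '%s:%s\n' "$ip" "${display#*:}"
}

# Accept only the two cookie protocols xauth normally stores and a hex key, so
# nothing unexpected ends up inside the string ssh hands to the remote shell.
valid_cookie() {
    protocol=$1; key=$2
    case $protocol in MIT-MAGIC-COOKIE-1|XDM-AUTHORIZATION-1) ;; *) return 1;; esac
    printf '%s\n' "$key" | grep -Eq '^[0-9a-f]+$'
}

# Print "PROTOCOL KEY" for the entry matching $1; fail if there is none.
local_cookie() {
    display=$1
    set -- $(xauth list "$display" | head -n 1)
    [ $# -eq 3 ] || return 1
    valid_cookie "$2" "$3" || return 1
    printf '%s %s\n' "$2" "$3"
}

# Replace the server-side entry for this client display with the current key.
push_cookie() {
    name=$(remote_display_name "$LDMINFO_IPADDR" "$DISPLAY") || return 1
    cookie=$(local_cookie "$DISPLAY") || return 1
    set -- $cookie
    ssh -S "$LDM_SOCKET" "$LDM_SERVER" \
        "xauth remove $name; xauth add $name $1 $2"
}

# Usage, as the script above would call it:
#   [ -n "$LDM_DIRECTX" ] && push_cookie
```

Validating the key before interpolating it costs one grep and removes the one place where data read from a file on the client is spliced into a command executed on the server.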

Comment 6 Warren Togami 2008-03-23 22:56:25 UTC
The minimum to get this feature is now in ldm-trunk.  Further cleanups ensue.