Bug 436230 - (ldm) implement proper use of xauth
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: ldm
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: high
Assigned To: Warren Togami
QA Contact: Fedora Extras Quality Assurance
Blocks: K12LTSP
Reported: 2008-03-05 19:26 EST by Warren Togami
Modified: 2008-03-23 18:56 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-03-23 18:56:25 EDT
Description Warren Togami 2008-03-05 19:26:00 EST
http://bazaar.launchpad.net/~ltsp-upstream/ltsp/ldm-trunk/annotate/?file_id=ldm.c-20070611142051-jkh2vwmsp70sequl-32
create_xauth()
{
    GPid xauthpid;
    int status;

    char *xauth_command[] = {
        "/usr/bin/xauth",
        "-i",
        "-n",
        "-f",
        ldminfo.authfile,
        "generate",
        ldminfo.display,
        NULL };

    /* ... */

    do {
        sleep(1);
        xauthpid = ldm_spawn(xauth_command);
        status = ldm_wait(xauthpid);
    } while (status);
}

On F-8 this works fine, but F-9 xauth exits with an error return value.

xauth-1.0.2/process.c:
    status = XSecurityQueryExtension(dpy, &major_version, &minor_version);
    if (!status)
    {
        prefix (inputfilename, lineno);
        fprintf (stderr, "couldn't query Security extension on display \"%s\"\n",
                 displayname);
        return 1;
    }

It is failing here on F-9.

#xorg-devel
<airlied> warren: the security framework was redesigned from scratch pretty much
<alanc> XC-Security was reimplemented using XACE, but XACE has no protocol, just a
server framework for extensions like XC-Security/SELinux/TrustedSolaris to add
checks

kernel-2.6.25-0.90.rc3.git5.fc9.i586
xorg-x11-server-Xorg-1.4.99.900-0.28.20080304.fc9.i386
xorg-x11-xauth-1.0.2-4.fc9.i386
libselinux-2.0.59-1.fc9.i386

This happens on a thin client running these packages and selinux=0.  There are
no selinux-policy* packages installed, and the filesystem is unlabeled.

This is a blocker for LTSP in Fedora 9.
Comment 1 Adam Jackson 2008-03-06 14:09:20 EST
Yep, the security extension is gone, intentionally.

It looks like you're just using it to create a new auth cookie.  You should
instead do what every other display manager does: create the auth cookie ahead
of time, and invoke the server with it.  See the code in startx(1) for an
example, or the mkxauth(1) utility.
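
The approach described in comment 1, as an added example that is not part of the bug report and is not ldm's code: POSIX shell functions, modeled on what startx does, that create the cookie and a private authority file before the server starts. The function names, the temporary file name and display `:7` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: create the X auth cookie before the server starts,
# instead of asking a running server for one with "xauth generate".

# 128 random bits as 32 hex digits, the form xauth expects for a
# MIT-MAGIC-COOKIE-1 key.
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# new_authfile DISPLAY: create a private authority file holding a fresh
# cookie for DISPLAY and print its path on stdout.
new_authfile() {
    na_display=$1
    # mktemp creates the file with mode 0600; umask 077 is a second guard.
    na_file=$(umask 077; mktemp "${TMPDIR:-/tmp}/xauth.XXXXXX") || return 1
    na_cookie=$(gen_cookie)
    if [ "${#na_cookie}" -ne 32 ]; then
        rm -f "$na_file"
        return 1
    fi
    # Feed the key on stdin so it never appears in the process list.
    # "." is xauth shorthand for MIT-MAGIC-COOKIE-1.
    xauth -q -f "$na_file" <<EOF || { rm -f "$na_file"; return 1; }
add $na_display . $na_cookie
EOF
    printf '%s\n' "$na_file"
}

# Typical use (assumed display :7), left commented out so that sourcing
# this file starts nothing:
#   authfile=$(new_authfile :7) || exit 1
#   X :7 -auth "$authfile" &                 # no -ac: access control stays on
#   XAUTHORITY=$authfile; export XAUTHORITY  # local clients use the same cookie
```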
Comment 2 Chuck Ebbert 2008-03-07 21:39:05 EST
runxas does that too.

(We should be packaging that script with Fedora BTW)
Comment 3 Ray Strode [halfline] 2008-03-08 13:10:14 EST
Well that code is just spawning /usr/bin/xauth

Either /usr/bin/xauth needs to be fixed, or ldm needs to be changed not to use
xauth and xauth needs to deprecate that command line option.

Comment 4 Warren Togami 2008-03-10 01:31:33 EDT
xauth itself doesn't need fixing.  It turns out that 1) ldm was never doing
xauth properly and 2) ldm was running X with the incredibly stupid -ac
parameter, so #1 didn't matter.

ldm needs to be fixed to use xauth properly.
Comment 5 Warren Togami 2008-03-19 16:52:56 EDT

if [ -f /etc/lts.conf ]; then
    eval $(getltscfg -a) || true
fi

# With LDM_DIRECTX set, copy the thin client's X cookie to the server
# through the existing ssh control socket.
if [ -n "$LDM_DIRECTX" ]; then
    PROTOCOL=$(xauth list | awk '{print $2}')
    KEY=$(xauth list | awk '{print $3}')

    # Debug trace; note that this writes the cookie to /tmp/foople.
    echo $DISPLAY $LDMINFO_IPADDR $PROTOCOL $KEY >> /tmp/foople
    ssh -S ${LDM_SOCKET} ${LDM_SERVER} \
        "xauth remove ${LDMINFO_IPADDR}${DISPLAY}" >> /tmp/foople
    ssh -S ${LDM_SOCKET} ${LDM_SERVER} \
        "xauth add ${LDMINFO_IPADDR}${DISPLAY} ${PROTOCOL} ${KEY}" >> /tmp/foople
fi


Example code from sbalneav.
Comment 6 Warren Togami 2008-03-23 18:56:25 EDT
The minimum to get this feature is now in ldm-trunk.  Further cleanups ensue.