Bug 436230 - (ldm) implement proper use of xauth
Product: Fedora
Classification: Fedora
Component: ldm
Hardware: All Linux
Priority: medium, Severity: high
Assigned To: Warren Togami
Fedora Extras Quality Assurance
Blocks: K12LTSP
Reported: 2008-03-05 19:26 EST by Warren Togami
Modified: 2008-03-23 18:56 EDT
Doc Type: Bug Fix
Last Closed: 2008-03-23 18:56:25 EDT
Description Warren Togami 2008-03-05 19:26:00 EST
create_xauth()
{
    GPid xauthpid;
    int status;

    /* "xauth generate" asks the running X server to create the cookie */
    char *xauth_command[] = {
        "/usr/bin/xauth",
        "-i",
        "-n",
        "-f",
        ldminfo.authfile,
        "generate",
        ldminfo.display,
        NULL };

    /* Retry once a second until xauth exits with status 0 */
    do {
        sleep(1);
        xauthpid = ldm_spawn(xauth_command);
        status = ldm_wait(xauthpid);
    } while (status);
}

On F-8 this works fine, but F-9 xauth exits with an error return value.

    status = XSecurityQueryExtension(dpy, &major_version, &minor_version);
    if (!status)
        prefix (inputfilename, lineno);
        fprintf (stderr, "couldn't query Security extension on display \"%s\"\n",
        return 1;

It is failing here on F-9.

<airlied> warren: the security framework was redesigned from scratch pretty much
<alanc> XC-Security was reimplemented using XACE, but XACE has no protocol, just a
server framework for extensions like XC-Security/SELinux/TrustedSolaris to add


This happens on a thin client running these packages and selinux=0.  There are
no selinux-policy* packages installed, and the filesystem is unlabeled.

This is a blocker for LTSP in Fedora 9.
Comment 1 Adam Jackson 2008-03-06 14:09:20 EST
Yep, the security extension is gone, intentionally.

It looks like you're just using it to create a new auth cookie.  You should
instead do what every other display manager does: create the auth cookie ahead
of time, and invoke the server with it.  See the code in startx(1) for an
example, or the mkxauth(1) utility.
Comment 2 Chuck Ebbert 2008-03-07 21:39:05 EST
runxas does that too.

(We should be packaging that script with Fedora BTW)
Comment 3 Ray Strode [halfline] 2008-03-08 13:10:14 EST
Well that code is just spawning /usr/bin/xauth

Either /usr/bin/xauth needs to be fixed, or ldm needs to be changed not to use
xauth and xauth needs to deprecate that command line option.

Comment 4 Warren Togami 2008-03-10 01:31:33 EDT
xauth itself doesn't need fixing.  It turns out that 1) ldm was never doing
xauth properly and 2) ldm was running X with the incredibly stupid -ac
parameter, so #1 didn't matter.

ldm needs to be fixed to use xauth properly.
Comment 5 Warren Togami 2008-03-19 16:52:56 EDT

if [ -f /etc/lts.conf ]; then
    eval $(getltscfg -a) || true
fi

if [ -n "$LDM_DIRECTX" ]; then
    # Protocol name and key from the thin client's xauth entry
    PROTOCOL=$(xauth list | awk '{print $2}')
    KEY=$(xauth list | awk '{print $3}')

    # Debug output; note that this also writes the key to a file in /tmp
    echo $DISPLAY $LDMINFO_IPADDR $PROTOCOL $KEY >> /tmp/foople
    # Replace the entry for this display in the authority file on the server
    ssh -S ${LDM_SOCKET} ${LDM_SERVER} \
        "xauth remove ${LDMINFO_IPADDR}${DISPLAY}" >> /tmp/foople
    ssh -S ${LDM_SOCKET} ${LDM_SERVER} \
        "xauth add ${LDMINFO_IPADDR}${DISPLAY} ${PROTOCOL} ${KEY}" >> /tmp/foopl
fi

Example code from sbalneav.
Comment 6 Warren Togami 2008-03-23 18:56:25 EDT
The minimum to get this feature is now in ldm-trunk.  Further cleanups ensue.
