http://bazaar.launchpad.net/~ltsp-upstream/ltsp/ldm-trunk/annotate/?file_id=ldm.c-20070611142051-jkh2vwmsp70sequl-32

    create_xauth()
    {
        GPid xauthpid;
        int status;

        char *xauth_command[] = {
            "/usr/bin/xauth",
            "-i",
            "-n",
            "-f",
            ldminfo.authfile,
            "generate",
            ldminfo.display,
            NULL };

        do {
            sleep(1);
            xauthpid = ldm_spawn(xauth_command);
            status = ldm_wait(xauthpid);
        } while (status);
    }

On F-8 this works fine, but on F-9 xauth exits with an error return value.

xauth-1.0.2/process.c:

    status = XSecurityQueryExtension(dpy, &major_version, &minor_version);
    if (!status) {
        prefix (inputfilename, lineno);
        fprintf (stderr, "couldn't query Security extension on display \"%s\"\n",
                 displayname);
        return 1;
    }

It is failing here on F-9.

#xorg-devel
<airlied> warren: the security framework was redesigned from scratch pretty much
<alanc> XC-Security was reimplemented using XACE, but XACE has no protocol, just a server framework for extensions like XC-Security/SELinux/TrustedSolaris to add checks

kernel-2.6.25-0.90.rc3.git5.fc9.i586
xorg-x11-server-Xorg-1.4.99.900-0.28.20080304.fc9.i386
xorg-x11-xauth-1.0.2-4.fc9.i386
libselinux-2.0.59-1.fc9.i386

This happens on a thin client running these packages and selinux=0. There are no selinux-policy* packages installed, and the filesystem is unlabeled.

This is a blocker for LTSP in Fedora 9.
Yep, the security extension is gone, intentionally. It looks like you're just using it to create a new auth cookie. You should instead do what every other display manager does: create the auth cookie ahead of time, and invoke the server with it. See the code in startx(1) for an example, or the mkxauth(1) utility.
runxas does that too. (We should be packaging that script with Fedora BTW)
Well, that code is just spawning /usr/bin/xauth. Either /usr/bin/xauth needs to be fixed, or ldm needs to be changed not to use xauth and xauth needs to deprecate that command line option.
xauth itself doesn't need fixing. It turns out that 1) ldm was never doing xauth properly and 2) ldm was running X with the incredibly stupid -ac parameter, so #1 didn't matter. ldm needs to be fixed to use xauth properly.
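A sketch of the approach recommended earlier in this thread (create the cookie ahead of time, then start the server with it), added here as an example; it is not ldm's code. It writes a one-entry authority file by hand in the Xauthority record layout instead of spawning xauth. The function name `write_xauth_cookie` and its parameters are hypothetical, and the X server is assumed to be started afterwards with `-auth <path>` and without `-ac`.

```c
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define FAMILY_LOCAL 256   /* FamilyLocal in <X11/Xauth.h> */
#define COOKIE_LEN   16    /* MIT-MAGIC-COOKIE-1 carries 128 bits */

/* Append one counted field: 2-byte big-endian length, then the bytes. */
static size_t put_field(uint8_t *out, const void *data, size_t len)
{
    out[0] = (uint8_t)(len >> 8);
    out[1] = (uint8_t)len;
    memcpy(out + 2, data, len);
    return len + 2;
}

/* Hypothetical helper: returns 0 and fills cookie_out, or -1 on any error. */
int write_xauth_cookie(const char *path, const char *host, const char *dpy,
                       uint8_t cookie_out[COOKIE_LEN])
{
    static const char name[] = "MIT-MAGIC-COOKIE-1";
    uint8_t buf[512] = { FAMILY_LOCAL >> 8, FAMILY_LOCAL & 0xff };
    size_t n = 2;          /* record starts with the family, big-endian */
    ssize_t got;
    int fd;
    if (strlen(host) > 255 || strlen(dpy) > 15)
        return -1;
    /* Cookie bytes come from the kernel CSPRNG, never rand() or the clock. */
    if ((fd = open("/dev/urandom", O_RDONLY)) < 0)
        return -1;
    got = read(fd, cookie_out, COOKIE_LEN);
    close(fd);
    if (got != COOKIE_LEN)
        return -1;
    n += put_field(buf + n, host, strlen(host));
    n += put_field(buf + n, dpy, strlen(dpy));
    n += put_field(buf + n, name, sizeof(name) - 1);
    n += put_field(buf + n, cookie_out, COOKIE_LEN);
    /* O_EXCL rejects an existing file or symlink; 0600 keeps the cookie private. */
    if ((fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        return -1;
    got = write(fd, buf, n);
    close(fd);
    if (got != (ssize_t)n)
        unlink(path);
    return got == (ssize_t)n ? 0 : -1;
}
```

The same cookie bytes returned in `cookie_out` are what a client must present, so anything that copies them elsewhere needs the same file permissions.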
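    # Load the LTSP client configuration, if present
    if [ -f /etc/lts.conf ]; then
        eval $(getltscfg -a) || true
    fi

    if [ -n "$LDM_DIRECTX" ]; then
        # Read the protocol name and key of the local display's xauth entry
        PROTOCOL=$(xauth list | awk '{print $2}')
        KEY=$(xauth list | awk '{print $3}')
        # Debug trace (includes the cookie value)
        echo $DISPLAY $LDMINFO_IPADDR $PROTOCOL $KEY >> /tmp/foople
        # Replace the server-side entry for this client's display over the ssh control socket
        ssh -S ${LDM_SOCKET} ${LDM_SERVER} \
            "xauth remove ${LDMINFO_IPADDR}${DISPLAY}" >> /tmp/foople
        ssh -S ${LDM_SOCKET} ${LDM_SERVER} \
            "xauth add ${LDMINFO_IPADDR}${DISPLAY} ${PROTOCOL} ${KEY}" >> /tmp/foople
    fi

Example code from sbalneav.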
The minimum to get this feature is now in ldm-trunk. Further cleanups ensue.