diff options
author | Roland Mainz <roland.mainz@nrubsig.org> | 2004-09-17 22:24:35 +0000 |
---|---|---|
committer | Roland Mainz <roland.mainz@nrubsig.org> | 2004-09-17 22:24:35 +0000 |
commit | 0c6bc8884219683a333f2dca99a4029baeee3d27 (patch) | |
tree | b23bb8450e09e2975ad15b4ef114abbc5ce0ff02 | |
parent | 48a4e02907610d9d8f15a0823484f16f946fe170 (diff) |
Fix for http://freedesktop.org/bugzilla/show_bug.cgi?id=1407 - Addingsco_port_update-baseXORG-6_8_99_903XORG-6_8_99_902XORG-6_8_99_901XORG-6_8_99_900XORG-6_8_99_9XORG-6_8_99_8XORG-6_8_99_7XORG-6_8_99_6XORG-6_8_99_5XORG-6_8_99_4XORG-6_8_99_3XORG-6_8_99_2XORG-6_8_99_16XORG-6_8_99_15XORG-6_8_99_14XORG-6_8_99_13XORG-6_8_99_12XORG-6_8_99_11XORG-6_8_99_10XORG-6_8_99_1
simple helper script which switches the current user authentification
from MIT-MAGIC-COOKIE-1 to SUN-DES-1 if this authentification scheme is
available.
-rwxr-xr-x | xauth_switch_to_sun-des-1.cpp | 174 |
1 files changed, 174 insertions, 0 deletions
diff --git a/xauth_switch_to_sun-des-1.cpp b/xauth_switch_to_sun-des-1.cpp new file mode 100755 index 0000000..3e5850f --- /dev/null +++ b/xauth_switch_to_sun-des-1.cpp @@ -0,0 +1,174 @@ +XCOMM!/bin/ksh +XCOMM X11 MIT-MAGIC-COOKIE to SUN-DES-1 auth. +XCOMM this script switched the current Xservers authentification +XCOMM (usually MIT-MAGIC-COOKIE-1) to SUN-DES-1. +XCOMM +XCOMM +XCOMM Copyright 2002-2004 by Roland Mainz <roland.mainz@nrubsig.org>. +XCOMM +XCOMM +XCOMM Requirements: +XCOMM - Solaris/Linux/AIX running as NIS+ client (YP/LDAP not supported yet) +XCOMM - user must have proper credentials ("SecureRPC") +XCOMM - script must be able to "guess" the UID of the Xserver +XCOMM +XCOMM Advantages: +XCOMM - User may allow other users to gain access via +XCOMM % xhost +jigsaw@ +XCOMM instead of moving 128bit cookies +XCOMM +XCOMM Known bugs: +XCOMM - Was not tested on Linux since several months + +/* Avoid problems with CPP processing */ +#undef unix + +umask 077 +XCOMM force POSIX binaries +export PATH=/usr/xpg4/bin:/usr/bin:/usr/dt/bin:/usr/openwin/bin + +XCOMM debug +alias xxdebug=true +XCOMM alias xxdebug= + +XCOMM get full qualified domain name +getFQDN() +{ + getent hosts ${1} | awk "{print \$2}" - +} + +user2netname() +{ + UID=$(id -u $1) + DOMAINNAME=$(domainname) + if [ $UID != 0 ] ; then + netname=unix.$UID@$DOMAINNAME + else + netname=unix.$HOSTNAME@$DOMAINNAME + fi + + # BUG: SecureRPC isn't limited to NIS+ + # (but there is no "getent publickey ...") ... + # ToDo: + # - YP name is "publickey.byname" + # - What name does LDAP use ? + if [ "`nismatch "auth_name=$netname" cred.org_dir`" != "" ] ; then + echo "$netname" + else + echo "user ${UID} has no entry in cred.org_dir" >&2 + return 1 + fi + + return 0 +} + + +XCOMM pid to username +getUserOfPID() +{ + ps -p $1 -o user,pid | awk "NR != 1 {print \$1}" - +} + +XCOMM test if we can access $DISPLAY via SUN-DES-1 auth. using a temporary +XCOMM Xauthority file +dry_run() +{ +( + principal="$1" + # XAUTHORITY may not be defined + if [ "$XAUTHORITY" = "" ] ; then + export XAUTHORITY=~/.Xauthority + fi + + ORIGINAL_XAUTHORITY="${XAUTHORITY:-~/.Xauthority}" + TMP_XAUTHORITY=/tmp/mit-cookie2sun-des-1tmpxauth_${LOGNAME}_${RANDOM}.xauth + export XAUTHORITY="$TMP_XAUTHORITY" + touch "$XAUTHORITY" + + (echo "add $displayhost/unix:$displaynum SUN-DES-1 $principal" ; + echo "add $displayhost:$displaynum SUN-DES-1 $principal" + ) | xauth source - + + # check if a sample X11 app. (/usr/openwin/bin/xset) can access Xserver... + if ! xset q 2>/dev/null 1>/dev/null ; then + # clean-up + rm -f "$TMP_XAUTHORITY" + return 1 + fi + + rm -f "$TMP_XAUTHORITY" + + return 0 +) +} + +XCOMM main + +HOSTNAME=$(hostname) +FQDN=$(getFQDN $HOSTNAME) + +XCOMM be sure that DISPLAY contains the host name +XCOMM BUGs: +XCOMM - this does _not_ catch non-tcp connections (like DECnet). +XCOMM - this may not work with IPv6 addresses +displayhost=${DISPLAY%:*} +displaynum=$(x=${DISPLAY#*:}; echo ${x%.*}) +if [ "$displayhost" == "" -o "$displayhost" == "localhost" ] ; then + # fix DISPLAY + export DISPLAY="${FQDN}:${DISPLAY#*:}" + displayhost=${DISPLAY%:*} +fi + + +XCOMM grant access for current user and for user root +XCOMM (a bug in /usr/dt/bin/dtaction requires this for user "root", too - +XCOMM Solaris 7/8 dtaction runns setuid root and opens a display connection +XCOMM before chaning the EUID to the "destination uid"... ;-( ). +xhost +${LOGNAME}@ +$(user2netname root) + +XCOMM get X server principal(=user) +XCOMM this may fail if user isn't local +XCOMM unfortunately we cannot get the Xserver PID with a simply API - we +XCOMM have to "guess" in this case. "pgrep" creates a list of PIDs which may +XCOMM match. Then we create a list of all matching "principals" and test +XCOMM them - item by item... +XCOMM ... step 1: Create list of principals +principal_list="" # you can add "most common" principals here... +fallback_principal_list="" # you can add "fallback" principals here + # (for example, principals for Xterminals (where + # the Xserver always runns under the same UID) + # which use SUN-DES-1) +for i in $(pgrep -f ".*X.* :$displaynum*") ; do + principal_list="$(user2netname `getUserOfPID $i`) ${principal_list}" +done + +xxdebug echo "principal_list=${principal_list}" + +XCOMM ... step 2: Test the list of principals +for PRINCIPAL in ${principal_list} ${fallback_principal_list} ; do + # make a "dry run" and test whether we really can use SUN-DES-1 auth. + # for this display using the given principal + if dry_run "${PRINCIPAL}" ; then + # remove old MIT-MAGIC-COOKIES and insert SUN-DES-1 cookies + # Users ~/.Xauthority _must_ be changed in _one_ step to avoid + # possible race conditions when switching auth. on a "live" + # $DISPLAY... + (echo "remove $displayhost/unix:$displaynum" ; + echo "remove $displayhost:$displaynum" ; + echo "add $displayhost/unix:$displaynum SUN-DES-1 $PRINCIPAL" ; + echo "add $displayhost:$displaynum SUN-DES-1 $PRINCIPAL" + ) | xauth source - + + # success. + xxdebug echo "success." + exit 0 + fi +done + +echo "${0}: failure; could not establish SUN-DES-1 auth. on $DISPLAY" >&2 +xhost -$LOGNAME@ -$(user2netname root) + +XCOMM failure. +xxdebug echo failure. +exit 1 +XCOMM EOF. |