Fix for http://freedesktop.org/bugzilla/show_bug.cgi?id=1407 - Addingsco_port_update-baseXORG-6_8_99_903XORG-6_8_99_902XORG-6_8_99_901XORG-6_8_99_900XORG-6_8_99_9XORG-6_8_99_8XORG-6_8_99_7XORG-6_8_99_6XORG-6_8_99_5XORG-6_8_99_4XORG-6_8_99_3XORG-6_8_99_2XORG-6_8_99_16XORG-6_8_99_15XORG-6_8_99_14XORG-6_8_99_13XORG-6_8_99_12XORG-6_8_99_11XORG-6_8_99_10XORG-6_8_99_1

    simple helper script which switches the current user authentification
    from MIT-MAGIC-COOKIE-1 to SUN-DES-1 if this authentification scheme is
    available.

1 files changed, 174 insertions, 0 deletions

diff --git a/xauth_switch_to_sun-des-1.cpp b/xauth_switch_to_sun-des-1.cpp
new file mode 100755
index 0000000..3e5850f
--- /dev/null
+++ b/xauth_switch_to_sun-des-1.cpp
@@ -0,0 +1,174 @@
+XCOMM!/bin/ksh
+XCOMM X11 MIT-MAGIC-COOKIE to SUN-DES-1 auth. 
+XCOMM this script switched the current Xservers authentification 
+XCOMM (usually MIT-MAGIC-COOKIE-1) to SUN-DES-1.
+XCOMM
+XCOMM
+XCOMM Copyright 2002-2004 by Roland Mainz <roland.mainz@nrubsig.org>.
+XCOMM
+XCOMM
+XCOMM Requirements:
+XCOMM - Solaris/Linux/AIX running as NIS+ client (YP/LDAP not supported yet)
+XCOMM - user must have proper credentials ("SecureRPC")
+XCOMM - script must be able to "guess" the UID of the Xserver
+XCOMM
+XCOMM Advantages:
+XCOMM - User may allow other users to gain access via
+XCOMM   % xhost +jigsaw@
+XCOMM   instead of moving 128bit cookies
+XCOMM
+XCOMM Known bugs:
+XCOMM - Was not tested on Linux since several months
+
+/* Avoid problems with CPP processing */
+#undef unix
+
+umask 077
+XCOMM force POSIX binaries
+export PATH=/usr/xpg4/bin:/usr/bin:/usr/dt/bin:/usr/openwin/bin
+
+XCOMM debug
+alias xxdebug=true
+XCOMM alias xxdebug=
+
+XCOMM get full qualified domain name
+getFQDN()
+{
+    getent hosts ${1} | awk "{print \$2}" - 
+}
+
+user2netname()
+{
+    UID=$(id -u $1)
+    DOMAINNAME=$(domainname)
+    if [ $UID != 0 ] ; then
+        netname=unix.$UID@$DOMAINNAME
+    else
+        netname=unix.$HOSTNAME@$DOMAINNAME
+    fi
+
+    # BUG: SecureRPC isn't limited to NIS+ 
+    #      (but there is no "getent publickey ...") ...
+    # ToDo:
+    # - YP name is "publickey.byname"
+    # - What name does LDAP use ?
+    if [ "`nismatch "auth_name=$netname" cred.org_dir`" != "" ] ; then
+        echo "$netname"
+    else
+        echo "user ${UID} has no entry in cred.org_dir" >&2
+        return 1
+    fi
+    
+    return 0
+}    
+
+
+XCOMM pid to username
+getUserOfPID()
+{
+    ps -p $1 -o user,pid | awk "NR != 1 {print \$1}" -
+}
+
+XCOMM test if we can access $DISPLAY via SUN-DES-1 auth. using a temporary
+XCOMM Xauthority file
+dry_run()
+{
+(
+  principal="$1"
+  # XAUTHORITY may not be defined
+  if [ "$XAUTHORITY" = "" ] ; then
+      export XAUTHORITY=~/.Xauthority
+  fi
+  
+  ORIGINAL_XAUTHORITY="${XAUTHORITY:-~/.Xauthority}"
+  TMP_XAUTHORITY=/tmp/mit-cookie2sun-des-1tmpxauth_${LOGNAME}_${RANDOM}.xauth
+  export XAUTHORITY="$TMP_XAUTHORITY"
+  touch "$XAUTHORITY"
+
+  (echo "add $displayhost/unix:$displaynum SUN-DES-1 $principal" ;
+   echo "add $displayhost:$displaynum SUN-DES-1 $principal"
+  ) | xauth source -
+  
+  # check if a sample X11 app. (/usr/openwin/bin/xset) can access Xserver...
+  if ! xset q 2>/dev/null 1>/dev/null ; then   
+    # clean-up
+    rm -f "$TMP_XAUTHORITY"
+    return 1
+  fi
+
+  rm -f "$TMP_XAUTHORITY"
+  
+  return 0
+)
+}
+
+XCOMM main
+
+HOSTNAME=$(hostname)
+FQDN=$(getFQDN $HOSTNAME)
+
+XCOMM be sure that DISPLAY contains the host name
+XCOMM BUGs: 
+XCOMM - this does _not_ catch non-tcp connections (like DECnet).
+XCOMM - this may not work with IPv6 addresses
+displayhost=${DISPLAY%:*}
+displaynum=$(x=${DISPLAY#*:}; echo ${x%.*})
+if [ "$displayhost" == "" -o "$displayhost" == "localhost" ] ; then
+    # fix DISPLAY
+    export DISPLAY="${FQDN}:${DISPLAY#*:}"
+    displayhost=${DISPLAY%:*}
+fi
+
+
+XCOMM grant access for current user and for user root
+XCOMM (a bug in /usr/dt/bin/dtaction requires this for user "root", too -
+XCOMM Solaris 7/8 dtaction runns setuid root and opens a display connection
+XCOMM before chaning the EUID to the "destination uid"... ;-( ).
+xhost +${LOGNAME}@ +$(user2netname root)
+
+XCOMM get X server principal(=user)
+XCOMM this may fail if user isn't local
+XCOMM unfortunately we cannot get the Xserver PID with a simply API - we 
+XCOMM have to "guess" in this case. "pgrep" creates a list of PIDs which may
+XCOMM match. Then we create a list of all matching "principals" and test
+XCOMM them - item by item...
+XCOMM ... step 1: Create list of principals
+principal_list=""          # you can add "most common" principals here...
+fallback_principal_list="" # you can add "fallback" principals here
+                           # (for example, principals for Xterminals (where
+                           # the Xserver always runns under the same UID) 
+                           # which use SUN-DES-1)
+for i in $(pgrep -f ".*X.* :$displaynum*") ; do    
+    principal_list="$(user2netname `getUserOfPID $i`) ${principal_list}"
+done
+
+xxdebug echo "principal_list=${principal_list}"
+
+XCOMM ... step 2: Test the list of principals
+for PRINCIPAL in ${principal_list} ${fallback_principal_list} ; do    
+    # make a "dry run" and test whether we really can use SUN-DES-1 auth.
+    # for this display using the given principal
+    if dry_run "${PRINCIPAL}" ; then
+        # remove old MIT-MAGIC-COOKIES and insert SUN-DES-1 cookies
+        # Users ~/.Xauthority _must_ be changed in _one_ step to avoid
+        # possible race conditions when switching auth. on a "live" 
+        # $DISPLAY...
+        (echo "remove $displayhost/unix:$displaynum" ;
+         echo "remove $displayhost:$displaynum" ;
+         echo "add $displayhost/unix:$displaynum SUN-DES-1 $PRINCIPAL" ;
+         echo "add $displayhost:$displaynum SUN-DES-1 $PRINCIPAL"
+        ) | xauth source -
+    
+        # success.
+        xxdebug echo "success."
+        exit 0
+    fi
+done
+
+echo "${0}: failure; could not establish SUN-DES-1 auth. on $DISPLAY" >&2
+xhost -$LOGNAME@ -$(user2netname root) 
+
+XCOMM failure.
+xxdebug echo failure.
+exit 1
+XCOMM EOF.