From b00a9a1272a59dd34f11fe76f003d56e3ac94e2b Mon Sep 17 00:00:00 2001 From: Gaetan Nadon Date: Fri, 21 Jan 2011 21:59:03 -0500 Subject: config: do not use sed as there is no text substitution to make Just ship the script. Signed-off-by: Gaetan Nadon --- .gitignore | 5 +- Makefile.am | 14 ++-- xauth_switch_to_sun-des-1 | 172 +++++++++++++++++++++++++++++++++++++++++ xauth_switch_to_sun-des-1.cpp | 174 ------------------------------------------ 4 files changed, 179 insertions(+), 186 deletions(-) create mode 100644 xauth_switch_to_sun-des-1 delete mode 100755 xauth_switch_to_sun-des-1.cpp diff --git a/.gitignore b/.gitignore index 33a7964..0b88b62 100644 --- a/.gitignore +++ b/.gitignore @@ -71,9 +71,8 @@ core *.tar.bz2 *.tar.gz # -# Add & Override patterns for scripts +# Add & Override patterns for scripts # # Edit the following section as needed # For example, !report.pc overrides *.pc. See 'man gitignore' -# -xauth_switch_to_sun-des-1 +# diff --git a/Makefile.am b/Makefile.am index b6f0ed7..487c606 100644 --- a/Makefile.am +++ b/Makefile.am @@ -20,17 +20,13 @@ # PERFORMANCE OF THIS SOFTWARE. SUBDIRS = man -dist_bin_SCRIPTS = fontname.sh fontprop.sh xon - -bin_SCRIPTS = xauth_switch_to_sun-des-1 - -xauth_switch_to_sun-des-1: $(srcdir)/xauth_switch_to_sun-des-1.cpp - grep -v Avoid $(srcdir)/xauth_switch_to_sun-des-1.cpp | sed -e /^\#.*$$/d -e s/XCOMM/\#/g > $@ +dist_bin_SCRIPTS = \ + fontname.sh \ + fontprop.sh \ + xon \ + xauth_switch_to_sun-des-1 MAINTAINERCLEANFILES = ChangeLog INSTALL -CLEANFILES = xauth_switch_to_sun-des-1 - -EXTRA_DIST = xauth_switch_to_sun-des-1.cpp .PHONY: ChangeLog INSTALL diff --git a/xauth_switch_to_sun-des-1 b/xauth_switch_to_sun-des-1 new file mode 100644 index 0000000..13d8fb9 --- /dev/null +++ b/xauth_switch_to_sun-des-1 
@@ -0,0 +1,172 @@
+#!/bin/ksh
+# X11 MIT-MAGIC-COOKIE to SUN-DES-1 auth.
+# this script switched the current Xservers authentification
+# (usually MIT-MAGIC-COOKIE-1) to SUN-DES-1.
+#
+#
+# Copyright 2002-2004 by Roland Mainz .
+#
+#
+# Requirements:
+# - Solaris/Linux/AIX running as NIS+ client (YP/LDAP not supported yet)
+# - user must have proper credentials ("SecureRPC")
+# - script must be able to "guess" the UID of the Xserver
+#
+# Advantages:
+# - User may allow other users to gain access via
+# % xhost +jigsaw@
+# instead of moving 128bit cookies
+#
+# Known bugs:
+# - Was not tested on Linux since several months
+
+
+umask 077
+# force POSIX binaries
+export PATH=/usr/xpg4/bin:/usr/bin:/usr/dt/bin:/usr/openwin/bin
+
+# debug
+alias xxdebug=true
+# alias xxdebug=
+
+# get full qualified domain name
+getFQDN()
+{
+ getent hosts ${1} | awk "{print \$2}" -
+}
+
+user2netname()
+{
+ UID=$(id -u $1)
+ DOMAINNAME=$(domainname)
+ if [ $UID != 0 ] ; then
+ netname=unix.$UID@$DOMAINNAME
+ else
+ netname=unix.$HOSTNAME@$DOMAINNAME
+ fi
+
+ # BUG: SecureRPC isn't limited to NIS+
+ # (but there is no "getent publickey ...") ...
+ # ToDo:
+ # - YP name is "publickey.byname"
+ # - What name does LDAP use ?
+ if [ "`nismatch "auth_name=$netname" cred.org_dir`" != "" ] ; then
+ echo "$netname"
+ else
+ echo "user ${UID} has no entry in cred.org_dir" >&2
+ return 1
+ fi
+
+ return 0
+}
+
+
+# pid to username
+getUserOfPID()
+{
+ ps -p $1 -o user,pid | awk "NR != 1 {print \$1}" -
+}
+
+# test if we can access $DISPLAY via SUN-DES-1 auth. using a temporary
+# Xauthority file
+dry_run()
+{
+(
+ principal="$1"
+ # XAUTHORITY may not be defined
+ if [ "$XAUTHORITY" = "" ] ; then
+ export XAUTHORITY=~/.Xauthority
+ fi
+
+ ORIGINAL_XAUTHORITY="${XAUTHORITY:-~/.Xauthority}"
+ TMP_XAUTHORITY=/tmp/mit-cookie2sun-des-1tmpxauth_${LOGNAME}_${RANDOM}.xauth
+ export XAUTHORITY="$TMP_XAUTHORITY"
+ touch "$XAUTHORITY"
+
+ (echo "add $displayhost/unix:$displaynum SUN-DES-1 $principal" ;
+ echo "add $displayhost:$displaynum SUN-DES-1 $principal"
+ ) | xauth source -
+
+ # check if a sample X11 app. (/usr/openwin/bin/xset) can access Xserver...
+ if ! xset q 2>/dev/null 1>/dev/null ; then
+ # clean-up
+ rm -f "$TMP_XAUTHORITY"
+ return 1
+ fi
+
+ rm -f "$TMP_XAUTHORITY"
+
+ return 0
+)
+}
+
+# main
+
+HOSTNAME=$(hostname)
+FQDN=$(getFQDN $HOSTNAME)
+
+# be sure that DISPLAY contains the host name
+# BUGs:
+# - this does _not_ catch non-tcp connections (like DECnet).
+# - this may not work with IPv6 addresses
+displayhost=${DISPLAY%:*}
+displaynum=$(x=${DISPLAY#*:}; echo ${x%.*})
+if [ "$displayhost" == "" -o "$displayhost" == "localhost" ] ; then
+ # fix DISPLAY
+ export DISPLAY="${FQDN}:${DISPLAY#*:}"
+ displayhost=${DISPLAY%:*}
+fi
+
+
+# grant access for current user and for user root
+# (a bug in /usr/dt/bin/dtaction requires this for user "root", too -
+# Solaris 7/8 dtaction runns setuid root and opens a display connection
+# before chaning the EUID to the "destination uid"... ;-( ).
+xhost +${LOGNAME}@ +$(user2netname root)
+
+# get X server principal(=user)
+# this may fail if user isn't local
+# unfortunately we cannot get the Xserver PID with a simply API - we
+# have to "guess" in this case. "pgrep" creates a list of PIDs which may
+# match. Then we create a list of all matching "principals" and test
+# them - item by item...
+# ... step 1: Create list of principals
+principal_list="" # you can add "most common" principals here...
+fallback_principal_list="" # you can add "fallback" principals here
+ # (for example, principals for Xterminals (where
+ # the Xserver always runns under the same UID)
+ # which use SUN-DES-1)
+for i in $(pgrep -f ".*X.* :$displaynum*") ; do
+ principal_list="$(user2netname `getUserOfPID $i`) ${principal_list}"
+done
+
+xxdebug echo "principal_list=${principal_list}"
+
+# ... step 2: Test the list of principals
+for PRINCIPAL in ${principal_list} ${fallback_principal_list} ; do
+ # make a "dry run" and test whether we really can use SUN-DES-1 auth.
+ # for this display using the given principal
+ if dry_run "${PRINCIPAL}" ; then
+ # remove old MIT-MAGIC-COOKIES and insert SUN-DES-1 cookies
+ # Users ~/.Xauthority _must_ be changed in _one_ step to avoid
+ # possible race conditions when switching auth. on a "live"
+ # $DISPLAY...
+ (echo "remove $displayhost/unix:$displaynum" ;
+ echo "remove $displayhost:$displaynum" ;
+ echo "add $displayhost/unix:$displaynum SUN-DES-1 $PRINCIPAL" ;
+ echo "add $displayhost:$displaynum SUN-DES-1 $PRINCIPAL"
+ ) | xauth source -
+
+ # success.
+ xxdebug echo "success."
+ exit 0
+ fi
+done
+
+echo "${0}: failure; could not establish SUN-DES-1 auth. on $DISPLAY" >&2
+xhost -$LOGNAME@ -$(user2netname root)
+
+# failure.
+xxdebug echo failure.
+exit 1
+# EOF.
diff --git a/xauth_switch_to_sun-des-1.cpp b/xauth_switch_to_sun-des-1.cpp
deleted file mode 100755
index 3e5850f..0000000
--- a/xauth_switch_to_sun-des-1.cpp
+++ /dev/null
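Review bot: In the new `xauth_switch_to_sun-des-1`, `dry_run` builds its scratch Xauthority at a guessable path, `TMP_XAUTHORITY=/tmp/mit-cookie2sun-des-1tmpxauth_${LOGNAME}_${RANDOM}.xauth`, and then runs `touch "$XAUTHORITY"` on it. `umask 077` only protects a file the script itself creates, and `touch` will reuse a file or follow a symlink that another local user has already placed under that name. Now that the script is shipped verbatim, the assignment and the `touch` could be replaced by an atomic create such as `TMP_XAUTHORITY=$(mktemp /tmp/xauth_switch.XXXXXX) || return 1`, assuming `mktemp` is available on the forced `PATH` of the target systems. Separately, `xhost +${LOGNAME}@ +$(user2netname root)` grants access before any principal has passed `dry_run` and does not check whether `user2netname` failed; the matching `xhost -...` revoke runs only on the final failure path, which looks intended but deserves a comment.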
@@ -1,174 +0,0 @@
-XCOMM!/bin/ksh
-XCOMM X11 MIT-MAGIC-COOKIE to SUN-DES-1 auth.
-XCOMM this script switched the current Xservers authentification
-XCOMM (usually MIT-MAGIC-COOKIE-1) to SUN-DES-1.
-XCOMM
-XCOMM
-XCOMM Copyright 2002-2004 by Roland Mainz .
-XCOMM
-XCOMM
-XCOMM Requirements:
-XCOMM - Solaris/Linux/AIX running as NIS+ client (YP/LDAP not supported yet)
-XCOMM - user must have proper credentials ("SecureRPC")
-XCOMM - script must be able to "guess" the UID of the Xserver
-XCOMM
-XCOMM Advantages:
-XCOMM - User may allow other users to gain access via
-XCOMM % xhost +jigsaw@
-XCOMM instead of moving 128bit cookies
-XCOMM
-XCOMM Known bugs:
-XCOMM - Was not tested on Linux since several months
-
-/* Avoid problems with CPP processing */
-#undef unix
-
-umask 077
-XCOMM force POSIX binaries
-export PATH=/usr/xpg4/bin:/usr/bin:/usr/dt/bin:/usr/openwin/bin
-
-XCOMM debug
-alias xxdebug=true
-XCOMM alias xxdebug=
-
-XCOMM get full qualified domain name
-getFQDN()
-{
- getent hosts ${1} | awk "{print \$2}" -
-}
-
-user2netname()
-{
- UID=$(id -u $1)
- DOMAINNAME=$(domainname)
- if [ $UID != 0 ] ; then
- netname=unix.$UID@$DOMAINNAME
- else
- netname=unix.$HOSTNAME@$DOMAINNAME
- fi
-
- # BUG: SecureRPC isn't limited to NIS+
- # (but there is no "getent publickey ...") ...
- # ToDo:
- # - YP name is "publickey.byname"
- # - What name does LDAP use ?
- if [ "`nismatch "auth_name=$netname" cred.org_dir`" != "" ] ; then
- echo "$netname"
- else
- echo "user ${UID} has no entry in cred.org_dir" >&2
- return 1
- fi
-
- return 0
-}
-
-
-XCOMM pid to username
-getUserOfPID()
-{
- ps -p $1 -o user,pid | awk "NR != 1 {print \$1}" -
-}
-
-XCOMM test if we can access $DISPLAY via SUN-DES-1 auth. using a temporary
-XCOMM Xauthority file
-dry_run()
-{
-(
- principal="$1"
- # XAUTHORITY may not be defined
- if [ "$XAUTHORITY" = "" ] ; then
- export XAUTHORITY=~/.Xauthority
- fi
-
- ORIGINAL_XAUTHORITY="${XAUTHORITY:-~/.Xauthority}"
- TMP_XAUTHORITY=/tmp/mit-cookie2sun-des-1tmpxauth_${LOGNAME}_${RANDOM}.xauth
- export XAUTHORITY="$TMP_XAUTHORITY"
- touch "$XAUTHORITY"
-
- (echo "add $displayhost/unix:$displaynum SUN-DES-1 $principal" ;
- echo "add $displayhost:$displaynum SUN-DES-1 $principal"
- ) | xauth source -
-
- # check if a sample X11 app. (/usr/openwin/bin/xset) can access Xserver...
- if ! xset q 2>/dev/null 1>/dev/null ; then
- # clean-up
- rm -f "$TMP_XAUTHORITY"
- return 1
- fi
-
- rm -f "$TMP_XAUTHORITY"
-
- return 0
-)
-}
-
-XCOMM main
-
-HOSTNAME=$(hostname)
-FQDN=$(getFQDN $HOSTNAME)
-
-XCOMM be sure that DISPLAY contains the host name
-XCOMM BUGs:
-XCOMM - this does _not_ catch non-tcp connections (like DECnet).
-XCOMM - this may not work with IPv6 addresses
-displayhost=${DISPLAY%:*}
-displaynum=$(x=${DISPLAY#*:}; echo ${x%.*})
-if [ "$displayhost" == "" -o "$displayhost" == "localhost" ] ; then
- # fix DISPLAY
- export DISPLAY="${FQDN}:${DISPLAY#*:}"
- displayhost=${DISPLAY%:*}
-fi
-
-
-XCOMM grant access for current user and for user root
-XCOMM (a bug in /usr/dt/bin/dtaction requires this for user "root", too -
-XCOMM Solaris 7/8 dtaction runns setuid root and opens a display connection
-XCOMM before chaning the EUID to the "destination uid"... ;-( ).
-xhost +${LOGNAME}@ +$(user2netname root)
-
-XCOMM get X server principal(=user)
-XCOMM this may fail if user isn't local
-XCOMM unfortunately we cannot get the Xserver PID with a simply API - we
-XCOMM have to "guess" in this case. "pgrep" creates a list of PIDs which may
-XCOMM match. Then we create a list of all matching "principals" and test
-XCOMM them - item by item...
-XCOMM ... step 1: Create list of principals
-principal_list="" # you can add "most common" principals here...
-fallback_principal_list="" # you can add "fallback" principals here
- # (for example, principals for Xterminals (where
- # the Xserver always runns under the same UID)
- # which use SUN-DES-1)
-for i in $(pgrep -f ".*X.* :$displaynum*") ; do
- principal_list="$(user2netname `getUserOfPID $i`) ${principal_list}"
-done
-
-xxdebug echo "principal_list=${principal_list}"
-
-XCOMM ... step 2: Test the list of principals
-for PRINCIPAL in ${principal_list} ${fallback_principal_list} ; do
- # make a "dry run" and test whether we really can use SUN-DES-1 auth.
- # for this display using the given principal
- if dry_run "${PRINCIPAL}" ; then
- # remove old MIT-MAGIC-COOKIES and insert SUN-DES-1 cookies
- # Users ~/.Xauthority _must_ be changed in _one_ step to avoid
- # possible race conditions when switching auth. on a "live"
- # $DISPLAY...
- (echo "remove $displayhost/unix:$displaynum" ;
- echo "remove $displayhost:$displaynum" ;
- echo "add $displayhost/unix:$displaynum SUN-DES-1 $PRINCIPAL" ;
- echo "add $displayhost:$displaynum SUN-DES-1 $PRINCIPAL"
- ) | xauth source -
-
- # success.
- xxdebug echo "success."
- exit 0
- fi
-done
-
-echo "${0}: failure; could not establish SUN-DES-1 auth. on $DISPLAY" >&2
-xhost -$LOGNAME@ -$(user2netname root)
-
-XCOMM failure.
-xxdebug echo failure.
-exit 1
-XCOMM EOF.
-- cgit v1.2.3