Bug 436230 - (ldm) implement proper use of xauth
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: ldm
Version: rawhide
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Warren Togami
QA Contact: Fedora Extras Quality Assurance
Blocks: K12LTSP
Reported: 2008-03-06 00:26 UTC by Warren Togami
Modified: 2008-03-23 22:56 UTC (History)
Doc Type: Bug Fix
Last Closed: 2008-03-23 22:56:25 UTC

Description Warren Togami 2008-03-06 00:26:00 UTC
http://bazaar.launchpad.net/~ltsp-upstream/ltsp/ldm-trunk/annotate/?file_id=ldm.c-20070611142051-jkh2vwmsp70sequl-32
create_xauth()
{
    GPid xauthpid;
    int status;

    char *xauth_command[] = {
       "/usr/bin/xauth",
       "-i",
       "-n",
       "-f",
       ldminfo.authfile,
       "generate",
       ldminfo.display,
       NULL };

    /* ... */
    do {
        sleep(1);
        xauthpid = ldm_spawn(xauth_command);
        status = ldm_wait(xauthpid);
    } while (status);
}

On F-8 this works fine, but F-9 xauth exits with an error return value.

xauth-1.0.2/process.c:
    status = XSecurityQueryExtension(dpy, &major_version, &minor_version);
    if (!status)
    {
        prefix (inputfilename, lineno);
        fprintf (stderr, "couldn't query Security extension on display \"%s\"\n",
                 displayname);
        return 1;
    }

It is failing here on F-9.

#xorg-devel
<airlied> warren: the security framework was redesigned from scratch pretty much
<alanc> XC-Security was reimplemented using XACE, but XACE has no protocol, just a
server framework for extensions like XC-Security/SELinux/TrustedSolaris to add
checks

kernel-2.6.25-0.90.rc3.git5.fc9.i586
xorg-x11-server-Xorg-1.4.99.900-0.28.20080304.fc9.i386
xorg-x11-xauth-1.0.2-4.fc9.i386
libselinux-2.0.59-1.fc9.i386

This happens on a thin client running these packages and selinux=0.  There are
no selinux-policy* packages installed, and the filesystem is unlabeled.

This is a blocker for LTSP in Fedora 9.

Comment 1 Adam Jackson 2008-03-06 19:09:20 UTC
Yep, the security extension is gone, intentionally.

It looks like you're just using it to create a new auth cookie.  You should
instead do what every other display manager does: create the auth cookie ahead
of time, and invoke the server with it.  See the code in startx(1) for an
example, or the mkxauth(1) utility.

Comment 2 Chuck Ebbert 2008-03-08 02:39:05 UTC
runxas does that too.

(We should be packaging that script with Fedora BTW)


Comment 3 Ray Strode [halfline] 2008-03-08 18:10:14 UTC
Well that code is just spawning /usr/bin/xauth

Either /usr/bin/xauth needs to be fixed, or ldm needs to be changed not to use
xauth and xauth needs to deprecate that command line option.



Comment 4 Warren Togami 2008-03-10 05:31:33 UTC
xauth itself doesn't need fixing.  It turns out that 1) ldm was never doing
xauth properly and 2) ldm was running X with the incredibly stupid -ac
parameter, so #1 didn't matter.

ldm needs to be fixed to use xauth properly.

Comment 5 Warren Togami 2008-03-19 20:52:56 UTC

if [ -f /etc/lts.conf ]; then
    eval $(getltscfg -a) || true
fi

if [ -n "$LDM_DIRECTX" ]; then
    PROTOCOL=$(xauth list | awk '{print $2}')
    KEY=$(xauth list | awk '{print $3}')

    echo $DISPLAY $LDMINFO_IPADDR $PROTOCOL $KEY >> /tmp/foople
    ssh -S ${LDM_SOCKET} ${LDM_SERVER} \
        "xauth remove ${LDMINFO_IPADDR}${DISPLAY}" >> /tmp/foople
    ssh -S ${LDM_SOCKET} ${LDM_SERVER} \
        "xauth add ${LDMINFO_IPADDR}${DISPLAY} ${PROTOCOL} ${KEY}" >> /tmp/foople
fi


Example code from sbalneav.

Comment 6 Warren Togami 2008-03-23 22:56:25 UTC
The minimum to get this feature is now in ldm-trunk.  Further cleanups ensue.
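
The approach recommended in Comment 1 (create the cookie ahead of time and start the server with it, as startx(1) does), as an added example that is not ldm code and not from anyone in this thread. The display number and authority-file path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pre-generate an MIT-MAGIC-COOKIE-1 and start X with -auth,
# instead of relying on "xauth generate" (XC-Security) or running "X -ac".
# DISPLAY_NUM and AUTHFILE defaults below are hypothetical, not ldm's values.

# 128-bit random cookie as 32 lowercase hex digits.
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Accept only a 32-digit lowercase hex string before passing it to xauth.
valid_cookie() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Emit the xauth command that installs the cookie for one display.
# "." is xauth shorthand for the MIT-MAGIC-COOKIE-1 protocol name.
xauth_script() {   # $1 = display (e.g. :7), $2 = cookie
    valid_cookie "$2" || return 1
    printf 'add %s . %s\n' "$1" "$2"
}

# Build a fresh authority file readable only by its owner, then start the
# server with it. Without -ac, access control stays enabled and clients
# must present the cookie.
start_x_with_cookie() {   # $1 = display, $2 = authority file
    cookie=$(gen_cookie) || return 1
    rm -f "$2"
    ( umask 077 && : > "$2" ) || return 1
    # xauth reads commands from stdin when none is given on the command line.
    xauth_script "$1" "$cookie" | xauth -q -f "$2" || return 1
    exec X "$1" -auth "$2"
}

# Only start a server when explicitly asked: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    start_x_with_cookie "${DISPLAY_NUM:-:7}" "${AUTHFILE:-/var/run/ldm-xauth}"
fi
```

The same authority file is what a client-side `xauth list` reads when the cookie is copied to the application server over the existing ssh control socket, as in the script in Comment 5.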

