From meta@rose.club.kyutech.ac.jp  Mon May 23 20:30:06 2011
Return-Path: <meta@rose.club.kyutech.ac.jp>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 77AA21065675
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 23 May 2011 20:30:06 +0000 (UTC)
	(envelope-from meta@rose.club.kyutech.ac.jp)
Received: from rose.club.kyutech.ac.jp (rose.club.kyutech.ac.jp [131.206.108.6])
	by mx1.freebsd.org (Postfix) with ESMTP id 11B6F8FC14
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 23 May 2011 20:30:05 +0000 (UTC)
Received: from rose.club.kyutech.ac.jp (localhost [127.0.0.1])
	by rose.club.kyutech.ac.jp (8.14.4/8.14.4) with ESMTP id p4NKU3mY017213
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 24 May 2011 05:30:03 +0900 (JST)
	(envelope-from meta@rose.club.kyutech.ac.jp)
Received: (from meta@localhost)
	by rose.club.kyutech.ac.jp (8.14.4/8.14.4/Submit) id p4NKU3vn017210;
	Tue, 24 May 2011 05:30:03 +0900 (JST)
	(envelope-from meta)
Message-Id: <201105232030.p4NKU3vn017210@rose.club.kyutech.ac.jp>
Date: Tue, 24 May 2011 05:30:03 +0900 (JST)
From: "Iwao, Koichiro" <meta@club.kyutech.ac.jp>
Reply-To: "Iwao, Koichiro" <meta@club.kyutech.ac.jp>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [MAINTAINER PATCH] net/xrdp: effective login name is not set by xrdp-sesman
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         157282
>Category:       ports
>Synopsis:       [MAINTAINER PATCH] net/xrdp: effective login name is not set by xrdp-sesman
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    swills
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 23 20:40:09 UTC 2011
>Closed-Date:    Sun Sep 09 22:20:31 UTC 2012
>Last-Modified:  Sun Sep 09 22:20:31 UTC 2012
>Originator:     Iwao, Koichiro
>Release:        FreeBSD 8.2-RELEASE-p1 amd64
>Organization:
Kyushu Institute of Technology
>Environment:
System: FreeBSD rose.club.kyutech.ac.jp 8.2-RELEASE-p1 FreeBSD 8.2-RELEASE-p1 #1: Mon Apr 25 03:31:52 JST 2011 root@rose.club.kyutech.ac.jp:/usr/obj/usr/src/sys/MASAKIKERNEL amd64


>Description:
xrdp is originally made for Linux, handling setlogin/getlogin is not enough for *BSD.
Some programs like mysql fail to get actual username.
Also, this may cause a security issue like FreeBSD-SA-02:07.k5su due to setlogin system call.
http://security.freebsd.org/advisories/FreeBSD-SA-02:07.k5su.asc

Added file:
 - files/patch-sesman__session.c

>How-To-Repeat:
Login to the host via xrdp, run `id -p` on xterm, the login name will be wrong.

The result will be:
$ id -p
login	root
uid	meta
groups	meta

ex) mysql gets username as 'root' even if the actual user is not root:
$ whoami
meta
$ mysql
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

Login shuld be as same as uid:
$ id -p
uid	meta
groups	meta

>Fix:
See attached patch.

--- patch-sesman__session.c begins here ---
--- sesman/session.c.orig	2011-03-12 16:10:35.000000000 +0900
+++ sesman/session.c	2011-05-24 04:45:59.000000000 +0900
@@ -16,7 +16,47 @@
    xrdp: A Remote Desktop Protocol server.
    Copyright (C) Jay Sorg 2005-2008
 */
-
+/*
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose.  Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ * SSH2 support by Markus Friedl.
+ * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * 
+ * Copyright (c) 2011 Koichiro Iwao <meta@club.kyutech.ac.jp>, 
+ *                    Kyushu Institute of Technology.
+ *                    All rights reserved.
+ *
+ * 	from: OpenBSD: session.c,v 1.252 2010/03/07 11:57:13 dtucker Exp
+ *            with some ideas about process grouping from OpenSSH to xrdp
+ * 	       
+ */
 /**
  *
  * @file session.c
@@ -373,6 +413,23 @@
     g_sprintf(geometry, "%dx%d", width, height);
     g_sprintf(depth, "%d", bpp);
     g_sprintf(screen, ":%d", display);
+#ifdef __FreeBSD__
+    /*
+     * Create a new session and process group since 4.4BSD 
+     * setlogin affects the entire process group.
+     */
+    if (setsid() < 0)
+    {
+      log_message(&(g_cfg->log), LOG_LEVEL_ERROR,
+        "setsid failed: %.100s", strerror(errno));
+    }
+
+    if (setlogin(username) < 0)
+    {
+      log_message(&(g_cfg->log), LOG_LEVEL_ERROR,
+        "setlogin failed: %.100s", strerror(errno));
+    }
+#endif
     wmpid = g_fork();
     if (wmpid == -1)
     {
--- patch-sesman__session.c ends here ---


>Release-Note:
>Audit-Trail:
Class-Changed-From-To: sw-bug->maintainer-update 
Class-Changed-By: edwin 
Class-Changed-When: Mon May 23 20:40:20 UTC 2011 
Class-Changed-Why:  
Fix category (submitter is maintainer) (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=157282 

From: Kouichiro Iwao <meta@club.kyutech.ac.jp>
To: FreeBSD-gnats-submit@freebsd.org, freebsd-ports-bugs@freebsd.org
Cc:  
Subject: Re: ports/157282: [MAINTAINER PATCH] net/xrdp: effective login name
 is not set by xrdp-sesman
Date: Fri, 5 Aug 2011 14:37:20 +0900

 some bugs are found in my patch. wait until sending new one.
State-Changed-From-To: open->suspended 
State-Changed-By: eadler 
State-Changed-When: Sat Oct 15 21:26:23 UTC 2011 
State-Changed-Why:  
awaiting patch from submitter 


Responsible-Changed-From-To: freebsd-ports-bugs->eadler 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Sat Oct 15 21:26:23 UTC 2011 
Responsible-Changed-Why:  
awaiting patch from submitter 

http://www.freebsd.org/cgi/query-pr.cgi?pr=157282 
State-Changed-From-To: suspended->open 
State-Changed-By: eadler 
State-Changed-When: Thu Oct 27 03:45:41 UTC 2011 
State-Changed-Why:  
Submitter has fixed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=157282 

From: Kouichiro Iwao <meta@club.kyutech.ac.jp>
To: eadler@FreeBSD.org
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/157282: [MAINTAINER PATCH] net/xrdp: effective login name
 is not set by xrdp-sesman
Date: Thu, 27 Oct 2011 12:39:37 +0900

 --IJpNTDwzlM2Ie8A6
 Content-Type: text/plain; charset=iso-2022-jp
 Content-Disposition: inline
 
 new patch is ready. see attached.
 the patch is also available here.
 http://www.club.kyutech.ac.jp/~meta/patches/patch-sesman__session_1.patch
 
 --IJpNTDwzlM2Ie8A6
 Content-Type: text/x-diff; charset=iso-2022-jp
 Content-Disposition: attachment; filename="patch-sesman__session_1.patch"
 
 --- sesman/session.c.orig	2011-03-12 16:10:35.000000000 +0900
 +++ sesman/session.c	2011-10-27 12:13:11.000000000 +0900
 @@ -16,7 +16,47 @@
     xrdp: A Remote Desktop Protocol server.
     Copyright (C) Jay Sorg 2005-2008
  */
 -
 +/*
 + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 + *                    All rights reserved
 + *
 + * As far as I am concerned, the code I have written for this software
 + * can be used freely for any purpose.  Any derived versions of this
 + * software must be clearly marked as such, and if the derived work is
 + * incompatible with the protocol description in the RFC file, it must be
 + * called by a name other than "ssh" or "Secure Shell".
 + *
 + * SSH2 support by Markus Friedl.
 + * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions
 + * are met:
 + * 1. Redistributions of source code must retain the above copyright
 + *    notice, this list of conditions and the following disclaimer.
 + * 2. Redistributions in binary form must reproduce the above copyright
 + *    notice, this list of conditions and the following disclaimer in the
 + *    documentation and/or other materials provided with the distribution.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 + * 
 + * Copyright (c) 2011 Iwao, Koichiro <meta@club.kyutech.ac.jp>, 
 + *                    Kyushu Institute of Technology.
 + *                    All rights reserved.
 + *
 + * 	from: OpenBSD: session.c,v 1.252 2010/03/07 11:57:13 dtucker Exp
 + *            with some ideas about process grouping from OpenSSH to xrdp
 + * 	       
 + */
  /**
   *
   * @file session.c
 @@ -373,6 +413,33 @@
      g_sprintf(geometry, "%dx%d", width, height);
      g_sprintf(depth, "%d", bpp);
      g_sprintf(screen, ":%d", display);
 +#ifdef __FreeBSD__
 +    /*
 +     * Create a new session and process group since 4.4BSD 
 +     * setlogin affects the entire process group.
 +     */
 +    pid_t bsdsespid = g_fork();
 +
 +    if (bsdsespid == -1)
 +    {
 +    }
 +    else if (bsdsespid == 0) /* BSD session leader */
 +    {
 +        if (setsid() < 0)
 +        {
 +          log_message(&(g_cfg->log), LOG_LEVEL_ERROR,
 +            "setsid failed: %.100s", strerror(errno));
 +        }
 +
 +        if (setlogin(username) < 0)
 +        {
 +          log_message(&(g_cfg->log), LOG_LEVEL_ERROR,
 +            "setlogin failed: %.100s", strerror(errno));
 +        }
 +    }
 +
 +    g_waitpid(bsdsespid);
 +#endif
      wmpid = g_fork();
      if (wmpid == -1)
      {
 
 --IJpNTDwzlM2Ie8A6--
State-Changed-From-To: open->feedback 
State-Changed-By: eadler 
State-Changed-When: Thu Oct 27 19:50:07 UTC 2011 
State-Changed-Why:  
Any chance of getting this commited upstream? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=157282 
State-Changed-From-To: feedback->open 
State-Changed-By: eadler 
State-Changed-When: Fri Oct 28 15:46:21 UTC 2011 
State-Changed-Why:  
per private reply, apperently not 

http://www.freebsd.org/cgi/query-pr.cgi?pr=157282 
Responsible-Changed-From-To: eadler->freebsd-x11 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Wed Nov 2 22:02:36 UTC 2011 
Responsible-Changed-Why:  
ENOTIME 

http://www.freebsd.org/cgi/query-pr.cgi?pr=157282 
Responsible-Changed-From-To: freebsd-x11->swills 
Responsible-Changed-By: swills 
Responsible-Changed-When: Sun Sep 9 22:08:59 UTC 2012 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=157282 
State-Changed-From-To: open->closed 
State-Changed-By: swills 
State-Changed-When: Sun Sep 9 22:20:28 UTC 2012 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=157282 
>Unformatted:
