Hi,

If you look at the output of "xauth list" on your favourite OpenBSD
machine you might get a bit scared, especially if you have an IPv6
enabled network or if you travel and connect to various
networks.

Most of the lines are there to allow TCP connections to the IP addresses
the machine had at the time you logged into xenodm.

But TCP connections have been disabled by default in the X server for a
few years now, so those authorization entries are useless.

Also the recent discussion about dhcpleased and its asynchronous
nature makes it clear that the IP addresses known at xenodm startup
may well change during the lifetime of the session.

The diff below tells xenodm not to add authorizations for TCP
connections unless it is explicitly configured to do so. Only the
authorization for local Unix socket connections is created.

To test, apply to /usr/xenocara/app/xenodm (note that you need the
very recent commits I did earlier today) and run:

  make -f Makefile.bsd-wrapper obj
  make -f Makefile.bsd-wrapper clean
  make -f Makefile.bsd-wrapper
  doas make -f Makefile.bsd-wrapper install

Then remove the old ~/.Xauthority file, full of useless lines, and
reboot. Once logged in, check the contents of "xauth list" again.

Comments ? ok ? 

Index: include/dm.h
===================================================================
RCS file: /cvs/xenocara/app/xenodm/include/dm.h,v
retrieving revision 1.16
diff -u -p -u -r1.16 dm.h
--- include/dm.h        8 Mar 2021 17:54:28 -0000       1.16
+++ include/dm.h        8 Mar 2021 20:05:11 -0000
@@ -123,6 +123,7 @@ struct display {
        unsigned short  *authNameLens;  /* authorization protocol name lens */
        char            *clientAuthFile;/* client specified auth file */
        int             authComplain;   /* complain when no auth for XDMCP */
+       int             listenTcp;      /* assume server is listening on TCP */
 
        /* information potentially derived from resources */
        int             authNameNum;    /* number of protocol names */
Index: man/xenodm.man
===================================================================
RCS file: /cvs/xenocara/app/xenodm/man/xenodm.man,v
retrieving revision 1.12
diff -u -p -u -r1.12 xenodm.man
--- man/xenodm.man      8 Mar 2021 17:54:28 -0000       1.12
+++ man/xenodm.man      8 Mar 2021 20:05:11 -0000
@@ -582,6 +582,21 @@ to occur, during which time the new auth
 The default is
 .Cm false ,
 which will work for all MIT servers.
+.It Ic DisplayManager. Ns Ar DISPLAY Ns Ic .listenTcp
+If set to
+.Cm true ,
+enable the
+.Ic listen Ic tcp
+option for the given X server.
+When this setting is set to
+.Cm false ,
+.Nm
+will only generate authorizations for the local (ie Unix socket)
+transport mechanism.
+Otherwise full authorization for all possible transport mechanisms
+will be generated.
+The default is
+.Cm false .
 .El
 .Sh CONFIGURATION FILE
 First, the
Index: xenodm/auth.c
===================================================================
RCS file: /cvs/xenocara/app/xenodm/xenodm/auth.c,v
retrieving revision 1.16
diff -u -p -u -r1.16 auth.c
--- xenodm/auth.c       8 Mar 2021 17:54:28 -0000       1.16
+++ xenodm/auth.c       8 Mar 2021 20:05:11 -0000
@@ -736,13 +736,14 @@ setAuthNumber (Xauth *auth, char *name)
 }
 
 static void
-writeLocalAuth (FILE *file, Xauth *auth, char *name)
+writeLocalAuth (FILE *file, Xauth *auth, char *name, int listenTcp)
 {
 
     Debug ("writeLocalAuth: %s %.*s\n", name, auth->name_length, auth->name);
     setAuthNumber (auth, name);
 #ifdef TCPCONN
-    DefineSelf (file, auth);
+    if (listenTcp)
+           DefineSelf (file, auth);
 #endif
     DefineLocal (file, auth);
 }
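Review bot: The `if (listenTcp)` guard around DefineSelf() in writeLocalAuth carries no explanation, and a reader of auth.c alone cannot tell why the per-address entries are now conditional. A one-line comment above the `#ifdef TCPCONN` branch would help, e.g. `/* Per-address entries only matter when the server really listens on TCP; otherwise they just bloat ~/.Xauthority. */`. The new parameter follows the existing `int`-as-flag convention of `struct display`, so no change needed there.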
@@ -762,8 +763,21 @@ SetUserAuthorization (struct display *d,
     struct stat        statb;
     int                i;
     int                magicCookie;
+    char       **arg;
+    int                foundListen = 0;
 
     Debug ("SetUserAuthorization\n");
+    for (arg = d->argv; *arg!= NULL; arg++) {
+          if (strcmp(*arg, "tcp") == 0 && foundListen) {
+                  Debug("setUserAuthorization: found listenTcp \n");
+                  d->listenTcp = 1;
+                  break;
+          }
+          if (strcmp(*arg, "-listen") == 0)
+                  foundListen = 1;
+          else
+                  foundListen = 0;
+    }
     auths = d->authorizations;
     if (auths) {
        home = getEnv (verify->userEnviron, "HOME");
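Review bot: The argv scan at the top of SetUserAuthorization only recognises the literal transport name `tcp` after `-listen`; if I recall correctly the Xorg option also accepts `inet` and `inet6`, so a server started with `-listen inet6` would be listening on TCP while xenodm still omits the network authorizations, and the user's own TCP clients would be refused. Consider `if (foundListen && (strcmp(*arg, "tcp") == 0 || strcmp(*arg, "inet") == 0 || strcmp(*arg, "inet6") == 0)) {`. The loop also dereferences `d->argv` unconditionally, which is fine only if the display setup guarantees a non-NULL vector — worth confirming. Minor style: `*arg!= NULL` is missing a space, and the Debug string says `setUserAuthorization` while the function is `SetUserAuthorization`. SetUserAuthorization continues past the end of this hunk.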
@@ -813,7 +827,7 @@ SetUserAuthorization (struct display *d,
                !strncmp (auths[i]->name, "MIT-MAGIC-COOKIE-1", 18))
            {
                magicCookie = i;
-               writeLocalAuth (new, auths[i], d->name);
+               writeLocalAuth (new, auths[i], d->name, d->listenTcp);
                break;
            }
        }
@@ -893,7 +907,7 @@ RemoveUserAuthorization (struct display 
        initAddrs ();
        doWrite = 0;
        for (i = 0; i < d->authNum; i++)
-           writeLocalAuth (new, auths[i], d->name);
+               writeLocalAuth (new, auths[i], d->name, d->listenTcp);
        doWrite = 1;
        if (old) {
            if (fstat (fileno (old), &statb) != -1)
Index: xenodm/resource.c
===================================================================
RCS file: /cvs/xenocara/app/xenodm/xenodm/resource.c,v
retrieving revision 1.6
diff -u -p -u -r1.6 resource.c
--- xenodm/resource.c   8 Mar 2021 17:54:28 -0000       1.6
+++ xenodm/resource.c   8 Mar 2021 20:05:11 -0000
@@ -169,6 +169,8 @@ struct displayResource serverResources[]
                                "" },
 { "autoLogin", "AutoLogin",    DM_STRING,      boffset(autoLogin),
                                "" },
+{ "listenTcp", "ListenTcp",   DM_BOOL,        boffset(listenTcp),
+                              "false" }, 
 };
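Review bot: The second line of the new `listenTcp` resource entry, `"false" }, `, carries trailing whitespace; drop it so the table stays clean. The entry itself mirrors the `autoLogin` one above it and uses `DM_BOOL` with a `"false"` default, which matches what the man page text states.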
 
 #define NUM_SERVER_RESOURCES   (sizeof serverResources/\
Index: xenodm/server.c
===================================================================
RCS file: /cvs/xenocara/app/xenodm/xenodm/server.c,v
retrieving revision 1.4
diff -u -p -u -r1.4 server.c
--- xenodm/server.c     11 Jul 2018 14:35:46 -0000      1.4
+++ xenodm/server.c     8 Mar 2021 20:05:11 -0000
@@ -86,6 +86,8 @@ StartServerOnce (struct display *d)
            snprintf (arg, sizeof(arg), "-auth %s", d->authFile);
            argv = parseArgs (argv, arg);
        }
+       if (d->listenTcp)
+           argv = parseArgs(argv, "-listen tcp");
        if (!argv) {
            LogError ("StartServer: no arguments\n");
            sleep ((unsigned) d->openDelay);
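Review bot: The new `parseArgs(argv, "-listen tcp")` call sits between the first parseArgs() and the `if (!argv)` check, so if appending `-auth` fails, `parseArgs(NULL, "-listen tcp")` is called; unless parseArgs is known to tolerate a NULL vector, guard it with `if (argv && d->listenTcp)`. It would also help to note in a comment that this path only honours the resource, while a `-listen tcp` already present in serverArgs is detected elsewhere in this diff when authorizations are written, so the two stay consistent. Minor: the existing call is spelled `parseArgs (argv, arg)` with a space before the parenthesis; the new one is not. StartServerOnce continues outside this hunk.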

-- 
Matthieu Herrb
