Bug#956251: xscreensaver-demo do not handle correctly domain part of usernames

2020-12-20 Thread Tormod Volden 
FYI, my first patch above was applied in upstream 5.45 and will appear
in 5.45-1 in unstable soon. Please let us know if it works fine with
your SSSD.

Tormod

Bug#956251: xscreensaver-demo do not handle correctly domain part of usernames

2020-10-11 Thread Tormod Volden 
> Le 30/09/2020 à 22:06, Jamie Zawinski a écrit :
> > The reason remote.c includes @hostname on the XA_SCREENSAVER_ID is to 
> > detect the case when "xscreensaver" and "xscreensaver-demo" are running on 
> > different hosts, because if they are different hosts, they are likely 
> > different file systems for the home directory. Your first patch disables 
> > this check.

The intention of my first patch is, given luser is
"name@ddns_domain@host", that the detected username becomes
"name@ddns_domain" and the detected hostname "host". Whereas today the
username becomes "name" and the hostname "ddns_domain@host" which
seems wrong. I don't see right now (this was a while back) how the
patch disables any check. In the simple case of one "@" it is the same
if we use strchr or strrchr.

Tormod

Bug#956251: xscreensaver-demo do not handle correctly domain part of usernames

2020-09-30 Thread Vincent Danjean 
Le 30/09/2020 à 22:06, Jamie Zawinski a écrit :
> The reason remote.c includes @hostname on the XA_SCREENSAVER_ID is to detect 
> the case when "xscreensaver" and "xscreensaver-demo" are running on different 
> hosts, because if they are different hosts, they are likely different file 
> systems for the home directory. Your first patch disables this check. 
> 
> I still don't understand why a user name would have an @ in it in the first 
> place, so I can't comment on the rest.

  When using sssd[1] with different auth providers (ldap, ad, ...),
users (and groups) are suffixed by '@'providerid
  Usernames without qualifiers get the default one when used.

  For example:
cat /etc/sssd/sssd.conf
[sssd]
[...]
domains = nts,example.fr
default_domain_suffix = example.fr
[...]
[domain/example.fr]
id_provider = ad
[... ad config ...]
[domain/nts]
id_provider = ldap
[...ldap config ...]


And then:
$ id user1
uid=157153(us...@example.fr) gid=5153(maingr...@example.fr) 
groupes=5153(maingr...@example.fr),13182(othergr...@example.fr),136315(applicationgr...@example.fr)
$ id user2
id: 'user2': no such user
$ id user2@nts
uid=5000(user2@nts) gid=5000(user2@nts) 
groups=5000(user2@nts),4010(application-access-grp@nts)

So, the '@' in the username comes from the sssd software that is
more and more used in large systems (AD/ldap/...)

This is transparent to most software, even with ssh that already uses
'@' itself. Using my previous example, to log into the system, I can use:
ssh user1@host
ssh us...@example.fr@host
ssh -l user1 host
ssh -l us...@example.fr host
ssh user2@nts@host
ssh -l user2@nts host
but not (user2 is not a user in the default auth provider)
ssh user2@host

  Regards,
Vincent

[1] https://en.wikipedia.org/wiki/System_Security_Services_Daemon

-- 
Vincent Danjean   GPG key ID 0xD17897FA vdanj...@debian.org
GPG key fingerprint: 621E 3509 654D D77C 43F5  CA4A F6AE F2AF D178 97FA
Unofficial pkgs: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo:  deb http://people.debian.org/~vdanjean/debian unstable main

Bug#956251: xscreensaver-demo do not handle correctly domain part of usernames

2020-09-30 Thread Jamie Zawinski 
The reason remote.c includes @hostname on the XA_SCREENSAVER_ID is to detect 
the case when "xscreensaver" and "xscreensaver-demo" are running on different 
hosts, because if they are different hosts, they are likely different file 
systems for the home directory. Your first patch disables this check. 

I still don't understand why a user name would have an @ in it in the first 
place, so I can't comment on the rest.

--
Jamie Zawinski  https://www.jwz.org/  https://www.dnalounge.com/

Bug#956251: xscreensaver-demo do not handle correctly domain part of usernames

2020-04-10 Thread Tormod Volden 
Hi Vincent,

Thanks for your report. Yes, I understand it from the messages that on
your machines getpwuid() returns a username including this "@domain"
part, but the server_xscreensaver_version() which queries the server,
strips away all "@" parts (I don't even know if XGetWindowProperty()
returns the @domain part here).

First, I am not familiar enough with SSSD to know if pw_name should
include the "@domain" part, but I will assume it for the following
suggestions, in preferred order:

1) if XGetWindowProperty() returns user@domain@host, this simple patch
could solve it by only stripping the last "@" part:

diff --git a/driver/remote.c b/driver/remote.c
index 83254e0..e409ebc 100644
--- a/driver/remote.c
+++ b/driver/remote.c
@@ -681,7 +681,7 @@ server_xscreensaver_version (Display *dpy,
{
  char *o = 0, *p = 0, *c = 0;
  o = strchr ((char *) id, '(');
- if (o) p = strchr (o, '@');
+ if (o) p = strrchr (o, '@');
  if (p) c = strchr (p, ')');
  if (c)
{

2) in case XGetWindowProperty() doesn't return the "@domain" part,
canonicalize the username received via server_xscreensaver_version so
it should match the getpwuid() result:

diff --git a/driver/demo-Gtk.c b/driver/demo-Gtk.c
index da98c53..14f82c1 100644
--- a/driver/demo-Gtk.c
+++ b/driver/demo-Gtk.c
@@ -4477,6 +4477,17 @@ the_network_is_not_the_computer (state *s)

   server_xscreensaver_version (dpy, , , );

+  /* canonical name in case of directory service */
+  if (ruser)
+{
+  const char *new_ruser = getpwnam(ruser)->pw_name;
+  if (new_ruser)
+{
+  free(ruser);
+  ruser = strdup(new_ruser);
+}
+}
+
   /* Make a buffer that's big enough for a number of copies of all the
  strings, plus some. */
   msg = (char *) malloc (10 * ((rversion ? strlen(rversion) : 0

3) the hammer, strip away any "@" part in the getpwuid() result:

diff --git a/driver/demo-Gtk.c b/driver/demo-Gtk.c
index da98c53..d2c9b6a 100644
--- a/driver/demo-Gtk.c
+++ b/driver/demo-Gtk.c
@@ -4471,7 +4471,13 @@ the_network_is_not_the_computer (state *s)
 # endif /* !HAVE_UNAME && !VMS */

   if (p && p->pw_name)
-luser = p->pw_name;
+{
+  char *domain;
+  luser = p->pw_name;
+  domain = strchr(luser, '@');
+  if (domain)
+*domain = '\0';
+}
   else
 luser = "???";

@@ -4496,7 +4502,7 @@ the_network_is_not_the_computer (state *s)
  "on display \"%s\".  Launch it now?"),
d);
 }
-  else if (p && ruser && *ruser && !!strcmp (ruser, p->pw_name))
+  else if (p && ruser && *ruser && !!strcmp (ruser, luser))
 {
   /* Warn that the two processes are running as different users.
*/


(Presenting all three just because I already have them, having jumped
on (3) then (2) before I had thought through it)

If you are willing to build and test, please try it on the latest
version from https://salsa.debian.org/debian/xscreensaver

Regards,
Tormod


On Wed, Apr 8, 2020 at 10:57 PM Vincent Danjean  wrote:
>
>   I run xscreensaver (with xfce4) on machines that use SSSD
> to managed its users. There are several source of authentification
> (as allowed by SSSD) but the main one (and default one) is to
> authenticate against an AD (windows kind of ldap/kerberos).
>   The important thing is that user names (ie logins) are of the
> form name@domain

>   I suspect the message is due to the fact that xscreensaver(-demo?)
> stores the login and the machine name under the form login@machine
> but fails to correctly parse such string when login contains a '@'
> character, as this is the case here.
>
>   Regards,
> Vincent

Bug#956251: xscreensaver-demo do not handle correctly domain part of usernames

2020-04-08 Thread Vincent Danjean 
Package: xscreensaver
Version: 5.42+dfsg1-1
Severity: normal

  Hi,

  I run xscreensaver (with xfce4) on machines that use SSSD
to managed its users. There are several source of authentification
(as allowed by SSSD) but the main one (and default one) is to
authenticate against an AD (windows kind of ldap/kerberos).
  The important thing is that user names (ie logins) are of the
form name@domain

  When launching xscreensaver-demo, I always got the following
message (sorry, its in French):
===
xscreensaver-demo est lancé par l'utilisateur «name@domain» sur la machine 
«myhostname».
Cependant le xscreensaver gérant l'écran «:0.0»
est lancé par l'utilisateur «name»  sur la machine «domain@myhostname».

Comme ce sont des utilisateurs différents, ils ne vont pas lire/écrire
le même fichier «~/.xscreensaver», donc xscreensaver-demo ne fonctionnera
pas correctement.

Vous devez soit relancer xscreensaver-demo en tant que «name», soit relancer
xscreensaver en tant que «name@domain».

Relancer le démon xscreensaver maintenant ?

Annuler / Valider
==
[approximate translation:]
xscreensaver-demo is launched by the «name@domain» user on the «myhostname» 
machine.
However, the xscreensaver managing the screen «:0.0»
is launched by the «name» user on the «domain@myhostname» machine.

As these are two different users, they won't read/write
the same «~/.xscreensaver» file, so xscreensaver-demo won't work
correctly.

You must either restart xscreensaver-demo as «name», or restart
xscreensaver as «name@domain».

Restart xscreensaver daemon now?

Cancel / Validate
==

Using "Annuler" (ie cancel) or "Valider" (validate) leads to the
same effect: I can manipulate the demo options through xscreensaver-demo
in any cases.

  I suspect the message is due to the fact that xscreensaver(-demo?)
stores the login and the machine name under the form login@machine
but fails to correctly parse such string when login contains a '@'
character, as this is the case here.

  Regards,
Vincent

-- System Information:
Debian Release: 10.2
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xscreensaver depends on:
ii  libatk1.0-0  2.30.0-2
ii  libc62.28-10
ii  libcairo21.16.0-4
ii  libfontconfig1   2.13.1-2
ii  libfreetype6 2.9.1-3+deb10u1
ii  libgdk-pixbuf2.0-0   2.38.1+dfsg-1
ii  libglade2-0  1:2.6.4-2+b1
ii  libglib2.0-0 2.58.3-2+deb10u2
ii  libgtk2.0-0  2.24.32-3
ii  libice6  2:1.0.9-2
ii  libpam0g 1.3.1-5
ii  libpango-1.0-0   1.42.4-7~deb10u1
ii  libpangocairo-1.0-0  1.42.4-7~deb10u1
ii  libpangoft2-1.0-01.42.4-7~deb10u1
ii  libsm6   2:1.2.3-1
ii  libx11-6 2:1.6.7-1
ii  libxext6 2:1.3.3-1+b2
ii  libxi6   2:1.7.9-1
ii  libxinerama1 2:1.1.4-2
ii  libxml2  2.9.4+dfsg1-7+b3
ii  libxmu6  2:1.1.2-2+b3
ii  libxrandr2   2:1.5.1-1
ii  libxrender1  1:0.9.10-1
ii  libxt6   1:1.1.5-1+b3
ii  libxxf86vm1  1:1.1.4-1+b2
ii  xscreensaver-data5.42+dfsg1-1

Versions of packages xscreensaver recommends:
ii  libjpeg-turbo-progs   1:1.5.2-2+b1
ii  perl  5.28.1-6
ii  wamerican [wordlist]  2018.04.16-1
ii  wfrench [wordlist]1.2.4-1

Versions of packages xscreensaver suggests:
ii  firefox-esr [www-browser]  68.4.1esr-1~deb10u1
pn  fortune
ii  gdm3   3.30.2-3
ii  konqueror [www-browser]4:18.12.0-1
ii  lynx [www-browser] 2.8.9rel.1-3
pn  qcam | streamer
ii  w3m [www-browser]  0.5.3-37
pn  xdaliclock 
pn  xfishtank  
pn  xscreensaver-data-extra
pn  xscreensaver-gl
pn  xscreensaver-gl-extra  

-- no debconf information