Bug#956251: xscreensaver-demo do not handle correctly domain part of usernames
FYI, my first patch above was applied in upstream 5.45 and will appear in 5.45-1 in unstable soon. Please let us know if it works fine with your SSSD. Tormod
Bug#956251: xscreensaver-demo do not handle correctly domain part of usernames
> Le 30/09/2020 à 22:06, Jamie Zawinski a écrit : > > The reason remote.c includes @hostname on the XA_SCREENSAVER_ID is to > > detect the case when "xscreensaver" and "xscreensaver-demo" are running on > > different hosts, because if they are different hosts, they are likely > > different file systems for the home directory. Your first patch disables > > this check. The intention of my first patch is, given luser is "name@ddns_domain@host", that the detected username becomes "name@ddns_domain" and the detected hostname "host". Whereas today the username becomes "name" and the hostname "ddns_domain@host" which seems wrong. I don't see right now (this was a while back) how the patch disables any check. In the simple case of one "@" it is the same if we use strchr or strrchr. Tormod
Bug#956251: xscreensaver-demo do not handle correctly domain part of usernames
Le 30/09/2020 à 22:06, Jamie Zawinski a écrit : > The reason remote.c includes @hostname on the XA_SCREENSAVER_ID is to detect > the case when "xscreensaver" and "xscreensaver-demo" are running on different > hosts, because if they are different hosts, they are likely different file > systems for the home directory. Your first patch disables this check. > > I still don't understand why a user name would have an @ in it in the first > place, so I can't comment on the rest. When using sssd[1] with different auth providers (ldap, ad, ...), users (and groups) are suffixed by '@'providerid Usernames without qualifiers get the default one when used. For example: cat /etc/sssd/sssd.conf [sssd] [...] domains = nts,example.fr default_domain_suffix = example.fr [...] [domain/example.fr] id_provider = ad [... ad config ...] [domain/nts] id_provider = ldap [...ldap config ...] And then: $ id user1 uid=157153(us...@example.fr) gid=5153(maingr...@example.fr) groupes=5153(maingr...@example.fr),13182(othergr...@example.fr),136315(applicationgr...@example.fr) $ id user2 id: 'user2': no such user $ id user2@nts uid=5000(user2@nts) gid=5000(user2@nts) groups=5000(user2@nts),4010(application-access-grp@nts) So, the '@' in the username comes from the sssd software that is more and more used in large systems (AD/ldap/...) This is transparent to most software, even with ssh that already uses '@' itself. Using my previous example, to log into the system, I can use: ssh user1@host ssh us...@example.fr@host ssh -l user1 host ssh -l us...@example.fr host ssh user2@nts@host ssh -l user2@nts host but not (user2 is not a user in the default auth provider) ssh user2@host Regards, Vincent [1] https://en.wikipedia.org/wiki/System_Security_Services_Daemon -- Vincent Danjean GPG key ID 0xD17897FA vdanj...@debian.org GPG key fingerprint: 621E 3509 654D D77C 43F5 CA4A F6AE F2AF D178 97FA Unofficial pkgs: http://moais.imag.fr/membres/vincent.danjean/deb.html APT repo: deb http://people.debian.org/~vdanjean/debian unstable main
Bug#956251: xscreensaver-demo do not handle correctly domain part of usernames
The reason remote.c includes @hostname on the XA_SCREENSAVER_ID is to detect the case when "xscreensaver" and "xscreensaver-demo" are running on different hosts, because if they are different hosts, they are likely different file systems for the home directory. Your first patch disables this check. I still don't understand why a user name would have an @ in it in the first place, so I can't comment on the rest. -- Jamie Zawinski https://www.jwz.org/ https://www.dnalounge.com/
Bug#956251: xscreensaver-demo do not handle correctly domain part of usernames
Hi Vincent, Thanks for your report. Yes, I understand it from the messages that on your machines getpwuid() returns a username including this "@domain" part, but the server_xscreensaver_version() which queries the server, strips away all "@" parts (I don't even know if XGetWindowProperty() returns the @domain part here). First, I am not familiar enough with SSSD to know if pw_name should include the "@domain" part, but I will assume it for the following suggestions, in preferred order: 1) if XGetWindowProperty() returns user@domain@host, this simple patch could solve it by only stripping the last "@" part: diff --git a/driver/remote.c b/driver/remote.c index 83254e0..e409ebc 100644 --- a/driver/remote.c +++ b/driver/remote.c @@ -681,7 +681,7 @@ server_xscreensaver_version (Display *dpy, { char *o = 0, *p = 0, *c = 0; o = strchr ((char *) id, '('); - if (o) p = strchr (o, '@'); + if (o) p = strrchr (o, '@'); if (p) c = strchr (p, ')'); if (c) { 2) in case XGetWindowProperty() doesn't return the "@domain" part, canonicalize the username received via server_xscreensaver_version so it should match the getpwuid() result: diff --git a/driver/demo-Gtk.c b/driver/demo-Gtk.c index da98c53..14f82c1 100644 --- a/driver/demo-Gtk.c +++ b/driver/demo-Gtk.c @@ -4477,6 +4477,17 @@ the_network_is_not_the_computer (state *s) server_xscreensaver_version (dpy, , , ); + /* canonical name in case of directory service */ + if (ruser) +{ + const char *new_ruser = getpwnam(ruser)->pw_name; + if (new_ruser) +{ + free(ruser); + ruser = strdup(new_ruser); +} +} + /* Make a buffer that's big enough for a number of copies of all the strings, plus some. */ msg = (char *) malloc (10 * ((rversion ? strlen(rversion) : 0 3) the hammer, strip away any "@" part in the getpwuid() result: diff --git a/driver/demo-Gtk.c b/driver/demo-Gtk.c index da98c53..d2c9b6a 100644 --- a/driver/demo-Gtk.c +++ b/driver/demo-Gtk.c @@ -4471,7 +4471,13 @@ the_network_is_not_the_computer (state *s) # endif /* !HAVE_UNAME && !VMS */ if (p && p->pw_name) -luser = p->pw_name; +{ + char *domain; + luser = p->pw_name; + domain = strchr(luser, '@'); + if (domain) +*domain = '\0'; +} else luser = "???"; @@ -4496,7 +4502,7 @@ the_network_is_not_the_computer (state *s) "on display \"%s\". Launch it now?"), d); } - else if (p && ruser && *ruser && !!strcmp (ruser, p->pw_name)) + else if (p && ruser && *ruser && !!strcmp (ruser, luser)) { /* Warn that the two processes are running as different users. */ (Presenting all three just because I already have them, having jumped on (3) then (2) before I had thought through it) If you are willing to build and test, please try it on the latest version from https://salsa.debian.org/debian/xscreensaver Regards, Tormod On Wed, Apr 8, 2020 at 10:57 PM Vincent Danjean wrote: > > I run xscreensaver (with xfce4) on machines that use SSSD > to managed its users. There are several source of authentification > (as allowed by SSSD) but the main one (and default one) is to > authenticate against an AD (windows kind of ldap/kerberos). > The important thing is that user names (ie logins) are of the > form name@domain > I suspect the message is due to the fact that xscreensaver(-demo?) > stores the login and the machine name under the form login@machine > but fails to correctly parse such string when login contains a '@' > character, as this is the case here. > > Regards, > Vincent
Bug#956251: xscreensaver-demo do not handle correctly domain part of usernames
Package: xscreensaver Version: 5.42+dfsg1-1 Severity: normal Hi, I run xscreensaver (with xfce4) on machines that use SSSD to managed its users. There are several source of authentification (as allowed by SSSD) but the main one (and default one) is to authenticate against an AD (windows kind of ldap/kerberos). The important thing is that user names (ie logins) are of the form name@domain When launching xscreensaver-demo, I always got the following message (sorry, its in French): === xscreensaver-demo est lancé par l'utilisateur «name@domain» sur la machine «myhostname». Cependant le xscreensaver gérant l'écran «:0.0» est lancé par l'utilisateur «name» sur la machine «domain@myhostname». Comme ce sont des utilisateurs différents, ils ne vont pas lire/écrire le même fichier «~/.xscreensaver», donc xscreensaver-demo ne fonctionnera pas correctement. Vous devez soit relancer xscreensaver-demo en tant que «name», soit relancer xscreensaver en tant que «name@domain». Relancer le démon xscreensaver maintenant ? Annuler / Valider == [approximate translation:] xscreensaver-demo is launched by the «name@domain» user on the «myhostname» machine. However, the xscreensaver managing the screen «:0.0» is launched by the «name» user on the «domain@myhostname» machine. As these are two different users, they won't read/write the same «~/.xscreensaver» file, so xscreensaver-demo won't work correctly. You must either restart xscreensaver-demo as «name», or restart xscreensaver as «name@domain». Restart xscreensaver daemon now? Cancel / Validate == Using "Annuler" (ie cancel) or "Valider" (validate) leads to the same effect: I can manipulate the demo options through xscreensaver-demo in any cases. I suspect the message is due to the fact that xscreensaver(-demo?) stores the login and the machine name under the form login@machine but fails to correctly parse such string when login contains a '@' character, as this is the case here. Regards, Vincent -- System Information: Debian Release: 10.2 APT prefers stable APT policy: (990, 'stable'), (500, 'stable-updates') Architecture: amd64 (x86_64) Kernel: Linux 5.4.0-0.bpo.2-amd64 (SMP w/8 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages xscreensaver depends on: ii libatk1.0-0 2.30.0-2 ii libc62.28-10 ii libcairo21.16.0-4 ii libfontconfig1 2.13.1-2 ii libfreetype6 2.9.1-3+deb10u1 ii libgdk-pixbuf2.0-0 2.38.1+dfsg-1 ii libglade2-0 1:2.6.4-2+b1 ii libglib2.0-0 2.58.3-2+deb10u2 ii libgtk2.0-0 2.24.32-3 ii libice6 2:1.0.9-2 ii libpam0g 1.3.1-5 ii libpango-1.0-0 1.42.4-7~deb10u1 ii libpangocairo-1.0-0 1.42.4-7~deb10u1 ii libpangoft2-1.0-01.42.4-7~deb10u1 ii libsm6 2:1.2.3-1 ii libx11-6 2:1.6.7-1 ii libxext6 2:1.3.3-1+b2 ii libxi6 2:1.7.9-1 ii libxinerama1 2:1.1.4-2 ii libxml2 2.9.4+dfsg1-7+b3 ii libxmu6 2:1.1.2-2+b3 ii libxrandr2 2:1.5.1-1 ii libxrender1 1:0.9.10-1 ii libxt6 1:1.1.5-1+b3 ii libxxf86vm1 1:1.1.4-1+b2 ii xscreensaver-data5.42+dfsg1-1 Versions of packages xscreensaver recommends: ii libjpeg-turbo-progs 1:1.5.2-2+b1 ii perl 5.28.1-6 ii wamerican [wordlist] 2018.04.16-1 ii wfrench [wordlist]1.2.4-1 Versions of packages xscreensaver suggests: ii firefox-esr [www-browser] 68.4.1esr-1~deb10u1 pn fortune ii gdm3 3.30.2-3 ii konqueror [www-browser]4:18.12.0-1 ii lynx [www-browser] 2.8.9rel.1-3 pn qcam | streamer ii w3m [www-browser] 0.5.3-37 pn xdaliclock pn xfishtank pn xscreensaver-data-extra pn xscreensaver-gl pn xscreensaver-gl-extra -- no debconf information