> Date: Mon, 8 Mar 2021 21:09:49 +0100
> From: Matthieu Herrb <[email protected]>
>
> Hi,
>
> If you look at the output of "xauth list" on your favourite OpenBSD
> machine you might get a bit scared, especially if you have an IPv6
> enabled network or if you used to travel and connect to various
> networks.
>
> Most of the lines are there to allow TCP connexions to the IP address
> of the machine by the time you log into xenodm.
>
> But tcp connexions are disabled by default in the X server since a few
> years now, so those authorizations are useless.
>
> Also the recent discussion about dhcpleased and its asynchronous
> nature makes it clear that there is no guarantee that the IP addresses
> known at xenodm startup will not change during the lifetime of the session.
>
> The diff below tells xenodm to not add authorizations for tcp
> connexions, unless it's explicitly configured. Only the authorization
> for the local unix socket connections is created.
>
> To test, apply to /usr/xenocara/app/xenodm (note that you need the
> very recent commits I did earlier today) and run :
>
> make -f Makefile.bsd-wrapper obj
> make -f Makefile.bsd-wrapper clean
> make -f Makefile.bsd-wrapper
> doas make -f Makefile.bsd-wrapper install
>
> Then remove the old ~/.Xauthority file, full of useless lines and
> reboot. Once logged in check the contents of xauth list again.
>
> Comments ? ok ?
There are a couple of cases where the indentation is changed away from
what it was, using tabs instead of 4 spaces. But I don't know how
(in)consistent this codebase was in the first place.
otherwise this looks ok to me
> Index: include/dm.h
> ===================================================================
> RCS file: /cvs/xenocara/app/xenodm/include/dm.h,v
> retrieving revision 1.16
> diff -u -p -u -r1.16 dm.h
> --- include/dm.h 8 Mar 2021 17:54:28 -0000 1.16
> +++ include/dm.h 8 Mar 2021 20:05:11 -0000
> @@ -123,6 +123,7 @@ struct display {
> unsigned short *authNameLens; /* authorization protocol name lens */
> char *clientAuthFile;/* client specified auth file */
> int authComplain; /* complain when no auth for XDMCP */
> + int listenTcp; /* assume server is listening on TCP */
>
> /* information potentially derived from resources */
> int authNameNum; /* number of protocol names */
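Review bot: The comment on the new field, `/* assume server is listening on TCP */`, does not say where the value comes from, and this patch sets it from two places: the `listenTcp` resource in resource.c and a scan of the server's argv for `-listen tcp` in SetUserAuthorization (auth.c). A comment such as `/* server accepts TCP connections: set from the listenTcp resource or from "-listen tcp" in argv */` would make that explicit for readers of dm.h. The struct display definition continues outside the hunk.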
> Index: man/xenodm.man
> ===================================================================
> RCS file: /cvs/xenocara/app/xenodm/man/xenodm.man,v
> retrieving revision 1.12
> diff -u -p -u -r1.12 xenodm.man
> --- man/xenodm.man 8 Mar 2021 17:54:28 -0000 1.12
> +++ man/xenodm.man 8 Mar 2021 20:05:11 -0000
> @@ -582,6 +582,21 @@ to occur, during which time the new auth
> The default is
> .Cm false ,
> which will work for all MIT servers.
> +.It Ic DisplayManager. Ns Ar DISPLAY Ns Ic .listenTcp
> +If set to
> +.Cm true ,
> +enable the
> +.Ic listen Ic tcp
> +option for the given X server.
> +When this setting is set to
> +.Cm false ,
> +.Nm
> +will only generate authorizations for the local (ie Unix socket)
> +transport mechanism.
> +Otherwise full authorization for all possible transport mechanisms
> +will be generated.
> +The default is
> +.Cm false .
> .El
> .Sh CONFIGURATION FILE
> First, the
> Index: xenodm/auth.c
> ===================================================================
> RCS file: /cvs/xenocara/app/xenodm/xenodm/auth.c,v
> retrieving revision 1.16
> diff -u -p -u -r1.16 auth.c
> --- xenodm/auth.c 8 Mar 2021 17:54:28 -0000 1.16
> +++ xenodm/auth.c 8 Mar 2021 20:05:11 -0000
> @@ -736,13 +736,14 @@ setAuthNumber (Xauth *auth, char *name)
> }
>
> static void
> -writeLocalAuth (FILE *file, Xauth *auth, char *name)
> +writeLocalAuth (FILE *file, Xauth *auth, char *name, int listenTcp)
> {
>
> Debug ("writeLocalAuth: %s %.*s\n", name, auth->name_length, auth->name);
> setAuthNumber (auth, name);
> #ifdef TCPCONN
> - DefineSelf (file, auth);
> + if (listenTcp)
> + DefineSelf (file, auth);
> #endif
> DefineLocal (file, auth);
> }
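Review bot: The new `listenTcp` parameter is only read inside the `#ifdef TCPCONN` block, so in a build without TCPCONN it is unused and the call only reaches DefineLocal; that is the intended fail-closed behaviour (no TCP entries unless TCP is actually listened on), but nothing documents it. A short comment above the function, e.g. `/* Write the auth entries for this display: DefineSelf (TCP) only when listenTcp is set and built with TCPCONN, DefineLocal always. */`, would make the contract clear to the two callers in SetUserAuthorization and RemoveUserAuthorization.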
> @@ -762,8 +763,21 @@ SetUserAuthorization (struct display *d,
> struct stat statb;
> int i;
> int magicCookie;
> + char **arg;
> + int foundListen = 0;
>
> Debug ("SetUserAuthorization\n");
> + for (arg = d->argv; *arg!= NULL; arg++) {
> + if (strcmp(*arg, "tcp") == 0 && foundListen) {
> + Debug("setUserAuthorization: found listenTcp \n");
> + d->listenTcp = 1;
> + break;
> + }
> + if (strcmp(*arg, "-listen") == 0)
> + foundListen = 1;
> + else
> + foundListen = 0;
> + }
> auths = d->authorizations;
> if (auths) {
> home = getEnv (verify->userEnviron, "HOME");
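Review bot: The scan at `for (arg = d->argv; *arg!= NULL; arg++)` dereferences `d->argv` without checking it is non-NULL; whether a display can reach SetUserAuthorization with no argument vector is not visible here, but the guard is cheap: `for (arg = d->argv; arg != NULL && *arg != NULL; arg++) {`. The Debug message `"setUserAuthorization: found listenTcp \n"` uses a lowercase name and a trailing space, unlike `"SetUserAuthorization\n"` two lines above; `Debug ("SetUserAuthorization: found -listen tcp\n");` would match. The loop also stops at the first `-listen`/`tcp` pair and never looks for a later `-nolisten tcp`, so if an argument list can contain both, the authorization file and the server may disagree; a comment stating that only the first match is honoured, or a second check, would settle it. The body of SetUserAuthorization continues outside the hunk.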
> @@ -813,7 +827,7 @@ SetUserAuthorization (struct display *d,
> !strncmp (auths[i]->name, "MIT-MAGIC-COOKIE-1", 18))
> {
> magicCookie = i;
> - writeLocalAuth (new, auths[i], d->name);
> + writeLocalAuth (new, auths[i], d->name, d->listenTcp);
> break;
> }
> }
> @@ -893,7 +907,7 @@ RemoveUserAuthorization (struct display
> initAddrs ();
> doWrite = 0;
> for (i = 0; i < d->authNum; i++)
> - writeLocalAuth (new, auths[i], d->name);
> + writeLocalAuth (new, auths[i], d->name, d->listenTcp);
> doWrite = 1;
> if (old) {
> if (fstat (fileno (old), &statb) != -1)
> Index: xenodm/resource.c
> ===================================================================
> RCS file: /cvs/xenocara/app/xenodm/xenodm/resource.c,v
> retrieving revision 1.6
> diff -u -p -u -r1.6 resource.c
> --- xenodm/resource.c 8 Mar 2021 17:54:28 -0000 1.6
> +++ xenodm/resource.c 8 Mar 2021 20:05:11 -0000
> @@ -169,6 +169,8 @@ struct displayResource serverResources[]
> "" },
> { "autoLogin", "AutoLogin", DM_STRING, boffset(autoLogin),
> "" },
> +{ "listenTcp", "ListenTcp", DM_BOOL, boffset(listenTcp),
> + "false" },
> };
>
> #define NUM_SERVER_RESOURCES (sizeof serverResources/\
> Index: xenodm/server.c
> ===================================================================
> RCS file: /cvs/xenocara/app/xenodm/xenodm/server.c,v
> retrieving revision 1.4
> diff -u -p -u -r1.4 server.c
> --- xenodm/server.c 11 Jul 2018 14:35:46 -0000 1.4
> +++ xenodm/server.c 8 Mar 2021 20:05:11 -0000
> @@ -86,6 +86,8 @@ StartServerOnce (struct display *d)
> snprintf (arg, sizeof(arg), "-auth %s", d->authFile);
> argv = parseArgs (argv, arg);
> }
> + if (d->listenTcp)
> + argv = parseArgs(argv, "-listen tcp");
> if (!argv) {
> LogError ("StartServer: no arguments\n");
> sleep ((unsigned) d->openDelay);
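Review bot: `argv = parseArgs(argv, "-listen tcp");` is appended regardless of whether the server arguments already contain `-listen tcp`, so when the resource is true and the configured server line already asks for it the option is passed twice; presumably harmless if the server tolerates repeats, but worth a one-line comment, since the argv scan in auth.c presumably runs later (in SetUserAuthorization) and cannot suppress the duplicate here. The call is also written `parseArgs(argv, ...)` while the surrounding lines use `parseArgs (argv, arg)`; `argv = parseArgs (argv, "-listen tcp");` matches the file's style. StartServerOnce continues outside the hunk.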
>
> --
> Matthieu Herrb
>
>