Redesign Xauth handling #1230
Redesign Xauth handling #1230
Conversation
|
I've applied this PR to OpenMandrivaAssociation/sddm@5384de2 I'm running sddm on OpenMandriva with this PR, found no issues. |
src/helper/UserSession.cpp
Outdated
| FILE *fp = popen(qPrintable(cmd), "w"); | ||
| QString dir = QStandardPaths::writableLocation(QStandardPaths::RuntimeLocation); | ||
| if (!dir.isEmpty()) { | ||
| m_xauthFile.setFileTemplate(dir + QStringLiteral("/xauth_XXXXXX")); |
There was a problem hiding this comment.
This is somewhat weird.
setupChildProcess is after we've forked, we have the same memory contents, but it's not shared. It's COW.
Does it work as intended and actually clean up?
I suspect it would seem to work because:
the m_xauthFile of the parent that's actually scoped to the process stays effectively uninitialised
the child sets up m_xauthFile but in it's cloned memory, we would then effectively leak the temporary file as we don't call the destructor when we exec()
There was a problem hiding this comment.
Good catch - I totally forgot to mention that.
It leaks the temporary file currently, so relies on /run getting cleaned up by something else.
Not sure how to improve that though, the deletion would need to happen in the user context as well to avoid any arbitrary deletion vulnerabilities.
There's also #1083 which needs a way to clean up stuff after a user session ends.
There was a problem hiding this comment.
What about redesigning sddm-helper away from setupChildProcess? It could just do the setup in the main process itself (like setuid) and then use QProcess as usual. This means that sddm-helper would effectively run as the target user at that point and proper cleanup can be performed.
It would not help with #1083 though as that's managed by sddm, not sddm-helper IIRC.
There was a problem hiding this comment.
This is technically possible, but currently sddm-helper performs utmp and PAM session handling after the user process quites, so that would have to be moved into the daemon first...
I tested how this behaves on FreeBSD and there the session setup is done as part of Xsession: https://github.com/freebsd/freebsd-ports-kde/blob/d70b3c9023dfe8414ea91c31881209d16c15b229/x11/sddm/files/patch-data_scripts_Xsession#L18
This also includes setting up XDG_RUNTIME_DIR, which means that it's not available inside sddm-helper at all.
While using the fallback directory there is technically fine, it definitely needs manual cleanup then.
Note that there are currently open topics, like the authority file leak and the manpage update. |
|
I changed the design somewhat. Instead of putting the temporary |
Future sddm version will use $XDG_RUNTIME_DIR/xauth_XXXXXX References: - https://bugzilla.opensuse.org/show_bug.cgi?id=1174290 - https://bugzilla.suse.com/show_bug.cgi?id=1174293 - sddm/sddm#1230 - jonls/redshift#763 This is the 2.13 version of 35f033c / https://gitlab.com/apparmor/apparmor/-/merge_requests/581 The difference is that this commit avoids using the @{run} variable.
Future sddm version will use $XDG_RUNTIME_DIR/xauth_XXXXXX References: * https://bugzilla.opensuse.org/show_bug.cgi?id=1174290 * https://bugzilla.suse.com/show_bug.cgi?id=1174293 * sddm/sddm#1230 * jonls/redshift#763 This is the 2.13 version of 35f033c / https://gitlab.com/apparmor/apparmor/-/merge_requests/581 The difference is that this commit avoids using the @{run} variable. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/582 Acked-by: John Johansen <john.johansen@canonical.com>
Future sddm version will use $XDG_RUNTIME_DIR/xauth_XXXXXX References: - https://bugzilla.opensuse.org/show_bug.cgi?id=1174290 - https://bugzilla.suse.com/show_bug.cgi?id=1174293 - sddm/sddm#1230 - jonls/redshift#763 This is the 2.13 version of 35f033c / https://gitlab.com/apparmor/apparmor/-/merge_requests/582 The difference is that this commit avoids using the @{run} variable. (cherry picked from commit 02b9090)
Future sddm version will use $XDG_RUNTIME_DIR/xauth_XXXXXX References: - https://bugzilla.opensuse.org/show_bug.cgi?id=1174290 - https://bugzilla.suse.com/show_bug.cgi?id=1174293 - sddm/sddm#1230 - jonls/redshift#763 This is the 2.13 version of 35f033c / https://gitlab.com/apparmor/apparmor/-/merge_requests/582 The difference is that this commit avoids using the @{run} variable. (cherry picked from commit 02b9090) Signed-off-by: John Johansen <john.johansen@canonical.com>
|
Placing file xauth_XXXXX has bad side-effects. The user cannot write to the containing directory, so xauth (the program) cannot create the lockfile RUNTIME_DIR/xauth_XXXXX-c
|
|
@tvolin make sure you have set proper permissions on |
Great, back to the drawing board. Apparently this approach doesn't work either then. |
O.o You realize that way you're giving EVERY USER on the system FULL ACCESS to your sessions and the login screen, which means they can just run xev and grab your passwords? |
oops, thanks for spotting this ⭕ |
|
Actually, I missed that the directory has the sticky bit set - in that case it should actually be fine (but no guarantee). There are other issues with this approach though, for instance that there's still no explicit cleanup in case of leftover files (sddm crash, power outage, etc.). |
|
Permissions 1733 seem to do the job. Non-root users can't even see the name of each other's xauth files. And with 0600 as the file permission (which it is), they cannot read each other's files either. |
I'm wondering mostly about FreeBSD actually.
|
Well, I did yesterday but just shortly afterwards major changes got merged... I don't currently have time to get familiar with them and redo this PR. |
|
@Vogtinator can you please rebase it on top current head ? |
|
@Vogtinator @davidedmundson Can someone please look at rebasing this on top of current mainline? We need this and I couldn't figure out how to do it myself. 😢 |
This is a rebase of sddm#1230 by @Vogtinator > This commit moves Xauthority handling over to libXau. > Advantage is that this allows use of FamilyWild, is faster, more reliable > and easier to read. However, we lose the ability to merge the new cookie into > an existing Xauthority file, so support for using a non-temporary file is > dropped. Even if merging was implemented manually, use of FamilyWild would > "infect" such a file and break it for DMs which don't write it.
This is a rebase of sddm#1230 by @Vogtinator > This commit moves Xauthority handling over to libXau. > Advantage is that this allows use of FamilyWild, is faster, more reliable > and easier to read. However, we lose the ability to merge the new cookie into > an existing Xauthority file, so support for using a non-temporary file is > dropped. Even if merging was implemented manually, use of FamilyWild would > "infect" such a file and break it for DMs which don't write it.
By moving this in display we don't need sddm-helper to perform anything as root after the initial setup. This allows us to drop the priveleges in UserSession before forking. This should unblock sddm#1230 as well as give us a path to simplify the paths where the helper is running the display manager.
This is a rebase of sddm#1230 by @Vogtinator > This commit moves Xauthority handling over to libXau. > Advantage is that this allows use of FamilyWild, is faster, more reliable > and easier to read. However, we lose the ability to merge the new cookie into > an existing Xauthority file, so support for using a non-temporary file is > dropped. Even if merging was implemented manually, use of FamilyWild would > "infect" such a file and break it for DMs which don't write it.
This is a rebase of sddm#1230 by @Vogtinator > This commit moves Xauthority handling over to libXau. > Advantage is that this allows use of FamilyWild, is faster, more reliable > and easier to read. However, we lose the ability to merge the new cookie into > an existing Xauthority file, so support for using a non-temporary file is > dropped. Even if merging was implemented manually, use of FamilyWild would > "infect" such a file and break it for DMs which don't write it.
Vogtinator
force-pushed
the
libxau
branch
3 times, most recently
from
bb0a3a5 to
6e012fb
Compare
|
Tested to work as expected with |
src/common/XAuth.cpp
Outdated
| // Check file | ||
| if (!fp) | ||
| if (XauWriteAuth(authFp, &auth) == 0) { | ||
| fclose(authFp); |
There was a problem hiding this comment.
I would suggest using QScopeGuard rather than having to fClose in all the paths
This commit moves Xauthority handling over to libXau. Advantage is that this allows use of FamilyWild, is faster, more reliable and easier to read. However, we lose the ability to merge the new cookie into an existing Xauthority file, so support for using a non-temporary file is dropped. Even if merging was implemented manually, use of FamilyWild would "infect" such a file and break it for DMs which don't write it. Co-authored-by: Matt Jolly <Matt.Jolly@footclan.ninja>
Use proper temporary files instead of UUIDs. This makes the file's purpose more obvious and also takes care of cleanup.
By moving this in display we don't need sddm-helper to perform anything as root after the initial setup. This allows us to drop the priveleges in UserSession before forking. This should unblock sddm#1230 as well as give us a path to simplify the paths where the helper is running the display manager.
Starting from sddm 0.20 (by sddm#1230), the xauth file is at `/tmp/xauth_*` instead of `~/.Xauthority`. The new location is subject to systemd-tmpfiles's cleanup, which deletes files from /tmp/ that are older than 10 days: https://github.com/systemd/systemd/blob/v254/tmpfiles.d/tmp.conf The xauth file should not be removed while the session is active, because it is needed for starting X applications. When removed, X applications won't start any more. This patch fixes the issue by declaring these files as "ignored" in sddm-tmpfiles.conf, so that systemd-tmpfiles doesn't remove them. Minimal test case: ``` touch /tmp/xauth_testonly SYSTEMD_LOG_LEVEL=debug systemd-tmpfiles --prefix=/tmp/ --clean ``` Pre-patch output: File "/tmp/xauth_testonly": change time Mon 2023-10-02 01:27:38.395466 CEST is too new. (meaning that the file was considered for removal) Post-patch output: Ignoring "/tmp/xauth_testonly": a separate glob exists. (meaning that the file is ignored and not considered for removal)
Starting from sddm 0.20 (by sddm#1230), the xauth file is at `/tmp/xauth_*` instead of `~/.Xauthority`. The new location is subject to systemd-tmpfiles's cleanup, which deletes files from /tmp/ that are older than 10 days: https://github.com/systemd/systemd/blob/v254/tmpfiles.d/tmp.conf The xauth file should not be removed while the session is active, because it is needed for starting X applications. When removed, X applications won't start any more. This patch fixes the issue by declaring these files as "ignored" in sddm-tmpfiles.conf, so that systemd-tmpfiles doesn't remove them. Minimal test case: ``` touch /tmp/xauth_testonly SYSTEMD_LOG_LEVEL=debug systemd-tmpfiles --prefix=/tmp/ --clean ``` Pre-patch output: File "/tmp/xauth_testonly": change time Mon 2023-10-02 01:27:38.395466 CEST is too new. (meaning that the file was considered for removal) Post-patch output: Ignoring "/tmp/xauth_testonly": a separate glob exists. (meaning that the file is ignored and not considered for removal)
Starting from sddm 0.20 (by #1230), the xauth file is at `/tmp/xauth_*` instead of `~/.Xauthority`. The new location is subject to systemd-tmpfiles's cleanup, which deletes files from /tmp/ that are older than 10 days: https://github.com/systemd/systemd/blob/v254/tmpfiles.d/tmp.conf The xauth file should not be removed while the session is active, because it is needed for starting X applications. When removed, X applications won't start any more. This patch fixes the issue by declaring these files as "ignored" in sddm-tmpfiles.conf, so that systemd-tmpfiles doesn't remove them. Minimal test case: ``` touch /tmp/xauth_testonly SYSTEMD_LOG_LEVEL=debug systemd-tmpfiles --prefix=/tmp/ --clean ``` Pre-patch output: File "/tmp/xauth_testonly": change time Mon 2023-10-02 01:27:38.395466 CEST is too new. (meaning that the file was considered for removal) Post-patch output: Ignoring "/tmp/xauth_testonly": a separate glob exists. (meaning that the file is ignored and not considered for removal)
This commit moves Xauthority handling over to libXau.
Advantage is that this allows use of FamilyWild, is faster, more reliable
and easier to read. However, we lose the ability to merge the new cookie into
an existing Xauthority file, so support for using a non-temporary file is
dropped. Even if merging was implemented manually, use of FamilyWild would
"infect" such a file and break it for DMs which don't write it.