File gdm-remote-root-login-setting.patch of Package gdm.16051
diff -Npur gdm-3.10.0.1-old//common/gdm-settings-keys.h gdm-3.10.0.1/common/gdm-settings-keys.h
--- gdm-3.10.0.1-old//common/gdm-settings-keys.h 2015-06-16 16:58:55.000000000 +0800
+++ gdm-3.10.0.1/common/gdm-settings-keys.h 2015-06-16 17:00:56.000000000 +0800
@@ -42,6 +42,8 @@ G_BEGIN_DECLS
#define GDM_KEY_INCLUDE_ALL "greeter/IncludeAll"
#define GDM_KEY_DISALLOW_TCP "security/DisallowTCP"
+#define GDM_KEY_ALLOW_ROOT "security/AllowRoot"
+#define GDM_KEY_ALLOW_REMOTE_ROOT "security/AllowRemoteRoot"
#define GDM_KEY_XDMCP_ENABLE "xdmcp/Enable"
#define GDM_KEY_SHOW_LOCAL_GREETER "xdmcp/ShowLocalGreeter"
diff -Npur gdm-3.10.0.1-old//common/gdm-settings-system-backend.c gdm-3.10.0.1/common/gdm-settings-system-backend.c
--- gdm-3.10.0.1-old//common/gdm-settings-system-backend.c 2015-06-16 16:58:55.000000000 +0800
+++ gdm-3.10.0.1/common/gdm-settings-system-backend.c 2015-06-16 17:02:43.000000000 +0800
@@ -45,6 +45,7 @@
#define SYSCONFIG_XDMCP_KEY "DISPLAYMANAGER_REMOTE_ACCESS"
#define SYSCONFIG_STARTS_XSERVER_KEY "DISPLAYMANAGER_STARTS_XSERVER"
#define SYSCONFIG_PASSWORDLESS_KEY "DISPLAYMANAGER_PASSWORD_LESS_LOGIN"
+#define SYSCONFIG_XDMCP_ROOT_ENABLE_KEY "DISPLAYMANAGER_ROOT_LOGIN_REMOTE"
/* Keys from sysconfig that have no equivalent in GDM:
* - DISPLAYMANAGER_ROOT_LOGIN_REMOTE
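Review bot: The comment that starts right after the new define still lists `DISPLAYMANAGER_ROOT_LOGIN_REMOTE` as a sysconfig key with no equivalent in GDM, yet this patch gives it one through `SYSCONFIG_XDMCP_ROOT_ENABLE_KEY`. Drop that entry from the list so the comment does not contradict the code. A short comment on the define, such as `/* maps to security/AllowRemoteRoot */`, would help the next reader. The rest of the comment block lies outside the hunk.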
@@ -134,6 +135,18 @@ gdm_settings_system_backend_get_value (G
val = g_strdup (tcp_open ? "false" : "true");
}
}
+ } else if (!strcasecmp (key, GDM_KEY_ALLOW_REMOTE_ROOT)) {
+ const gchar *new_val;
+
+ val = gdm_sysconfig_get_value ((const gchar **) priv->lines, SYSCONFIG_XDMCP_ROOT_ENABLE_KEY);
+
+ if (val && !strcasecmp (val, "yes"))
+ new_val = "true";
+ else
+ new_val = "false";
+
+ g_free (val);
+ val = g_strdup (new_val);
} else if (!strcasecmp (key, GDM_KEY_XDMCP_ENABLE)) {
if (priv->dirty_xdmcp) {
val = g_strdup (priv->set_xdmcp ? "true" : "false");
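Review bot: The new `GDM_KEY_ALLOW_REMOTE_ROOT` branch has no comment stating its policy: only a case-insensitive `yes` yields "true", and a missing key or any other value yields "false". That deny-by-default behaviour is the security-relevant part and is worth stating, for example `/* Only an explicit "yes" permits remote root login; an absent or unrecognised value is treated as "false". */`. The hunk shows only the read path, so whether the matching set-value code handles this key cannot be judged from here. The enclosing function begins and ends outside the hunk.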
diff -Npur gdm-3.10.0.1-old//daemon/gdm-session-worker.c gdm-3.10.0.1/daemon/gdm-session-worker.c
--- gdm-3.10.0.1-old//daemon/gdm-session-worker.c 2015-06-16 16:58:55.000000000 +0800
+++ gdm-3.10.0.1/daemon/gdm-session-worker.c 2015-06-16 17:00:02.000000000 +0800
@@ -72,6 +72,7 @@
#include "gdm-session-auditor.h"
#endif
+#include "gdm-settings-keys.h"
#include "gdm-session-settings.h"
#define GDM_SESSION_WORKER_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), GDM_TYPE_SESSION_WORKER, GdmSessionWorkerPrivate))
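Review bot: The code added to gdm_session_worker_authorize_user calls gdm_settings_direct_get_boolean(), but this hunk adds only `gdm-settings-keys.h`, which supplies the key names and not that prototype. If `gdm-settings-direct.h` is not already included elsewhere in the file (not visible here), add `#include "gdm-settings-direct.h"` beside it so the call is type-checked rather than implicitly declared.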
@@ -1248,10 +1249,45 @@ gdm_session_worker_authorize_user (GdmSe
{
int error_code;
int authentication_flags;
+ char *username;
+ struct passwd *pwent = NULL;
g_debug ("GdmSessionWorker: determining if authenticated user (password required:%d) is authorized to session",
password_is_required);
+ gdm_session_worker_get_username (worker, &username);
+ if (username) {
+ pwent = getpwnam (username);
+ g_free (username);
+ }
+
+ if (pwent && (pwent->pw_uid == GDM_SESSION_ROOT_UID)) {
+ gboolean allow_root;
+
+ gdm_settings_direct_get_boolean (GDM_KEY_ALLOW_ROOT, &allow_root);
+ if (!allow_root) {
+ g_set_error (error,
+ GDM_SESSION_WORKER_ERROR,
+ GDM_SESSION_WORKER_ERROR_AUTHORIZING,
+ "%s", _("System administrator is not allowed to login."));
+ gdm_session_worker_uninitialize_pam (worker, PAM_PERM_DENIED);
+ return FALSE;
+ }
+ if (!worker->priv->display_is_local) {
+ gboolean allow_remote_root;
+
+ gdm_settings_direct_get_boolean (GDM_KEY_ALLOW_REMOTE_ROOT, &allow_remote_root);
+ if (!allow_remote_root) {
+ g_set_error (error,
+ GDM_SESSION_WORKER_ERROR,
+ GDM_SESSION_WORKER_ERROR_AUTHORIZING,
+ "%s", _("System administrator is not allowed to remote login."));
+ gdm_session_worker_uninitialize_pam (worker, PAM_PERM_DENIED);
+ return FALSE;
+ }
+ }
+ }
+
authentication_flags = 0;
if (password_is_required) {
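Review bot: `username`, `allow_root` and `allow_remote_root` are declared without initialisers, and the return values of gdm_session_worker_get_username() and gdm_settings_direct_get_boolean() are ignored. If any of those calls fails without writing its out-parameter, the `if (username)` test, the `g_free` and both policy checks act on indeterminate values. The remote case at least should deny on failure: declare `char *username = NULL;` and test the lookup, e.g. `if (!gdm_settings_direct_get_boolean (GDM_KEY_ALLOW_REMOTE_ROOT, &allow_remote_root) || !allow_remote_root) {`. The `GDM_KEY_ALLOW_ROOT` check needs the same explicit handling of a failed lookup. A NULL result from getpwnam() also skips the root check entirely, which leaves the decision to whatever account checks follow; the function body continues outside the hunk.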
diff -Npur gdm-3.10.0.1-old//data/gdm.schemas.in.in gdm-3.10.0.1/data/gdm.schemas.in.in
--- gdm-3.10.0.1-old//data/gdm.schemas.in.in 2015-06-16 16:58:55.000000000 +0800
+++ gdm-3.10.0.1/data/gdm.schemas.in.in 2015-06-16 17:00:02.000000000 +0800
@@ -70,6 +70,19 @@
<signature>b</signature>
<default>true</default>
</schema>
+
+ <schema>
+ <key>security/AllowRoot</key>
+ <signature>b</signature>
+ <default>true</default>
+ </schema>
+
+ <schema>
+ <key>security/AllowRemoteRoot</key>
+ <signature>b</signature>
+ <default>false</default>
+ </schema>
+
<schema>
<key>xdmcp/Enable</key>
<signature>b</signature>