File 0001-Authenticate-local-clients.patch of Package plasma5-workspace
From e6f05ccc17cc728b1dcb0fd179a495650b513f0c Mon Sep 17 00:00:00 2001
From: David Edmundson <kde@davidedmundson.co.uk>
Date: Sat, 13 Apr 2024 23:07:19 +0100
Subject: [PATCH 1/2] Authenticate local clients
ksmserver currently authenticates remote clients, but allows local
connections through.
This is a security risk that can allow another user on the same system
to access the user's session management session without authentication.
Co-authored-by: Fabian Vogt <fabian@ritter-vogt.de>
---
ksmserver/server.cpp | 57 ++++----------------------------------------
1 file changed, 5 insertions(+), 52 deletions(-)
diff --git a/ksmserver/server.cpp b/ksmserver/server.cpp
index 8a408cf73b..62bb8fb74d 100644
--- a/ksmserver/server.cpp
+++ b/ksmserver/server.cpp
@@ -158,15 +158,6 @@ static QTemporaryFile *remTempFile = nullptr;
static IceListenObj *listenObjs = nullptr;
int numTransports = 0;
-static bool only_local = 0;
-
-static Bool HostBasedAuthProc(char * /*hostname*/)
-{
- if (only_local)
- return true;
- else
- return false;
-}
Status KSMRegisterClientProc(SmsConn /* smsConn */, SmPointer managerData, char *previousId)
{
@@ -311,33 +302,6 @@ static void write_iceauth(FILE *addfp, FILE *removefp, IceAuthDataEntry *entry)
#define MAGIC_COOKIE_LEN 16
-Status SetAuthentication_local(int count, IceListenObj *listenObjs)
-{
- int i;
- for (i = 0; i < count; i++) {
- char *prot = IceGetListenConnectionString(listenObjs[i]);
- if (!prot)
- continue;
- char *host = strchr(prot, '/');
- char *sock = nullptr;
- if (host) {
- *host = 0;
- host++;
- sock = strchr(host, ':');
- if (sock) {
- *sock = 0;
- sock++;
- }
- }
- qCDebug(KSMSERVER) << "KSMServer: SetAProc_loc: conn " << (unsigned)i << ", prot=" << prot << ", file=" << sock;
- if (sock && !strcmp(prot, "local")) {
- chmod(sock, 0700);
- }
- IceSetHostBasedAuthProc(listenObjs[i], HostBasedAuthProc);
- free(prot);
- }
- return 1;
-}
Status SetAuthentication(int count, IceListenObj *listenObjs, IceAuthDataEntry **authDataEntries)
{
@@ -372,8 +336,6 @@ Status SetAuthentication(int count, IceListenObj *listenObjs, IceAuthDataEntry *
write_iceauth(addAuthFile, remAuthFile, &(*authDataEntries)[i + 1]);
IceSetPaAuthData(2, &(*authDataEntries)[i]);
-
- IceSetHostBasedAuthProc(listenObjs[i / 2], HostBasedAuthProc);
}
fclose(addAuthFile);
fclose(remAuthFile);
@@ -397,9 +359,6 @@ Status SetAuthentication(int count, IceListenObj *listenObjs, IceAuthDataEntry *
void FreeAuthenticationData(int count, IceAuthDataEntry *authDataEntries)
{
/* Each transport has entries for ICE and XSMP */
- if (only_local)
- return;
-
for (int i = 0; i < count * 2; i++) {
free(authDataEntries[i].network_id);
free(authDataEntries[i].auth_data);
@@ -542,16 +501,14 @@ KSMServer::KSMServer(InitFlags flags)
clientInteracting = nullptr;
xonCommand = config.readEntry("xonCommand", "xon");
- only_local = flags.testFlag(InitFlag::OnlyLocal);
#ifdef HAVE__ICETRANSNOLISTEN
- if (only_local)
+ if (flags.testFlag(InitFlag::OnlyLocal)) {
_IceTransNoListen("tcp");
-#else
- only_local = false;
+ }
#endif
char errormsg[256];
- if (!SmsInitialize((char *)KSMVendorString, (char *)KSMReleaseString, KSMNewClientProc, (SmPointer)this, HostBasedAuthProc, 256, errormsg)) {
+ if (!SmsInitialize((char *)KSMVendorString, (char *)KSMReleaseString, KSMNewClientProc, (SmPointer)this, nullptr, 256, errormsg)) {
qCWarning(KSMSERVER, "KSMServer: could not register XSM protocol");
}
@@ -594,12 +551,8 @@ KSMServer::KSMServer(InitFlags flags)
free(session_manager);
}
- if (only_local) {
- if (!SetAuthentication_local(numTransports, listenObjs))
- qFatal("KSMSERVER: authentication setup failed.");
- } else {
- if (!SetAuthentication(numTransports, listenObjs, &authDataEntries))
- qFatal("KSMSERVER: authentication setup failed.");
+ if (!SetAuthentication(numTransports, listenObjs, &authDataEntries)) {
+ qFatal("KSMSERVER: authentication setup failed.");
}
IceAddConnectionWatch(KSMWatchProc, (IcePointer)this);
--
2.44.0
