From 200e4d84f44fd44d332915c5ca55d59092d8dc31 Mon Sep 17 00:00:00 2001 From: matt335672 <30179339+matt335672@users.noreply.github.com> Date: Wed, 28 Feb 2024 16:48:29 +0000 Subject: [PATCH] Fix permissions on user socket directory The user socket directory needs to be SGID so that they inherit the group ownnership. Then xrdp can write to them. --- sesman/scp_process.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/sesman/scp_process.c b/sesman/scp_process.c index 3f0c3630..f05e7db4 100644 --- a/sesman/scp_process.c +++ b/sesman/scp_process.c @@ -323,6 +323,9 @@ process_logout_request(struct pre_session_item *psi) static int create_xrdp_socket_path(uid_t uid) { + // Owner all permissions, group read+execute +#define RWX_PERMS 0x750 + int rv = 1; const char *sockdir_group = g_cfg->sec.session_sockdir_group; int gid = 0; // Default if no group specified @@ -330,14 +333,21 @@ create_xrdp_socket_path(uid_t uid) char sockdir[XRDP_SOCKETS_MAXPATH]; g_snprintf(sockdir, sizeof(sockdir), XRDP_SOCKET_PATH, (int)uid); - // Create directory permissions 0x750, if it doesn't exist already. - int old_umask = g_umask_hex(0x750 ^ 0x777); + // Create directory permissions RWX_PERMS, if it doesn't exist already + // (our os_calls layer doesn't allow us to set the SGID bit here) + int old_umask = g_umask_hex(RWX_PERMS ^ 0x777); if (!g_directory_exist(sockdir) && !g_create_dir(sockdir)) { LOG(LOG_LEVEL_ERROR, "create_xrdp_socket_path: Can't create %s [%s]", sockdir, g_get_strerror()); } + else if (g_chmod_hex(sockdir, RWX_PERMS | 0x2000) != 0) + { + LOG(LOG_LEVEL_ERROR, + "create_xrdp_socket_path: Can't set SGID bit on %s [%s]", + sockdir, g_get_strerror()); + } else if (sockdir_group != NULL && sockdir_group[0] != '\0' && g_getgroup_info(sockdir_group, &gid) != 0) { 
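Review bot: `RWX_PERMS` is introduced as a function-local macro at the top of create_xrdp_socket_path(), which is why the last hunk has to add a matching `#undef RWX_PERMS` after `return rv;`. A block-scoped constant avoids that pairing and also gives a name to the bare `0x2000` used in the next hunk, for example `enum { RWX_PERMS = 0x750, SGID_BIT = 0x2000 };`. The comment could also state the convention the value relies on, e.g. `// Owner rwx, group r-x; the g_*_hex() calls read each hex digit as a permission digit, so 0x750 means mode 0750` (this reading is inferred from how the value is used here, so confirm it against os_calls). The function body continues outside this hunk.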
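Review bot: The new `g_chmod_hex(sockdir, RWX_PERMS | 0x2000)` branch runs whenever the create check does not fail, so it is also applied to a path that already existed before this call, and nothing visible here confirms that the existing entry is a directory owned by `uid`. Because the call is path-based, a pre-existing entry of another type or owner would have its mode rewritten by sesman; whether that can happen depends on who may write to the parent of XRDP_SOCKET_PATH, which this hunk does not show. Consider checking the type and owner of an existing entry before the chmod (or refusing to reuse it), and record the assumption in a comment such as `// Parent directory is writable only by root, so an existing sockdir was created by sesman`. The log text would be more accurate as `"create_xrdp_socket_path: Can't set permissions on %s [%s]"`, since the call replaces the whole mode rather than only adding the SGID bit. The else-if chain continues outside this hunk.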
@@ -358,6 +368,7 @@ create_xrdp_socket_path(uid_t uid) (void)g_umask_hex(old_umask); return rv; +#undef RWX_PERMS } /******************************************************************************/