Merge pull request #2601 from matt335672/add_sesmanlib

Add sesmanlib
matt335672 2023-04-03 09:53:02 +01:00 committed by GitHub
commit 65330761a1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
28 changed files with 353 additions and 243 deletions


@ -138,7 +138,7 @@ xrdp
├── scripts ····· build scripts
├┬─ sesman ······ session manager for xrdp
|├── chansrv ···· channel server for xrdp
|├── libscp ····· authorization library
|├── libsesman ·· Code common to sesman and its related executables
|└── tools ······ session management tools for sys admins
├── tests ······· tests for the code
├┬─ tools ······· tools


@ -331,39 +331,34 @@ AM_CONDITIONAL([USE_FREETYPE2], [test "x$use_freetype2" = xyes])
# Check only one auth mechanism is specified, and give it a name
auth_cnt=0
auth_mech="Builtin"
AUTHMOD_SRC=verify_user.c
AUTHMOD_OBJ=verify_user.${OBJEXT}
AUTHMOD_OBJ=verify_user.lo
AUTHMOD_LIB=-lcrypt
if test x$enable_pam = xyes
then
auth_cnt=`expr $auth_cnt + 1`
auth_mech="PAM"
AUTHMOD_SRC=verify_user_pam.c
AUTHMOD_OBJ=verify_user_pam.${OBJEXT}
AUTHMOD_OBJ=verify_user_pam.lo
AUTHMOD_LIB=-lpam
fi
if test x$bsd = xtrue
then
auth_cnt=`expr $auth_cnt + 1`
auth_mech="BSD"
AUTHMOD_SRC=verify_user_bsd.c
AUTHMOD_OBJ=verify_user_bsd.${OBJEXT}
AUTHMOD_OBJ=verify_user_bsd.lo
AUTHMOD_LIB=
fi
if test x$enable_kerberos = xyes
then
auth_cnt=`expr $auth_cnt + 1`
auth_mech="Kerberos"
AUTHMOD_SRC=verify_user_kerberos.c
AUTHMOD_OBJ=verify_user_kerberos.${OBJEXT}
AUTHMOD_OBJ=verify_user_kerberos.lo
AUTHMOD_LIB=-lkrb5
fi
if test x$enable_pamuserpass = xyes
then
auth_cnt=`expr $auth_cnt + 1`
auth_mech="PAM userpass"
AUTHMOD_SRC=verify_user_pam_userpass.c
AUTHMOD_OBJ=verify_user_pam_userpass.${OBJEXT}
AUTHMOD_OBJ=verify_user_pam_userpass.lo
AUTHMOD_LIB="-lpam -lpam_userpass"
fi
@ -372,7 +367,6 @@ then
AC_MSG_ERROR([--enable-pam, --enable-bsd, --enable-pamuserpass and --enable-kerberos are mutually exclusive])
fi
AC_SUBST([AUTHMOD_SRC])
AC_SUBST([AUTHMOD_OBJ])
AC_SUBST([AUTHMOD_LIB])
@ -591,6 +585,7 @@ AC_CONFIG_FILES([
pkgconfig/Makefile
pkgconfig/xrdp.pc
pkgconfig/xrdp-uninstalled.pc
sesman/libsesman/Makefile
sesman/chansrv/Makefile
sesman/Makefile
sesman/tools/Makefile


@ -2,15 +2,13 @@ EXTRA_DIST = \
Doxyfile
AM_CPPFLAGS = \
-DXRDP_SYSCONF_PATH=\"${sysconfdir}\" \
-DXRDP_CFG_PATH=\"${sysconfdir}/xrdp\" \
-DXRDP_SBIN_PATH=\"${sbindir}\" \
-DXRDP_LIBEXEC_PATH=\"${libexecdir}/xrdp\" \
-DXRDP_SHARE_PATH=\"${datadir}/xrdp\" \
-DXRDP_PID_PATH=\"${localstatedir}/run\" \
-DXRDP_SOCKET_PATH=\"${socketdir}\" \
-DXRDP_PAMCONF_PATH=\"${pamconfdir}\" \
-DSESMAN_RUNTIME_PATH=\"${sesmanruntimedir}\" \
-I$(top_srcdir)/sesman/libsesman \
-I$(top_srcdir)/common \
-I$(top_srcdir)/libipm
@ -18,11 +16,6 @@ sbin_PROGRAMS = \
xrdp-sesman
xrdp_sesman_SOURCES = \
access.c \
access.h \
auth.h \
config.c \
config.h \
env.c \
env.h \
lock_uds.c \
@ -42,25 +35,10 @@ xrdp_sesman_SOURCES = \
xwait.c \
xwait.h
# Possible authentication modules
# See https://www.gnu.org/software/automake/manual/html_node/Conditional-Sources.html
EXTRA_xrdp_sesman_SOURCES = \
verify_user.c \
verify_user_bsd.c \
verify_user_kerberos.c \
verify_user_pam.c \
verify_user_pam_userpass.c
# Make sure the right authentication module is pulled in
xrdp_sesman_DEPENDENCIES = $(AUTHMOD_OBJ)
# Make sure the right authentication module is linked with
xrdp_sesman_LDADD = \
$(AUTHMOD_OBJ) \
$(top_builddir)/sesman/libsesman/libsesman.la \
$(top_builddir)/libipm/libipm.la \
$(top_builddir)/common/libcommon.la \
$(AUTHMOD_LIB) \
-lpthread
$(top_builddir)/common/libcommon.la
sesmansysconfdir=$(sysconfdir)/xrdp
@ -83,5 +61,6 @@ dist_sesmansysconf_SCRIPTS = \
reconnectwm.sh
SUBDIRS = \
libsesman \
tools \
chansrv


@ -9,6 +9,7 @@ AM_CPPFLAGS = \
-DXRDP_SHARE_PATH=\"${datadir}/xrdp\" \
-DXRDP_PID_PATH=\"${localstatedir}/run\" \
-DXRDP_SOCKET_PATH=\"${socketdir}\" \
-I$(top_srcdir)/sesman/libsesman \
-I$(top_srcdir)/common
CHANSRV_EXTRA_LIBS =
@ -82,5 +83,6 @@ xrdp_chansrv_LDFLAGS = \
xrdp_chansrv_LDADD = \
$(top_builddir)/common/libcommon.la \
$(top_builddir)/sesman/libsesman/libsesman.la \
$(X_PRE_LIBS) -lXfixes -lXrandr -lX11 $(X_EXTRA_LIBS) \
$(CHANSRV_EXTRA_LIBS)


@ -33,6 +33,7 @@
#include "chansrv_common.h"
#include "chansrv_config.h"
#include "string_calls.h"
#include "sesman_clip_restrict.h"
/* Default settings */
#define DEFAULT_RESTRICT_OUTBOUND_CLIPBOARD 0
@ -52,21 +53,6 @@ printflike(2, 3)
enum logReturns (*log_func_t)(const enum logLevels lvl,
const char *msg, ...);
/* Map clipboard strings into bitmask values */
static const struct bitmask_string clip_restrict_map[] =
{
{ CLIP_RESTRICT_TEXT, "text"},
{ CLIP_RESTRICT_FILE, "file"},
{ CLIP_RESTRICT_IMAGE, "image"},
{ CLIP_RESTRICT_ALL, "all"},
{ CLIP_RESTRICT_NONE, "none"},
/* Compatibility values */
{ CLIP_RESTRICT_ALL, "true"},
{ CLIP_RESTRICT_ALL, "yes"},
{ CLIP_RESTRICT_NONE, "false"},
BITMASK_STRING_END_OF_LIST
};
/***************************************************************************//**
* @brief Error logging function to use to log to stdout
*
@ -113,8 +99,8 @@ read_config_security(log_func_t logmsg,
if (g_strcasecmp(name, "RestrictOutboundClipboard") == 0)
{
cfg->restrict_outbound_clipboard =
g_str_to_bitmask(value, clip_restrict_map, ",",
unrecognised, sizeof(unrecognised));
sesman_clip_restrict_string_to_bitmask(
value, unrecognised, sizeof(unrecognised));
if (unrecognised[0] != '\0')
{
LOG(LOG_LEVEL_WARNING,
@ -125,8 +111,8 @@ read_config_security(log_func_t logmsg,
if (g_strcasecmp(name, "RestrictInboundClipboard") == 0)
{
cfg->restrict_inbound_clipboard =
g_str_to_bitmask(value, clip_restrict_map, ",",
unrecognised, sizeof(unrecognised));
sesman_clip_restrict_string_to_bitmask(
value, unrecognised, sizeof(unrecognised));
if (unrecognised[0] != '\0')
{
LOG(LOG_LEVEL_WARNING,
@ -300,35 +286,16 @@ config_dump(struct config_chansrv *config)
char buf[256];
g_writeln("\nSecurity configuration:");
if (config->restrict_outbound_clipboard == CLIP_RESTRICT_NONE)
{
g_writeln(" RestrictOutboundClipboard: %s", "none");
}
else if (config->restrict_outbound_clipboard == CLIP_RESTRICT_ALL)
{
g_writeln(" RestrictOutboundClipboard: %s", "all");
}
else
{
g_bitmask_to_str(config->restrict_outbound_clipboard,
clip_restrict_map, ',', buf, sizeof(buf));
g_writeln(" RestrictOutboundClipboard: %s", buf);
}
sesman_clip_restrict_mask_to_string(
config->restrict_outbound_clipboard,
buf, sizeof(buf));
g_writeln(" RestrictOutboundClipboard: %s", buf);
sesman_clip_restrict_mask_to_string(
config->restrict_inbound_clipboard,
buf, sizeof(buf));
g_writeln(" RestrictInboundClipboard: %s", buf);
if (config->restrict_inbound_clipboard == CLIP_RESTRICT_NONE)
{
g_writeln(" RestrictInboundClipboard: %s", "none");
}
else if (config->restrict_inbound_clipboard == CLIP_RESTRICT_ALL)
{
g_writeln(" RestrictInboundClipboard: %s", "all");
}
else
{
g_bitmask_to_str(config->restrict_inbound_clipboard,
clip_restrict_map, ',', buf, sizeof(buf));
g_writeln(" RestrictInboundClipboard: %s", buf);
}
g_writeln("\nChansrv configuration:");
g_writeln(" EnableFuseMount %s",
g_bool2text(config->enable_fuse_mount));
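Review bot: Both clipboard branches of read_config_security still store the mask returned by `sesman_clip_restrict_string_to_bitmask()` when `unrecognised` is non-empty, and the only visible reaction is a `LOG_LEVEL_WARNING`. For a restriction setting this means a misspelt token (constructed example: `flie` for `file`) can leave that clipboard direction less restricted than the administrator intended. The rest of each branch lies outside the hunk, so this may already be handled there; if it is not, consider failing closed with `cfg->restrict_outbound_clipboard = CLIP_RESTRICT_ALL;` (and the inbound equivalent) inside the `if (unrecognised[0] != '\0')` block, or at least say in a comment next to the warning that the partial mask is kept. The same pattern appears in the config_read_security hunks that call the new helper.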


@ -31,7 +31,7 @@
#include <grp.h>
#include "env.h"
#include "config.h"
#include "sesman_config.h"
#include "list.h"
#include "log.h"
#include "os_calls.h"


@ -0,0 +1,67 @@
#EXTRA_DIST = \
#xrdp_surface.c
AM_CPPFLAGS = \
-DXRDP_PAMCONF_PATH=\"${pamconfdir}\" \
-DXRDP_CFG_PATH=\"${sysconfdir}/xrdp\" \
-I$(top_srcdir)/libipm \
-I$(top_srcdir)/common
# -DXRDP_SBIN_PATH=\"${sbindir}\" \
# -DXRDP_SHARE_PATH=\"${datadir}/xrdp\" \
# -DXRDP_PID_PATH=\"${localstatedir}/run\"
#AM_CFLAGS = $(OPENSSL_CFLAGS)
#AM_LDFLAGS =
#LIBXRDP_EXTRA_LIBS =
#if XRDP_NEUTRINORDP
#AM_CPPFLAGS += -DXRDP_NEUTRINORDP
#LIBXRDP_EXTRA_LIBS += $(FREERDP_LIBS)
#endif
#if XRDP_RFXCODEC
#AM_CPPFLAGS += -DXRDP_RFXCODEC
#endif
#if XRDP_TJPEG
#AM_CPPFLAGS += -DXRDP_JPEG -DXRDP_TJPEG @TurboJpegIncDir@
#AM_LDFLAGS += @TurboJpegLibDir@
#LIBXRDP_EXTRA_LIBS += -lturbojpeg
#else
#if XRDP_JPEG
#AM_CPPFLAGS += -DXRDP_JPEG
#LIBXRDP_EXTRA_LIBS += -ljpeg
#endif
#endif
module_LTLIBRARIES = \
libsesman.la
# Possible authentication modules
# See https://www.gnu.org/software/automake/manual/html_node/Conditional-Sources.html
EXTRA_libsesman_la_SOURCES = \
verify_user.c \
verify_user_bsd.c \
verify_user_kerberos.c \
verify_user_pam.c \
verify_user_pam_userpass.c
# Make sure the right authentication module is pulled in
libsesman_la_DEPENDENCIES = $(AUTHMOD_OBJ)
libsesman_la_SOURCES = \
sesman_access.h \
sesman_access.c \
sesman_auth.h \
sesman_config.h \
sesman_config.c \
sesman_clip_restrict.h \
sesman_clip_restrict.c
libsesman_la_LIBADD = \
$(AUTHMOD_OBJ) \
$(top_builddir)/libipm/libipm.la \
$(top_builddir)/common/libcommon.la \
$(AUTHMOD_LIB)
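Review bot: Much of this new Makefile.am is commented-out text that appears to have been carried over from another directory's makefile: `#EXTRA_DIST = xrdp_surface.c`, the `XRDP_NEUTRINORDP`/`XRDP_RFXCODEC`/`XRDP_TJPEG` conditionals, `#LIBXRDP_EXTRA_LIBS` and the unused `-DXRDP_SBIN_PATH`, `-DXRDP_SHARE_PATH` and `-DXRDP_PID_PATH` defines. None of it takes part in building libsesman.la, and it buries the live `AM_CPPFLAGS`, which carry the `XRDP_PAMCONF_PATH` and `XRDP_CFG_PATH` definitions that the authentication and configuration sources presumably rely on. I would delete the commented-out lines and put a one-line comment above the flags instead, such as `# Paths compiled into the authentication modules and sesman_config.c`.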


@ -18,7 +18,7 @@
/**
*
* @file access.c
* @file sesman_access.c
* @brief User access control code
* @author Simone Fedele
*
@ -30,28 +30,27 @@
#include "arch.h"
#include "access.h"
#include "config.h"
#include "sesman_access.h"
#include "sesman_config.h"
#include "log.h"
#include "sesman.h"
#include "os_calls.h"
#include "string_calls.h"
/******************************************************************************/
int
access_login_allowed(const char *user)
access_login_allowed(const struct config_security *cfg_sec, const char *user)
{
int gid;
int ok;
if ((0 == g_strncmp(user, "root", 5)) && (0 == g_cfg->sec.allow_root))
if ((0 == g_strncmp(user, "root", 5)) && (0 == cfg_sec->allow_root))
{
LOG(LOG_LEVEL_WARNING,
"ROOT login attempted, but root login is disabled");
return 0;
}
if ((0 == g_cfg->sec.ts_users_enable) && (0 == g_cfg->sec.ts_always_group_check))
if ((0 == cfg_sec->ts_users_enable) && (0 == cfg_sec->ts_always_group_check))
{
LOG(LOG_LEVEL_INFO, "Terminal Server Users group is disabled, allowing authentication");
return 1;
@ -63,13 +62,13 @@ access_login_allowed(const char *user)
return 0;
}
if (g_cfg->sec.ts_users == gid)
if (cfg_sec->ts_users == gid)
{
LOG(LOG_LEVEL_DEBUG, "ts_users is user's primary group");
return 1;
}
if (0 != g_check_user_in_group(user, g_cfg->sec.ts_users, &ok))
if (0 != g_check_user_in_group(user, cfg_sec->ts_users, &ok))
{
LOG(LOG_LEVEL_ERROR, "Cannot read group info! - login denied");
return 0;
@ -87,19 +86,20 @@ access_login_allowed(const char *user)
/******************************************************************************/
int
access_login_mng_allowed(const char *user)
access_login_mng_allowed(const struct config_security *cfg_sec,
const char *user)
{
int gid;
int ok;
if ((0 == g_strncmp(user, "root", 5)) && (0 == g_cfg->sec.allow_root))
if ((0 == g_strncmp(user, "root", 5)) && (0 == cfg_sec->allow_root))
{
LOG(LOG_LEVEL_WARNING,
"[MNG] ROOT login attempted, but root login is disabled");
return 0;
}
if (0 == g_cfg->sec.ts_admins_enable)
if (0 == cfg_sec->ts_admins_enable)
{
LOG(LOG_LEVEL_INFO, "[MNG] Terminal Server Admin group is disabled, "
"allowing authentication");
@ -112,13 +112,13 @@ access_login_mng_allowed(const char *user)
return 0;
}
if (g_cfg->sec.ts_admins == gid)
if (cfg_sec->ts_admins == gid)
{
LOG(LOG_LEVEL_INFO, "[MNG] ts_users is user's primary group");
return 1;
}
if (0 != g_check_user_in_group(user, g_cfg->sec.ts_admins, &ok))
if (0 != g_check_user_in_group(user, cfg_sec->ts_admins, &ok))
{
LOG(LOG_LEVEL_ERROR, "[MNG] Cannot read group info! - login denied");
return 0;
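Review bot: The `allow_root` gate in both access_login_allowed and access_login_mng_allowed matches the account by name, `g_strncmp(user, "root", 5)`, so an account that has UID 0 under a different name is not covered by `AllowRootLogin`. The lookup that fills `gid` lies outside these hunks; if it also yields the UID, testing that value against 0 after the lookup would make the gate follow the privilege rather than the spelling. Now that `cfg_sec` is a caller-supplied pointer that is dereferenced unconditionally, the function comments should state that it must be non-NULL. Separately, the `[MNG]` success message reads `ts_users is user's primary group` although the comparison is against `cfg_sec->ts_admins`, which makes the admin-group log trail misleading; `"[MNG] ts_admins is user's primary group"` would match the check.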


@ -18,14 +18,16 @@
/**
*
* @file access.h
* @file sesman_access.h
* @brief User access control definitions
* @author Simone Fedele
*
*/
#ifndef ACCESS_H
#define ACCESS_H
#ifndef SESMAN_ACCESS_H
#define SESMAN_ACCESS_H
struct config_security;
/**
*
@ -35,7 +37,8 @@
*
*/
int
access_login_allowed(const char *user);
access_login_allowed(const struct config_security *cfg_sec,
const char *user);
/**
*
@ -45,6 +48,7 @@ access_login_allowed(const char *user);
*
*/
int
access_login_mng_allowed(const char *user);
access_login_mng_allowed(const struct config_security *cfg_sec,
const char *user);
#endif
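Review bot: Both prototypes gain a `cfg_sec` parameter, but no matching change to their doc comments is visible; the comment bodies are cut by the hunks, so this is inferred rather than certain. If the comments list parameters, add `@param cfg_sec Security section of the sesman configuration (must not be NULL)` to access_login_allowed and access_login_mng_allowed. The forward declaration `struct config_security;` is enough for the pointer, and a short comment saying the full definition lives in sesman_config.h would save readers a search.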


@ -18,14 +18,14 @@
/**
*
* @file auth.h
* @file sesman_auth.h
* @brief User authentication definitions
* @author Jay Sorg
*
*/
#ifndef AUTH_H
#define AUTH_H
#ifndef SESMAN_AUTH_H
#define SESMAN_AUTH_H
/**
* Opaque type used to represent an authentication handle


@ -0,0 +1,88 @@
/**
* xrdp: A Remote Desktop Protocol server.
*
* Copyright (C) Jay Sorg 2004-2013
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
*
* @file sesman_clip_restrict.c
* @brief Routine for parsing clip restrict strings
*
*/
#if defined(HAVE_CONFIG_H)
#include <config_ac.h>
#endif
#include <stdio.h>
#include "arch.h"
#include "sesman_clip_restrict.h"
#include "string_calls.h"
/*
Map clipboard strings into bitmask values.
*/
static const struct bitmask_string clip_restrict_map[] =
{
{ CLIP_RESTRICT_TEXT, "text"},
{ CLIP_RESTRICT_FILE, "file"},
{ CLIP_RESTRICT_IMAGE, "image"},
{ CLIP_RESTRICT_ALL, "all"},
{ CLIP_RESTRICT_NONE, "none"},
/* Compatibility values */
{ CLIP_RESTRICT_ALL, "true"},
{ CLIP_RESTRICT_ALL, "yes"},
{ CLIP_RESTRICT_NONE, "false"},
BITMASK_STRING_END_OF_LIST
};
/******************************************************************************/
int
sesman_clip_restrict_string_to_bitmask(
const char *inputstr,
char *unrecognised,
unsigned int unrecognised_len)
{
return g_str_to_bitmask(inputstr, clip_restrict_map, ",",
unrecognised, unrecognised_len);
}
/******************************************************************************/
int
sesman_clip_restrict_mask_to_string(
int mask,
char output[],
unsigned int output_len)
{
int rv;
if (mask == CLIP_RESTRICT_NONE)
{
rv = snprintf(output, output_len, "none");
}
else if (mask == CLIP_RESTRICT_ALL)
{
rv = snprintf(output, output_len, "all");
}
else
{
rv = g_bitmask_to_str(mask, clip_restrict_map, ',', output, output_len);
}
return rv;
}
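Review bot: sesman_clip_restrict_mask_to_string returns `snprintf()`'s result in the `none` and `all` branches but `g_bitmask_to_str()`'s result in the third, while the header documents the return value as "Length as for snprintf()". g_bitmask_to_str is not defined on this page, so whether the two conventions agree cannot be checked from here; a comment above the function stating which value callers may rely on to detect truncation would settle it. Neither function carries a comment in this file although both write into caller-supplied buffers, so I would also add the buffer precondition, for example `/* output must point to at least output_len writable bytes */`, and the matching line for `unrecognised`.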


@ -0,0 +1,59 @@
/**
* xrdp: A Remote Desktop Protocol server.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file contains the chansrv configuration parameters from sesman.ini
*/
#ifndef SESMAN_CLIP_RESTRICT_H
#define SESMAN_CLIP_RESTRICT_H
#define CLIP_RESTRICT_NONE 0
#define CLIP_RESTRICT_TEXT (1<<0)
#define CLIP_RESTRICT_FILE (1<<1)
#define CLIP_RESTRICT_IMAGE (1<<2)
#define CLIP_RESTRICT_ALL 0x7fffffff
/**
* Converts a sesman clip restrict string to a bitmask
*
* @param inputstr Input string
* @param unrecognised buffer for unrecognised tokens
* @param unrecognised_len Length of the above
* @return Bitmask
*
* The input is a comma-separated list of tokens as documented in
* the sesman.ini manpage */
int
sesman_clip_restrict_string_to_bitmask(
const char *inputstr,
char *unrecognised,
unsigned int unrecognised_len);
/**
* Converts a sesman clip restrict bitmask to a string
*
* @param mask Input mask
* @param output buffer for output string
* @param output_len Length of the above
* @return Length as for snprintf()
*/
int
sesman_clip_restrict_mask_to_string(
int mask,
char output[],
unsigned int output_len);
#endif /* SESMAN_CLIP_RESTRICT_H */
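Review bot: The file comment ends with "This file contains the chansrv configuration parameters from sesman.ini", which does not describe this header; what it declares is the `CLIP_RESTRICT_*` bits and the two string/bitmask converters. I would replace that line with `* Clipboard restriction bitmask values and string conversion helpers` and add a `@file sesman_clip_restrict.h` / `@brief` pair in the style the other sesman headers on this page use. A short comment beside `CLIP_RESTRICT_ALL` noting that `0x7fffffff` sets bits 0 to 30, so it is a superset of the three named bits and not their OR, would explain why the converter compares against it with `==`.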


@ -29,15 +29,58 @@
#endif
#include "arch.h"
#include "config.h"
#include "sesman_config.h"
#include "sesman_clip_restrict.h"
#include "list.h"
#include "file.h"
#include "log.h"
#include "os_calls.h"
#include "string_calls.h"
#include "chansrv/chansrv_common.h"
//#include "chansrv/chansrv_common.h"
#include "scp.h"
#define SESMAN_CFG_GLOBALS "Globals"
#define SESMAN_CFG_DEFWM "DefaultWindowManager"
#define SESMAN_CFG_ADDRESS "ListenAddress"
#define SESMAN_CFG_PORT "ListenPort"
#define SESMAN_CFG_ENABLE_USERWM "EnableUserWindowManager"
#define SESMAN_CFG_USERWM "UserWindowManager"
#define SESMAN_CFG_AUTH_FILE_PATH "AuthFilePath"
#define SESMAN_CFG_RECONNECT_SH "ReconnectScript"
#define SESMAN_CFG_XORG_PARAMS "Xorg"
#define SESMAN_CFG_VNC_PARAMS "Xvnc"
#define SESMAN_CFG_SESSION_VARIABLES "SessionVariables"
/*
#define SESMAN_CFG_LOGGING "Logging"
#define SESMAN_CFG_LOG_FILE "LogFile"
#define SESMAN_CFG_LOG_LEVEL "LogLevel"
#define SESMAN_CFG_LOG_ENABLE_SYSLOG "EnableSyslog"
#define SESMAN_CFG_LOG_SYSLOG_LEVEL "SyslogLevel"
*/
#define SESMAN_CFG_SECURITY "Security"
#define SESMAN_CFG_SEC_LOGIN_RETRY "MaxLoginRetry"
#define SESMAN_CFG_SEC_ALLOW_ROOT "AllowRootLogin"
#define SESMAN_CFG_SEC_USR_GROUP "TerminalServerUsers"
#define SESMAN_CFG_SEC_ADM_GROUP "TerminalServerAdmins"
#define SESMAN_CFG_SEC_ALWAYSGROUPCHECK "AlwaysGroupCheck"
#define SESMAN_CFG_SEC_RESTRICT_OUTBOUND_CLIPBOARD "RestrictOutboundClipboard"
#define SESMAN_CFG_SEC_RESTRICT_INBOUND_CLIPBOARD "RestrictInboundClipboard"
#define SESMAN_CFG_SESSIONS "Sessions"
#define SESMAN_CFG_SESS_MAX "MaxSessions"
#define SESMAN_CFG_SESS_KILL_DISC "KillDisconnected"
#define SESMAN_CFG_SESS_IDLE_LIMIT "IdleTimeLimit"
#define SESMAN_CFG_SESS_DISC_LIMIT "DisconnectedTimeLimit"
#define SESMAN_CFG_SESS_X11DISPLAYOFFSET "X11DisplayOffset"
#define SESMAN_CFG_SESS_POLICY_S "Policy"
#define SESMAN_CFG_SESS_POLICY_DFLT_S "Default"
#define SESMAN_CFG_SESS_POLICY_SEP_S "Separate"
static const struct bitmask_char policy_bits[] =
{
{ SESMAN_CFG_SESS_POLICY_U, 'U' },
@ -234,26 +277,6 @@ config_read_globals(int file, struct config_sesman *cf, struct list *param_n,
return 0;
}
/*
Map clipboard strings into bitmask values.
Duplicated definition exists in chansrv_config,
because it avoids build failure for xrdp-sesman and xrdp-sesrun.
It should be unified in the future.
*/
static const struct bitmask_string clip_restrict_map[] =
{
{ CLIP_RESTRICT_TEXT, "text"},
{ CLIP_RESTRICT_FILE, "file"},
{ CLIP_RESTRICT_IMAGE, "image"},
{ CLIP_RESTRICT_ALL, "all"},
{ CLIP_RESTRICT_NONE, "none"},
/* Compatibility values */
{ CLIP_RESTRICT_ALL, "true"},
{ CLIP_RESTRICT_ALL, "yes"},
{ CLIP_RESTRICT_NONE, "false"},
BITMASK_STRING_END_OF_LIST
};
/***************************************************************************//**
*
* @brief Reads sesman [Security] configuration section
@ -326,9 +349,9 @@ config_read_security(int file, struct config_security *sc,
{
char unrecognised[256];
sc->restrict_outbound_clipboard =
g_str_to_bitmask((const char *)list_get_item(param_v, i),
clip_restrict_map, ",",
unrecognised, sizeof(unrecognised));
sesman_clip_restrict_string_to_bitmask(
(const char *)list_get_item(param_v, i),
unrecognised, sizeof(unrecognised));
if (unrecognised[0] != '\0')
{
LOG(LOG_LEVEL_WARNING,
@ -340,9 +363,9 @@ config_read_security(int file, struct config_security *sc,
{
char unrecognised[256];
sc->restrict_inbound_clipboard =
g_str_to_bitmask((const char *)list_get_item(param_v, i),
clip_restrict_map, ",",
unrecognised, sizeof(unrecognised));
sesman_clip_restrict_string_to_bitmask(
(const char *)list_get_item(param_v, i),
unrecognised, sizeof(unrecognised));
if (unrecognised[0] != '\0')
{
LOG(LOG_LEVEL_WARNING,
@ -589,6 +612,7 @@ config_dump(struct config_sesman *config)
se = &(config->sess);
sc = &(config->sec);
char policy_s[64];
char restrict_s[64];
/* Global sesman configuration */
g_writeln("Filename: %s", config->sesman_ini);
@ -617,36 +641,13 @@ config_dump(struct config_sesman *config)
g_writeln(" AllowRootLogin: %d", sc->allow_root);
g_writeln(" MaxLoginRetry: %d", sc->login_retry);
g_writeln(" AlwaysGroupCheck: %d", sc->ts_always_group_check);
if (sc->restrict_outbound_clipboard == CLIP_RESTRICT_NONE)
{
g_writeln(" RestrictOutboundClipboard: %s", "none");
}
else if (sc->restrict_outbound_clipboard == CLIP_RESTRICT_ALL)
{
g_writeln(" RestrictOutboundClipboard: %s", "all");
}
else
{
char buf[256];
g_bitmask_to_str(sc->restrict_outbound_clipboard,
clip_restrict_map, ',', buf, sizeof(buf));
g_writeln(" RestrictOutboundClipboard: %s", buf);
}
if (sc->restrict_inbound_clipboard == CLIP_RESTRICT_NONE)
{
g_writeln(" RestrictInboundClipboard: %s", "none");
}
else if (sc->restrict_inbound_clipboard == CLIP_RESTRICT_ALL)
{
g_writeln(" RestrictInboundClipboard: %s", "all");
}
else
{
char buf[256];
g_bitmask_to_str(sc->restrict_inbound_clipboard,
clip_restrict_map, ',', buf, sizeof(buf));
g_writeln(" RestrictInboundClipboard: %s", buf);
}
sesman_clip_restrict_mask_to_string(sc->restrict_outbound_clipboard,
restrict_s, sizeof(restrict_s));
g_writeln(" RestrictOutboundClipboard: %s", restrict_s);
sesman_clip_restrict_mask_to_string(sc->restrict_inbound_clipboard,
restrict_s, sizeof(restrict_s));
g_writeln(" RestrictInboundClipboard: %s", restrict_s);
g_printf( " TSUsersGroup: ");
if (sc->ts_users_enable)
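Review bot: The include list keeps a commented-out line, `//#include "chansrv/chansrv_common.h"`; with `sesman_clip_restrict.h` now included next to it, the dead line should be deleted and not kept as a marker. In config_dump the result of `sesman_clip_restrict_mask_to_string()` is ignored, and the output buffer is `restrict_s[64]` where the `g_bitmask_to_str` branches shown in this section use `char buf[256]`; 64 bytes looks ample for the three named tokens, but a truncated dump line would go unnoticed. A one-line comment on `restrict_s` giving the longest expected string would make the size choice reviewable. config_dump continues outside the hunk.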


@ -18,61 +18,19 @@
/**
*
* @file config.h
* @file sesman_config.h
* @brief User authentication definitions
* @author Simone Fedele @< simo [at] esseemme [dot] org @>
*
*/
#ifndef CONFIG_H
#define CONFIG_H
#ifndef SESMAN_CONFIG_H
#define SESMAN_CONFIG_H
#include "arch.h"
#include "list.h"
#include "log.h"
#define SESMAN_CFG_GLOBALS "Globals"
#define SESMAN_CFG_DEFWM "DefaultWindowManager"
#define SESMAN_CFG_ADDRESS "ListenAddress"
#define SESMAN_CFG_PORT "ListenPort"
#define SESMAN_CFG_ENABLE_USERWM "EnableUserWindowManager"
#define SESMAN_CFG_USERWM "UserWindowManager"
#define SESMAN_CFG_MAX_SESSION "MaxSessions"
#define SESMAN_CFG_AUTH_FILE_PATH "AuthFilePath"
#define SESMAN_CFG_RECONNECT_SH "ReconnectScript"
#define SESMAN_CFG_XORG_PARAMS "Xorg"
#define SESMAN_CFG_VNC_PARAMS "Xvnc"
#define SESMAN_CFG_SESSION_VARIABLES "SessionVariables"
/*
#define SESMAN_CFG_LOGGING "Logging"
#define SESMAN_CFG_LOG_FILE "LogFile"
#define SESMAN_CFG_LOG_LEVEL "LogLevel"
#define SESMAN_CFG_LOG_ENABLE_SYSLOG "EnableSyslog"
#define SESMAN_CFG_LOG_SYSLOG_LEVEL "SyslogLevel"
*/
#define SESMAN_CFG_SECURITY "Security"
#define SESMAN_CFG_SEC_LOGIN_RETRY "MaxLoginRetry"
#define SESMAN_CFG_SEC_ALLOW_ROOT "AllowRootLogin"
#define SESMAN_CFG_SEC_USR_GROUP "TerminalServerUsers"
#define SESMAN_CFG_SEC_ADM_GROUP "TerminalServerAdmins"
#define SESMAN_CFG_SEC_ALWAYSGROUPCHECK "AlwaysGroupCheck"
#define SESMAN_CFG_SEC_RESTRICT_OUTBOUND_CLIPBOARD "RestrictOutboundClipboard"
#define SESMAN_CFG_SEC_RESTRICT_INBOUND_CLIPBOARD "RestrictInboundClipboard"
#define SESMAN_CFG_SESSIONS "Sessions"
#define SESMAN_CFG_SESS_MAX "MaxSessions"
#define SESMAN_CFG_SESS_KILL_DISC "KillDisconnected"
#define SESMAN_CFG_SESS_IDLE_LIMIT "IdleTimeLimit"
#define SESMAN_CFG_SESS_DISC_LIMIT "DisconnectedTimeLimit"
#define SESMAN_CFG_SESS_X11DISPLAYOFFSET "X11DisplayOffset"
#define SESMAN_CFG_SESS_POLICY_S "Policy"
#define SESMAN_CFG_SESS_POLICY_DFLT_S "Default"
#define SESMAN_CFG_SESS_POLICY_SEP_S "Separate"
enum SESMAN_CFG_SESS_POLICY_BITS
{
/* If these two are set, they override everything else */
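Review bot: The `@brief` in this header still reads "User authentication definitions" although the file, now named sesman_config.h, holds the sesman configuration declarations; since the `@file` line is being edited anyway it could become `@brief Session manager configuration definitions`. The enum that starts at the end of the hunk continues outside it.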


@ -29,7 +29,7 @@
#endif
#include "arch.h"
#include "auth.h"
#include "sesman_auth.h"
#include "log.h"
#include "os_calls.h"
#include "string_calls.h"


@ -29,7 +29,7 @@
#endif
#include "arch.h"
#include "auth.h"
#include "sesman_auth.h"
#define _XOPEN_SOURCE
#include <stdio.h>


@ -29,7 +29,7 @@
#endif
#include "arch.h"
#include "auth.h"
#include "sesman_auth.h"
#include "os_calls.h"
#include "string_calls.h"
#include "log.h"


@ -32,7 +32,7 @@
#include "os_calls.h"
#include "log.h"
#include "string_calls.h"
#include "auth.h"
#include "sesman_auth.h"
#include <stdio.h>
#include <security/pam_appl.h>


@ -32,7 +32,7 @@
#include "os_calls.h"
#include "log.h"
#include "string_calls.h"
#include "auth.h"
#include "sesman_auth.h"
#include <security/pam_userpass.h>


@ -31,11 +31,11 @@
#include "trans.h"
#include "os_calls.h"
#include "scp.h"
#include "config.h"
#include "sesman_config.h"
#include "scp_process.h"
#include "access.h"
#include "auth.h"
#include "sesman_access.h"
#include "sesman_auth.h"
#include "guid.h"
#include "os_calls.h"
#include "session_list.h"
@ -132,7 +132,7 @@ authenticate_and_authorize_connection(struct sesman_con *sc,
"Unexpected status return %d from auth call",
(int)status);
}
else if (!access_login_allowed(username))
else if (!access_login_allowed(&g_cfg->sec, username))
{
status = E_SCP_LOGIN_NOT_AUTHORIZED;
LOG(LOG_LEVEL_INFO, "Username okay but group problem for "


@ -33,8 +33,8 @@
#include "arch.h"
#include "sesman.h"
#include "auth.h"
#include "config.h"
#include "sesman_auth.h"
#include "sesman_config.h"
#include "lock_uds.h"
#include "os_calls.h"
#include "scp.h"


@ -42,8 +42,8 @@
#include "arch.h"
#include "session.h"
#include "auth.h"
#include "config.h"
#include "sesman_auth.h"
#include "sesman_config.h"
#include "env.h"
#include "guid.h"
#include "list.h"


@ -36,8 +36,8 @@
#include "arch.h"
#include "session_list.h"
#include "auth.h"
#include "config.h"
#include "sesman_auth.h"
#include "sesman_config.h"
#include "log.h"
#include "os_calls.h"
#include "sesman.h"


@ -31,7 +31,7 @@
#include "arch.h"
#include "sig.h"
#include "config.h"
#include "sesman_config.h"
#include "log.h"
#include "os_calls.h"
#include "sesman.h"


@ -1,15 +1,9 @@
AM_CPPFLAGS = \
-DXRDP_SYSCONF_PATH=\"${sysconfdir}\" \
-DXRDP_CFG_PATH=\"${sysconfdir}/xrdp\" \
-DXRDP_SBIN_PATH=\"${sbindir}\" \
-DXRDP_SHARE_PATH=\"${datadir}/xrdp\" \
-DXRDP_PID_PATH=\"${localstatedir}/run\" \
-DXRDP_SOCKET_PATH=\"${socketdir}\" \
-DXRDP_PAMCONF_PATH=\"${pamconfdir}\" \
-DXRDP_AUTHMOD_SRC=\"../${AUTHMOD_SRC}\" \
-I$(top_srcdir)/sesman/libsesman \
-I$(top_srcdir)/common \
-I$(top_srcdir)/libipm \
-I$(top_srcdir)/sesman
-I$(top_srcdir)/libipm
AM_CFLAGS = $(X_CFLAGS)
@ -24,7 +18,6 @@ noinst_PROGRAMS = \
xrdp_sesrun_SOURCES = \
sesrun.c \
config.c \
tools_common.h \
tools_common.c
@ -43,14 +36,15 @@ xrdp_xcon_SOURCES = \
xcon.c
xrdp_authtest_SOURCES = \
authmod.c \
authtest.c
xrdp_sesrun_LDADD = \
$(top_builddir)/sesman/libsesman/libsesman.la \
$(top_builddir)/common/libcommon.la \
$(top_builddir)/libipm/libipm.la
xrdp_sesadmin_LDADD = \
$(top_builddir)/sesman/libsesman/libsesman.la \
$(top_builddir)/common/libcommon.la \
$(top_builddir)/libipm/libipm.la
@ -61,6 +55,7 @@ xrdp_xcon_LDADD = \
$(X_PRE_LIBS) -lX11 $(X_EXTRA_LIBS)
xrdp_authtest_LDADD = \
$(top_builddir)/sesman/libsesman/libsesman.la \
$(top_builddir)/common/libcommon.la \
$(top_builddir)/libipm/libipm.la \
$(AUTHMOD_LIB)


@ -31,7 +31,7 @@
#include <unistd.h>
#include "log.h"
#include "auth.h"
#include "sesman_auth.h"
#include "os_calls.h"
#include "string_calls.h"


@ -1,5 +0,0 @@
#if defined(HAVE_CONFIG_H)
#include <config_ac.h>
#endif
#include "../config.c"


@ -35,7 +35,7 @@
#include "parse.h"
#include "trans.h"
#include "os_calls.h"
#include "config.h"
#include "sesman_config.h"
#include "log.h"
#include "string_calls.h"
#include "guid.h"