deny access if group is undefined

2013-01-31 15:19:58 +01:00 · 2013-01-31 15:19:58 +01:00 · 876f356dad
commit 876f356dad
parent 0770f217fa
5 changed files with 18 additions and 4 deletions
--- a/sesman/access.c
+++ b/sesman/access.c
@ -42,7 +42,7 @@ access_login_allowed(char *user)
        return 0;
    }

-    if (0 == g_cfg->sec.ts_users_enable)
+    if ((0 == g_cfg->sec.ts_users_enable) && (0==g_cfg->sec.ts_always_group_check))
    {
        LOG_DBG("Terminal Server Users group is disabled, allowing authentication",
                1);
@ -57,7 +57,7 @@ access_login_allowed(char *user)

    if (g_cfg->sec.ts_users == gid)
    {
-        LOG_DBG("ts_users is user's primary group");
+        log_message(LOG_LEVEL_DEBUG,"ts_users is user's primary group");
        return 1;
    }

--- a/sesman/config.c
+++ b/sesman/config.c
@ -286,13 +286,18 @@ config_read_security(int file, struct config_security *sc,
                sc->ts_admins = gid;
            }
        }
+        if (0 == g_strcasecmp(buf, SESMAN_CFG_SEC_ALWAYSGROUPCHECK))
+        {
+            sc->ts_always_group_check = text2bool((char *)list_get_item(param_v, i));
+        }	
    }

    /* printing security config */
    g_printf("security configuration:\r\n");
    g_printf("\tAllowRootLogin:       %i\r\n", sc->allow_root);
    g_printf("\tMaxLoginRetry:        %i\r\n", sc->login_retry);
-
+    g_printf("\tAlwaysGroupCheck:     %i\r\n", sc->ts_always_group_check);
+    
    if (sc->ts_users_enable)
    {
        g_printf("\tTSUsersGroup:         %i\r\n", sc->ts_users);
--- a/sesman/config.h
+++ b/sesman/config.h
@ -56,6 +56,7 @@
 #define SESMAN_CFG_SEC_ALLOW_ROOT    "AllowRootLogin"
 #define SESMAN_CFG_SEC_USR_GROUP     "TerminalServerUsers"
 #define SESMAN_CFG_SEC_ADM_GROUP     "TerminalServerAdmins"
+#define SESMAN_CFG_SEC_ALWAYSGROUPCHECK "AlwaysGroupCheck"

 #define SESMAN_CFG_SESSIONS          "Sessions"
 #define SESMAN_CFG_SESS_MAX          "MaxSessions"
@ -93,6 +94,11 @@ struct config_security
   */
  int ts_admins_enable;
  int ts_admins;
+  /**
+   * @var ts_always_group_check
+   * @brief if the Groups are not found deny access
+   */
+  int ts_always_group_check;
 };

 /**
--- a/sesman/sesman.ini
+++ b/sesman/sesman.ini
@ -10,6 +10,9 @@ AllowRootLogin=1
 MaxLoginRetry=4
 TerminalServerUsers=tsusers
 TerminalServerAdmins=tsadmins
+# When AlwaysGroupCheck = false access will be permitted 
+# if the group TerminalServerUsers is not defined.
+AlwaysGroupCheck = false

 [Sessions]
 X11DisplayOffset=10
--- a/xrdp/xrdp_wm.c
+++ b/xrdp/xrdp_wm.c
@ -455,7 +455,7 @@ xrdp_wm_load_static_colors_plus(struct xrdp_wm *self, char *autorun_name)
                    else if (g_strcasecmp(val, "pamerrortxt") == 0)
                    {
                        val = (char *)list_get_item(values, index);
-                        g_strncpy(self->pamerrortxt,val,256);
+                        g_strncpy(self->pamerrortxt,val,255);
                    }
                }
            }