From 8b4d057af26319d314706b6e46bf8e785b6da4d7 Mon Sep 17 00:00:00 2001 From: Ben Cohen Date: Fri, 23 Jun 2017 18:07:32 +0100 Subject: [PATCH] Allow UDS connection from non-root users If you run xrdp with a Unix Domain Socket (UDS) for the port specified in /etc/xrdp/xrdp.ini then only root can connect to it. Test case: 1. Edit /etc/xrdp/xrdp.ini to set "port=/var/run/xrdp-local.socket". 2. Restart xrdp. 3. Run the following, as a non-root user. socat TCP-LISTEN:12345 UNIX-CONNECT:/var/run/xrdp-local.socket & rdesktop localhost:12345 Expected behaviour: rdesktop starts up and displays the logon dialog. Observed behaviour: rdesktop exits with "ERROR: Connection closed" and socat exits with "Permission denied". (But it suceeds if root runs socat.) UDS files are created by trans_listen_address() and given permissions 0660, so only root can connect to it. In this case, for the RDP client connection, it it fine for any user to connect so it should be given permissions 0666. Note that this is only relevant when the port in /etc/xrdp/xrdp.ini has been set to create a UDS instead of a TCP socket. When a TCP port is created any user (including remote users, unless the loopback interface is used) can connect so this is not less secure. --- xrdp/xrdp_listen.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xrdp/xrdp_listen.c b/xrdp/xrdp_listen.c index e6443bc9..0ab56148 100644 --- a/xrdp/xrdp_listen.c +++ b/xrdp/xrdp_listen.c @@ -372,6 +372,10 @@ xrdp_listen_main_loop(struct xrdp_listen *self) /* Create socket */ error = trans_listen_address(self->listen_trans, port, address); + if (port[0] == '/') + { + g_chmod_hex(port, 0x0666); + } if (error == 0) {