Commit Graph

133 Commits

Author SHA1 Message Date
matt335672 c51ec2e8e9 Remove sesmanruntimedir
Now we've made the XRDP_SOCKET_PATH only writeable by root, it's
safe to move the sesman socket back into this directory. We no longer
need a separate sesmanruntimedir
2023-10-23 18:14:46 +01:00
matt335672 675dd77807 Parameterise the sockdir with the UID of the user
The top level socket directory is now called XRDP_SOCKET_ROOT_PATH.
Below that are user-specific directories referred to with the
XRDP_SOCKET_PATH macro - this name is hard-coded into xorgxrdp and
the audio modules as an environment variable.

XRDP_SOCKET_PATH now looks like $XRDP_SOCKET_ROOT_PATH/<uid>

XRDP_SOCKET_PATH is only writeable by the user, and readable by the user
and the xrdp process.
2023-10-23 18:14:46 +01:00
Daniel Richard G fdfe47668b Add XorgNoNewPrivileges configuration option
This allows Linux's no_new_privs restriction to be disabled when starting
the X server, which may be desirable if xrdp is running inside a kernel
confinement framework such as AppArmor or SELinux.
2023-05-15 17:40:46 -04:00
matt335672 06580ec448 sesman config: Add MaxDisplayNumber
When allocating a display number, we should be aware that
IANA only allow TCP displays up to :63. This PR adds that restriction in
to sesman.ini as a default, to prevent us allocating unavailable TCP
ports.

By default TCP ports are not enabled for X servers, but users can easily
change this if they wish to access X displays directly over the network.

This restriction is in addition to the MaxSessions limit already present
in sesman.ini
2023-05-02 11:55:22 +01:00
Lennart Sauerbeck 5741653900 sesman: Prevent the use of 'alternate shell'
By setting the new config value 'AllowAlternateShell' to 'no' it is now
possible to prevent the use of an alternate shell, which can be set by
the connecting user.
The default remains unchanged and any shell is allowed if the config
value is not specified. It can also be set explicitly to 'yes' to achieve
the same outcome.

Fixes: #850
2023-04-19 10:16:56 +01:00
Hiero32 9fe9ae3bc0 Support to set parameters from sesman.ini. 2023-03-28 21:20:54 +09:00
Michael Saxl 367a045f00 [chansrv-fuse] update documentation 2023-01-31 20:13:34 +01:00
akarl10 5bcac32bf1 [chansrv-fuse] update documentation 2023-01-31 19:41:17 +01:00
matt335672 af69606e0b Remove support for x11rdp
X11rdp has been deprecated now since xrdp v0.9.7 (June 2018). This
commit removes support for it from xrdp itself.
2023-01-05 11:26:44 +00:00
matt335672 1a48527df9 Update xrdp for separate AA and session creation
xrdp is updated to use the separate authenticate/authorization (AA) and
command processing interface now provided by sesman.

PAM processing has been removed entirely and moved into the seman PAM
module. As a result, gateway processing for proxy use-cases can be
made use of by non-PAM systems.
2022-12-22 11:35:02 +00:00
matt335672 851bed680c Update sesman tools for new interfaces
The sesman tools sesrun and sesadmin now use the separate
authentication/authorization (AA) interface introduced to
sesman by the previous comment.

sesrun can use either password or UDS authentication. With some
limitations, this can allow for automatic creation of sessions for local
users without a password being needed.

sesadmin now operates using UDS logins only and so a username and
password are not required. To use sesadmin for another user, use
su/sudo/doas to authenticate as the other user.
2022-12-22 11:35:02 +00:00
matt335672 cce78b0698
Merge pull request #2407 from alexpevzner/devel
LogFile=- redirects log to stdout, which is useful for debugging
2022-12-12 20:33:04 +00:00
Alexander Pevzner 5d6123a046 Documentation of log file redirection to <stdout> updated
Since multiple processes can write logs simultaneously, and there
is no explicit synchronization between them, logs redirected to
stdout may interleave. When logging to the disk file, synchronization
is obtained by using a combination of O_APPEND and O_SYNC flags when
log file is being opened, which is not possible when <stdout>
redirection is in use.

So documentation is updated to cleanly notify that this is debug-only
feature, not for regular use
2022-12-12 19:14:54 +03:00
matt335672 3a0a932472 Add --reload option to sesman
Adds a --reload switch to sesman and plumbs this in
to systemctl reload xrdp-sesman.service
2022-11-09 09:46:36 +00:00
Alexander Pevzner 6c2bc83ec9 LogFile in sesman.ini(5) updated too
docs/man/sesman.ini.5.in
2022-11-04 22:34:53 +03:00
Alexander Pevzner d6e888cf38 Use LogFile=<stdiut> instead of LogFile=- to redirect log to stdout 2022-11-03 14:44:58 +03:00
Alexander Pevzner 59ca0e1c58 LogFile=- redirects log to stdout, which is useful for debugging 2022-11-02 17:00:44 +03:00
Alexander Georgievskiy fa138f80f7
xrdp.ini.5.in: Fix mixed up config options 2022-10-12 17:10:34 +03:00
matt335672 a417ab0542 Add font control variables to xrdp.ini
This commit adds the variables fv1_select and default_dpi to
xrdp.ini. These variables allow for a different font to be
loaded, depending on the DPI of the login screen.
2022-09-06 09:42:14 +01:00
matt335672 ae6a55dbac Replace Windows font utility with native utilities
To generate new fonts, the freetype2 library is required. This
can now be specified by configure in the usual way. If it's missing,
new fonts cannot be generated.
2022-09-06 09:31:47 +01:00
a1346054 7fe18cc1c0
fix typos 2022-09-03 02:01:48 +00:00
matt335672 3e488773d7 Updated session allocation policy for sesman
Made session allocation policies more readable and maintainable.

The 'C' policy which was confusing before has been replaced with the
'Separate' keyword. This is a public interface change, but is unlikely
to affect many users.

The logging in session_get_bydata() is substantially improved, making
it far easier to spot why sessions are getting matched or not matched.
2022-05-18 12:35:07 +01:00
matt335672 0db849fc5c Move SCP to a Unix Domain Socket
The TCP socket implementation of sesman has a number of limitations,
namely that it is affected by firewalls, and also that determining the
user on the other end requires a full authentication process.

The advantage of the TCP socket is that sesman and xrdp can be run on
separate machines. This is however not supported by the xorgxrdp
backend (shared memory), and is insecure, in that passwords are sent
in-the-clear, and the connection is susceptible to MitM attacks. This
architecture has been deprecated in release notes since xrdp v0.9.17,
and although it will continue to be supported in any further releases
in the x0.9.x series, it will not be supported in the next major
version.
2022-04-18 09:12:35 +01:00
Kentaro Hayashi 8487c298ba Update sesman.ini.5 explanation about RestrictOutboundClipboard,RestrictOutboundClipboard
RestrictOutboundClipboard,RestrictOutboundClipboard are extended to
accept text,file,image configuration value.
2022-01-14 10:17:02 +09:00
matt335672 2dbec63327 Add Nautilus 3 compatibility 2021-09-16 10:02:02 +01:00
matt335672 32b676472a Add DISPLAY(n) ass a valid form of chansrvport 2021-04-13 12:16:02 +01:00
matt335672 9d229d2318 Minor manpage fixes 2021-01-20 12:55:35 +00:00
matt335672 1e13533048 Remove output on stdout by default on daemon startuip 2021-01-07 10:50:16 +00:00
matt335672 aa5c5daf7e
Merge pull request #1703 from matt335672/issue1048-2
Allow FuseMountName for chansrv to be absolute path (#1048)
Move string funcs from os_calls.h to string_calls.h
2020-12-22 12:10:43 +00:00
aquesnel 4f4458c3a9
Fix typo in sesman.ini man page
The ChansrvLogging section name was added and changed in #1633 but this documentation line was missed when renaming the section name.
2020-12-21 11:43:24 -05:00
matt335672 5523847540 Allow FuseMountName for chansrv to be absolute path 2020-12-21 12:36:31 +00:00
metalefty 835536b406
Merge pull request #1741 from matt335672/sesrun-improvements
sesrun improvements and doc fixes
2020-12-21 13:45:57 +09:00
Koichiro IWAO 6562c9d958 man page fixes after neutrinolabs/xorgxrdp#175 2020-12-18 15:21:21 +09:00
matt335672 633716bbad sesrun improvements and doc fixes 2020-12-09 11:44:17 +00:00
matt335672 e6c1df64d3 Added --config/-c to sesman 2020-12-09 10:19:14 +00:00
robertoetcheverryr 8270331646 Updated man and .ini file regarding address:port parameters. 2020-10-20 23:25:13 -03:00
Alexandre Quesnel a9ec1ebd99 Unifying logging in chanserv
This commit adds:
* replace multiple logging macros with LOG and LOG_DEVEL
* logging configuration for chanserv
* logging configuration for console output
* logging configuration for per file or method log level filtering for
debug builds
* file, line, and method name in log message for debug builds
2020-10-19 05:10:47 +00:00
matt335672 ebc21fe180 Added -c / --config to xrdp 2020-10-16 10:55:23 +01:00
matt335672 68f0fa7e4d
Merge pull request #1668 from bolkedebruin/enable_token_sso
Add support for token authentication
2020-09-09 10:10:13 +01:00
Bolke de Bruin 0b82f19318 Improve documentation 2020-09-09 09:13:37 +02:00
matt335672 edda1b064d chansrv improved config support 2020-09-08 16:58:03 +01:00
matt335672 a2ca01fdf5 Minor manpage fixes 2020-06-18 12:23:32 +01:00
matt335672 3c4b42b1aa Implemented resize and multimon support for VNC backend 2020-06-04 15:10:35 +01:00
matt335672 4d8f2b5a31 Significant remote file system improvements
- Reimplemented inode store in separate module chansrv_xfs.[hc]
- Allowed atimes and mtimes to be written to Windows side
- Mapped file user write bit to (inverted) Windows FILE_ATTRIBUTE_READONLY bit
- Mapped file user execute bit to Windows FILE_ATTRIBUTE_SYSTEM bit
- Implemented improved security for remotely mounted drives
- Implemented USB device removal, allowing hot-plug/remove of memory sticks
- Fixed pagefile.sys breaking Ubuntu file browser
- Fixed write offset bug
- Allowed renaming of open files
- Improved reported error codes
- Fixed various memory leaks
- Addressed valgrind errors related to struct fuse_file_info pointers.
2019-12-05 11:41:32 +00:00
Koichiro IWAO 46b4a9b7c8
docs: sesman and sesrun now have xrdp- prefix 2019-03-20 16:55:02 +09:00
Krzysztof Adamski 751cd97018 reapply outboud-resitrcted clipboard 2019-02-26 07:40:17 +01:00
Koichiro IWAO 5ea403430a
Sort & reword description of IdleTimeLimit 2018-10-16 16:53:33 +09:00
Koichiro IWAO f84f3de478
docs: ressurect IdleTimeLimit
This reverts commit 513f767996.
2018-10-10 17:47:12 +09:00
Koichiro IWAO 1ad8cbb2a0
Document TLSv1.3 support 2018-09-14 11:50:55 +09:00
Koichiro IWAO 5d9ff0f544
docs: fix xrdp's LogFile path in man 2018-07-12 18:04:32 +09:00