Commit Graph

998 Commits

Author SHA1 Message Date
matt335672
02a3821f4d Remove libipm_msg_in_start()
The semantics of this call allowed it to be called more than once when
parsing a message to restart a parse. This is not likely to be
useful in practice, and it also makes reading file descriptors
more complicated. Consequently this function has been removed and
replaced with with libipm_msg_in_get_msgno()
2023-01-30 14:31:16 +00:00
matt335672
5f030a95b7 Don't try to listen on the scard socket if it isn't there
If the scard local socket can't be created, there's no point
in trying to listen on it. This will just fill the chansrv log
file with errors.
2023-01-16 13:41:18 +00:00
matt335672
9b846b7b7e
Merge pull request #2473 from matt335672/bsd_setusercontext
Implement BSD setusercontext
2023-01-13 11:24:09 +00:00
matt335672
af69606e0b Remove support for x11rdp
X11rdp has been deprecated now since xrdp v0.9.7 (June 2018). This
commit removes support for it from xrdp itself.
2023-01-05 11:26:44 +00:00
matt335672
a35082e6c5 Call g_set_allusercontext() on appropriate systems 2023-01-05 10:52:08 +00:00
matt335672
cd58d14cef Fix compilation on OpenBSD 2023-01-05 10:52:08 +00:00
matt335672
851bed680c Update sesman tools for new interfaces
The sesman tools sesrun and sesadmin now use the separate
authentication/authorization (AA) interface introduced to
sesman by the previous comment.

sesrun can use either password or UDS authentication. With some
limitations, this can allow for automatic creation of sessions for local
users without a password being needed.

sesadmin now operates using UDS logins only and so a username and
password are not required. To use sesadmin for another user, use
su/sudo/doas to authenticate as the other user.
2022-12-22 11:35:02 +00:00
matt335672
fd99653957 Update sesman authentication processing
Update sesman to cope with separate authentication/authorization (AA) and
command processing.

Also, internally users are now tracked by UID rather thn username.
This addresses a problem found by some users using federated naming
services (e.g. Active Directory) where the same user can be referred to
in more than one way. See https://github.com/neutrinolabs/xrdp/issues/1823

The separation of AA in this way allows for multiple attempts to be made
on one connection to get a password right. This addresses MaxLoginRetry
not working (https://github.com/neutrinolabs/xrdp/issues/1739)
2022-12-22 11:35:02 +00:00
matt335672
c5b6479985 Update authtest utility
This change allows the authtest utility to exercise the updated
auth module interface which includes UDS authentication and
improved error logging.
2022-12-22 11:35:02 +00:00
matt335672
d2a5fcdcd8 Update other auth modules to use new interface
The previous commit introduced a new interface for the auth modules.  This
commit simply updates the other auth modules to use the new interface.

The basic auth module is also updated so that if a user has a shadow
password entry indicated, but the shadow entry cannot be found, an error
is logged rather than silently succeeding.

The BSD authentication module is also updated to allow it to be
compiled on a Linux system for basic testing.
2022-12-22 11:35:02 +00:00
matt335672
2a3cec4125 Update PAM auth module for UDS logins
An extra method auth_uds() is added to the PAM module to
allow a 'struct auth_info' to be created for a UDS login. The PAM stack
is used to check the UDS user can be authorized.

Also, an error code is returned from the auth module rather than a
simple boolean. This allows a more complete status to be communicated
to the user. See https://github.com/neutrinolabs/xrdp/discussions/1921
and also #909 and #642
2022-12-22 11:35:02 +00:00
matt335672
891efed9ad Remove nested includes from sesman.h
The intention is to improve decoupling of the modules making up
sesman.
2022-12-22 11:35:02 +00:00
matt335672
a16e56f711 Add function to get user information by UID
Moving to a uid_t to store the user information makes a lot
of sense. When doing this, we need a function to get information
about a user from the uid_t

As well as creating the function g_getuser_info_by_uid() we also
rename g_getuser_info() to g_getuser_info_by_name() and make the
parameter ordering more usual.
2022-12-22 11:35:02 +00:00
otaconix
c04bf92552
Tiny fix in pseudocode description of startwm.sh
I realize there's not much value in this PR, but I noticed this, so I thought I'd fix it 🙂
2022-12-21 11:54:05 +01:00
matt335672
a6714225e6 Changes to verify_user_kerberos.c 2022-12-13 11:09:33 +00:00
matt335672
767d861df4 Add authtest
Also, change the sesman Makefile generation to make it easy to pick the
correct authorization module for the authtest utility.
2022-12-13 11:09:33 +00:00
metalefty
321f124c73
Merge pull request #2459 from matt335672/pcscd_sock_permissions
Set permissions on pcsc socket dir to owner only
2022-12-10 21:11:44 +09:00
matt335672
b5b047458e Remove unused g_full_name_for_filesystem
Not only was this unused, the way it was read could lead to a
buffer overflow (CVE-2022-23480)
2022-12-09 18:11:03 +00:00
matt335672
ae7c17e1f6 CVE-2022-23480
Added length checking to redirector response parsing
2022-12-09 18:11:03 +00:00
matt335672
96afae1ec5 CVE-2022-23477
Prevent buffer overflow for oversized audio format from client
2022-12-09 17:33:34 +00:00
matt335672
89c873e4aa Set permissions on pcsc socket dir to owner only
There is no reason for any user other than the current one to be able
to communicate with the remote smartcard.
2022-12-09 11:55:31 +00:00
matt335672
8fc5610dad
Remove unnecesssary data from struct auth_info (#2438)
When using PAM authentication, a copy is made of the username and password in the auth_info structure.

The password copy is not cleared from memory when the structure is deallocated. This could mean the password is revealed to an attacker from a coredump.

One solution is to clear the password when the struct is deallocated. However, the username and password in the auth_info struct are only required for the duration of the PAM conversation function. A better solution is to remove the username and password from the auth_info struct entirely, and just use pointers for the duration of the time the callback function is used.
2022-11-28 10:05:20 +00:00
matt335672
3a0a932472 Add --reload option to sesman
Adds a --reload switch to sesman and plumbs this in
to systemctl reload xrdp-sesman.service
2022-11-09 09:46:36 +00:00
matt335672
660ac303f0 Replace various types used for auth_info
The loadable sesman authentication modules use different types for the
authentication handle returned from auth_userpass(). The PAM module
uses a pointer, and the other modules use (effectively) a boolean. Within
sesman itself, a long or tbus (intptr_t) is used.

This PR replaces all of these types with a pointer to an incomplete type.

Consequently:-
- A single better-labelled type is used it all places within sesman so
  it's more obvious what's being handled.
- There is no need to cast the authentication handle within the PAM
  module to a long and back again.
- The compiler can check function signatures between auth.h and the
  various verify modules.
2022-09-16 10:46:53 +01:00
Khem Raj
fc2d61e0c8 mark count with unused attribute
This may throw a warning with clang-15+ when devel logs are disabled
Fixes
../../../xrdp-0.9.19/sesman/chansrv/chansrv.c:198:9: error: variable 'count' set but not used [-Werror,-Wunused-but-set-variable]

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-09-05 22:58:07 -07:00
a1346054
5ff68740e5
remove executable bit from text files 2022-09-03 02:02:14 +00:00
a1346054
7fe18cc1c0
fix typos 2022-09-03 02:01:48 +00:00
matt335672
686bb4e075
Merge pull request #2348 from metalefty/sesman-ini
sesman.ini: mention FreeBSD Xorg path
2022-08-27 12:06:29 +01:00
Koichiro IWAO
235d264a02 sesman.ini: mention FreeBSD Xorg path 2022-08-26 13:56:52 +09:00
Koichiro IWAO
2c25e60abc
sesman: fix spacing in log
[20220301-18:25:01] [INFO ] Starting window manager on display 12from user home directory: /home/user/startwm.sh
                                                                ^^
2022-05-28 01:27:47 +09:00
matt335672
3e488773d7 Updated session allocation policy for sesman
Made session allocation policies more readable and maintainable.

The 'C' policy which was confusing before has been replaced with the
'Separate' keyword. This is a public interface change, but is unlikely
to affect many users.

The logging in session_get_bydata() is substantially improved, making
it far easier to spot why sessions are getting matched or not matched.
2022-05-18 12:35:07 +01:00
matt335672
a4c6c36cf2 Add PAM_RHOST support
Supplies the IP address that an authentication event is
received from as the PAM parameter PAM_RHOST for PAM-capable systems.
2022-05-18 12:35:07 +01:00
matt335672
79bec8110c Unify connection fields for the connected client
The connected client is currently described in two places in
the xrdp_client_info structure:-

1) In the connection_description field. This was introduced as
   field client_ip by commit d797b2cf49
   for xrdp v0.6.0

2) In the client_addr and client_port fields introduced by commit
   25369460a1 for xrdp v0.8.0

This commit unifies these two sets of fields into a single
set of fields describing the connection IP and port (for
AF_INET/AF_INET6 connections only) and a connection description
for all connection types.

The code in os_calls to provide client logging has been simplified
somewhat which should make it easier to add new connection types (e.g.
AF_VSOCK).

The old connection_description field used to be passed to sesman to
inform sesman of the IP address of the client, and also to provide
a string for 'C' field session policy matching. 'C' field session policy
matching does not actually need this string (see #2239), and so now only
the IP field is passed to sesman.
2022-05-18 12:35:07 +01:00
matt335672
34fe9b60eb
Merge pull request #1983 from matt335672/pam_group_fix
Moved g_initgroups() call to before auth_start_session()
2022-05-04 09:29:15 +01:00
matt335672
8f1bdaa95e Remove TCP socket support fron chansrv
The code in xrdp_mm.c to connect to chansrv over a TCP socket has
been removed, with the move to UDS. This PR simply removes the
chansrv TCP listening code. Without doing this, some configurations
result in a failure of xrdp to connect to chansrv.
2022-05-03 10:57:41 +01:00
matt335672
0db849fc5c Move SCP to a Unix Domain Socket
The TCP socket implementation of sesman has a number of limitations,
namely that it is affected by firewalls, and also that determining the
user on the other end requires a full authentication process.

The advantage of the TCP socket is that sesman and xrdp can be run on
separate machines. This is however not supported by the xorgxrdp
backend (shared memory), and is insecure, in that passwords are sent
in-the-clear, and the connection is susceptible to MitM attacks. This
architecture has been deprecated in release notes since xrdp v0.9.17,
and although it will continue to be supported in any further releases
in the x0.9.x series, it will not be supported in the next major
version.
2022-04-18 09:12:35 +01:00
matt335672
9c30d4c2f8 Add lock_uds module to sesman
When sesman used a standard TCP socket, we were guaranteed only one copy
of sesman could run on on address, as standard TCP listening rules
enforced this. This isn't the case with Unix Domain sockets. This
module implements a locking mechanism for a UDS which emulates the
standard TCP socket behaviour.
2022-04-18 09:09:46 +01:00
matt335672
4183d8ddbf Moved initgroups call to before auth_start_session()
This is required for PAM systems that depend on group membership being
available during PAM processing. This is used by pam_group on FreeBSD
and pam_group on Linux-PAM, although the functionality of both is
different.
2022-04-05 16:07:26 +01:00
matt335672
104304aad1 Open log in sesman before reading config 2022-03-28 19:00:23 +01:00
matt335672
8e27f231fd Add fail2ban logging to PAM authentication requests 2022-03-15 10:45:00 +00:00
matt335672
1746ac2f79 Remove SCP V0 and V1 files 2022-03-15 10:45:00 +00:00
matt335672
bb820cca87 tools: Moved to new SCP interface 2022-03-15 10:45:00 +00:00
matt335672
a952ff8542 Remove unused tcp module from tools 2022-03-15 10:45:00 +00:00
matt335672
32f644a907 Removed sestest utility 2022-03-15 10:45:00 +00:00
matt335672
c0cb03801c Move sesman to new SCP interface 2022-03-15 10:45:00 +00:00
matt335672
8bd597a038 Fix signal handling in sesman 2022-03-04 11:37:45 +00:00
matt335672
2484928a5a Change 3rd parameter of log_start() to flags field 2022-03-04 11:37:45 +00:00
matt335672
fcd991844a sesman : Move global declarations to sesman.h 2022-03-03 17:01:55 +00:00
matt335672
b689707d15 Remove unnecessary log message 2022-02-16 11:59:56 +00:00
bin zhong
f8f18e27c5
Merge branch 'neutrinolabs:devel' into devel 2022-02-15 09:52:28 +08:00