Commit Graph

7 Commits

Author SHA1 Message Date
matt335672
c51ec2e8e9 Remove sesmanruntimedir
Now we've made the XRDP_SOCKET_PATH only writeable by root, it's
safe to move the sesman socket back into this directory. We no longer
need a separate sesmanruntimedir
2023-10-23 18:14:46 +01:00
matt335672
675dd77807 Parameterise the sockdir with the UID of the user
The top level socket directory is now called XRDP_SOCKET_ROOT_PATH.
Below that are user-specific directories referred to with the
XRDP_SOCKET_PATH macro - this name is hard-coded into xorgxrdp and
the audio modules as an environment variable.

XRDP_SOCKET_PATH now looks like $XRDP_SOCKET_ROOT_PATH/<uid>

XRDP_SOCKET_PATH is only writeable by the user, and readable by the user
and the xrdp process.
2023-10-23 18:14:46 +01:00
matt335672
dec05f91fa libipm: Add ERCP 2023-05-02 11:55:22 +01:00
matt335672
c3f02f5107 libipm: Add EICP 2023-05-02 11:55:22 +01:00
matt335672
4c4bdc9782 SCP: separate authentication from session creation
Messaging changes:-
- Implement sys_login request message with username, password and
  IP address
- Implement UDS login message for current user connected to sesman
- Implement common login response message for login requests
- Implement logout message so gateway authentications can be handled
- with login/logout messages
- Remove login info from the create session request
- Existing gateway request/response messages removed
- Add close connection message so that sesman can close terminated
  connections without displaying ERROR messages in the log.
- Add a set_peername message so clients can send a name to sesman
  for improved logging.

Other changes:-
- Add status types for logging in and session creation, so that the
  front-end can supply the user with more informative errors in the
  event of an error occurring.
- Users identities are now carried by UID rather than username, as
  xrdp and sesman are guaranteed to be on the same machine.
2022-12-22 11:35:02 +00:00
matt335672
0db849fc5c Move SCP to a Unix Domain Socket
The TCP socket implementation of sesman has a number of limitations,
namely that it is affected by firewalls, and also that determining the
user on the other end requires a full authentication process.

The advantage of the TCP socket is that sesman and xrdp can be run on
separate machines. This is however not supported by the xorgxrdp
backend (shared memory), and is insecure, in that passwords are sent
in-the-clear, and the connection is susceptible to MitM attacks. This
architecture has been deprecated in release notes since xrdp v0.9.17,
and although it will continue to be supported in any further releases
in the x0.9.x series, it will not be supported in the next major
version.
2022-04-18 09:12:35 +01:00
matt335672
e059336dff Add libipm facility 2022-03-15 10:23:27 +00:00