On Sat, Mar 06, 2021 at 09:52:58PM +0300, Vadim Zhukov wrote:
> сб, 6 мар. 2021 г. в 21:30, Theo de Raadt <dera...@openbsd.org>:
> >
> > Matthieu Herrb <matth...@openbsd.org> wrote:
> >
> > > Linux, systemd and XDG have inventend this /run/user/$uid tmpfs that
> > > is created automagically and they use that in place of /tmp for
> > > volatile things that don't beloing to $HOME, but this is not a can of
> > > worms I want to open now.
> >
> > Awesome, another directory to drop stuff and run a filesystem out of space
> > with unclear consequences...
> >
> > This does not fit with our direction either.
> 
> So this code appeared in X11R4. There was no VCS repo, I suppose, so no 
> history.
> 
> There are basically four cases why xdm may fail to create ~/.Xauthority:
> 
> a) home directory doesn't exist
> b) home directory is non-writeable due to permissions
> c) /home is full
> d) /home is on NFS and there are locking/network issues.
> 
> I'm not sure if (a) is a valid case. (b) is a variant of my case, as I
> said, I can live without this feature. In the case of (c) users
> (non-admins) won't be able to do something anyway. Can't speak for NFS
> (I've quit the job where /home on NFS has been set up a few years ago)
> so no opinion on (d).
> 

I think 4 is not an issue anymore. The locking mechanism used by xauth
is working with all current NFS implementations (including
OpenBSD's).

Here is a patch to remove the backup authorization file. Unfortunately
there is no simple way to display an explicit error message. One will
need to check the xenodm.log file.

Xsession can be patched too to remove the fallback to /tmp/xes- log
file if ~/.xsession-errors cannot be written. This will be a separate
diff.

Index: include/dm.h
===================================================================
RCS file: /cvs/OpenBSD/xenocara/app/xenodm/include/dm.h,v
retrieving revision 1.15
diff -u -p -u -r1.15 dm.h
--- include/dm.h        10 Jan 2021 09:18:30 -0000      1.15
+++ include/dm.h        6 Mar 2021 17:53:44 -0000
@@ -122,7 +122,6 @@ struct display {
        char            **authNames;    /* authorization protocol names */
        unsigned short  *authNameLens;  /* authorization protocol name lens */
        char            *clientAuthFile;/* client specified auth file */
-       char            *userAuthDir;   /* backup directory for tickets */
        int             authComplain;   /* complain when no auth for XDMCP */
 
        /* information potentially derived from resources */
Index: man/xenodm.man
===================================================================
RCS file: /cvs/OpenBSD/xenocara/app/xenodm/man/xenodm.man,v
retrieving revision 1.11
diff -u -p -u -r1.11 xenodm.man
--- man/xenodm.man      15 Aug 2019 16:23:33 -0000      1.11
+++ man/xenodm.man      6 Mar 2021 17:53:44 -0000
@@ -582,18 +582,6 @@ to occur, during which time the new auth
 The default is
 .Cm false ,
 which will work for all MIT servers.
-.It Ic DisplayManager. Ns Ar DISPLAY Ns Ic .userAuthDir
-When
-.Nm
-is unable to write to the usual user authorization file
-.Pq Pa $HOME/.Xauthority ,
-it creates a unique file name in this directory and points the environment
-variable
-.Ev XAUTHORITY
-at the created file.
-It uses
-.Pa /tmp
-by default.
 .El
 .Sh CONFIGURATION FILE
 First, the
Index: xenodm/auth.c
===================================================================
RCS file: /cvs/OpenBSD/xenocara/app/xenodm/xenodm/auth.c,v
retrieving revision 1.15
diff -u -p -u -r1.15 auth.c
--- xenodm/auth.c       1 Jan 2021 18:09:07 -0000       1.15
+++ xenodm/auth.c       6 Mar 2021 17:53:44 -0000
@@ -752,7 +752,7 @@ void
 SetUserAuthorization (struct display *d, struct verify_info *verify)
 {
     FILE       *old = NULL, *new;
-    char       home_name[1024], backup_name[1024], new_name[1024];
+    char       home_name[1024], new_name[1024];
     char       *name = NULL;
     char       *home;
     char       *envname = NULL;
@@ -762,7 +762,6 @@ SetUserAuthorization (struct display *d,
     struct stat        statb;
     int                i;
     int                magicCookie;
-    int                fd;
 
     Debug ("SetUserAuthorization\n");
     auths = d->authorizations;
@@ -793,45 +792,10 @@ SetUserAuthorization (struct display *d,
            }
        }
        if (lockStatus != LOCK_SUCCESS) {
-           snprintf (backup_name, sizeof(backup_name),
-                     "%s/.XauthXXXXXX", d->userAuthDir);
-           fd = mkstemp (backup_name);
-           if (fd >= 0) {
-               old = fdopen (fd, "r");
-               if (old == NULL)
-                   (void) close(fd);
-           }
-
-           if (old != NULL)
-           {
-               lockStatus = XauLockAuth (backup_name, 1, 2, 10);
-               Debug ("backup lock is %d\n", lockStatus);
-               if (lockStatus == LOCK_SUCCESS) {
-                   if (openFiles (backup_name, new_name, sizeof(new_name),
-                                   &old, &new)
-                       && (old != NULL) && (new != NULL)) {
-                       name = backup_name;
-                       setenv = 1;
-                   } else {
-                       XauUnlockAuth (backup_name);
-                       lockStatus = LOCK_ERROR;
-                       if (old != NULL) {
-                           (void) fclose (old);
-                           old = NULL;
-                       }
-                       if (new != NULL)
-                           (void) fclose (new);
-                   }
-               } else {
-                   (void) fclose (old);
-               }
-           }
-       }
-       if (lockStatus != LOCK_SUCCESS) {
-           Debug ("can't lock auth file %s or backup %s\n",
-                           home_name, backup_name);
-           LogError ("can't lock authorization file %s or backup %s\n",
-                           home_name, backup_name);
+           Debug ("can't lock auth file %s\n",
+                           home_name);
+           LogError ("can't lock authorization file %s\n",
+                           home_name);
            return;
        }
        initAddrs ();
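Review bot: The LogError at the end of this hunk is now the only diagnostic for a session that starts without an authorization file, yet it prints just the path; `lockStatus` is in scope on the guard line and would tell the reader whether XauLockAuth timed out or failed, e.g. `LogError ("can't lock authorization file %s (lock status %d)\n", home_name, lockStatus);`. If the home-file path above the hunk sets lockStatus to LOCK_ERROR after a failed openFiles, as the removed backup branch did, that case is also folded into a "can't lock" message that misdescribes the cause and would deserve its own message at the point of failure. The removed lines held the only assignment `setenv = 1` visible here, so `setenv` and any `if (setenv)` branch later in SetUserAuthorization may now be dead; the function continues outside this hunk, so that needs checking against the full file.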
Index: xenodm/dpylist.c
===================================================================
RCS file: /cvs/OpenBSD/xenocara/app/xenodm/xenodm/dpylist.c,v
retrieving revision 1.3
diff -u -p -u -r1.3 dpylist.c
--- xenodm/dpylist.c    10 Jan 2021 09:18:30 -0000      1.3
+++ xenodm/dpylist.c    6 Mar 2021 17:53:44 -0000
@@ -128,7 +128,6 @@ RemoveDisplay (struct display *old)
            if (d->authFile)
                (void) unlink (d->authFile);
            free (d->authFile);
-           free (d->userAuthDir);
            for (x = d->authNames; x && *x; x++)
                free (*x);
            free (d->authNames);
@@ -195,7 +194,6 @@ NewDisplay (char *name, char *class)
     d->authNameNum = 0;
     d->clientAuthFile = NULL;
     d->authFile = NULL;
-    d->userAuthDir = NULL;
     d->authNames = NULL;
     d->authNameLens = NULL;
     d->authComplain = 1;
Index: xenodm/resource.c
===================================================================
RCS file: /cvs/OpenBSD/xenocara/app/xenodm/xenodm/resource.c,v
retrieving revision 1.5
diff -u -p -u -r1.5 resource.c
--- xenodm/resource.c   3 Nov 2018 18:04:45 -0000       1.5
+++ xenodm/resource.c   6 Mar 2021 17:53:44 -0000
@@ -200,8 +200,6 @@ struct displayResource sessionResources[
                                DEF_SYSTEM_SHELL },
 { "failsafeClient","FailsafeClient",   DM_STRING,      boffset(failsafeClient),
                                DEF_FAILSAFE_CLIENT },
-{ "userAuthDir","UserAuthDir", DM_STRING,      boffset(userAuthDir),
-                               DEF_USER_AUTH_DIR },
 };
 
 #define NUM_SESSION_RESOURCES  (sizeof sessionResources/\

-- 
Matthieu Herrb
