From 3f2a017c974c6ff0e0fbd8311cb720ae3bf8ba73 Mon Sep 17 00:00:00 2001 From: matt335672 <30179339+matt335672@users.noreply.github.com> Date: Wed, 27 Dec 2017 15:00:18 +0000 Subject: [PATCH 01/36] Make listen check before daemon fork --- sesman/sesman.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/sesman/sesman.c b/sesman/sesman.c index fd98370c..609670af 100644 --- a/sesman/sesman.c +++ b/sesman/sesman.c @@ -343,18 +343,17 @@ main(int argc, char **argv) if (daemon) { /* start of daemonizing code */ - g_pid = g_fork(); + if (sesman_listen_test(g_cfg) != 0) + { - if (0 != g_pid) + log_message(LOG_LEVEL_ERROR, "Failed to start xrdp-sesman daemon, " + "possibly address already in use."); + g_deinit(); + g_exit(1); + } + + if (0 != g_fork()) { - if (sesman_listen_test(g_cfg) != 0) - { - - log_message(LOG_LEVEL_ERROR, "Failed to start xrdp-sesman daemon, " - "possibly address already in use."); - g_deinit(); - g_exit(1); - } g_deinit(); g_exit(0); } From f2db57afb0ecc9b020046c466301c9c9f9f1e73d Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Tue, 9 Jan 2018 14:09:13 +0900 Subject: [PATCH 02/36] fix indent --- sesman/sesman.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sesman/sesman.c b/sesman/sesman.c index 609670af..a89d2f55 100644 --- a/sesman/sesman.c +++ b/sesman/sesman.c @@ -344,7 +344,7 @@ main(int argc, char **argv) { /* start of daemonizing code */ if (sesman_listen_test(g_cfg) != 0) - { + { log_message(LOG_LEVEL_ERROR, "Failed to start xrdp-sesman daemon, " "possibly address already in use."); From dcf64e43ca91474c047ba01df15feadc8e3a142c Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Fri, 15 Dec 2017 17:52:39 +0900 Subject: [PATCH 03/36] remove trailing space --- sesman/session.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sesman/session.c b/sesman/session.c index ae3194da..92c6002c 100644 --- a/sesman/session.c +++ b/sesman/session.c 
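Review bot: `if (0 != g_fork())` in the daemon branch treats a failed fork (-1) exactly like the parent path, so when fork fails sesman logs nothing and exits with status 0 although no daemon is running; the listen test now runs before the fork, but nothing guards the fork itself. Keep the pid, as the removed code did, and handle -1 separately before the parent check: `pid = g_fork(); if (pid == -1) { log_message(LOG_LEVEL_ERROR, "fork failed"); g_deinit(); g_exit(1); }` followed by the existing `if (0 != pid)` path. The listen-test error message would also be more useful if it named the address and port that could not be bound, assuming g_cfg carries them. main() continues outside the hunk.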
@@ -360,7 +360,7 @@ session_start_chansrv(char *username, int display) chansrv_pid = g_fork(); if (chansrv_pid == 0) { - chansrv_params = list_create(); + chansrv_params = list_create(); chansrv_params->auto_free = 1; /* building parameters */ From 08f847d74b8e5b37650746f48c1333453cb04b15 Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Fri, 15 Dec 2017 17:56:45 +0900 Subject: [PATCH 04/36] sesman: refactor, change variable names session_variables1 -> env_names session_variables2 -> env_values Use the name used in callee function env_set_user(). The former names are not clear. --- sesman/config.c | 22 +++++++++++----------- sesman/config.h | 12 ++++++++++-- sesman/session.c | 20 ++++++++++---------- 3 files changed, 31 insertions(+), 23 deletions(-) diff --git a/sesman/config.c b/sesman/config.c index 794ff4c2..0363b330 100644 --- a/sesman/config.c +++ b/sesman/config.c 
@@ -472,29 +472,29 @@ config_read_session_variables(int file, struct config_sesman *cs, list_clear(param_v); list_clear(param_n); - cs->session_variables1 = list_create(); - cs->session_variables1->auto_free = 1; - cs->session_variables2 = list_create(); - cs->session_variables2->auto_free = 1; + cs->env_names = list_create(); + cs->env_names->auto_free = 1; + cs->env_values = list_create(); + cs->env_values->auto_free = 1; file_read_section(file, SESMAN_CFG_SESSION_VARIABLES, param_n, param_v); for (i = 0; i < param_n->count; i++) { - list_add_item(cs->session_variables1, + list_add_item(cs->env_names, (tintptr) g_strdup((char *) list_get_item(param_n, i))); - list_add_item(cs->session_variables2, + list_add_item(cs->env_values, (tintptr) g_strdup((char *) list_get_item(param_v, i))); } /* printing session variables */ g_writeln("%s parameters:", SESMAN_CFG_SESSION_VARIABLES); - for (i = 0; i < cs->session_variables1->count; i++) + for (i = 0; i < cs->env_names->count; i++) { g_writeln(" Parameter %02d %s=%s", i, - (char *) list_get_item(cs->session_variables1, i), - (char *) list_get_item(cs->session_variables2, i)); + (char *) list_get_item(cs->env_names, i), + (char *) list_get_item(cs->env_values, i)); } return 0; @@ -506,7 +506,7 @@ config_free(struct config_sesman *cs) list_delete(cs->rdp_params); list_delete(cs->vnc_params); list_delete(cs->xorg_params); - list_delete(cs->session_variables1); - list_delete(cs->session_variables2); + list_delete(cs->env_names); + list_delete(cs->env_values); g_free(cs); } diff --git a/sesman/config.h b/sesman/config.h index 87f489db..6bc10852 100644 --- a/sesman/config.h +++ b/sesman/config.h 
@@ -240,8 +240,16 @@ struct config_sesman */ struct config_sessions sess; - struct list* session_variables1; - struct list* session_variables2; + /** + * @var env_names + * @brief environment variable name list + */ + struct list* env_names; + /** + * @var env_values + * @brief environment variable value list + */ + struct list* env_values; }; /** diff --git a/sesman/session.c b/sesman/session.c index 92c6002c..1ce358b9 100644 --- a/sesman/session.c +++ b/sesman/session.c @@ -371,8 +371,8 @@ session_start_chansrv(char *username, int display) list_add_item(chansrv_params, 0); /* mandatory */ env_set_user(username, 0, display, - g_cfg->session_variables1, - g_cfg->session_variables2); + g_cfg->env_names, + g_cfg->env_values); /* executing chansrv */ g_execvp(exe_path, (char **) (chansrv_params->items)); @@ -513,8 +513,8 @@ session_start_fork(tbus data, tui8 type, struct SCP_CONNECTION *c, env_set_user(s->username, 0, display, - g_cfg->session_variables1, - g_cfg->session_variables2); + g_cfg->env_names, + g_cfg->env_values); if (x_server_running(display)) { auth_set_env(data); @@ -604,16 +604,16 @@ session_start_fork(tbus data, tui8 type, struct SCP_CONNECTION *c, env_set_user(s->username, &passwd_file, display, - g_cfg->session_variables1, - g_cfg->session_variables2); + g_cfg->env_names, + g_cfg->env_values); } else { env_set_user(s->username, 0, display, - g_cfg->session_variables1, - g_cfg->session_variables2); + g_cfg->env_names, + g_cfg->env_values); } @@ -857,8 +857,8 @@ session_reconnect_fork(int display, char *username) env_set_user(username, 0, display, - g_cfg->session_variables1, - g_cfg->session_variables2); + g_cfg->env_names, + g_cfg->env_values); g_snprintf(text, 255, "%s/%s", XRDP_CFG_PATH, "reconnectwm.sh"); if (g_file_exist(text)) From 5daa09171e1e6e65a1a3ab969775fdf8affffc37 Mon Sep 17 00:00:00 2001 
From: Koichiro IWAO Date: Tue, 9 Jan 2018 14:42:37 +0900 Subject: [PATCH 05/36] devredir: fix xinode leak Pointed out by: #919 --- sesman/chansrv/devredir.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c index 629b3cc9..4c6f67e3 100644 --- a/sesman/chansrv/devredir.c +++ b/sesman/chansrv/devredir.c @@ -986,6 +986,8 @@ dev_redir_proc_query_dir_response(IRP *irp, /* add this entry to xrdp file system */ fuse_data = devredir_fuse_data_peek(irp); xfuse_devredir_cb_enum_dir(fuse_data->data_ptr, xinode); + + g_free(xinode); } dev_redir_send_drive_dir_request(irp, DeviceId, 0, NULL); From b17c45d86fc2f22fcff8cb9adf31080738edd37a Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Sat, 13 Jan 2018 22:10:48 +0900 Subject: [PATCH 06/36] fix potential fd leak In most cases, checking fd > 0 is not valid. open(2) returns -1 on error, 0 on stdin, 1 on stdout, 2 on stderr, >2 . The border should be between -1 and 0. Additionally, between 2 and 3. Pointed out by: #919 --- libxrdp/xrdp_sec.c | 2 +- xrdp/xrdp_mm.c | 6 ++---- xrdp/xrdp_wm.c | 2 +- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c index 4de6c9ed..0436edf2 100644 --- a/libxrdp/xrdp_sec.c +++ b/libxrdp/xrdp_sec.c @@ -265,7 +265,7 @@ xrdp_load_keyboard_layout(struct xrdp_client_info *client_info) fd = g_file_open(keyboard_cfg_file); - if (fd > 0) + if (fd >= 0) { int section_found = -1; char section_rdp_layouts[256] = { 0 }; diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c index 4754ccaa..4c716d46 100644 --- a/xrdp/xrdp_mm.c +++ b/xrdp/xrdp_mm.c @@ -1310,7 +1310,7 @@ xrdp_mm_get_sesman_port(char *port, int port_bytes) g_snprintf(cfg_file, 255, "%s/sesman.ini", XRDP_CFG_PATH); fd = g_file_open(cfg_file); - if (fd > 0) + if (fd >= 0) { names = list_create(); names->auto_free = 1; 
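Review bot: The added `g_free(xinode)` directly after `xfuse_devredir_cb_enum_dir(fuse_data->data_ptr, xinode)` is only correct if the callee copies what it needs out of xinode rather than keeping the pointer; the hunk does not show the callee, so a one-line comment stating the ownership would help the next reader, e.g. `/* callee copies xinode; this function still owns and frees it */` (confirm against the callee). In the same lines `fuse_data` returned by `devredir_fuse_data_peek(irp)` is dereferenced without a check; if peek can return NULL for an empty queue that is a crash path. Only this branch frees xinode, so the paths where the branch is skipped should be checked for the same leak. dev_redir_proc_query_dir_response starts outside the hunk.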
@@ -1343,10 +1343,8 @@ xrdp_mm_get_sesman_port(char *port, int port_bytes) list_delete(names); list_delete(values); - } - - if (fd != -1) g_file_close(fd); + } return 0; } diff --git a/xrdp/xrdp_wm.c b/xrdp/xrdp_wm.c index 3d16fe63..8b26718d 100644 --- a/xrdp/xrdp_wm.c +++ b/xrdp/xrdp_wm.c @@ -405,7 +405,7 @@ xrdp_wm_load_static_colors_plus(struct xrdp_wm *self, char *autorun_name) g_snprintf(cfg_file, 255, "%s/xrdp.ini", XRDP_CFG_PATH); fd = g_file_open(cfg_file); - if (fd > 0) + if (fd >= 0) { names = list_create(); names->auto_free = 1; From a64cb81a36f0a0db762b6f89a52e6d3e73d786e6 Mon Sep 17 00:00:00 2001 From: Jay Sorg Date: Wed, 17 Jan 2018 11:37:10 -0800 Subject: [PATCH 07/36] xrdp: fix some leaks in xrdp_encoder.c --- xrdp/xrdp_encoder.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/xrdp/xrdp_encoder.c b/xrdp/xrdp_encoder.c index 4d80214e..fddc6e45 100644 --- a/xrdp/xrdp_encoder.c +++ b/xrdp/xrdp_encoder.c @@ -169,6 +169,16 @@ xrdp_encoder_delete(struct xrdp_encoder *self) /* todo delete specific encoder */ + if (self->process_enc == process_enc_jpg) + { + } + else if (self->process_enc == process_enc_rfx) + { +#ifdef XRDP_RFXCODEC + rfxcodec_encode_destroy(self->codec_handle); +#endif + } + /* destroy wait objects used for signalling */ g_delete_wait_obj(self->xrdp_encoder_event_to_proc); g_delete_wait_obj(self->xrdp_encoder_event_processed); @@ -208,6 +218,7 @@ xrdp_encoder_delete(struct xrdp_encoder *self) } fifo_delete(fifo); } + tc_mutex_delete(self->mutex); g_free(self); } From acd05f365f885e8a4aab23d23ba4ce48b6f31f71 Mon Sep 17 00:00:00 2001 From: Jay Sorg Date: Wed, 17 Jan 2018 11:45:36 -0800 Subject: [PATCH 08/36] xrdp: xrdp_encoder.c fix compile when XRDP_RFXCODEC is not defined --- xrdp/xrdp_encoder.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xrdp/xrdp_encoder.c b/xrdp/xrdp_encoder.c index fddc6e45..5b5fc8d7 100644 --- a/xrdp/xrdp_encoder.c +++ b/xrdp/xrdp_encoder.c 
@@ -172,12 +172,12 @@ xrdp_encoder_delete(struct xrdp_encoder *self) if (self->process_enc == process_enc_jpg) { } +#ifdef XRDP_RFXCODEC else if (self->process_enc == process_enc_rfx) { -#ifdef XRDP_RFXCODEC rfxcodec_encode_destroy(self->codec_handle); -#endif } +#endif /* destroy wait objects used for signalling */ g_delete_wait_obj(self->xrdp_encoder_event_to_proc); From f763cb37885b02c310aa906147669a29b99405dc Mon Sep 17 00:00:00 2001 From: Jay Sorg Date: Wed, 17 Jan 2018 11:09:09 -0800 Subject: [PATCH 09/36] fix for zombie processes sometimes appearing --- xrdp/xrdp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/xrdp/xrdp.c b/xrdp/xrdp.c index adf182b9..65bd40a0 100644 --- a/xrdp/xrdp.c +++ b/xrdp/xrdp.c @@ -123,7 +123,11 @@ xrdp_shutdown(int sig) void xrdp_child(int sig) { - g_waitchild(); + int safety; + + for (safety = 0; (g_waitchild() >= 0) && (safety <= 10); safety++) + { + } } /*****************************************************************************/ From e16029cbc251fd37ab1b601ea12e9e12efed4e60 Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Wed, 17 Jan 2018 16:13:22 +0900 Subject: [PATCH 10/36] fix leak of SCP_DISCONNECTED_SESSION Pointed out by: #919 --- sesman/libscp/libscp_v1c.c | 6 ++++++ sesman/libscp/libscp_v1c_mng.c | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/sesman/libscp/libscp_v1c.c b/sesman/libscp/libscp_v1c.c index 5401dda3..dfc3754d 100644 --- a/sesman/libscp/libscp_v1c.c +++ b/sesman/libscp/libscp_v1c.c @@ -177,6 +177,7 @@ scp_v1c_get_session_list(struct SCP_CONNECTION *c, int *scount, if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, 8)) { + g_free(ds); return SCP_CLIENT_STATE_NETWORK_ERR; } @@ -184,6 +185,7 @@ scp_v1c_get_session_list(struct SCP_CONNECTION *c, int *scount, if (version != 1) { + g_free(ds); return SCP_CLIENT_STATE_VERSION_ERR; } 
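Review bot: The reaping loop `for (safety = 0; (g_waitchild() >= 0) && (safety <= 10); safety++)` stops after eleven children with no comment explaining the bound, and if g_waitchild() returns 0 when children exist but none has exited (WNOHANG semantics) the loop always spins to the bound; g_waitchild is not shown in the hunk, so this needs confirming. If g_waitchild returns the reaped pid, `while (g_waitchild() > 0)` reaps every exited child and terminates on its own; otherwise keep the bound but document it, e.g. `/* SIGCHLD coalesces: reap every exited child, bounded for safety */`, and give the 10 a name. Children beyond the bound remain zombies until the next SIGCHLD arrives.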
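Review bot: `g_free(ds)` is now repeated on six early-return paths of scp_v1c_get_session_list, and the same pattern is added to scp_v1c_mng_get_session_list in the later hunks of this patch; a single cleanup exit is less likely to miss the next error branch someone adds. One way is to store the state code in a local and `goto fail;`, with `fail: g_free(ds); return state;` at the end, keeping the returned codes unchanged. It is also worth confirming that nothing else (the out-parameter or a caller-visible pointer) still refers to ds after it is freed; the hunks only show the local. The function body extends outside the hunk.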
@@ -191,6 +193,7 @@ scp_v1c_get_session_list(struct SCP_CONNECTION *c, int *scount, if (size < 12) { + g_free(ds); return SCP_CLIENT_STATE_SIZE_ERR; } @@ -198,6 +201,7 @@ scp_v1c_get_session_list(struct SCP_CONNECTION *c, int *scount, if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, size - 8)) { + g_free(ds); return SCP_CLIENT_STATE_NETWORK_ERR; } @@ -205,6 +209,7 @@ scp_v1c_get_session_list(struct SCP_CONNECTION *c, int *scount, if (cmd != SCP_COMMAND_SET_DEFAULT) { + g_free(ds); return SCP_CLIENT_STATE_SEQUENCE_ERR; } @@ -212,6 +217,7 @@ scp_v1c_get_session_list(struct SCP_CONNECTION *c, int *scount, if (cmd != 42) { + g_free(ds); return SCP_CLIENT_STATE_SEQUENCE_ERR; } diff --git a/sesman/libscp/libscp_v1c_mng.c b/sesman/libscp/libscp_v1c_mng.c index 2ceaa95e..f1eb7cf6 100644 --- a/sesman/libscp/libscp_v1c_mng.c +++ b/sesman/libscp/libscp_v1c_mng.c @@ -144,6 +144,7 @@ scp_v1c_mng_get_session_list(struct SCP_CONNECTION *c, int *scount, if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, 8)) { log_message(LOG_LEVEL_WARNING, "[v1c_mng:%d] connection aborted: network error", __LINE__); + g_free(ds); return SCP_CLIENT_STATE_NETWORK_ERR; } @@ -152,6 +153,7 @@ scp_v1c_mng_get_session_list(struct SCP_CONNECTION *c, int *scount, if (version != 1) { log_message(LOG_LEVEL_WARNING, "[v1c_mng:%d] connection aborted: version error", __LINE__); + g_free(ds); return SCP_CLIENT_STATE_VERSION_ERR; } @@ -160,6 +162,7 @@ scp_v1c_mng_get_session_list(struct SCP_CONNECTION *c, int *scount, if (size < 12) { log_message(LOG_LEVEL_WARNING, "[v1c_mng:%d] connection aborted: size error", __LINE__); + g_free(ds); return SCP_CLIENT_STATE_SIZE_ERR; } @@ -168,6 +171,7 @@ scp_v1c_mng_get_session_list(struct SCP_CONNECTION *c, int *scount, if (0 != scp_tcp_force_recv(c->in_sck, c->in_s->data, size - 8)) { log_message(LOG_LEVEL_WARNING, "[v1c_mng:%d] connection aborted: network error", __LINE__); + g_free(ds); return SCP_CLIENT_STATE_NETWORK_ERR; } 
@@ -176,6 +180,7 @@ scp_v1c_mng_get_session_list(struct SCP_CONNECTION *c, int *scount, if (cmd != SCP_COMMAND_SET_MANAGE) { log_message(LOG_LEVEL_WARNING, "[v1c_mng:%d] connection aborted: sequence error", __LINE__); + g_free(ds); return SCP_CLIENT_STATE_SEQUENCE_ERR; } @@ -184,6 +189,7 @@ scp_v1c_mng_get_session_list(struct SCP_CONNECTION *c, int *scount, if (cmd != SCP_CMD_MNG_LIST) /* session list */ { log_message(LOG_LEVEL_WARNING, "[v1c_mng:%d] connection aborted: sequence error", __LINE__); + g_free(ds); return SCP_CLIENT_STATE_SEQUENCE_ERR; } From 4cee6726f8645ce73582efa583048459819ff1cf Mon Sep 17 00:00:00 2001 From: Vraiment Date: Tue, 30 Jan 2018 01:00:24 -0800 Subject: [PATCH 11/36] Make changes to generate dylibs in mac again --- configure.ac | 4 ++++ mc/Makefile.am | 2 ++ vnc/Makefile.am | 2 ++ xup/Makefile.am | 2 ++ 4 files changed, 10 insertions(+) diff --git a/configure.ac b/configure.ac index cfa2c611..160fc651 100644 --- a/configure.ac +++ b/configure.ac @@ -40,12 +40,16 @@ case $host_os in *openbsd*) openbsd=yes ;; + *darwin*) + macos=yes + ;; esac AM_CONDITIONAL(LINUX, [test "x$linux" = xyes]) AM_CONDITIONAL(FREEBSD, [test "x$freebsd" = xyes]) AM_CONDITIONAL(OPENBSD, [test "x$openbsd" = xyes]) AM_CONDITIONAL(NETBSD, [test "x$netbsd" = xyes]) +AM_CONDITIONAL(MACOS, [test "x$macos" = xyes]) AC_ARG_WITH([socketdir], [AS_HELP_STRING([--with-socketdir=DIR], diff --git a/mc/Makefile.am b/mc/Makefile.am index 09d07068..130bdcfc 100644 --- a/mc/Makefile.am +++ b/mc/Makefile.am @@ -19,4 +19,6 @@ libmc_la_SOURCES = \ libmc_la_LIBADD = \ $(top_builddir)/common/libcommon.la +if !MACOS libmc_la_LDFLAGS = -avoid-version -module +endif diff --git a/vnc/Makefile.am b/vnc/Makefile.am index c4fcf3fc..92160771 100644 --- a/vnc/Makefile.am +++ b/vnc/Makefile.am @@ -19,4 +19,6 @@ libvnc_la_SOURCES = \ libvnc_la_LIBADD = \ $(top_builddir)/common/libcommon.la +if !MACOS libvnc_la_LDFLAGS = -avoid-version -module +endif 
diff --git a/xup/Makefile.am b/xup/Makefile.am index 0d6434c8..1a4fc35b 100644 --- a/xup/Makefile.am +++ b/xup/Makefile.am @@ -19,4 +19,6 @@ libxup_la_SOURCES = \ libxup_la_LIBADD = \ $(top_builddir)/common/libcommon.la +if !MACOS libxup_la_LDFLAGS = -avoid-version -module +endif From c50015122c58e9a23a058bec006c1552a3524882 Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Mon, 5 Feb 2018 17:38:20 +0900 Subject: [PATCH 12/36] FreeBSD: rework setsid code Pull request #650 is not valid to avoid run session twice. It certainly stops running session twice but causes #1016. In FreeBSD, sesman process will run like this. The intermediate sesman is needed to detect session termination correctly. xrdp-sesman (daemon) | +- xrdp-sesman (FreeBSD specific intermediate sesman) | +- xrdp-sesman (bsd sesion leader & each session) | +- Xorg +- startwm.sh +- xrdp-chansrv To stop runninng session twice correctly, just exit before the intermediate sesman executes Xorg, WM and chansrv. --- sesman/session.c | 40 +++++++++++++++++++++++++++++----------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/sesman/session.c b/sesman/session.c index 1ce358b9..0a80bd8a 100644 --- a/sesman/session.c +++ b/sesman/session.c 
@@ -484,22 +484,40 @@ session_start_fork(tbus data, tui8 type, struct SCP_CONNECTION *c, * $OpenBSD: session.c,v 1.252 2010/03/07 11:57:13 dtucker Exp $ * with some ideas about BSD process grouping to xrdp */ + pid_t bsdsespid = g_fork(); - /** - * Create a new session and process group since the 4.4BSD - * setlogin() affects the entire process group - */ - if (g_setsid() < 0) + if (bsdsespid == -1) { - log_message(LOG_LEVEL_ERROR, - "setsid failed - pid %d", g_getpid()); + } + else if (bsdsespid == 0) /* BSD session leader */ + { + /** + * Create a new session and process group since the 4.4BSD + * setlogin() affects the entire process group + */ + if (g_setsid() < 0) + { + log_message(LOG_LEVEL_ERROR, + "setsid failed - pid %d", g_getpid()); + } + + if (g_setlogin(s->username) < 0) + { + log_message(LOG_LEVEL_ERROR, + "setlogin failed for user %s - pid %d", s->username, + g_getpid()); + } } - if (g_setlogin(s->username) < 0) + g_waitpid(bsdsespid); + + if (bsdsespid > 0) { - log_message(LOG_LEVEL_ERROR, - "setlogin failed for user %s - pid %d", s->username, - g_getpid()); + g_exit(0); + /* + * intermediate sesman should exit here after WM exits. + * do not execure the following codes. + */ } #endif window_manager_pid = g_fork(); /* parent becomes X, From 09712d70adac90876ae05973759003352f297d27 Mon Sep 17 00:00:00 2001 From: Vraiment Date: Tue, 30 Jan 2018 01:42:42 -0800 Subject: [PATCH 13/36] Added PAM support for MacOS --- instfiles/Makefile.am | 4 ++++ instfiles/pam.d/Makefile.am | 1 + instfiles/pam.d/mkpamrules | 5 +++++ instfiles/pam.d/xrdp-sesman.macos | 12 ++++++++++++ 4 files changed, 22 insertions(+) create mode 100644 instfiles/pam.d/xrdp-sesman.macos diff --git a/instfiles/Makefile.am b/instfiles/Makefile.am index 1c1af39f..8d39af0c 100644 --- a/instfiles/Makefile.am +++ b/instfiles/Makefile.am 
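Review bot: The `if (bsdsespid == -1) { }` branch is empty, so when this fork fails the code falls through to `g_waitpid(-1)` (whose effect depends on the wrapper) and then continues to start the window manager without the setsid/setlogin the session leader was meant to perform, with no log line. At minimum log it and stop, e.g. `log_message(LOG_LEVEL_ERROR, "fork failed for BSD session leader - pid %d", g_getpid()); g_exit(1);`, confirming against the caller that exiting is the right action for the intermediate sesman. The child (bsdsespid == 0) also reaches `g_waitpid(bsdsespid)` with a zero argument, which is harmless if g_waitpid tolerates ECHILD but reads oddly; moving the wait inside the `bsdsespid > 0` block, above `g_exit(0)`, makes the flow explicit. The comment after `g_exit(0)` is unreachable text and has a typo (execure); place it before the call as `/* intermediate sesman exits here after the WM exits; nothing below runs */`. session_start_fork continues outside the hunk.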
@@ -78,6 +78,10 @@ SUBDIRS += \ pulse endif +if MACOS +SUBDIRS += pam.d +endif + # # install-data-hook for each platform # TODO: subst these directories as well as service files diff --git a/instfiles/pam.d/Makefile.am b/instfiles/pam.d/Makefile.am index 6cc6bddf..72031575 100644 --- a/instfiles/pam.d/Makefile.am +++ b/instfiles/pam.d/Makefile.am @@ -3,6 +3,7 @@ PAM_FILES = \ xrdp-sesman.redhat \ xrdp-sesman.suse \ xrdp-sesman.freebsd \ + xrdp-sesman.macos \ xrdp-sesman.unix EXTRA_DIST = $(PAM_FILES) mkpamrules diff --git a/instfiles/pam.d/mkpamrules b/instfiles/pam.d/mkpamrules index 88444205..2d268281 100755 --- a/instfiles/pam.d/mkpamrules +++ b/instfiles/pam.d/mkpamrules @@ -30,6 +30,11 @@ guess_rules () return fi + if test -s "$pamdir/authorization"; then + rules="macos" + return + fi + rules="unix" return } diff --git a/instfiles/pam.d/xrdp-sesman.macos b/instfiles/pam.d/xrdp-sesman.macos new file mode 100644 index 00000000..9eb7920e --- /dev/null +++ b/instfiles/pam.d/xrdp-sesman.macos @@ -0,0 +1,12 @@ +# xrdp-sesman: auth account password session +# based on Apple's sshd PAM configuration +auth optional pam_krb5.so use_kcminit +auth optional pam_ntlm.so try_first_pass +auth optional pam_mount.so try_first_pass +auth required pam_opendirectory.so try_first_pass +account required pam_nologin.so +account required pam_sacl.so sacl_service=ssh +account required pam_opendirectory.so +password required pam_opendirectory.so +session required pam_launchd.so +session optional pam_mount.so From 551bb185c55ab084b85677d0f23a8ed258328575 Mon Sep 17 00:00:00 2001 From: daixj Date: Mon, 29 Jan 2018 15:04:53 +0800 Subject: [PATCH 14/36] log: remove unused code and fix potential memory leak --- common/log.c | 11 ----------- 1 file changed, 11 deletions(-) mode change 100644 => 100755 common/log.c diff --git a/common/log.c b/common/log.c old mode 100644 new mode 100755 index ea2af316..0bf013e3 --- a/common/log.c +++ b/common/log.c 
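Review bot: In the new xrdp-sesman.macos, `account required pam_sacl.so sacl_service=ssh` appears to gate xrdp logins on the SSH (Remote Login) service access list rather than a list of its own, so changing who may use Remote Login changes who may log in through xrdp; this is copied from the sshd configuration the header cites and may well be intended, but it should be stated in the file. Add a comment above that line, e.g. `# access is governed by the Remote Login (ssh) SACL; a user must be allowed ssh to log in via xrdp`. The `auth optional` lines for pam_krb5, pam_ntlm and pam_mount mean only pam_opendirectory must succeed, which mirrors sshd but deserves a one-line comment too. In mkpamrules the macOS detection keys on `$pamdir/authorization` existing; a comment naming that file as the macOS marker would explain why it is checked before the generic unix fallback.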
@@ -270,7 +270,6 @@ internalReadConfiguration(const char *inFilename, const char *applicationName) { int fd; enum logReturns ret = LOG_GENERAL_ERROR; - struct list *sec; struct list *param_n; struct list *param_v; @@ -299,9 +298,6 @@ internalReadConfiguration(const char *inFilename, const char *applicationName) return ret; } - sec = list_create(); - sec->auto_free = 1; - file_read_sections(fd, sec); param_n = list_create(); param_n->auto_free = 1; param_v = list_create(); @@ -311,14 +307,7 @@ internalReadConfiguration(const char *inFilename, const char *applicationName) ret = internal_config_read_logging(fd, g_staticLogConfig, param_n, param_v, applicationName); - if (ret != LOG_STARTUP_OK) - { - g_file_close(fd); - return ret; - } - /* cleanup */ - list_delete(sec); list_delete(param_v); list_delete(param_n); g_file_close(fd); From ea6bb62410aef141f67225c3eac3b03cae285030 Mon Sep 17 00:00:00 2001 From: daixj Date: Mon, 29 Jan 2018 15:21:40 +0800 Subject: [PATCH 15/36] log: fix fd checking --- common/log.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/common/log.c b/common/log.c index 0bf013e3..50a44e9e 100755 --- a/common/log.c +++ b/common/log.c @@ -331,7 +331,7 @@ internal_config_read_logging(int file, struct log_config *lc, /* setting defaults */ lc->program_name = applicationName; lc->log_file = 0; - lc->fd = 0; + lc->fd = -1; lc->log_level = LOG_LEVEL_DEBUG; lc->enable_syslog = 0; lc->syslog_level = LOG_LEVEL_DEBUG; @@ -604,7 +604,7 @@ log_message(const enum logLevels lvl, const char *msg, ...) pthread_mutex_lock(&(g_staticLogConfig->log_lock)); #endif - if (g_staticLogConfig->fd > 0) + if (g_staticLogConfig->fd >= 0) { writereply = g_file_write(g_staticLogConfig->fd, buff, g_strlen(buff)); From 828079b442383395e7ce0d34632b70e81fa8a9dc Mon Sep 17 00:00:00 2001 From: daixj Date: Mon, 29 Jan 2018 15:27:24 +0800 Subject: [PATCH 16/36] libxrdp: fix memory leak --- libxrdp/libxrdp.c | 1 + 1 file changed, 1 insertion(+) 
diff --git a/libxrdp/libxrdp.c b/libxrdp/libxrdp.c index 41ff1472..99da37f8 100644 --- a/libxrdp/libxrdp.c +++ b/libxrdp/libxrdp.c @@ -847,6 +847,7 @@ libxrdp_set_pointer(struct xrdp_session *session, int cache_idx) LLOGLN(10, ("libxrdp_send_pointer: fastpath")); if (xrdp_rdp_init_fastpath((struct xrdp_rdp *)session->rdp, s) != 0) { + free_stream(s); return 1; } } From 31ef2552c4bfdff6d50864997cd59e999bf0d21b Mon Sep 17 00:00:00 2001 From: daixj Date: Mon, 29 Jan 2018 16:28:47 +0800 Subject: [PATCH 17/36] log: revert permission --- common/log.c | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 common/log.c diff --git a/common/log.c b/common/log.c old mode 100755 new mode 100644 From 9ed5243de9c8cb511a38b2ee09c3f8be76c40065 Mon Sep 17 00:00:00 2001 From: Vraiment Date: Thu, 8 Feb 2018 02:28:16 -0800 Subject: [PATCH 18/36] Make xrdp.ini to be dynamic for each operating system --- .gitignore | 1 + xrdp/Makefile.am | 17 +++++++++++++++++ xrdp/{xrdp.ini => xrdp.ini.in} | 14 +++++++------- 3 files changed, 25 insertions(+), 7 deletions(-) rename xrdp/{xrdp.ini => xrdp.ini.in} (95%) diff --git a/.gitignore b/.gitignore index a6c180ee..2ddb7ce1 100644 --- a/.gitignore +++ b/.gitignore @@ -41,3 +41,4 @@ sesman/xrdp-sesman *.so stamp-h1 xrdp/xrdp +xrdp/xrdp.ini diff --git a/xrdp/Makefile.am b/xrdp/Makefile.am index a259ef32..fe14d88d 100644 --- a/xrdp/Makefile.am +++ b/xrdp/Makefile.am @@ -67,6 +67,23 @@ xrdp_LDADD = \ xrdpsysconfdir=$(sysconfdir)/xrdp +if MACOS +lib_extension = dylib +else +lib_extension = so +endif + +SUBST_VARS = sed \ + -e 's|@lib_extension[@]|$(lib_extension)|g' + +subst_verbose = $(subst_verbose_@AM_V@) +subst_verbose_ = $(subst_verbose_@AM_DEFAULT_V@) +subst_verbose_0 = @echo " SUBST $@"; + +SUFFIXES = .in +.in: + $(subst_verbose)$(SUBST_VARS) $< > $@ + dist_xrdpsysconf_DATA = \ xrdp.ini \ xrdp_keyboard.ini 
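Review bot: The new `.in:` suffix rule generates xrdp.ini in the build tree, but the hunk adds no `CLEANFILES`, so `make clean` (and likely `make distcheck`) leaves the generated xrdp.ini behind; the same applies to sesman/Makefile.am in the following patch, which generates sesman.ini the same way. Add `CLEANFILES = xrdp.ini` next to the rule, and `EXTRA_DIST = xrdp.ini.in` if the template is not otherwise distributed. Keeping the generated file under `dist_xrdpsysconf_DATA` also means the tarball carries a copy built with the packager's lib_extension; `nodist_` would make each build regenerate it, if that is the intent. A one-line comment that the `[@]` in `@lib_extension[@]` exists so configure does not substitute the pattern itself would save the next reader a puzzle.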
diff --git a/xrdp/xrdp.ini b/xrdp/xrdp.ini.in similarity index 95% rename from xrdp/xrdp.ini rename to xrdp/xrdp.ini.in index e3ae2841..fb09bbd9 100644 --- a/xrdp/xrdp.ini +++ b/xrdp/xrdp.ini.in @@ -155,7 +155,7 @@ tcutils=true ; in sesman.ini. See and configure also sesman.ini. [Xorg] name=Xorg -lib=libxup.so +lib=libxup.@lib_extension@ username=ask password=ask ip=127.0.0.1 @@ -164,7 +164,7 @@ code=20 [X11rdp] name=X11rdp -lib=libxup.so +lib=libxup.@lib_extension@ username=ask password=ask ip=127.0.0.1 @@ -174,7 +174,7 @@ code=10 [Xvnc] name=Xvnc -lib=libvnc.so +lib=libvnc.@lib_extension@ username=ask password=ask ip=127.0.0.1 @@ -184,7 +184,7 @@ port=-1 [console] name=console -lib=libvnc.so +lib=libvnc.@lib_extension@ ip=127.0.0.1 port=5900 username=na @@ -193,7 +193,7 @@ password=ask [vnc-any] name=vnc-any -lib=libvnc.so +lib=libvnc.@lib_extension@ ip=ask port=ask5900 username=na @@ -205,7 +205,7 @@ password=ask [sesman-any] name=sesman-any -lib=libvnc.so +lib=libvnc.@lib_extension@ ip=ask port=-1 username=ask @@ -214,7 +214,7 @@ password=ask [neutrinordp-any] name=neutrinordp-any -lib=libxrdpneutrinordp.so +lib=libxrdpneutrinordp.@lib_extension@ ip=ask port=ask3389 username=ask From fd37805ac073170b88557aeec138e694a781d661 Mon Sep 17 00:00:00 2001 From: Vraiment Date: Thu, 8 Feb 2018 10:30:00 -0800 Subject: [PATCH 19/36] Make sesman.ini dynamic for the location of the configuration file --- .gitignore | 1 + sesman/Makefile.am | 11 +++++++++++ sesman/{sesman.ini => sesman.ini.in} | 2 +- 3 files changed, 13 insertions(+), 1 deletion(-) rename sesman/{sesman.ini => sesman.ini.in} (98%) diff --git a/.gitignore b/.gitignore index 2ddb7ce1..c3946d68 100644 --- a/.gitignore +++ b/.gitignore @@ -38,6 +38,7 @@ sesman/tools/xrdp-sesrun sesman/tools/xrdp-sestest sesman/tools/xrdp-xcon sesman/xrdp-sesman +sesman/sesman.ini *.so stamp-h1 xrdp/xrdp diff --git a/sesman/Makefile.am b/sesman/Makefile.am index 193a7cce..50425e63 100644 --- a/sesman/Makefile.am 
+++ b/sesman/Makefile.am @@ -75,6 +75,17 @@ xrdp_sesman_LDADD = \ sesmansysconfdir=$(sysconfdir)/xrdp +SUBST_VARS = sed \ + -e 's|@sesmansysconfdir[@]|$(sesmansysconfdir)|g' + +subst_verbose = $(subst_verbose_@AM_V@) +subst_verbose_ = $(subst_verbose_@AM_DEFAULT_V@) +subst_verbose_0 = @echo " SUBST $@"; + +SUFFIXES = .in +.in: + $(subst_verbose)$(SUBST_VARS) $< > $@ + dist_sesmansysconf_DATA = \ sesman.ini diff --git a/sesman/sesman.ini b/sesman/sesman.ini.in similarity index 98% rename from sesman/sesman.ini rename to sesman/sesman.ini.in index 01bc8fa3..fff7b888 100644 --- a/sesman/sesman.ini +++ b/sesman/sesman.ini.in @@ -99,4 +99,4 @@ param=96 FuseMountName=thinclient_drives [SessionVariables] -PULSE_SCRIPT=/etc/xrdp/pulse/default.pa +PULSE_SCRIPT=@sesmansysconfdir@/pulse/default.pa From 3da4d72323f3c0a598d3552c31fc3299324114ef Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Tue, 13 Feb 2018 13:34:57 +0900 Subject: [PATCH 20/36] common: quit using `!` as comment out symbol in config files It is not used anywhere in default config. Some config like `tls_ciphers` might contain `!` like this: tls_ciphers=FIPS:!aNULL:!eNULL Fixes #1033. --- common/file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/file.c b/common/file.c index 811e71fa..b796f5b0 100644 --- a/common/file.c +++ b/common/file.c @@ -138,7 +138,7 @@ file_read_ini_line(struct stream *s, char *text, int text_bytes) while (c != 10 && c != 13) { /* these mean skip the rest of the line */ - if (c == '#' || c == '!' || c == ';') + if (c == '#' || c == ';') { skip_to_end = 1; } From 793a418cfbaba13bdd08c7008c1a53b436e45f9e Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Tue, 13 Feb 2018 15:22:19 +0900 Subject: [PATCH 21/36] common: log what value is set to tls_ciphers Related to #1033. --- common/ssl_calls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/common/ssl_calls.c b/common/ssl_calls.c index 8eec7123..b5b9237a 100644 --- a/common/ssl_calls.c +++ b/common/ssl_calls.c 
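Review bot: Dropping `!` fixes the `tls_ciphers=FIPS:!aNULL:!eNULL` case, but the remaining `if (c == '#' || c == ';')` still runs for every character of the line (it sits inside `while (c != 10 && c != 13)` with no position check visible in the hunk), so a value containing `#` or `;` is still cut off at that character in the same way. If that is intentional, a comment on the `if` should say so, e.g. `/* '#' and ';' start a comment anywhere on the line, so values cannot contain them */`; if not, treating them as comment starters only at the first non-blank position is the usual ini behaviour. Either way the config documentation should list the characters a value may not contain. file_read_ini_line's body continues outside the hunk.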
@@ -595,6 +595,7 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols, if (g_strlen(tls_ciphers) > 1) { + log_message(LOG_LEVEL_TRACE, "ssl_tls_accept: tls_ciphers=%s", tls_ciphers); if (SSL_CTX_set_cipher_list(self->ctx, tls_ciphers) == 0) { g_writeln("ssl_tls_accept: invalid cipher options"); From 6cdc0f31b0be94b60fc35e8cfb6acc8d727f855b Mon Sep 17 00:00:00 2001 From: Enrico Tagliavini Date: Fri, 2 Feb 2018 17:40:13 +0100 Subject: [PATCH 22/36] enable automatic ECDH when possible (openssl 1.0.2) Openssl 1.1.0 and later are enabling ECDH automatically, but for older version it must be enabled explicitly or all Perfect Forward Secrecy ciphers will be silently ignored. See also [1]. This commit applies the same fix as found in CnetOS 7 httpd package to enable automatic ECDH as found in [2]. [1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters [2] https://git.centos.org/blob/rpms!httpd.git/c7/SOURCES!httpd-2.4.6-ssl-ecdh-auto.patch --- common/ssl_calls.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/ssl_calls.c b/common/ssl_calls.c index b5b9237a..bd2181c0 100644 --- a/common/ssl_calls.c +++ b/common/ssl_calls.c @@ -592,6 +592,9 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_options(self->ctx, options); +#if defined(SSL_CTX_set_ecdh_auto) + SSL_CTX_set_ecdh_auto(self->ctx, 1); +#endif if (g_strlen(tls_ciphers) > 1) { From 70b5adb3960a96db100a5a7812ea7404e1561d29 Mon Sep 17 00:00:00 2001 
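Review bot: The return value of `SSL_CTX_set_ecdh_auto(self->ctx, 1)` is ignored; on the 1.0.2 builds this commit targets, a failure would silently leave the ECDHE suites unavailable, which is the very symptom the commit message describes. A one-line check keeps it visible: `if (SSL_CTX_set_ecdh_auto(self->ctx, 1) != 1) { log_message(LOG_LEVEL_WARNING, "ssl_tls_accept: SSL_CTX_set_ecdh_auto failed"); }`. A comment on the `#if defined(SSL_CTX_set_ecdh_auto)` line noting that 1.1.0 and later define it as a no-op macro, so the guard is there for 1.0.1 and older, would also help. ssl_tls_accept continues outside the hunk.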
From: Enrico Tagliavini Date: Wed, 7 Feb 2018 13:44:06 +0100 Subject: [PATCH 23/36] add support for DHE ciphers via compiled in dhparam make it possible to use regular (non EC) EDH ciphers. To make this possible a Diffie-Hellman parameter must be passed to the openssl library. There are a few options possible as described in the manuals at [1] and [2]. Simplest approach is to generate a DH parameter using openssl dhparam -C and include the code into the application. The lenght used for this commit is 2236 bits long, which is the longest possible without risking backward incompatibilities with old systems as stated in [1]. Newer systems should use ECDH anyway, so it makes sense to keep this method as compatible with older system as possible. Paramters longer than 2048 should still be secure enough at the time of writing. [1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters [2] https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_tmp_dh_callback(3) --- common/ssl_calls.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/common/ssl_calls.c b/common/ssl_calls.c index bd2181c0..de447e46 100644 --- a/common/ssl_calls.c +++ b/common/ssl_calls.c @@ -32,6 +32,7 @@ #include #include #include +# include #include "os_calls.h" #include "arch.h" 
@@ -485,6 +486,60 @@ ssl_gen_key_xrdp1(int key_size_in_bits, const char *exp, int exp_len, return error; } +/*****************************************************************************/ +/** static DH parameter, can be used if no custom parameter is specified +see also + * https://wiki.openssl.org/index.php/Diffie-Hellman_parameters + * https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_tmp_dh_callback(3) +*/ +DH *get_dh2236() +{ + static unsigned char dhp_2236[] = { + 0x0A, 0x32, 0x29, 0xCA, 0x5A, 0x84, 0x4C, 0xD2, 0x66, 0x61, + 0x29, 0xAD, 0x46, 0xD7, 0xFB, 0x3A, 0x1E, 0x92, 0x8D, 0x3F, + 0xC8, 0x16, 0x41, 0x83, 0x0C, 0xA1, 0x96, 0x29, 0xD9, 0x0B, + 0x28, 0x3F, 0x9A, 0x1F, 0xDA, 0x81, 0x9F, 0xD2, 0x3E, 0xE4, + 0xFA, 0x94, 0xDF, 0x35, 0x7F, 0x7F, 0xBB, 0x23, 0xA4, 0xB2, + 0x66, 0x50, 0x64, 0x3E, 0xCD, 0x50, 0xAE, 0xEC, 0x51, 0xE1, + 0x12, 0x41, 0xB7, 0xC4, 0xF9, 0x79, 0xC7, 0x3D, 0x80, 0x16, + 0xE2, 0xA8, 0x4B, 0xCA, 0x0B, 0x2A, 0xA3, 0xC1, 0x93, 0xCD, + 0x15, 0x2C, 0xE3, 0x81, 0x92, 0x0A, 0x4C, 0x59, 0x88, 0x07, + 0xC3, 0x18, 0xCC, 0x9B, 0xCE, 0x74, 0x7A, 0x80, 0x3A, 0x85, + 0x6E, 0xF3, 0x81, 0x2B, 0xD3, 0x84, 0x6C, 0xBC, 0xB6, 0xE2, + 0x51, 0xCD, 0x20, 0x4B, 0x3C, 0x45, 0x03, 0xDB, 0xA9, 0xB4, + 0xFB, 0x95, 0x54, 0x16, 0x46, 0xA7, 0x7F, 0x03, 0xFC, 0xBB, + 0xA1, 0xF7, 0x71, 0x10, 0xCB, 0x58, 0x21, 0x5C, 0xF4, 0x89, + 0x52, 0x91, 0xAC, 0x69, 0x84, 0xA0, 0x6D, 0x88, 0xC8, 0x05, + 0x2B, 0x23, 0x0B, 0x88, 0xB2, 0xE7, 0xE8, 0x28, 0x7E, 0x0D, + 0x01, 0xBF, 0xBF, 0xCD, 0xC8, 0xD7, 0xE8, 0x2C, 0x6C, 0xE3, + 0x58, 0xFD, 0x37, 0x9D, 0x31, 0x98, 0xAC, 0xC3, 0x49, 0x8E, + 0x0B, 0x66, 0x86, 0xE7, 0xD2, 0xE5, 0xD6, 0x1D, 0x95, 0x1F, + 0xD2, 0x84, 0xE5, 0x68, 0x76, 0x5C, 0x40, 0xB9, 0xF1, 0x58, + 0xD2, 0x33, 0x2D, 0x92, 0x1F, 0xA1, 0x8A, 0xD1, 0xE6, 0x35, + 0xC2, 0xBF, 0xBF, 0xD8, 0x63, 0xB5, 0x8E, 0x3D, 0x50, 0xD2, + 0x80, 0x67, 0x5B, 0x04, 0x4F, 0x33, 0x20, 0xAF, 0xA1, 0xE9, + 0xB5, 0xA6, 0x7A, 0x17, 0x8E, 0xC2, 0x3D, 0xFF, 0xB6, 0x81, + 0x2A, 0xA8, 0x13, 0x32, 0x78, 
0x8B, 0x38, 0x09, 0x8F, 0x54, + 0x5D, 0x6F, 0x3E, 0x84, 0x93, 0x49, 0x96, 0x26, 0x4E, 0x68, + 0x82, 0x42, 0x40, 0xD9, 0x30, 0xA3, 0x90, 0x6B, 0x99, 0x1B, + 0x11, 0x3A, 0x36, 0xE9, 0xD8, 0x52, 0x8A, 0x85, 0xDD, 0xB3 + }; + static unsigned char dhg_2236[] = { + 0x02 + }; + DH *dh = DH_new(); + + if (dh == NULL) + return NULL; + dh->p=BN_bin2bn(dhp_2236,sizeof(dhp_2236),NULL); + dh->g=BN_bin2bn(dhg_2236,sizeof(dhg_2236),NULL); + if (dh->p == NULL || dh->g == NULL) { + DH_free(dh); + return NULL; + } + return dh; +} + /*****************************************************************************/ struct ssl_tls * ssl_tls_create(struct trans *trans, const char *key, const char *cert) @@ -592,6 +647,12 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_options(self->ctx, options); + DH *dh = get_dh2236 (); + if (SSL_CTX_set_tmp_dh(self->ctx, dh) != 1) { + g_writeln("SSL_CTX_set_tmp_dh failed"); + return 1; + } + DH_free (dh); #if defined(SSL_CTX_set_ecdh_auto) SSL_CTX_set_ecdh_auto(self->ctx, 1); #endif From 578d23477cfcd6e617fbb578af1a7d80f25f37fa Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Thu, 1 Mar 2018 10:45:01 +0900 Subject: [PATCH 24/36] common: obey coding style, remove trailing space --- common/ssl_calls.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/common/ssl_calls.c b/common/ssl_calls.c index de447e46..afee96d3 100644 --- a/common/ssl_calls.c +++ b/common/ssl_calls.c @@ -32,7 +32,7 @@ #include #include #include -# include +#include #include "os_calls.h" #include "arch.h" 
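Review bot: `get_dh2236()` assigns `dh->p` and `dh->g` directly, which compiles only while `DH` is a public struct; with OpenSSL 1.1.0 it is opaque, and the file appears to already keep a version-guarded compatibility section for the `RSA` accessors (the `OPENSSL_VERSION_NUMBER >= 0x10100000L` block visible in patch 30's hunk), so the assignment belongs in `DH_set0_pqg()` with a shim there for older releases. The ownership rule that comes with it matters: `DH_set0_pqg()` takes over `p` and `g` only when it returns 1, so on its failure path this function must still free both `BIGNUM`s. The function is also external and declared with `()`; `static DH *get_dh2236(void)` keeps it file-local and gives it a real prototype. The function starts and ends inside this hunk.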
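Review bot: `get_dh2236()` returns NULL when `DH_new()` or `BN_bin2bn()` fails, yet the new block hands `dh` to `SSL_CTX_set_tmp_dh()` unchecked, and on the `!= 1` path it returns without `DH_free(dh)`, so the parameters leak on every failed accept. One guard closes both: `if (dh == NULL || SSL_CTX_set_tmp_dh(self->ctx, dh) != 1) { g_writeln("SSL_CTX_set_tmp_dh failed"); DH_free(dh); return 1; }` — `DH_free(NULL)` is a no-op, so the combined form is safe. ssl_tls_accept starts and ends outside the hunk.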
@@ -488,13 +488,13 @@ ssl_gen_key_xrdp1(int key_size_in_bits, const char *exp, int exp_len, /*****************************************************************************/ /** static DH parameter, can be used if no custom parameter is specified -see also +see also * https://wiki.openssl.org/index.php/Diffie-Hellman_parameters * https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_tmp_dh_callback(3) */ DH *get_dh2236() { - static unsigned char dhp_2236[] = { + static unsigned char dh2236_p[] = { 0x0A, 0x32, 0x29, 0xCA, 0x5A, 0x84, 0x4C, 0xD2, 0x66, 0x61, 0x29, 0xAD, 0x46, 0xD7, 0xFB, 0x3A, 0x1E, 0x92, 0x8D, 0x3F, 0xC8, 0x16, 0x41, 0x83, 0x0C, 0xA1, 0x96, 0x29, 0xD9, 0x0B, @@ -524,16 +524,19 @@ DH *get_dh2236() 0x82, 0x42, 0x40, 0xD9, 0x30, 0xA3, 0x90, 0x6B, 0x99, 0x1B, 0x11, 0x3A, 0x36, 0xE9, 0xD8, 0x52, 0x8A, 0x85, 0xDD, 0xB3 }; - static unsigned char dhg_2236[] = { - 0x02 + static unsigned char dh2236_g[] = { + 0x02, }; DH *dh = DH_new(); if (dh == NULL) + { return NULL; - dh->p=BN_bin2bn(dhp_2236,sizeof(dhp_2236),NULL); - dh->g=BN_bin2bn(dhg_2236,sizeof(dhg_2236),NULL); - if (dh->p == NULL || dh->g == NULL) { + } + dh->p = BN_bin2bn(dh2236_p, sizeof(dh2236_p), NULL); + dh->g = BN_bin2bn(dh2236_g, sizeof(dh2236_g), NULL); + if ((dh->p == NULL) || (dh->g == NULL)) + { DH_free(dh); return NULL; } @@ -647,12 +650,13 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_options(self->ctx, options); - DH *dh = get_dh2236 (); - if (SSL_CTX_set_tmp_dh(self->ctx, dh) != 1) { + DH *dh = get_dh2236(); + if (SSL_CTX_set_tmp_dh(self->ctx, dh) != 1) + { g_writeln("SSL_CTX_set_tmp_dh failed"); return 1; } - DH_free (dh); + DH_free(dh); #if defined(SSL_CTX_set_ecdh_auto) SSL_CTX_set_ecdh_auto(self->ctx, 1); #endif From 1690950cc89220366a4dea0495a6948b2f248c33 Mon Sep 17 00:00:00 2001 
From: Koichiro IWAO Date: Thu, 1 Mar 2018 13:48:22 +0900 Subject: [PATCH 25/36] common: regenerate dhparam Generated by: openssl dhparam -C 2236 --- common/ssl_calls.c | 52 +++++++++++++++++++++------------------------- 1 file changed, 24 insertions(+), 28 deletions(-) diff --git a/common/ssl_calls.c b/common/ssl_calls.c index afee96d3..ccc0e70c 100644 --- a/common/ssl_calls.c +++ b/common/ssl_calls.c 
@@ -495,34 +495,30 @@ see also DH *get_dh2236() { static unsigned char dh2236_p[] = { - 0x0A, 0x32, 0x29, 0xCA, 0x5A, 0x84, 0x4C, 0xD2, 0x66, 0x61, - 0x29, 0xAD, 0x46, 0xD7, 0xFB, 0x3A, 0x1E, 0x92, 0x8D, 0x3F, - 0xC8, 0x16, 0x41, 0x83, 0x0C, 0xA1, 0x96, 0x29, 0xD9, 0x0B, - 0x28, 0x3F, 0x9A, 0x1F, 0xDA, 0x81, 0x9F, 0xD2, 0x3E, 0xE4, - 0xFA, 0x94, 0xDF, 0x35, 0x7F, 0x7F, 0xBB, 0x23, 0xA4, 0xB2, - 0x66, 0x50, 0x64, 0x3E, 0xCD, 0x50, 0xAE, 0xEC, 0x51, 0xE1, - 0x12, 0x41, 0xB7, 0xC4, 0xF9, 0x79, 0xC7, 0x3D, 0x80, 0x16, - 0xE2, 0xA8, 0x4B, 0xCA, 0x0B, 0x2A, 0xA3, 0xC1, 0x93, 0xCD, - 0x15, 0x2C, 0xE3, 0x81, 0x92, 0x0A, 0x4C, 0x59, 0x88, 0x07, - 0xC3, 0x18, 0xCC, 0x9B, 0xCE, 0x74, 0x7A, 0x80, 0x3A, 0x85, - 0x6E, 0xF3, 0x81, 0x2B, 0xD3, 0x84, 0x6C, 0xBC, 0xB6, 0xE2, - 0x51, 0xCD, 0x20, 0x4B, 0x3C, 0x45, 0x03, 0xDB, 0xA9, 0xB4, - 0xFB, 0x95, 0x54, 0x16, 0x46, 0xA7, 0x7F, 0x03, 0xFC, 0xBB, - 0xA1, 0xF7, 0x71, 0x10, 0xCB, 0x58, 0x21, 0x5C, 0xF4, 0x89, - 0x52, 0x91, 0xAC, 0x69, 0x84, 0xA0, 0x6D, 0x88, 0xC8, 0x05, - 0x2B, 0x23, 0x0B, 0x88, 0xB2, 0xE7, 0xE8, 0x28, 0x7E, 0x0D, - 0x01, 0xBF, 0xBF, 0xCD, 0xC8, 0xD7, 0xE8, 0x2C, 0x6C, 0xE3, - 0x58, 0xFD, 0x37, 0x9D, 0x31, 0x98, 0xAC, 0xC3, 0x49, 0x8E, - 0x0B, 0x66, 0x86, 0xE7, 0xD2, 0xE5, 0xD6, 0x1D, 0x95, 0x1F, - 0xD2, 0x84, 0xE5, 0x68, 0x76, 0x5C, 0x40, 0xB9, 0xF1, 0x58, - 0xD2, 0x33, 0x2D, 0x92, 0x1F, 0xA1, 0x8A, 0xD1, 0xE6, 0x35, - 0xC2, 0xBF, 0xBF, 0xD8, 0x63, 0xB5, 0x8E, 0x3D, 0x50, 0xD2, - 0x80, 0x67, 0x5B, 0x04, 0x4F, 0x33, 0x20, 0xAF, 0xA1, 0xE9, - 0xB5, 0xA6, 0x7A, 0x17, 0x8E, 0xC2, 0x3D, 0xFF, 0xB6, 0x81, - 0x2A, 0xA8, 0x13, 0x32, 0x78, 0x8B, 0x38, 0x09, 0x8F, 0x54, - 0x5D, 0x6F, 0x3E, 0x84, 0x93, 0x49, 0x96, 0x26, 0x4E, 0x68, - 0x82, 0x42, 0x40, 0xD9, 0x30, 0xA3, 0x90, 0x6B, 0x99, 0x1B, - 0x11, 0x3A, 0x36, 0xE9, 0xD8, 0x52, 0x8A, 0x85, 0xDD, 0xB3 + 0x0E, 0xF8, 0x69, 0x0B, 0x35, 0x2F, 0x62, 0x59, 0xF7, 0xAF, 0x4E, 0x19, + 0xB5, 0x9B, 0xD2, 0xEB, 0x33, 0x78, 0x1D, 0x43, 0x1D, 0xB6, 0xE4, 0xA3, + 0x63, 0x47, 0x6A, 0xD4, 
0xA8, 0x28, 0x11, 0x8C, 0x3F, 0xC8, 0xF1, 0x32, + 0x2B, 0x5D, 0x9F, 0xF8, 0xA6, 0xCA, 0x21, 0x71, 0xDE, 0x30, 0xD7, 0xB5, + 0xD6, 0xA4, 0xC2, 0xEE, 0xC0, 0x49, 0x30, 0xE7, 0x8C, 0x9B, 0x1A, 0x5A, + 0x08, 0x2A, 0x11, 0x84, 0xE2, 0xC8, 0x36, 0x6C, 0xDC, 0x06, 0x79, 0x59, + 0x51, 0xA4, 0xA0, 0x8F, 0xE1, 0x20, 0x94, 0x80, 0xAC, 0x6D, 0xFD, 0x3B, + 0xA6, 0xA6, 0x70, 0x51, 0x93, 0x59, 0x28, 0x51, 0x54, 0xA3, 0xC5, 0x15, + 0x44, 0x2C, 0x12, 0xE7, 0x95, 0x62, 0x0E, 0x65, 0x2F, 0x8C, 0x0D, 0xF8, + 0x63, 0x52, 0x00, 0x2A, 0xA5, 0xD7, 0x59, 0xEF, 0x13, 0x18, 0x33, 0x25, + 0xBC, 0xAD, 0xC8, 0x0A, 0x72, 0x8D, 0x26, 0x63, 0xD5, 0xB3, 0xBC, 0x43, + 0x35, 0x0B, 0x5D, 0xC7, 0xCA, 0x45, 0x17, 0x06, 0x24, 0x71, 0xCA, 0x20, + 0x73, 0xE8, 0x18, 0xD3, 0x8E, 0xE9, 0xE9, 0x8F, 0x67, 0xC0, 0x2C, 0x14, + 0x7E, 0x41, 0x18, 0x6C, 0x74, 0x72, 0x56, 0x34, 0xC0, 0xDB, 0xDD, 0x85, + 0x8B, 0xE0, 0x99, 0xE8, 0x5E, 0xC8, 0xF7, 0xD1, 0x0C, 0xF8, 0x83, 0x34, + 0x37, 0x9E, 0x01, 0xDF, 0x1C, 0xD9, 0xE9, 0x95, 0xC1, 0x4C, 0x64, 0x37, + 0x9B, 0xF5, 0x8F, 0x99, 0x97, 0x55, 0x68, 0x2E, 0x23, 0xB0, 0x35, 0xF3, + 0xA5, 0x97, 0x92, 0xA0, 0x6D, 0xB4, 0xF8, 0xD8, 0x47, 0xCE, 0x3F, 0x0B, + 0x36, 0x0E, 0xEB, 0x13, 0x15, 0xFD, 0x4F, 0x98, 0x4F, 0x14, 0x26, 0xE2, + 0xAC, 0xD9, 0x42, 0xC6, 0x43, 0x8A, 0x95, 0x6B, 0x2B, 0x44, 0x38, 0x7F, + 0x60, 0x97, 0x77, 0xD8, 0x7C, 0x6F, 0x5D, 0x62, 0x7C, 0xE1, 0xC8, 0x83, + 0x12, 0x8B, 0x5E, 0x5E, 0xC7, 0x5E, 0xD5, 0x60, 0xF3, 0x2F, 0xFC, 0xFE, + 0x70, 0xAC, 0x58, 0x3A, 0x3C, 0x18, 0x15, 0x54, 0x84, 0xA8, 0xAA, 0x41, + 0x26, 0x7B, 0xE0, 0xA3, }; static unsigned char dh2236_g[] = { 0x02, From 3d9e7db849fa2cc30053e896316e5f61e85d87e5 Mon Sep 17 00:00:00 2001 From: fbourqui Date: Mon, 5 Mar 2018 12:11:31 +0100 Subject: [PATCH 26/36] Update xrdp_keyboard.ini Add the missing Swiss French rdp_layout_ definitions, ch(fr) in X11 --- xrdp/xrdp_keyboard.ini | 3 +++ 1 file changed, 3 insertions(+) diff --git a/xrdp/xrdp_keyboard.ini b/xrdp/xrdp_keyboard.ini index 07f0a1b0..dcc57b7a 100644 
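Review bot: The new `dh2236_p` bytes carry no record in the source of how they were produced — the command is only in the commit message — so a later reader cannot tell a freshly generated safe-prime group from a typo-corrupted one. Put the provenance in the comment block above the function, e.g. `/* generated with: openssl dhparam -C 2236 */`, and consider a one-time `DH_check()` (in a unit test or at startup) so a corrupted constant is detected rather than silently weakening the DHE suites. `get_dh2236()` starts inside the hunk but its body continues past the end of it.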
--- a/xrdp/xrdp_keyboard.ini
+++ b/xrdp/xrdp_keyboard.ini
@@ -74,6 +74,7 @@ rdp_layout_br=0x00000416
 rdp_layout_ru=0x00000419
 rdp_layout_se=0x0000041D
 rdp_layout_ch=0x00000807
+rdp_layout_ch_fr=0x0000100c
 rdp_layout_gb=0x00000809
 rdp_layout_be=0x00000813
 rdp_layout_pt=0x00000816
@@ -94,6 +95,7 @@ rdp_layout_br=br(abnt2)
 rdp_layout_ru=ru
 rdp_layout_se=se
 rdp_layout_ch=ch
+rdp_layout_ch_fr=ch(fr)
 rdp_layout_gb=gb
 rdp_layout_be=be
 rdp_layout_pt=pt
@@ -128,6 +130,7 @@ rdp_layout_br=br(abnt2)
 rdp_layout_ru=ru
 rdp_layout_se=se
 rdp_layout_ch=ch
+rdp_layout_ch_fr=ch(fr)
 rdp_layout_gb=gb
 rdp_layout_be=be
 rdp_layout_pt=pt
From 97c21bc97274096cd7cf50cf3f253f946a404259 Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Thu, 1 Mar 2018 17:40:48 +0900 Subject: [PATCH 27/36] sesman: default startwm.sh should use bash as it sources bash_profile. And add comments. Closes #1009.
---
 sesman/startwm.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sesman/startwm.sh b/sesman/startwm.sh
index 452917a4..ad060106 100755
--- a/sesman/startwm.sh
+++ b/sesman/startwm.sh
@@ -1,4 +1,11 @@
-#!/bin/sh
+#!/usr/bin/env bash
+#
+# This script is an example. You might need to edit this script
+# depending on your distro if it doesn't work for you.
+#
+# Uncomment the following line for debug:
+# exec xterm
+
 # Execution sequence for interactive login shell - pseudocode
 #
From e3d0fd6d468fbbdd0265e09bec118d450d553512 Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Sat, 3 Mar 2018 12:17:27 +0900 Subject: [PATCH 28/36] common: temporarily disable DHE until make it possible to use generated DH parameters per installation.
---
 common/ssl_calls.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index ccc0e70c..9347e411 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
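Review bot: The new comment block in startwm.sh does not say why the interpreter changed from `sh` to bash, which is the one thing a packager editing this file needs to know; the reason is only in the commit message (the script sources the user's bash profile). Add it to the header, e.g. `# bash is required: this script sources the user's bash profile.`. With `#!/usr/bin/env bash` the interpreter is resolved through whatever `PATH` the session-start code has set up (not visible here), so if a fixed `#!/bin/bash` was rejected for portability, a second comment line saying so would save the next reader the same question.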
@@ -492,6 +492,7 @@ see also
 * https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
 * https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_tmp_dh_callback(3)
 */
+#if 0 /* temprarily disable DHE until make DH parameters not static */
 DH *get_dh2236()
 {
 static unsigned char dh2236_p[] = {
@@ -538,6 +539,7 @@ DH *get_dh2236()
 }
 return dh;
 }
+#endif
 /*****************************************************************************/
 struct ssl_tls *
@@ -646,6 +648,7 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
 SSL_MODE_ENABLE_PARTIAL_WRITE);
 SSL_CTX_set_options(self->ctx, options);
+#if 0 /* temprarily disable DHE until make DH parameters not static */
 DH *dh = get_dh2236();
 if (SSL_CTX_set_tmp_dh(self->ctx, dh) != 1)
 {
@@ -653,6 +656,7 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
 return 1;
 }
 DH_free(dh);
+#endif
 #if defined(SSL_CTX_set_ecdh_auto)
 SSL_CTX_set_ecdh_auto(self->ctx, 1);
 #endif
From 8effc09ab75bf3c353cbc44746d29bdc916b863f Mon Sep 17 00:00:00 2001 From: speidy Date: Sat, 17 Mar 2018 09:38:32 +0200 Subject: [PATCH 29/36] common: ssl_calls: check if SSL object created right after its creation.
---
 common/ssl_calls.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index 9347e411..5ea15c74 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@@ -643,6 +643,12 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
 options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 self->ctx = SSL_CTX_new(SSLv23_server_method());
+ if (self->ctx == NULL)
+ {
+ log_message(LOG_LEVEL_ERROR, "ssl_tls_accept: SSL_CTX_new failed");
+ return 1;
+ }
+
 /* set context options */
 SSL_CTX_set_mode(self->ctx,
 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
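Review bot: Both `#if 0` comments misspell `temprarily`, and a bare `#if 0` in the middle of `ssl_tls_accept` (third hunk of this patch) leaves a dead `DH *dh` declaration between live statements with nothing greppable to say when it is meant to come back. At minimum fix the spelling and state the condition at both places (first and third hunk): `#if 0 /* temporarily disabled: DHE needs per-installation DH parameters, not a static group */`. Since the `SSL_CTX_set_ecdh_auto()` call stays active, forward secrecy now depends entirely on ECDHE being available, which per patch 22 requires OpenSSL 1.0.2 or newer — a line recording that trade-off in the comment would help. The affected functions start and end outside these hunks.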
@@ -663,7 +669,8 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
 if (g_strlen(tls_ciphers) > 1)
 {
- log_message(LOG_LEVEL_TRACE, "ssl_tls_accept: tls_ciphers=%s", tls_ciphers);
+ log_message(LOG_LEVEL_TRACE, "ssl_tls_accept: tls_ciphers=%s", \
+ tls_ciphers);
 if (SSL_CTX_set_cipher_list(self->ctx, tls_ciphers) == 0)
 {
 g_writeln("ssl_tls_accept: invalid cipher options");
@@ -673,12 +680,6 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
 SSL_CTX_set_read_ahead(self->ctx, 1);
- if (self->ctx == NULL)
- {
- g_writeln("ssl_tls_accept: SSL_CTX_new failed");
- return 1;
- }
-
 if (SSL_CTX_use_RSAPrivateKey_file(self->ctx, self->key,
 SSL_FILETYPE_PEM) <= 0)
 {
From a432969746d6c651cc1f9758419a2c35477551f0 Mon Sep 17 00:00:00 2001 From: speidy Date: Sat, 17 Mar 2018 09:34:48 +0200 Subject: [PATCH 30/36] common: ssl_calls: add support for OpenSSL>=1.1.0 API for DH keys also fixes some memory leak introduced in PR#1024. and adds a check that DH params generated successfully. write a proper log message if not.
---
 common/ssl_calls.c | 83 ++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 69 insertions(+), 14 deletions(-)
diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index 5ea15c74..f659a196 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@@ -65,6 +65,42 @@ RSA_get0_key(const RSA *key, const BIGNUM **n, const BIGNUM **e,
 *n = key->n;
 *d = key->d;
 }
+
+static inline int
+DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ {
+ return 0;
+ }
+
+ if (p != NULL)
+ {
+ BN_free(dh->p);
+ dh->p = p;
+ }
+ if (q != NULL)
+ {
+ BN_free(dh->q);
+ dh->q = q;
+ }
+ if (g != NULL)
+ {
+ BN_free(dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL)
+ {
+ dh->length = BN_num_bits(q);
+ }
+
+ return 1;
+}
 #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
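Review bot: The `\` ending the new `log_message(LOG_LEVEL_TRACE, ...` line is a preprocessor line continuation; outside a macro it only splices the two physical lines back into one before compilation, so it adds nothing and reads as if something were being escaped. Drop it — a C argument list may continue on the next line as is: `log_message(LOG_LEVEL_TRACE, "ssl_tls_accept: tls_ciphers=%s",` followed by `tls_ciphers);`. ssl_tls_accept starts and ends outside the hunk.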
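Review bot: The `DH_set0_pqg()` shim's ownership contract is not written down: when it returns 1, `dh` owns `p`, `q` and `g` and releases them in `DH_free()`; when it returns 0 the caller still owns them, which is exactly what the caller added in this same commit relies on when it frees `p` and `g` after a failed call. State it above the function so the next caller neither leaks nor double frees: `/* On success (1) dh takes ownership of p, q and g; on failure (0) the caller keeps them. */`. The `#endif` trailer that closes the block reads `>= 0x10100000L`, while a shim that reaches into `dh->p` can only compile on releases before 1.1.0; the matching `#if` is outside the hunk, so check that the trailer comment is not inverted.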
@@ -492,8 +528,7 @@ see also
 * https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
 * https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_tmp_dh_callback(3)
 */
-#if 0 /* temprarily disable DHE until make DH parameters not static */
-DH *get_dh2236()
+static DH *ssl_get_dh2236()
 {
 static unsigned char dh2236_p[] = {
 0x0E, 0xF8, 0x69, 0x0B, 0x35, 0x2F, 0x62, 0x59, 0xF7, 0xAF, 0x4E, 0x19,
@@ -524,22 +559,34 @@ DH *get_dh2236()
 static unsigned char dh2236_g[] = {
 0x02,
 };
- DH *dh = DH_new();
+ DH *dh = DH_new();
 if (dh == NULL)
 {
 return NULL;
 }
- dh->p = BN_bin2bn(dh2236_p, sizeof(dh2236_p), NULL);
- dh->g = BN_bin2bn(dh2236_g, sizeof(dh2236_g), NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
+
+ BIGNUM *p = BN_bin2bn(dh2236_p, sizeof(dh2236_p), NULL);
+ BIGNUM *g = BN_bin2bn(dh2236_g, sizeof(dh2236_g), NULL);
+ if (p == NULL || g == NULL)
 {
+ BN_free(p);
+ BN_free(g);
 DH_free(dh);
 return NULL;
 }
+
+ // p, g are freed later by DH_free()
+ if (0 == DH_set0_pqg(dh, p, NULL, g))
+ {
+ BN_free(p);
+ BN_free(g);
+ DH_free(dh);
+ return NULL;
+ }
+
 return dh;
 }
-#endif
 /*****************************************************************************/
 struct ssl_tls *
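Review bot: `static DH *ssl_get_dh2236()` declares the function with an empty parameter list, which in C means "unspecified arguments" rather than "none", so a call with stray arguments would not be rejected; write `static DH *ssl_get_dh2236(void)`. Making it `static` with the file prefix is the right call, but the doc comment above it still says the group "can be used if no custom parameter is specified" while the accept path in this commit calls it unconditionally; either note that it is currently the only source of DH parameters or drop the conditional wording. The function body continues past the end of the hunk.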
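Review bot: `// p, g are freed later by DH_free()` is the only `//` comment in these hunks (everything else uses `/* */`), and it states the outcome before the call that makes it true; `/* on success dh owns p and g and DH_free() releases them */` placed after the `DH_set0_pqg()` check says the same thing where it applies. The error handling itself is right: on the `0 == DH_set0_pqg()` path the function still owns both `BIGNUM`s and frees them before `DH_free(dh)`. ssl_get_dh2236 starts outside this hunk.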
@@ -654,22 +701,30 @@ ssl_tls_accept(struct ssl_tls *self, long ssl_protocols,
 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
 SSL_MODE_ENABLE_PARTIAL_WRITE);
 SSL_CTX_set_options(self->ctx, options);
-#if 0 /* temprarily disable DHE until make DH parameters not static */
- DH *dh = get_dh2236();
- if (SSL_CTX_set_tmp_dh(self->ctx, dh) != 1)
+
+ /* set DH parameters */
+ DH *dh = ssl_get_dh2236();
+ if (dh == NULL)
 {
- g_writeln("SSL_CTX_set_tmp_dh failed");
+ log_message(LOG_LEVEL_ERROR, "ssl_tls_accept: ssl_get_dh2236 failed");
 return 1;
 }
- DH_free(dh);
-#endif
+
+ if (SSL_CTX_set_tmp_dh(self->ctx, dh) != 1)
+ {
+ log_message(LOG_LEVEL_ERROR,
+ "ssl_tls_accept: SSL_CTX_set_tmp_dh failed");
+ return 1;
+ }
+ DH_free(dh); // ok to free, copied into ctx by SSL_CTX_set_tmp_dh()
+
 #if defined(SSL_CTX_set_ecdh_auto)
 SSL_CTX_set_ecdh_auto(self->ctx, 1);
 #endif
 if (g_strlen(tls_ciphers) > 1)
 {
- log_message(LOG_LEVEL_TRACE, "ssl_tls_accept: tls_ciphers=%s", \
+ log_message(LOG_LEVEL_TRACE, "ssl_tls_accept: tls_ciphers=%s",
 tls_ciphers);
 if (SSL_CTX_set_cipher_list(self->ctx, tls_ciphers) == 0)
 {
From 780ba744f6fd46dbfe01aec3f096f14f7346d609 Mon Sep 17 00:00:00 2001
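Review bot: On the `SSL_CTX_set_tmp_dh(self->ctx, dh) != 1` path the new code returns without `DH_free(dh)`, so the parameters built by `ssl_get_dh2236()` leak on every failed accept even though this commit is meant to close that leak; add `DH_free(dh);` before that `return 1;`. The `DH_free(dh)` on the success path is correct — OpenSSL keeps its own copy of the parameters — and its trailing `//` comment would match the rest of the function as `/* ok to free, SSL_CTX_set_tmp_dh() copied the parameters into ctx */`. ssl_tls_accept starts and ends outside the hunk.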
From: Koichiro IWAO Date: Thu, 22 Mar 2018 12:37:42 +0900 Subject: [PATCH 31/36] Revert "devredir: fix xinode leak" This reverts commit 5daa09171e1e6e65a1a3ab969775fdf8affffc37. Causes "double free". Fix #990 was not correct. ``` [1271363627]: DEV_REDIR dev_redir_proc_device_iocompletion: 738 : entered: IoStatus=0x0 CompletionId=1 [1271363627]: DEV_REDIR dev_redir_proc_device_iocompletion: 839 : got CID_DIRECTORY_CONTROL [1271363627]: DEV_REDIR dev_redir_proc_query_dir_response: 933 : processing FILE_DIRECTORY_INFORMATION structs [1271363627]: DEV_REDIR dev_redir_proc_query_dir_response: 968 : FileName: . [1271363627]: DEV_REDIR devredir_fuse_data_peek: 1335 : returning 0x7f2a9c013410 *** Error in `/usr/sbin/xrdp-chansrv': double free or corruption (out): 0x00007f2a9c13a330 *** ``` Closes: #1025
---
 sesman/chansrv/devredir.c | 2 --
 1 file changed, 2 deletions(-)
diff --git a/sesman/chansrv/devredir.c b/sesman/chansrv/devredir.c
index 4c6f67e3..629b3cc9 100644
--- a/sesman/chansrv/devredir.c
+++ b/sesman/chansrv/devredir.c
@@ -986,8 +986,6 @@ dev_redir_proc_query_dir_response(IRP *irp,
 /* add this entry to xrdp file system */
 fuse_data = devredir_fuse_data_peek(irp);
 xfuse_devredir_cb_enum_dir(fuse_data->data_ptr, xinode);
-
- g_free(xinode);
 }
 dev_redir_send_drive_dir_request(irp, DeviceId, 0, NULL);
From e40f0dc7e25c5290ad8f609b9aeb7194fa7e06ae Mon Sep 17 00:00:00 2001 From: Jay Sorg Date: Mon, 22 Jan 2018 15:42:29 -0800 Subject: [PATCH 32/36] sesman: add hostname to vnc password file
---
 sesman/env.c | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/sesman/env.c b/sesman/env.c
index 29bd281d..142c9bd2 100644
--- a/sesman/env.c
+++ b/sesman/env.c
@@ -102,6 +102,7 @@ env_set_user(const char *username, char **passwd_file, int display,
 char *pw_shell;
 char *pw_dir;
 char text[256];
+ char hostname[256];
 pw_shell = 0;
 pw_dir = 0;
@@ -152,13 +153,14 @@ env_set_user(const char *username, char **passwd_file, int display,
 g_setenv(name, value, 1);
 }
 }
-
+ g_gethostname(hostname, 255);
+ hostname[255] = 0;
 if (passwd_file != 0)
 {
 if (0 == g_cfg->auth_file_path)
 {
 /* if no auth_file_path is set, then we go for
- $HOME/.vnc/sesman_username_passwd:DISPLAY */
+ $HOME/.vnc/sesman_USERNAME_passwd:DISPLAY:HOSTNAME */
 if (!g_directory_exist(".vnc"))
 {
 if (g_mkdir(".vnc") < 0)
@@ -169,13 +171,21 @@ env_set_user(const char *username, char **passwd_file, int display,
 }
 }
- len = g_snprintf(NULL, 0, "%s/.vnc/sesman_%s_passwd:%d",
- pw_dir, username, display);
+ len = g_snprintf(NULL, 0, "%s/.vnc/sesman_%s_passwd:%d:%s",
+ pw_dir, username, display, hostname);
 *passwd_file = (char *) g_malloc(len + 1, 1);
 if (*passwd_file != NULL)
 {
- /* Try legacy name first, remove if found */
+ /* Try legacy names first, remove if found */
+ g_sprintf(*passwd_file, "%s/.vnc/sesman_%s_passwd:%d",
+ pw_dir, username, display);
+ if (g_file_exist(*passwd_file))
+ {
+ log_message(LOG_LEVEL_WARNING, "Removing old "
+ "password file %s", *passwd_file);
+ g_file_delete(*passwd_file);
+ }
 g_sprintf(*passwd_file, "%s/.vnc/sesman_%s_passwd",
 pw_dir, username);
 if (g_file_exist(*passwd_file))
@@ -184,9 +194,8 @@ env_set_user(const char *username, char **passwd_file, int display,
 "password file %s", *passwd_file);
 g_file_delete(*passwd_file);
 }
-
- g_sprintf(*passwd_file, "%s/.vnc/sesman_%s_passwd:%d",
- pw_dir, username, display);
+ g_sprintf(*passwd_file, "%s/.vnc/sesman_%s_passwd:%d:%s",
+ pw_dir, username, display, hostname);
 }
 }
 else
From a63c4117721cbee28fd179c306092b042ec96333 Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Fri, 23 Mar 2018 15:58:35 +0900 Subject: [PATCH 33/36] sesman: rename vnc password file, just a cosmetic change
---
 sesman/env.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/sesman/env.c b/sesman/env.c
index 142c9bd2..c897f1b3 100644
--- a/sesman/env.c
+++ b/sesman/env.c
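Review bot: The return value of `g_gethostname(hostname, 255)` is ignored and only `hostname[255]` is initialised, so if the lookup fails the stack contents of `hostname` become part of the password file name that is then created and, in the legacy-cleanup branch below, handed to `g_file_delete()`. If `g_gethostname()` follows the `gethostname()` convention of returning 0 on success, guard it: `if (g_gethostname(hostname, 255) != 0) { hostname[0] = 0; }` ahead of the existing `hostname[255] = 0;`, so a failed lookup yields a stable, empty hostname component instead of garbage. env_set_user starts and ends outside these hunks.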
@@ -160,7 +160,7 @@ env_set_user(const char *username, char **passwd_file, int display,
 if (0 == g_cfg->auth_file_path)
 {
 /* if no auth_file_path is set, then we go for
- $HOME/.vnc/sesman_USERNAME_passwd:DISPLAY:HOSTNAME */
+ $HOME/.vnc/sesman_passwd-USERNAME@HOSTNAME:DISPLAY */
 if (!g_directory_exist(".vnc"))
 {
 if (g_mkdir(".vnc") < 0)
@@ -171,8 +171,8 @@ env_set_user(const char *username, char **passwd_file, int display,
 }
 }
- len = g_snprintf(NULL, 0, "%s/.vnc/sesman_%s_passwd:%d:%s",
- pw_dir, username, display, hostname);
+ len = g_snprintf(NULL, 0, "%s/.vnc/sesman_passwd-%s@%s:%d",
+ pw_dir, username, hostname, display);
 *passwd_file = (char *) g_malloc(len + 1, 1);
 if (*passwd_file != NULL)
@@ -194,8 +194,8 @@ env_set_user(const char *username, char **passwd_file, int display,
 "password file %s", *passwd_file);
 g_file_delete(*passwd_file);
 }
- g_sprintf(*passwd_file, "%s/.vnc/sesman_%s_passwd:%d:%s",
- pw_dir, username, display, hostname);
+ g_sprintf(*passwd_file, "%s/.vnc/sesman_passwd-%s@%s:%d",
+ pw_dir, username, hostname, display);
 }
 }
 else
From 5f4130805f2ca8174f72e74eb17f44b9aae1ca50 Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Tue, 13 Feb 2018 16:37:22 +0900 Subject: [PATCH 34/36] Update NEWS for v0.9.6
---
 NEWS.md | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/NEWS.md b/NEWS.md
index 898f4ba2..167d8477 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -1,3 +1,40 @@ +# Release notes for xrdp v0.9.6 (2018/03/26) + +## Compatibility notice +Exclamation mark (`!`) has been removed from comment out symbol of config files. +Use number sign (`#`) or semicolon (`;`) instead. As a result of this change, now +you can use exclamation mark as config value such as in `tls_ciphers`. + +``` +tls_ciphers=HIGH:!aNULL:!eNULL:!EXPORT:!RC4 +``` + +See also: #1033 + +## macOS supports +Please note that xrdp still doesn't support macOS officially so far. +However, a volunteer is working on macOS compatibility. + +* Generate dylibs for macOS #1015 +* Add PAM support for macOS #1021 + +## Bug fixes +* Make listen check before daemon fork #988 +* Fix xrdp sometimes become zombie processes #1000 +* Include hostname in sesman password file name #1006 #1007 #1076 +* Fix default startwm.sh to use bash explicitly #1009 #1049 +* Fix the issue FreeBSD doesn't acknowledge terminated sessions #1016 #1030 + +## Other changes +* Add Swiss French keyboard #1053 +* Improve perfect forward secrecy, explicitly enable ECDHE/DHE #1024 #1052 #1063 +* Lots of leak fixes, cleanups and refactoring + +## Known issues +* Audio redirection by MP3 codec doesn't sound with some client, use AAC instead #965 + +----------------------- + # Release notes for xrdp v0.9.5 (2017/12/27) ## Security fixes From af57e191df5506a37cc23ec8df13867dfa52558a Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Mon, 26 Mar 2018 10:31:19 +0900 Subject: [PATCH 35/36] Bump version to v0.9.6 --- README.md | 2 +- configure.ac | 2 +- xorg/X11R7.6/rdp/rdp.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f8fe462f..8795ad49 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/neutrinolabs/xrdp) ![Apache-License](https://img.shields.io/badge/License-Apache%202.0-blue.svg) -*Current Version:* 0.9.5 +*Current Version:* 0.9.6 # xrdp - an open source RDP server 
diff --git a/configure.ac b/configure.ac index 160fc651..4a41128a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,7 +1,7 @@ # Process this file with autoconf to produce a configure script AC_PREREQ(2.65) -AC_INIT([xrdp], [0.9.5], [xrdp-devel@googlegroups.com]) +AC_INIT([xrdp], [0.9.6], [xrdp-devel@googlegroups.com]) AC_CONFIG_HEADERS(config_ac.h:config_ac-h.in) AM_INIT_AUTOMAKE([1.7.2 foreign]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/xorg/X11R7.6/rdp/rdp.h b/xorg/X11R7.6/rdp/rdp.h index ceed13a9..56ee5ba8 100644 --- a/xorg/X11R7.6/rdp/rdp.h +++ b/xorg/X11R7.6/rdp/rdp.h @@ -76,7 +76,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. //#include "colormapst.h" -#define X11RDPVER "0.9.5" +#define X11RDPVER "0.9.6" #define PixelDPI 100 #define PixelToMM(_size) (((_size) * 254 + (PixelDPI) * 5) / ((PixelDPI) * 10)) From 37d5430123b677b94f0bdaaa6ec1aee3cf50788b Mon Sep 17 00:00:00 2001 From: Koichiro IWAO Date: Mon, 26 Mar 2018 10:59:02 +0900 Subject: [PATCH 36/36] Update README a little bit --- README.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 8795ad49..ff61e069 100644 --- a/README.md +++ b/README.md @@ -40,9 +40,12 @@ experience. It is recommended that xrdp depends on xorgxrdp, so it should be sufficient to install xrdp. If xorgxrdp is not provided, use Xvnc server. +xrdp listens on 3389/tcp. Make sure your firewall accepts connection to +3389/tcp from where you want to access. + ### Ubuntu / Debian ```bash -apt-get install xrdp +apt install xrdp ``` ### RedHat / CentOS / Fedora @@ -62,13 +65,6 @@ yum install xrdp `yum` is being replaced with `dnf`, so you may need to use `dnf` instead of `yum` in the above commands. -To allow outside access to the service, open port 3389 on the firewall. - -``` -firewall-cmd --permanent --zone=public --add-port=3389/tcp -firewall-cmd --reload -``` - ## Environment **xrdp** primarily targets to GNU/Linux. Tested on x86, x86_64, SPARC and 
@@ -80,7 +76,7 @@ SIMD instructions. FreeBSD is not a primary target of xrdp. It is working on FreeBSD except for the drive redirection feature. -Other operating systems such as Mac OS are not supported so far, but we +Other operating systems such as macOS are not supported so far, but we welcome your contributions. ## Compiling