
IABSD.fr/xenocara/app/scripts/xauth_switch_to_sun-des-1.cpp


    Commit

  • Author : matthieu
    Date : 2006-11-25 20:07:29
    Hash : 616b6f15
    Message : Importing from X.Org 7.2RC2

  • app/scripts/xauth_switch_to_sun-des-1.cpp
  • XCOMM!/bin/ksh
    XCOMM X11 MIT-MAGIC-COOKIE to SUN-DES-1 auth. 
    XCOMM This script switches the authentication of the current X server
    XCOMM (usually MIT-MAGIC-COOKIE-1) to SUN-DES-1.
    XCOMM
    XCOMM
    XCOMM Copyright 2002-2004 by Roland Mainz <roland.mainz@nrubsig.org>.
    XCOMM
    XCOMM
    XCOMM Requirements:
    XCOMM - Solaris/Linux/AIX running as NIS+ client (YP/LDAP not supported yet)
    XCOMM - user must have proper credentials ("SecureRPC")
    XCOMM - script must be able to "guess" the UID of the Xserver
    XCOMM
    XCOMM Advantages:
    XCOMM - User may allow other users to gain access via
    XCOMM   % xhost +jigsaw@
    XCOMM   instead of moving 128bit cookies
    XCOMM
    XCOMM Known bugs:
    XCOMM - Has not been tested on Linux for several months
    
    /* Avoid problems with CPP processing */
    #undef unix
    
    XCOMM keep every file created by this script private to its owner
    umask 077

    XCOMM force POSIX binaries by replacing the inherited search path
    PATH=/usr/xpg4/bin:/usr/bin:/usr/dt/bin:/usr/openwin/bin
    export PATH

    XCOMM debug switch - while xxdebug is an alias for true the debug lines
    XCOMM are swallowed, the commented empty alias lets them run instead
    alias xxdebug=true
    XCOMM alias xxdebug=
    
    XCOMM get full qualified domain name
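    getFQDN()
    {
        # Print the second field of the "getent hosts" record for host $1,
        # which this script uses as the fully qualified domain name.
        # Arguments: $1 - host name to look up
        # Outputs:   one name on stdout, nothing if the lookup has no result
        # Returns:   1 for an empty argument, else the status of the pipeline
        if [ -z "${1}" ] ; then
            # without a key "getent hosts" lists the whole table
            return 1
        fi

        # Quote the key so it reaches getent as one word, and keep only the
        # first record: a host with several addresses yields several lines,
        # which would otherwise end up as a multi-line value in DISPLAY.
        getent hosts "${1}" | awk "NR == 1 {print \$2}" -
    }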
    
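    user2netname()
    {
        # Map a user name to its SecureRPC netname and print it, but only if
        # that netname has an entry in the NIS+ cred.org_dir table.
        # Globals:   HOSTNAME (read); uid, DOMAINNAME, netname (written)
        # Arguments: $1 - user name
        # Outputs:   the netname on stdout, diagnostics on stderr
        # Returns:   0 on success, 1 if the user or the credential is unknown
        if [ -z "$1" ] ; then
            echo "user2netname: missing user name" >&2
            return 1
        fi

        # The result is kept in "uid" rather than "UID", which some shells
        # (bash, for one) treat as a read-only special variable.
        uid=$(id -u "$1") || uid=""

        # Fail closed when the lookup gave no numeric uid.  With an empty
        # value the old unquoted test "[ $UID != 0 ]" was a syntax error, so
        # the else branch ran and an unknown user was mapped to the netname
        # of root on this host.
        case "$uid" in
            ''|*[!0-9]*)
                echo "cannot determine the uid of user ${1}" >&2
                return 1
                ;;
        esac

        DOMAINNAME=$(domainname)
        if [ "$uid" != 0 ] ; then
            netname="unix.${uid}@${DOMAINNAME}"
        else
            # root is identified by the host name instead of a uid
            netname="unix.${HOSTNAME}@${DOMAINNAME}"
        fi

        # BUG: SecureRPC isn't limited to NIS+
        #      (but there is no "getent publickey ...") ...
        # ToDo:
        # - YP name is "publickey.byname"
        # - What name does LDAP use ?
        if [ -n "$(nismatch "auth_name=$netname" cred.org_dir)" ] ; then
            echo "$netname"
        else
            echo "user ${uid} has no entry in cred.org_dir" >&2
            return 1
        fi

        return 0
    }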
    
    
    XCOMM pid to username
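    getUserOfPID()
    {
        # Print the user column that ps reports for process id $1.
        # Arguments: $1 - process id, decimal digits only
        # Outputs:   the user on stdout, nothing if ps prints no such process
        # Returns:   1 if $1 is not a plain number, else the pipeline status
        case "$1" in
            ''|*[!0-9]*)
                # an empty or multi-word value would be parsed by ps as
                # further options or operands
                return 1
                ;;
        esac

        # the first output line is the column header, skip it
        ps -p "$1" -o user,pid | awk "NR > 1 {print \$1}" -
    }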
    
    XCOMM test if we can access $DISPLAY via SUN-DES-1 auth. using a temporary
    XCOMM Xauthority file
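    dry_run()
    {
    (
      # Test whether $DISPLAY accepts SUN-DES-1 auth. for principal $1 without
      # touching the real Xauthority file.  Everything runs in a subshell, so
      # the changed XAUTHORITY never reaches the caller.
      # Globals:   displayhost, displaynum, DISPLAY (read)
      # Arguments: $1 - SecureRPC netname to try as SUN-DES-1 principal
      # Returns:   0 if xset could query the Xserver, 1 otherwise
      principal="$1"

      # Use a private directory from mktemp instead of a guessable
      # /tmp/..._${LOGNAME}_${RANDOM}.xauth name.  A predictable path in a
      # shared directory can be created in advance by another local user, for
      # example as a symlink that "touch" would follow.  A directory also
      # covers the helper files xauth creates beside the authority file.
      # NOTE(review): assumes mktemp is found on the forced PATH on every
      # supported platform - confirm for AIX.
      tmp_dir=$(mktemp -d "${TMPDIR:-/tmp}/mit-cookie2sun-des-1tmpxauth.XXXXXX") || exit 1
      [ -n "$tmp_dir" ] || exit 1

      TMP_XAUTHORITY="$tmp_dir/Xauthority"
      export XAUTHORITY="$TMP_XAUTHORITY"
      touch "$XAUTHORITY"

      (echo "add $displayhost/unix:$displaynum SUN-DES-1 $principal" ;
       echo "add $displayhost:$displaynum SUN-DES-1 $principal"
      ) | xauth source -

      # check if a sample X11 app. (/usr/openwin/bin/xset) can access Xserver...
      if xset q 2>/dev/null 1>/dev/null ; then
        status=0
      else
        status=1
      fi

      # clean-up on both outcomes
      rm -rf "$tmp_dir"

      exit $status
    )
    }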
    
    XCOMM main
    
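    HOSTNAME=$(hostname)
    FQDN=$(getFQDN "$HOSTNAME")

    XCOMM be sure that DISPLAY contains the host name
    XCOMM BUGs:
    XCOMM - non-tcp display names such as DECnet and IPv6 literals are not
    XCOMM   parsed correctly and end up rejected by the number check below
    displayhost=${DISPLAY%:*}
    displaynum=${DISPLAY#*:}
    displaynum=${displaynum%.*}

    XCOMM displaynum is spliced into a pgrep pattern and into xauth command
    XCOMM lines further down, so stop here unless it is a plain number
    XCOMM NOTE review - displayhost goes into the same xauth lines unchecked
    case "$displaynum" in
        ''|*[!0-9]*)
            echo "${0}: cannot parse a display number from DISPLAY=${DISPLAY}" >&2
            exit 1
            ;;
    esac

    if [ "$displayhost" = "" ] || [ "$displayhost" = "localhost" ] ; then
        # fix DISPLAY: replace the missing or local host part by the FQDN
        export DISPLAY="${FQDN}:${DISPLAY#*:}"
        displayhost=${DISPLAY%:*}
    fi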
    
    
    XCOMM grant access for current user and for user root
    XCOMM (a bug in /usr/dt/bin/dtaction requires this for user "root", too -
    XCOMM Solaris 7/8 dtaction runs setuid root and opens a display connection
    XCOMM before changing the EUID to the "destination uid"... ;-( ).
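    XCOMM resolve the netname of root first - when the lookup fails the
    XCOMM expansion is empty and xhost would be handed a bare + argument,
    XCOMM which switches access control off for every client
    root_netname=$(user2netname root)
    if [ -n "$root_netname" ] ; then
        xhost "+${LOGNAME}@" "+${root_netname}"
    else
        echo "${0}: no netname for root; granting access to ${LOGNAME} only" >&2
        xhost "+${LOGNAME}@"
    fi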
    
    XCOMM get X server principal(=user)
    XCOMM this may fail if user isn't local
    XCOMM unfortunately we cannot get the Xserver PID with a simple API - we 
    XCOMM have to "guess" in this case. "pgrep" creates a list of PIDs which may
    XCOMM match. Then we create a list of all matching "principals" and test
    XCOMM them - item by item...
    XCOMM ... step 1: Create list of principals
    XCOMM candidates tried first - preset the most common principals here
    principal_list=""
    XCOMM candidates tried last - for example the principals of Xterminals
    XCOMM whose Xserver always runs under the same UID and uses SUN-DES-1
    fallback_principal_list=""

    XCOMM NOTE review - the trailing star binds to the last digit only, so the
    XCOMM pattern looks broader than one display - every candidate collected
    XCOMM here is still verified by dry_run before it is used
    for xserver_pid in $(pgrep -f ".*X.* :$displaynum*") ; do
        xserver_user=$(getUserOfPID $xserver_pid)
        # prepend, so the last match ends up first; a failed lookup adds a blank
        principal_list="$(user2netname $xserver_user) ${principal_list}"
    done

    xxdebug echo "principal_list=${principal_list}"
    
    XCOMM ... step 2: Test the list of principals
    for PRINCIPAL in ${principal_list} ${fallback_principal_list} ; do
        # Probe first: skip every principal for which the "dry run" shows
        # that SUN-DES-1 auth. does not work on this display.
        dry_run "${PRINCIPAL}" || continue

        # Drop the old MIT-MAGIC-COOKIES and insert the SUN-DES-1 entries.
        # All four commands go to a single xauth run because the users
        # ~/.Xauthority _must_ change in _one_ step - switching auth. on a
        # "live" $DISPLAY in several steps would open a race window.
        # NOTE(review): the exit status of xauth is not checked, success is
        # reported either way - confirm that this is intended.
        {
            echo "remove $displayhost/unix:$displaynum"
            echo "remove $displayhost:$displaynum"
            echo "add $displayhost/unix:$displaynum SUN-DES-1 $PRINCIPAL"
            echo "add $displayhost:$displaynum SUN-DES-1 $PRINCIPAL"
        } | xauth source -

        # success.
        xxdebug echo "success."
        exit 0
    done
    
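    echo "${0}: failure; could not establish SUN-DES-1 auth. on $DISPLAY" >&2

    XCOMM revoke the xhost entries for the user and for root - an empty root
    XCOMM netname must not reach xhost as a bare - argument, which changes the
    XCOMM global access control switch instead of removing an entry
    root_netname=$(user2netname root)
    if [ -n "$root_netname" ] ; then
        xhost "-${LOGNAME}@" "-${root_netname}"
    else
        xhost "-${LOGNAME}@"
    fi

    XCOMM failure.
    xxdebug echo failure.
    exit 1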
    XCOMM EOF.