PageRenderTime 47ms CodeModel.GetById 19ms RepoModel.GetById 0ms app.codeStats 0ms

/xauth_switch_to_sun-des-1

#
Korn Shell | 172 lines | 80 code | 26 blank | 66 comment | 13 complexity | 0ac419111331a7ad6bcf8fb370cb845f MD5 | raw file
    

  1. #!/bin/ksh
    2. 

  2. # X11 MIT-MAGIC-COOKIE to SUN-DES-1 auth.
    3. 

  3. # this script switched the current Xservers authentification
    4. 

  4. # (usually MIT-MAGIC-COOKIE-1) to SUN-DES-1.
    5. 

  5. #
    6. 

  6. #
    7. 

  7. # Copyright 2002-2004 by Roland Mainz <roland.mainz@nrubsig.org>.
    8. 

  8. #
    9. 

  9. #
    10. 

  10. # Requirements:
    11. 

  11. # - Solaris/Linux/AIX running as NIS+ client (YP/LDAP not supported yet)
    12. 

  12. # - user must have proper credentials ("SecureRPC")
    13. 

  13. # - script must be able to "guess" the UID of the Xserver
    14. 

  14. #
    15. 

  15. # Advantages:
    16. 

  16. # - User may allow other users to gain access via
    17. 

  17. #   % xhost +jigsaw@
    18. 

  18. #   instead of moving 128bit cookies
    19. 

  19. #
    20. 

  20. # Known bugs:
    21. 

  21. # - Was not tested on Linux since several months
    22. 

  22. 

  23. 

  24. umask 077
    25. 

  25. # force POSIX binaries
    26. 

  26. export PATH=/usr/xpg4/bin:/usr/bin:/usr/dt/bin:/usr/openwin/bin
    27. 

  27. 

  28. # debug
    29. 

  29. alias xxdebug=true
    30. 

  30. # alias xxdebug=
    31. 

  31. 

  32. # get full qualified domain name
    33. 

  33. getFQDN()
    34. 

  34. {
    35. 

  35.     getent hosts ${1} | awk "{print \$2}" -
    36. 

  36. }
    37. 

  37. 

  38. user2netname()
    39. 

  39. {
    40. 

  40.     UID=$(id -u $1)
    41. 

  41.     DOMAINNAME=$(domainname)
    42. 

  42.     if [ $UID != 0 ] ; then
    43. 

  43.         netname=unix.$UID@$DOMAINNAME
    44. 

  44.     else
    45. 

  45.         netname=unix.$HOSTNAME@$DOMAINNAME
    46. 

  46.     fi
    47. 

  47. 

  48.     # BUG: SecureRPC isn't limited to NIS+
    49. 

  49.     #      (but there is no "getent publickey ...") ...
    50. 

  50.     # ToDo:
    51. 

  51.     # - YP name is "publickey.byname"
    52. 

  52.     # - What name does LDAP use ?
    53. 

  53.     if [ "`nismatch "auth_name=$netname" cred.org_dir`" != "" ] ; then
    54. 

  54.         echo "$netname"
    55. 

  55.     else
    56. 

  56.         echo "user ${UID} has no entry in cred.org_dir" >&2
    57. 

  57.         return 1
    58. 

  58.     fi
    59. 

  59. 

  60.     return 0
    61. 

  61. }
    62. 

  62. 

  63. 

  64. # pid to username
    65. 

  65. getUserOfPID()
    66. 

  66. {
    67. 

  67.     ps -p $1 -o user,pid | awk "NR != 1 {print \$1}" -
    68. 

  68. }
    69. 

  69. 

  70. # test if we can access $DISPLAY via SUN-DES-1 auth. using a temporary
    71. 

  71. # Xauthority file
    72. 

  72. dry_run()
    73. 

  73. {
    74. 

  74. (
    75. 

  75.   principal="$1"
    76. 

  76.   # XAUTHORITY may not be defined
    77. 

  77.   if [ "$XAUTHORITY" = "" ] ; then
    78. 

  78.       export XAUTHORITY=~/.Xauthority
    79. 

  79.   fi
    80. 

  80. 

  81.   ORIGINAL_XAUTHORITY="${XAUTHORITY:-~/.Xauthority}"
    82. 

  82.   TMP_XAUTHORITY=/tmp/mit-cookie2sun-des-1tmpxauth_${LOGNAME}_${RANDOM}.xauth
    83. 

  83.   export XAUTHORITY="$TMP_XAUTHORITY"
    84. 

  84.   touch "$XAUTHORITY"
    85. 

  85. 

  86.   (echo "add $displayhost/unix:$displaynum SUN-DES-1 $principal" ;
    87. 

  87.    echo "add $displayhost:$displaynum SUN-DES-1 $principal"
    88. 

  88.   ) | xauth source -
    89. 

  89. 

  90.   # check if a sample X11 app. (/usr/openwin/bin/xset) can access Xserver...
    91. 

  91.   if ! xset q 2>/dev/null 1>/dev/null ; then
    92. 

  92.     # clean-up
    93. 

  93.     rm -f "$TMP_XAUTHORITY"
    94. 

  94.     return 1
    95. 

  95.   fi
    96. 

  96. 

  97.   rm -f "$TMP_XAUTHORITY"
    98. 

  98. 

  99.   return 0
    100. 

  100. )
    101. 

  101. }
    102. 

  102. 

  103. # main
    104. 

  104. 

  105. HOSTNAME=$(hostname)
    106. 

  106. FQDN=$(getFQDN $HOSTNAME)
    107. 

  107. 

  108. # be sure that DISPLAY contains the host name
    109. 

  109. # BUGs:
    110. 

  110. # - this does _not_ catch non-tcp connections (like DECnet).
    111. 

  111. # - this may not work with IPv6 addresses
    112. 

  112. displayhost=${DISPLAY%:*}
    113. 

  113. displaynum=$(x=${DISPLAY#*:}; echo ${x%.*})
    114. 

  114. if [ "$displayhost" == "" -o "$displayhost" == "localhost" ] ; then
    115. 

  115.     # fix DISPLAY
    116. 

  116.     export DISPLAY="${FQDN}:${DISPLAY#*:}"
    117. 

  117.     displayhost=${DISPLAY%:*}
    118. 

  118. fi
    119. 

  119. 

  120. 

  121. # grant access for current user and for user root
    122. 

  122. # (a bug in /usr/dt/bin/dtaction requires this for user "root", too -
    123. 

  123. # Solaris 7/8 dtaction runns setuid root and opens a display connection
    124. 

  124. # before chaning the EUID to the "destination uid"... ;-( ).
    125. 

  125. xhost +${LOGNAME}@ +$(user2netname root)
    126. 

  126. 

  127. # get X server principal(=user)
    128. 

  128. # this may fail if user isn't local
    129. 

  129. # unfortunately we cannot get the Xserver PID with a simply API - we
    130. 

  130. # have to "guess" in this case. "pgrep" creates a list of PIDs which may
    131. 

  131. # match. Then we create a list of all matching "principals" and test
    132. 

  132. # them - item by item...
    133. 

  133. # ... step 1: Create list of principals
    134. 

  134. principal_list=""          # you can add "most common" principals here...
    135. 

  135. fallback_principal_list="" # you can add "fallback" principals here
    136. 

  136.                            # (for example, principals for Xterminals (where
    137. 

  137.                            # the Xserver always runns under the same UID)
    138. 

  138.                            # which use SUN-DES-1)
    139. 

  139. for i in $(pgrep -f ".*X.* :$displaynum*") ; do
    140. 

  140.     principal_list="$(user2netname `getUserOfPID $i`) ${principal_list}"
    141. 

  141. done
    142. 

  142. 

  143. xxdebug echo "principal_list=${principal_list}"
    144. 

  144. 

  145. # ... step 2: Test the list of principals
    146. 

  146. for PRINCIPAL in ${principal_list} ${fallback_principal_list} ; do
    147. 

  147.     # make a "dry run" and test whether we really can use SUN-DES-1 auth.
    148. 

  148.     # for this display using the given principal
    149. 

  149.     if dry_run "${PRINCIPAL}" ; then
    150. 

  150.         # remove old MIT-MAGIC-COOKIES and insert SUN-DES-1 cookies
    151. 

  151.         # Users ~/.Xauthority _must_ be changed in _one_ step to avoid
    152. 

  152.         # possible race conditions when switching auth. on a "live"
    153. 

  153.         # $DISPLAY...
    154. 

  154.         (echo "remove $displayhost/unix:$displaynum" ;
    155. 

  155.          echo "remove $displayhost:$displaynum" ;
    156. 

  156.          echo "add $displayhost/unix:$displaynum SUN-DES-1 $PRINCIPAL" ;
    157. 

  157.          echo "add $displayhost:$displaynum SUN-DES-1 $PRINCIPAL"
    158. 

  158.         ) | xauth source -
    159. 

  159. 

  160.         # success.
    161. 

  161.         xxdebug echo "success."
    162. 

  162.         exit 0
    163. 

  163.     fi
    164. 

  164. done
    165. 

  165. 

  166. echo "${0}: failure; could not establish SUN-DES-1 auth. on $DISPLAY" >&2
    167. 

  167. xhost -$LOGNAME@ -$(user2netname root)
    168. 

  168. 

  169. # failure.
    170. 

  170. xxdebug echo failure.
    171. 

  171. exit 1
    172. 

  172. # EOF.
    173. 

  173.