path: root/xrdp/xrdp_listen.c
author    Ben Cohen <ben-cohen@users.noreply.github.com>  2017-06-23 18:07:32 +0100
committer metalefty <meta@vmeta.jp>  2017-07-20 09:13:06 +0900
commit    8b4d057af26319d314706b6e46bf8e785b6da4d7 (patch)
tree      9e641a4493935a427d850af4cfc6706f313577a9 /xrdp/xrdp_listen.c
parent    324a33431552d27d10f20d592d037078dc903538 (diff)
Allow UDS connection from non-root users
If you run xrdp with a Unix Domain Socket (UDS) for the port specified in /etc/xrdp/xrdp.ini then only root can connect to it.

Test case:

1. Edit /etc/xrdp/xrdp.ini to set "port=/var/run/xrdp-local.socket".
2. Restart xrdp.
3. Run the following, as a non-root user.

    socat TCP-LISTEN:12345 UNIX-CONNECT:/var/run/xrdp-local.socket &
    rdesktop localhost:12345

Expected behaviour: rdesktop starts up and displays the logon dialog.

Observed behaviour: rdesktop exits with "ERROR: Connection closed" and socat exits with "Permission denied". (But it succeeds if root runs socat.)

UDS files are created by trans_listen_address() and given permissions 0660, so only root can connect to it. In this case, for the RDP client connection, it is fine for any user to connect so it should be given permissions 0666.

Note that this is only relevant when the port in /etc/xrdp/xrdp.ini has been set to create a UDS instead of a TCP socket. When a TCP port is created any user (including remote users, unless the loopback interface is used) can connect so this is not less secure.
Diffstat (limited to 'xrdp/xrdp_listen.c')
-rw-r--r--  xrdp/xrdp_listen.c | 4 ++++
1 file changed, 4 insertions(+), 0 deletions(-)
diff --git a/xrdp/xrdp_listen.c b/xrdp/xrdp_listen.c
index e6443bc9..0ab56148 100644
--- a/xrdp/xrdp_listen.c
+++ b/xrdp/xrdp_listen.c
@@ -372,6 +372,10 @@ xrdp_listen_main_loop(struct xrdp_listen *self)
/* Create socket */
error = trans_listen_address(self->listen_trans, port, address);
+ if (port[0] == '/')
+ {
+ g_chmod_hex(port, 0x0666);
+ }
if (error == 0)
{
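Review bot: the new g_chmod_hex() call sits before the `if (error == 0)` check, so it runs even when trans_listen_address() has just failed and no socket was created; move the `if (port[0] == '/')` block inside the `error == 0` branch so the mode change only happens on a path that xrdp actually owns. The return value of g_chmod_hex() is also dropped: a failed chmod leaves the socket at 0660 and the reported symptom ("Permission denied" for non-root clients) silently persists, so log the failure. Two smaller points: a short comment explaining why 0666 is acceptable here (the commit message's argument that a TCP listener is already reachable by any user) would help future readers who see a world-writable mode and assume a mistake, and because the listener is already accepting before the chmod runs, a client that connects in that window still gets refused; doing the mode change (or a suitable umask) inside trans_listen_address() would close that gap and keep the permission policy next to the code that creates the file.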