From 5475c0a823cf94f817821105b40760d902d9ace5 Mon Sep 17 00:00:00 2001 From: Ray Strode Date: Tue, 27 Oct 2009 10:40:55 -0400 Subject: [PATCH 1/4] Make screenshot dir a configure argument This provides a little more flexibility to distributors, but more importantly makes it less hard coded in gdm-screenshot.c --- configure.ac | 17 +++++++++++++++++ data/Makefile.am | 8 ++++++++ utils/Makefile.am | 1 + utils/gdm-screenshot.c | 5 +---- 4 files changed, 27 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index 4fe4430..0dd2658 100644 --- a/configure.ac +++ b/configure.ac @@ -1237,6 +1237,23 @@ fi AC_SUBST(GDM_XAUTH_DIR) dnl --------------------------------------------------------------------------- +dnl - Directory for greeter screenshot +dnl --------------------------------------------------------------------------- + +AC_ARG_WITH(screenshot-dir, + AS_HELP_STRING([--with-screenshot-dir=], + [directory to store greeter screenshot])) + +if ! test -z "$with_screenshot_dir"; then + GDM_SCREENSHOT_DIR=$with_screenshot_dir +else + GDM_SCREENSHOT_DIR=${localstatedir}/run/gdm +fi + +AC_SUBST(GDM_SCREENSHOT_DIR) + + +dnl --------------------------------------------------------------------------- dnl - Finish dnl --------------------------------------------------------------------------- diff --git a/data/Makefile.am b/data/Makefile.am index 73fa106..608194d 100644 --- a/data/Makefile.am +++ b/data/Makefile.am @@ -13,6 +13,7 @@ predir = $(gdmconfdir)/PreSession postlogindir = $(gdmconfdir)/PostLogin workingdir = $(GDM_WORKING_DIR) xauthdir = $(GDM_XAUTH_DIR) +screenshotdir = $(GDM_SCREENSHOT_DIR) cachedir = $(localstatedir)/cache/gdm Xsession: $(srcdir)/Xsession.in @@ -123,6 +124,7 @@ uninstall-hook: -rf \ $(DESTDIR)$(workingdir)/.gconf.mandatory \ $(DESTDIR)$(xauthdir) + $(DESTDIR)$(screenshotdir) install-data-hook: gdm.conf-custom Xsession Init PostSession PreSession gconf.path if test '!' -d $(DESTDIR)$(gdmconfdir); then \ 
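Review bot: The `if ! test -z "$with_screenshot_dir"` check in the new `--with-screenshot-dir` block accepts the values autoconf sets when the option is given without a path, so a bare `--with-screenshot-dir` or `--without-screenshot-dir` would make `GDM_SCREENSHOT_DIR` the relative name `yes` or `no`. That value is compiled into the daemon and the screenshot tool as a directory to create and write into, so it is worth rejecting at configure time. The test could read `if test -n "$with_screenshot_dir" && test "x$with_screenshot_dir" != xyes && test "x$with_screenshot_dir" != xno; then`.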
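Review bot: In the `uninstall-hook` hunk the added `$(DESTDIR)$(screenshotdir)` line follows `$(DESTDIR)$(xauthdir)`, which has no trailing backslash. As shown, the new path is therefore not part of the `-rf \` continuation, and make would try to run it as a command of its own instead of removing it. The context line needs the continuation, i.e. `$(DESTDIR)$(xauthdir) \` followed by `$(DESTDIR)$(screenshotdir)`. The first line of the recipe looks truncated in this view, so the exact removal command is not visible here.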
@@ -204,6 +206,12 @@ install-data-hook: gdm.conf-custom Xsession Init PostSession PreSession gconf.pa chown root:gdm $(DESTDIR)$(xauthdir) || : ; \ fi + if test '!' -d $(DESTDIR)$(screenshotdir); then \ + $(mkinstalldirs) $(DESTDIR)$(screenshotdir); \ + chmod 0755 $(DESTDIR)$(screenshotdir); \ + chown gdm:gdm $(DESTDIR)$(screenshotdir) || : ; \ + fi + if test '!' -d $(DESTDIR)$(workingdir); then \ $(mkinstalldirs) $(DESTDIR)$(workingdir); \ chmod 1770 $(DESTDIR)$(workingdir); \ diff --git a/utils/Makefile.am b/utils/Makefile.am index 0b6ea04..f1ff331 100644 --- a/utils/Makefile.am +++ b/utils/Makefile.am @@ -4,6 +4,7 @@ AM_CPPFLAGS = \ -I. \ -I.. \ -DLOCALSTATEDIR=\""$(localstatedir)"\" \ + -DGDM_SCREENSHOT_DIR=\""$(GDM_SCREENSHOT_DIR)"\"\ -DGNOMELOCALEDIR=\""$(datadir)/locale"\" \ $(UTILS_CFLAGS) \ $(CANBERRA_GTK_CFLAGS) \ diff --git a/utils/gdm-screenshot.c b/utils/gdm-screenshot.c index f66de46..12102f2 100644 --- a/utils/gdm-screenshot.c +++ b/utils/gdm-screenshot.c @@ -163,11 +163,8 @@ screenshot_save (GdkPixbuf *pixbuf) char *filename; gboolean res; GError *error; - const char *save_dir; - save_dir = LOCALSTATEDIR "/run/gdm"; - - filename = g_build_filename (save_dir, + filename = g_build_filename (GDM_SCREENSHOT_DIR, "GDM-Screenshot.png", NULL); -- 1.6.5.1 From 1fe51c8f69dc93033d2035c27389377090f21b78 Mon Sep 17 00:00:00 2001 From: Ray Strode Date: Tue, 27 Oct 2009 11:25:19 -0400 Subject: [PATCH 2/4] Create screenshot dir at runtime if not available We want the screenshot dir to be owned by the GDM user, so the greeter can write screenshots to it. --- daemon/Makefile.am | 1 + daemon/gdm-greeter-session.c | 1 + daemon/gdm-welcome-session.c | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 34 insertions(+), 0 deletions(-) diff --git a/daemon/Makefile.am b/daemon/Makefile.am index a122a15..ab10dc5 100644 --- a/daemon/Makefile.am +++ b/daemon/Makefile.am 
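Review bot: `screenshot_save` now writes the fixed name `GDM-Screenshot.png` into whatever directory was passed to `--with-screenshot-dir`, and nothing at the `g_build_filename` call records that this directory must be writable only by the GDM user. With a fixed, predictable file name, that property of the directory is what keeps other local users from influencing the path, so it is worth stating next to the call. A comment such as `/* GDM_SCREENSHOT_DIR must be writable only by the gdm user; the file name below is fixed */` would do. The rest of `screenshot_save` is outside the hunk, so how the file is opened is not visible here.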
@@ -15,6 +15,7 @@ AM_CPPFLAGS = \ -DSBINDIR=\"$(sbindir)\" \ -DGNOMELOCALEDIR=\""$(datadir)/locale"\" \ -DGDM_XAUTH_DIR=\"$(GDM_XAUTH_DIR)\" \ + -DGDM_SCREENSHOT_DIR=\"$(GDM_SCREENSHOT_DIR)\" \ -DGDM_CACHE_DIR=\""$(localstatedir)/cache/gdm"\" \ -DGDM_SESSION_DEFAULT_PATH=\"$(GDM_SESSION_DEFAULT_PATH)\" \ $(DISABLE_DEPRECATED_CFLAGS) \ diff --git a/daemon/gdm-greeter-session.c b/daemon/gdm-greeter-session.c index aae1928..994acbc 100644 --- a/daemon/gdm-greeter-session.c +++ b/daemon/gdm-greeter-session.c @@ -156,6 +156,7 @@ gdm_greeter_session_new (const char *display_name, "x11-display-device", display_device, "x11-display-hostname", display_hostname, "x11-display-is-local", display_is_local, + "runtime-dir", GDM_SCREENSHOT_DIR, NULL); return GDM_GREETER_SESSION (object); diff --git a/daemon/gdm-welcome-session.c b/daemon/gdm-welcome-session.c index b58e855..f340660 100644 --- a/daemon/gdm-welcome-session.c +++ b/daemon/gdm-welcome-session.c @@ -63,6 +63,7 @@ struct GdmWelcomeSessionPrivate char *user_name; char *group_name; + char *runtime_dir; char *x11_display_name; char *x11_display_device; @@ -91,6 +92,7 @@ enum { PROP_X11_DISPLAY_IS_LOCAL, PROP_USER_NAME, PROP_GROUP_NAME, + PROP_RUNTIME_DIR, PROP_SERVER_ADDRESS, PROP_COMMAND, PROP_SERVER_DBUS_PATH, @@ -408,6 +410,7 @@ rotate_logs (const char *path, typedef struct { const char *user_name; const char *group_name; + const char *runtime_dir; const char *log_file; } SpawnChildData; @@ -435,6 +438,10 @@ spawn_child_setup (SpawnChildData *data) _exit (1); } + g_debug ("GdmWelcomeSession: Setting up run time dir %s", data->runtime_dir); + g_mkdir (data->runtime_dir, 0755); + chown (data->runtime_dir, pwent->pw_uid, pwent->pw_gid); + g_debug ("GdmWelcomeSession: Changing (uid:gid) for child process to (%d:%d)", pwent->pw_uid, grent->gr_gid); 
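Review bot: The `g_mkdir` and `chown` calls added to `spawn_child_setup` ignore their results, and `chown` follows symbolic links; because they sit before the uid/gid change logged on the next line, they presumably still run with the daemon's privileges. If `data->runtime_dir` already exists as something other than the expected directory, ownership of whatever it resolves to is handed to the welcome user, which matters while the parent directory is writable by others or when a distributor points `--with-screenshot-dir` at a shared location. `runtime_dir` can also be NULL, since the `runtime-dir` property added in this patch defaults to NULL and, among the hunks shown, only `gdm_greeter_session_new` sets it. I would guard for NULL, check the `g_mkdir` result and use `lchown`, as below; the rest of `spawn_child_setup` is outside the hunk, and `errno` needs `<errno.h>` in scope.

```c
        if (data->runtime_dir != NULL) {
                g_debug ("GdmWelcomeSession: Setting up run time dir %s", data->runtime_dir);
                if (g_mkdir (data->runtime_dir, 0755) != 0 && errno != EEXIST) {
                        g_warning ("GdmWelcomeSession: Unable to create %s: %s",
                                   data->runtime_dir, g_strerror (errno));
                } else if (lchown (data->runtime_dir, pwent->pw_uid, pwent->pw_gid) != 0) {
                        g_warning ("GdmWelcomeSession: Unable to change owner of %s: %s",
                                   data->runtime_dir, g_strerror (errno));
                }
        }
        /* … unchanged: uid/gid change for the child process … */
```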
@@ -552,6 +559,7 @@ static gboolean spawn_command_line_async_as_user (const char *command_line, const char *user_name, const char *group_name, + const char *runtime_dir, const char *log_file, char **env, GPid *child_pid, @@ -575,6 +583,7 @@ spawn_command_line_async_as_user (const char *command_line, data.user_name = user_name; data.group_name = group_name; + data.runtime_dir = runtime_dir; data.log_file = log_file; local_error = NULL; @@ -756,6 +765,7 @@ gdm_welcome_session_spawn (GdmWelcomeSession *welcome_session) ret = spawn_command_line_async_as_user (welcome_session->priv->command, welcome_session->priv->user_name, welcome_session->priv->group_name, + welcome_session->priv->runtime_dir, log_path, (char **)env->pdata, &welcome_session->priv->pid, @@ -928,6 +938,14 @@ _gdm_welcome_session_set_group_name (GdmWelcomeSession *welcome_session, } static void +_gdm_welcome_session_set_runtime_dir (GdmWelcomeSession *welcome_session, + const char *dir) +{ + g_free (welcome_session->priv->runtime_dir); + welcome_session->priv->runtime_dir = g_strdup (dir); +} + +static void _gdm_welcome_session_set_server_dbus_path (GdmWelcomeSession *welcome_session, const char *name) { @@ -998,6 +1016,9 @@ gdm_welcome_session_set_property (GObject *object, case PROP_GROUP_NAME: _gdm_welcome_session_set_group_name (self, g_value_get_string (value)); break; + case PROP_RUNTIME_DIR: + _gdm_welcome_session_set_runtime_dir (self, g_value_get_string (value)); + break; case PROP_SERVER_ADDRESS: gdm_welcome_session_set_server_address (self, g_value_get_string (value)); break; @@ -1054,6 +1075,9 @@ gdm_welcome_session_get_property (GObject *object, case PROP_GROUP_NAME: g_value_set_string (value, self->priv->group_name); break; + case PROP_RUNTIME_DIR: + g_value_set_string (value, self->priv->runtime_dir); + break; case PROP_SERVER_ADDRESS: g_value_set_string (value, self->priv->server_address); break; 
@@ -1154,6 +1178,13 @@ gdm_welcome_session_class_init (GdmWelcomeSessionClass *klass) GDM_GROUPNAME, G_PARAM_READWRITE | G_PARAM_CONSTRUCT)); g_object_class_install_property (object_class, + PROP_RUNTIME_DIR, + g_param_spec_string ("runtime-dir", + "runtime dir", + "runtime dir", + NULL, + G_PARAM_READWRITE | G_PARAM_CONSTRUCT)); + g_object_class_install_property (object_class, PROP_SERVER_ADDRESS, g_param_spec_string ("server-address", "server address", @@ -1267,6 +1298,7 @@ gdm_welcome_session_finalize (GObject *object) g_free (welcome_session->priv->command); g_free (welcome_session->priv->user_name); g_free (welcome_session->priv->group_name); + g_free (welcome_session->priv->runtime_dir); g_free (welcome_session->priv->x11_display_name); g_free (welcome_session->priv->x11_display_device); g_free (welcome_session->priv->x11_display_hostname); -- 1.6.5.1 From 81870b019c929694ea392359b0a66b0a500c7d5c Mon Sep 17 00:00:00 2001 From: Ray Strode Date: Tue, 27 Oct 2009 11:43:15 -0400 Subject: [PATCH 3/4] Move default screenshot dir to it's own subdirectory --- configure.ac | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/configure.ac b/configure.ac index 0dd2658..93917e2 100644 --- a/configure.ac +++ b/configure.ac @@ -1247,7 +1247,7 @@ AC_ARG_WITH(screenshot-dir, if ! test -z "$with_screenshot_dir"; then GDM_SCREENSHOT_DIR=$with_screenshot_dir else - GDM_SCREENSHOT_DIR=${localstatedir}/run/gdm + GDM_SCREENSHOT_DIR=${localstatedir}/run/gdm/greeter fi AC_SUBST(GDM_SCREENSHOT_DIR) -- 1.6.5.1 From c96697431529ed87dbdbb987ed92ac2286b247b7 Mon Sep 17 00:00:00 2001 From: Ray Strode Date: Tue, 27 Oct 2009 10:35:37 -0400 Subject: [PATCH 4/4] Lock down /var/run/gdm We don't need it so open now that screenshots are written to their own directory, and having it open has implications for quota abuse. --- daemon/gdm-display-access-file.c | 14 +++++++------- data/Makefile.am | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) 
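Review bot: The `runtime-dir` property installed in `gdm_welcome_session_class_init` uses "runtime dir" for both nick and blurb, which does not tell a subclass author that the directory is created and chowned to the session user when the child is spawned, or that the default of NULL leaves it unset. A blurb such as `"directory created for and owned by the welcome session user before the child starts"` would carry that. Only part of `gdm_welcome_session_class_init` is visible in this hunk.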
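Review bot: The new default `${localstatedir}/run/gdm/greeter` is one level deeper than before, while the runtime creation added in patch 2/4 calls `g_mkdir (data->runtime_dir, 0755)`, which creates only the last path component and whose result is not checked. If `run/gdm` does not exist yet when the greeter is spawned, the directory is silently not created and the screenshot save would fail later; whether the parent always exists by then is not visible in this series. A comment here such as `dnl parent directory must exist before the greeter starts; it is created non-recursively at runtime` would record the dependency.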
diff --git a/daemon/gdm-display-access-file.c b/daemon/gdm-display-access-file.c index a3d3e2f..1b52f15 100644 --- a/daemon/gdm-display-access-file.c +++ b/daemon/gdm-display-access-file.c @@ -268,10 +268,10 @@ _create_xauth_file_for_user (const char *username, fp = NULL; fd = -1; - /* Create directory if not exist, then set permission 01775 and ownership root:gdm */ + /* Create directory if not exist, then set permission 0711 and ownership root:gdm */ if (g_file_test (GDM_XAUTH_DIR, G_FILE_TEST_IS_DIR) == FALSE) { g_unlink (GDM_XAUTH_DIR); - if (g_mkdir (GDM_XAUTH_DIR, S_ISVTX | S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH) != 0) { + if (g_mkdir (GDM_XAUTH_DIR, 0711) != 0) { g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), @@ -279,15 +279,15 @@ _create_xauth_file_for_user (const char *username, goto out; } - g_chmod (GDM_XAUTH_DIR, S_ISVTX | S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH); + g_chmod (GDM_XAUTH_DIR, 0711); _get_uid_and_gid_for_user (GDM_USERNAME, &uid, &gid); if (chown (GDM_XAUTH_DIR, 0, gid) != 0) { g_warning ("Unable to change owner of '%s'", GDM_XAUTH_DIR); } } else { - /* if it does exist make sure it has correct mode 01775 */ - g_chmod (GDM_XAUTH_DIR, S_ISVTX | S_IRWXU |S_IRWXG | S_IROTH | S_IXOTH); + /* if it does exist make sure it has correct mode 0711 */ + g_chmod (GDM_XAUTH_DIR, 0711); /* and clean up any stale auth subdirs */ clean_up_stale_auth_subdirs (); @@ -368,8 +368,8 @@ _create_xauth_file_for_user (const char *username, } /* now open up permissions on per-session directory */ - g_debug ("GdmDisplayAccessFile: chmoding %s to 1777", dir_name); - g_chmod (dir_name, S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO); + g_debug ("GdmDisplayAccessFile: chmoding %s to 0711", dir_name); + g_chmod (dir_name, 0711); errno = 0; fp = fdopen (fd, "w"); diff --git a/data/Makefile.am b/data/Makefile.am index 608194d..dfbd096 100644 --- a/data/Makefile.am +++ b/data/Makefile.am 
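Review bot: The literal `0711` now appears in the `g_mkdir` call in the first hunk, in both `g_chmod (GDM_XAUTH_DIR, …)` calls in the second hunk and in two comments, so the next permission change has to touch every site again, as this commit did. A file-level constant, for example `#define GDM_XAUTH_DIR_MODE 0711`, used at those call sites would keep code and comments in step. The per-session directory in the last hunk is a different directory and may deserve its own name. `_create_xauth_file_for_user` begins and ends outside these hunks.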
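Review bot: Both `g_chmod (GDM_XAUTH_DIR, 0711)` calls in the second hunk discard their result, and in the `else` branch that call is the only thing that tightens a directory left at the old mode by an earlier version. If it fails, the directory silently keeps its wider permissions, which is the state this commit sets out to remove. The `chown` just above already warns on failure, so the same treatment fits: `if (g_chmod (GDM_XAUTH_DIR, 0711) != 0) g_warning ("Unable to change mode of '%s'", GDM_XAUTH_DIR);`. The `g_chmod (dir_name, 0711)` in the last hunk has the same gap.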
@@ -202,7 +202,7 @@ install-data-hook: gdm.conf-custom Xsession Init PostSession PreSession gconf.pa if test '!' -d $(DESTDIR)$(xauthdir); then \ $(mkinstalldirs) $(DESTDIR)$(xauthdir); \ - chmod 1777 $(DESTDIR)$(xauthdir); \ + chmod 0711 $(DESTDIR)$(xauthdir); \ chown root:gdm $(DESTDIR)$(xauthdir) || : ; \ fi -- 1.6.5.1
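Review bot: The `chmod 0711` sits inside `if test '!' -d $(DESTDIR)$(xauthdir)`, so installing over an existing directory leaves whatever mode it already had, including the former `1777`. The daemon re-applies the mode at runtime in `_create_xauth_file_for_user`, but only once that code path runs. Moving the `chmod 0711 $(DESTDIR)$(xauthdir); \` and `chown root:gdm` lines after the `fi` would tighten an existing directory at install time as well.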