Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update sockdir security #2731

Merged
merged 4 commits into from
Oct 24, 2023
Merged

Update sockdir security #2731

merged 4 commits into from
Oct 24, 2023

Conversation

matt335672
Copy link
Member

This is one of two updates which (in total) will support running xrdp as a non-privileged user without needing to patch it, as Debian/Ubuntu does at present.

The main purpose of this update is to remove the need to use the sticky bit on the socketdir and simplify the security in this area.

#2472 changed sesman to identify sessions by UID rather than username. This fixed #1823. As a result, sesman is now UID aware.

This lets us insert a UID-specific directory into the socketdir. Now users can't see each others xrdp sockets, resulting in a small security improvement.

Once we've done this, we can get rid of the sesmanruntimedir introduced by #2472, as the socketdir is no longer world-writeable. This moves all the sockets back into a single directory.

As an example, if I log on to my development box using display 11, I now get this under /run/xrdp:-

$ sudo find /run/xrdp -ls
     1514      0 drwxr-xr-x   3 root     root          100 Jun 14 19:20 /run/xrdp
     1551      0 srw-rw-rw-   1 root     root            0 Jun 14 19:20 /run/xrdp/sesman.socket
     1530      0 drwxr-x---   2 testuser root          140 Jun 14 19:37 /run/xrdp/1001
     1790      0 srw-rw----   1 testuser testuser        0 Jun 14 19:37 /run/xrdp/1001/xrdp_chansrv_audio_in_socket_11
     1789      0 srw-rw----   1 testuser testuser        0 Jun 14 19:37 /run/xrdp/1001/xrdp_chansrv_audio_out_socket_11
     1780      0 srw-rw----   1 testuser testuser        0 Jun 14 19:37 /run/xrdp/1001/xrdpapi_11
     1770      0 srw-rw----   1 testuser testuser        0 Jun 14 19:37 /run/xrdp/1001/xrdp_disconnect_display_11
     1769      0 srw-rw----   1 testuser testuser        0 Jun 14 19:37 /run/xrdp/1001/xrdp_display_11
     1515      0 -rw-------   1 root     root            0 Jun 14 19:03 /run/xrdp/.sesman.socket.lock

At the moment the xrdp process is running as root, and can access sockets for user 1001 (testuser) by using group permissions.

There are also some tidy-ups in here, like introducing XRDP_SOCKETS_MAXPATH for the maximum length of a socket path name, and simplifying the parsing of the sesman.ini [security] section.

Currently draft as more testing is required. Comments welcome.

@matt335672 matt335672 mentioned this pull request Oct 23, 2023
Open
@matt335672
Move g_mk_socket_path() to sesman
547c619 
The sockdir is only used when sesman is active. The
call g_mk_socket_path() is removed from os_calls and moved to
sesman.

We also change the permissions on this directory to
0755 rather than 01777 (01000 is the 'sticky bit', S_ISVTX).

The behaviour of g_create_dir() has been modified to not
set S_ISVTX on Linux directories. This is implementation-defined
behaviour according to 1003.1, and is no longer required for the
sockdir.
@matt335672
Fix typo in error message
63235ea
@matt335672 matt335672 force-pushed the update_sockdir_security branch 2 times, most recently from 4736271 to 0971b3e Compare October 23, 2023 15:24
@matt335672 matt335672 marked this pull request as ready for review October 23, 2023 15:32
@matt335672
Copy link
Member Author

I'm bumping this up priority-wise as it's necessary to get the security of the PCSC socket sorted for #1825

If nobody's got time to look at it I'll merge in a week or so. I think the idea of what it's trying to do is fairly clear.

@matt335672 matt335672 force-pushed the update_sockdir_security branch 2 times, most recently from fc59fd4 to 398ba41 Compare October 23, 2023 16:14
@matt335672
Parameterise the sockdir with the UID of the user
675dd77 
The top level socket directory is now called XRDP_SOCKET_ROOT_PATH.
Below that are user-specific directories referred to with the
XRDP_SOCKET_PATH macro - this name is hard-coded into xorgxrdp and
the audio modules as an environment variable.

XRDP_SOCKET_PATH now looks like $XRDP_SOCKET_ROOT_PATH/<uid>

XRDP_SOCKET_PATH is only writeable by the user, and readable by the user
and the xrdp process.
@matt335672
Remove sesmanruntimedir
c51ec2e 
Now we've made the XRDP_SOCKET_PATH only writeable by root, it's
safe to move the sesman socket back into this directory. We no longer
need a separate sesmanruntimedir
@metalefty
Copy link
Member

I will look into it.

metalefty
metalefty approved these changes Oct 24, 2023
View reviewed changes
Copy link
Member

@metalefty metalefty left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@matt335672
Copy link
Member Author

Thanks.

I'll merge later today if I get the time.

@matt335672 matt335672 merged commit 736da24 into neutrinolabs:devel Oct 24, 2023
13 checks passed
@matt335672 matt335672 deleted the update_sockdir_security branch October 24, 2023 18:31
@metalefty metalefty mentioned this pull request Feb 23, 2024
Closed
@matt335672 matt335672 mentioned this pull request Mar 1, 2024
Merged
@matt335672 matt335672 mentioned this pull request Mar 22, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@metalefty metalefty metalefty approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Session for winbind users is not always reconnect
2 participants
@matt335672 @metalefty