Cherry picks to v0 10

.github/workflows/build.yml

@@ -213,6 +213,6 @@ jobs:
       - run: sudo scripts/install_astyle_dependencies_with_apt.sh
       - run: scripts/install_astyle.sh $ASTYLE_REPO $ASTYLE_VER
       - name: Format code with astyle
-        run: scripts/run_astyle.sh
+        run: scripts/run_astyle.sh -v $ASTYLE_VER
       - name: Check code formatting
         run: git diff --exit-code

common/Makefile.am

@@ -71,6 +71,6 @@ libcommon_la_SOURCES = \
   $(PIXMAN_SOURCES)
 
 libcommon_la_LIBADD = \
-  -lpthread -lrt \
+  -lpthread \
   $(OPENSSL_LIBS) \
   $(DLOPEN_LIBS)

common/os_calls.c

@@ -434,23 +434,6 @@ g_tcp_socket(void)
         }
     }
 
-    option_len = sizeof(option_value);
-
-    if (getsockopt(rv, SOL_SOCKET, SO_SNDBUF, (char *)&option_value,
-                   &option_len) == 0)
-    {
-        if (option_value < (1024 * 32))
-        {
-            option_value = 1024 * 32;
-            option_len = sizeof(option_value);
-            if (setsockopt(rv, SOL_SOCKET, SO_SNDBUF, (char *)&option_value,
-                           option_len) < 0)
-            {
-                LOG(LOG_LEVEL_ERROR, "g_tcp_socket: setsockopt() failed");
-            }
-        }
-    }
-
     return rv;
 }
 

docs/man/xrdp.ini.5.in

@@ -177,7 +177,9 @@ If set to \fB1\fP, \fBtrue\fP or \fByes\fP, no buffering will be performed in th
 \fBtcp_send_buffer_bytes\fP=\fIbuffer_size\fP
 .TP
 \fBtcp_recv_buffer_bytes\fP=\fIbuffer_size\fP
-Specify send/recv buffer sizes in bytes.  The default value depends on operating system.
+Specify send/recv buffer sizes in bytes.  The default value depends on
+the operating system. It is recommended not to set these on systems with
+dynamic TCP buffer sizing
 
 .TP
 \fBtls_ciphers\fP=\fIcipher_suite\fP

instfiles/xrdp.service.in

@@ -10,9 +10,7 @@ EnvironmentFile=-@sysconfdir@/sysconfig/xrdp
 EnvironmentFile=-@sysconfdir@/default/xrdp
 ExecStart=@sbindir@/xrdp $XRDP_OPTIONS --nodaemon
 SystemCallArchitectures=native
-SystemCallFilter=@basic-io @file-system @io-event @ipc @network-io @process
-SystemCallFilter=@signal @system-service ioctl madvise sysinfo uname
-SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
 
 [Install]
 WantedBy=multi-user.target

scripts/run_astyle.sh

@@ -2,66 +2,82 @@
 
 # Script to run astyle on the code
 #
-# Usage: /path/to/run_astyle.sh
+# Usage: /path/to/run_astyle.sh [ -v ASTYLE_VER]
 #
+# - If -v ASTYLE_VER is specified, that version of astyle is run from
+#   ~/astyle.local (whether or not it's there!). Use install_astyle.sh
+#   to install a new version.
+
 # Note: the script must be run from the root directory of the xrdp repository
 
 INSTALL_ROOT=~/astyle.local
-ASTYLE_FROM_XRDP=$INSTALL_ROOT/3.4.12/usr/bin/astyle
 MIN_ASTYLE_VER="3.1"
 
 # ----------------------------------------------------------------------------
 # U S A G E
 # ----------------------------------------------------------------------------
 usage()
 {
-    echo "** Usage: $0"
-    echo "   e.g. $0"
+    echo "** Usage: $0 [ -v version]"
+    echo "   e.g. $0 -v 3.4.12"
 } >&2
 
 # ----------------------------------------------------------------------------
 # M A I N
 # ----------------------------------------------------------------------------
+# Figure out ASTYLE setting, if any. Currently '-v' must be the first
+# argument on the command line.
+case "$1" in
+    -v) # Version is separate parameter
+        if [ $# -ge 2 ]; then
+            ASTYLE="$INSTALL_ROOT/$2/usr/bin/astyle"
+            shift 2
+        else
+            echo "** ignoring '-v' with no arg" >&2
+            shift 1
+        fi
+        ;;
+    -v*) # Version is in same parameter
+        # ${parameter#word} is not supported by classic Bourne shell,
+        # but it is on bash, dash, etc. If it doesn't work on your shell,
+        # don't use this form!
+        ASTYLE="$INSTALL_ROOT/${1#-v}/usr/bin/astyle"
+        shift 1
+esac
+
+if [ -z "$ASTYLE" ]; then
+    ASTYLE=astyle
+fi
+
 if [ $# -ne 0 ]; then
     usage
     exit 1
 fi
 
-# check if the built-in astyle meets the minimum requrements
-ASTYLE_FROM_OS_VER_OUTPUT=`astyle --version | grep "Artistic Style Version" | cut -d' ' -f4`
 
-ASTYLE=""
-ERROR_MESSAGE=""
-if [ ! -z "$ASTYLE_FROM_OS_VER_OUTPUT" ]; then
-    # astyle is installed, so check if it's version meets the minimum requirements
-    LOWEST_VERSION=`echo -e "$MIN_ASTYLE_VER\n$ASTYLE_FROM_OS_VER_OUTPUT" | sort -V | head -n1`
-    if [ "$MIN_ASTYLE_VER" = "$LOWEST_VERSION" ]; then
-        ASTYLE=astyle
-    else
+# check if the selected astyle meets the minimum requrements
+ASTYLE_VER_OUTPUT=`$ASTYLE --version 2>/dev/null | grep "Artistic Style Version" | cut -d' ' -f4`
+
+if [ ! -z "$ASTYLE_VER_OUTPUT" ]; then
+    # Check the version meets the minimum requirements
+    LOWEST_VERSION=`{ echo "$MIN_ASTYLE_VER" ; echo "$ASTYLE_VER_OUTPUT"; } | sort -V | head -n1`
+    if [ "$MIN_ASTYLE_VER" != "$LOWEST_VERSION" ]; then
         ERROR_MESSAGE="The version of astyle installed does not meet the minimum version requirement: >= $MIN_ASTYLE_VER "
     fi
-else
+elif [ "$ASTYLE" = astyle ]; then
     ERROR_MESSAGE="astyle is not installed on the system path"
-fi
-
-if [ -z "$ASTYLE" ]; then
-    # astyle from the os is invlid, fallback to the xrdp version if it is installed
-    if [ -x "$ASTYLE_FROM_XRDP" ]; then
-        ASTYLE="$ASTYLE_FROM_XRDP"
-        ERROR_MESSAGE=""
-    else
-        ERROR_MESSAGE="${ERROR_MESSAGE}\nastyle $MIN_ASTYLE_VER is not installed at the expected path: $ASTYLE_FROM_XRDP"
-    fi
+else
+    ERROR_MESSAGE="Can't find $ASTYLE"
 fi
 
 if [ ! -z "$ERROR_MESSAGE" ]; then
-    echo "$ERROR_MESSAGE"
+    echo "$ERROR_MESSAGE" >&2
     exit 1
 fi
 
 if [ ! -f "astyle_config.as" ]; then
-    echo "$0 must be run from the root xrdp repository directory which "
-    echo "contains the 'astyle_config.as' file."
+    echo "$0 must be run from the root xrdp repository directory which " >&2
+    echo "contains the 'astyle_config.as' file." >&2
     exit 2
 fi
 
@@ -72,3 +88,5 @@ ASTYLE_FLAGS="--options=astyle_config.as --exclude=third_party ./\*.c ./\*.h"
     echo "Command: $ASTYLE $ASTYLE_FLAGS"
     "$ASTYLE" $ASTYLE_FLAGS
 }
+
+exit $?

sesman/scp_process.c

@@ -323,21 +323,31 @@ process_logout_request(struct pre_session_item *psi)
 static int
 create_xrdp_socket_path(uid_t uid)
 {
+    // Owner all permissions, group read+execute
+#define RWX_PERMS 0x750
+
     int rv = 1;
     const char *sockdir_group = g_cfg->sec.session_sockdir_group;
     int gid = 0; // Default if no group specified
 
     char sockdir[XRDP_SOCKETS_MAXPATH];
     g_snprintf(sockdir, sizeof(sockdir), XRDP_SOCKET_PATH, (int)uid);
 
-    // Create directory permissions 0x750, if it doesn't exist already.
-    int old_umask = g_umask_hex(0x750 ^ 0x777);
+    // Create directory permissions RWX_PERMS, if it doesn't exist already
+    // (our os_calls layer doesn't allow us to set the SGID bit here)
+    int old_umask = g_umask_hex(RWX_PERMS ^ 0x777);
     if (!g_directory_exist(sockdir) && !g_create_dir(sockdir))
     {
         LOG(LOG_LEVEL_ERROR,
             "create_xrdp_socket_path: Can't create %s [%s]",
             sockdir, g_get_strerror());
     }
+    else if (g_chmod_hex(sockdir, RWX_PERMS | 0x2000) != 0)
+    {
+        LOG(LOG_LEVEL_ERROR,
+            "create_xrdp_socket_path: Can't set SGID bit on %s [%s]",
+            sockdir, g_get_strerror());
+    }
     else if (sockdir_group != NULL && sockdir_group[0] != '\0' &&
              g_getgroup_info(sockdir_group, &gid) != 0)
     {
@@ -358,6 +368,7 @@ create_xrdp_socket_path(uid_t uid)
     (void)g_umask_hex(old_umask);
 
     return rv;
+#undef RWX_PERMS
 }
 
 /******************************************************************************/

xrdp/xrdp.ini.in

@@ -35,7 +35,10 @@ tcp_nodelay=true
 ; if the network connection disappear without close messages the connection will be closed
 tcp_keepalive=true
 
-; set tcp send/recv buffer (for experts)
+; set tcp send/recv buffer
+; These parameters are largely historic. On systems with dynamic TCP
+; buffer sizes, setting them manually will either impact performance or
+; waste memory
 #tcp_send_buffer_bytes=32768
 #tcp_recv_buffer_bytes=32768