Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancement: Deny local check if XRDP_SESSION is set #230

Merged
merged 4 commits into from
Jul 5, 2024
Merged

Enhancement: Deny local check if XRDP_SESSION is set #230

merged 4 commits into from
Jul 5, 2024

Conversation

mcdope
Copy link
Owner

@mcdope mcdope commented Jul 4, 2024
edited
Loading

This adds a check for XRDP_SESSION being set, if yes and deny_local is active: deny

See #202

@mcdope mcdope added the enhancement New feature or request label Jul 4, 2024
@mcdope mcdope added this to the 0.9.0 milestone Jul 4, 2024
@mcdope mcdope self-assigned this Jul 4, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 4, 2024
View reviewed changes
src/local.c Fixed Show fixed Hide fixed
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 4, 2024
View reviewed changes
src/local.c Fixed Show fixed Hide fixed
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 4, 2024
View reviewed changes
src/local.c Dismissed Show dismissed Hide dismissed
@mcdope
Copy link
Owner Author

mcdope commented Jul 5, 2024
edited
Loading

Funfact: XRDP properly setup utmp to tell about the session being remote :D So this is basically just a short-circuit / extra check to be sure.

Jul  5 19:25:35 pc-tobi-desktop pam_usb[105065]: #011#011loginctl considers this session to be remote: yes
Jul  5 19:25:35 pc-tobi-desktop pam_usb[105065]: #011Trying to get tty by loginctl
Jul  5 19:25:35 pc-tobi-desktop pam_usb[105065]: #011#011Got tty: pts/0
Jul  5 19:25:35 pc-tobi-desktop pam_usb[105065]: #011Retrying with tty pts/0, obtained by loginctl, for utmp search
Jul  5 19:25:35 pc-tobi-desktop pam_usb[105065]: #011#011utmp entry for tty "pts/0" found
Jul  5 19:25:35 pc-tobi-desktop pam_usb[105065]: #011#011#011utmp->ut_pid: 95835
Jul  5 19:25:35 pc-tobi-desktop pam_usb[105065]: #011#011#011utmp->ut_user: mcdope
Jul  5 19:25:35 pc-tobi-desktop pam_usb[105065]: Remote authentication request, host: 192.168.1.103, ip: 192.168.1.103
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: Authentication request for user "mcdope" (polkit-1)
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: Checking whether the caller (polkit-1) is local or not...
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: #011Checking pid 105097 (/usr/libexec/polkit-agent-helper-1)...
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: #011Checking pid  96479 (/usr/bin/gnome-shell)...
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: #011Checking pid  95838 (/lib/systemd/systemd)...
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: #011Checking pid      1 (/sbin/init)...
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: #011Trying to check for remote access by loginctl
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: #011#011loginctl considers this session to be remote: yes
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: #011Trying to get tty by loginctl
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: #011#011Got tty: pts/0
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: #011Retrying with tty pts/0, obtained by loginctl, for utmp search
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: #011#011utmp entry for tty "pts/0" found
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: #011#011#011utmp->ut_pid: 95835
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: #011#011#011utmp->ut_user: mcdope
Jul  5 19:25:36 pc-tobi-desktop pam_usb[105097]: Remote authentication request, host: 192.168.1.103, ip: 192.168.1.103```

@mcdope mcdope merged commit 8e09692 into master Jul 5, 2024
9 checks passed
@mcdope mcdope deleted the issue-202-deny-if-xrdp-session branch July 5, 2024 17:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@mcdope mcdope

Labels
enhancement New feature or request
Projects
None yet
Milestone
0.9.0
Development

Successfully merging this pull request may close these issues.
1 participant
@mcdope