[Pkg-ltsp-devel] #469462: X access wide open on LTSP clients
vagrant at freegeek.org
Mon Mar 17 19:21:48 UTC 2008
On Mon, Mar 17, 2008 at 06:05:13PM +0100, Nico Golde wrote:
> * vagrant at freegeek.org <vagrant at freegeek.org> [2008-03-17 17:50]:
> > does testing-security accept debian-maintainer uploads, or will i have
> > to find a sponsor?
>
> You can directly upload. A member of the security team needs
> to approve the upload then which I will do.

ok.

> > and just the minimal patch to actually fix the bug, correct? not the
> > patch to get it working with ltsp?
> How many lines of code would the difference be? I'm in favour of only the bugfix
> but if the changes are not that big I'll approve the second option as well.

it's 76 lines of fairly simple shell scripting (attached) that has been
in unstable's ldm since february 24th, 2008 without reports of problems,
and was previously in ltsp since 2005, with a few significant changes to
the code in 2007.

in short, it's been in debian for a couple years, but relocated from one
source package to another. the recent unstable to testing migration
issues (buildd's and other package dependencies) have caused issues so
that ltsp has transitioned before ldm.

without it, the most common use of ldm, installed in an ltsp
environment, doesn't work without manual configuration.

with all that said, it is possible for an admin to manually install the
script, and when ldm finally does migrate to testing the new version
should kick in.

actually, now that i look at it, it will also require not installing
some scripts to avoid a conflict with ltspfs, as there was a similar
issue with scripts formerly in ldm being moved to the ltspfs package...
no code changes needed, just a change to debian/ldm.install:

--- debian/ldm.install.orig 2008-03-17 14:57:46.000000000 -0400
+++ debian/ldm.install 2008-03-17 14:57:56.000000000 -0400
@@ -1,6 +1,4 @@
src/ldm usr/sbin
share/ldm-script usr/share/ldm
-scripts/S05-set-ltspfs_token usr/share/ldm/rc.d
-scripts/S10-delayed-mounter usr/share/ldm/rc.d
gtkgreet/ldmgtkgreet usr/bin
themes/ltsp/ usr/share/ldm/themes/
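
Review bot: The two removed lines (scripts/S05-set-ltspfs_token and scripts/S10-delayed-mounter) stop ldm from shipping those files under usr/share/ldm/rc.d, but nothing in this hunk records which package now owns them. Dropping the entries from debian/ldm.install only avoids the file conflict for fresh builds of ldm; it would help to state in the changelog entry for this upload that the scripts moved to ltspfs, and to confirm that the package relationships in debian/control cover a system that still has the older ldm installed alongside ltspfs, since that is not visible from this change alone.
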
so that's 3 proposed patches:

* the security bugfix
* patching to not conflict with ltspfs
* adding the attached script as /usr/lib/ltsp/screen.d/ldm

the security patch will actually need changes to the upstream source;
i'm most familiar with using dpatch.

let me know which to include, and i can prepare and test an upload.

thanks for your work on this!

live well,
  vagrant
-------------- next part --------------
#!/bin/sh
# Depend on the ldm package
#
# Copyright 2005, Canonical Ltd.
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation; either version 2, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License with your
# Debian GNU system, in /usr/share/common-licenses/GPL. If not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
#

#
# Load ltsp config defaults
#

if [ -f /usr/share/ltsp/ltsp_config ]; then
    . /usr/share/ltsp/ltsp_config
else
    # backwards compatibility with older ltsp versions
    . /usr/lib/ltsp/ltsp_config
fi

#
# Compute tty and displaynum
#

TTY=$(tty)
TTYNUM=${TTY#/dev/tty}
DISPLAYNUM=$((${TTYNUM} - 1))

#
# limit ram percentage.  By default, behaviour is no limit.
# Use this to stop firefox crashing sites with pathologically large images,
# etc.
#

X_RAMPERC=${X_RAMPERC:-100}

if [ "${X_RAMPERC}" -lt 100 ]; then
    XMEM=0
    # Sum free RAM and free swap (both reported in kB by /proc/meminfo)
    while read -r TYPE VALUE UNITS; do
        case ${TYPE} in
            MemFree:|SwapFree:)
                XMEM=$((${XMEM} + ${VALUE}))
                ;;
        esac
    done < /proc/meminfo
    XMEM=$((${XMEM} * ${X_RAMPERC} / 100))
    ulimit -m "${XMEM}"
fi

while :; do
    #
    # Server scalability.  If there exists a /usr/share/ltsp/get_hosts file, then
    # use it to populate the LDM_SERVER environment variable.
    #

    if [ -z "${LDM_SERVER}" ]; then
        if [ -x /usr/share/ltsp/get_hosts ]; then
            LDM_SERVER=$(/usr/share/ltsp/get_hosts)
        else
            LDM_SERVER=${SERVER}
        fi
    fi

    export LDM_SERVER

    #
    # Loop through each of the hosts, and get their ldminfo
    #

    if [ -n "${LDM_SERVER}" ]; then
        test ! -d /var/run/ldm && mkdir -p /var/run/ldm
        # LDM_SERVER is a space-separated list, so it is left unquoted here
        for SRV in $LDM_SERVER ; do
            nc -w 5 "$SRV" 9571 > "/var/run/ldm/$SRV"
            # Write server to /etc/hosts so reverse DNS lookup is not necessary
            if ! grep -q "$SRV" /etc/hosts ; then
                echo "$SRV server-$SRV" >> /etc/hosts
            fi
        done
    fi

    ldm "vt${TTYNUM}" ":${DISPLAYNUM}"

    # Clean up from some buggy video drivers that need two kills
    XPROC=$(pgrep -f ":${DISPLAYNUM}")
    while [ -n "${XPROC}" ]; do
        # XPROC may hold several PIDs, so it is left unquoted here
        kill $XPROC
        sleep 1
        XPROC=$(pgrep -f ":${DISPLAYNUM}")
    done
    rm -f /root/.Xauthority
    rm -f "/tmp/.X11-unix/X${DISPLAYNUM}"
    rm -f "/tmp/.X${DISPLAYNUM}-lock"
done