previously, users could create sessions under wrong uids or delete sessions from other users. This patch implements prevents this by checking the userid of the caller with the session id. --- x2goserver/lib/x2gosqlitewrapper.pl | 23 ++++++++++++++++++++--- 1 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/x2goserver/lib/x2gosqlitewrapper.pl b/x2goserver/lib/x2gosqlitewrapper.pl index 70ee4e5..8483f32 100755 --- a/x2goserver/lib/x2gosqlitewrapper.pl +++ b/x2goserver/lib/x2gosqlitewrapper.pl @@ -25,14 +25,14 @@ use strict; use DBI; use POSIX; -# retrieve home dir of x2gouser +# retrieve home dir of x2gouser my $x2gouser='x2gouser'; my ($uname, $pass, $uid, $pgid, $quota, $comment, $gcos, $homedir, $shell, $expire) = getpwnam($x2gouser); my $dbfile="$homedir/x2go_sessions"; # retrieve account data of real user my $realuser=$<; -my ($uname, $pass, $uid, $pgid, $quota, $comment, $gcos, $homedir, $shell, $expire) = getpwnam($realuser); +my ($uname, $pass, $uid, $pgid, $quota, $comment, $gcos, $homedir, $shell, $expire) = getpwuid($realuser); my $dbh=DBI->connect("dbi:SQLite:dbname=$dbfile","","",{AutoCommit => 1}) or die $_; @@ -81,6 +81,7 @@ elsif($cmd eq "listsessionsroot_all") elsif($cmd eq "getmounts") { my $sid=shift or die "argument \"session_id\" missed"; + check_user($sid); my @strings; my $sth=$dbh->prepare("select client, path from mounts where session_id=?"); $sth->execute($sid)or die; @@ -91,6 +92,7 @@ elsif($cmd eq "deletemount") { my $sid=shift or die "argument \"session_id\" missed"; my $path=shift or die "argument \"path\" missed"; + check_user($sid); my $sth=$dbh->prepare("delete from mounts where session_id=? and path=?"); $sth->execute($sid, $path); $sth->finish(); @@ -101,6 +103,7 @@ elsif($cmd eq "insertmount") my $sid=shift or die "argument \"session_id\" missed"; my $path=shift or die "argument \"path\" missed"; my $client=shift or die "argument \"client\" missed"; + check_user($sid); my $sth=$dbh->prepare("insert into mounts (session_id,path,client) values (?, ?, ?)"); $sth->execute($sid, $path, $client); if(!$sth->err()) @@ -115,6 +118,7 @@ elsif($cmd eq "insertsession") my $display=shift or die "argument \"display\" missed"; my $server=shift or die "argument \"server\" missed"; my $sid=shift or die "argument \"session_id\" missed"; + check_user($sid); my $sth=$dbh->prepare("insert into sessions (display,server,uname,session_id, init_time, last_time) values (?, ?, ?, ?, datetime('now','localtime'), datetime('now','localtime'))"); $sth->execute($display, $server, $realuser, $sid) or die $_; @@ -131,6 +135,7 @@ elsif($cmd eq "createsession") my $snd_port=shift or die"argument \"snd_port\" missed"; my $fs_port=shift or die"argument \"fs_port\" missed"; my $sid=shift or die "argument \"session_id\" missed"; + check_user($sid); my $sth=$dbh->prepare("update sessions set status='R',last_time=datetime('now','localtime'),cookie=?,agent_pid=?, client=?,gr_port=?,sound_port=?,fs_port=? where session_id=? and uname=?"); $sth->execute($cookie, $pid, $client, $gr_port, $snd_port, $fs_port, $sid, $realuser)or die; @@ -144,6 +149,7 @@ elsif($cmd eq "insertport") my $sid=shift or die "argument \"session_id\" missed"; my $sshport=shift or die "argument \"port\" missed"; my $sth=$dbh->prepare("insert into used_ports (server,session_id,port) values (?, ?, ?)"); + check_user($sid); $sth->execute($server, $sid, $sshport) or die; $sth->finish(); } @@ -152,6 +158,7 @@ elsif($cmd eq "resume") { my $client=shift or die "argument \"client\" missed"; my $sid=shift or die "argument \"session_id\" missed"; + check_user($sid); my $sth=$dbh->prepare("update sessions set last_time=datetime('now','localtime'),status='R', client=? where session_id = ? and uname=?"); $sth->execute($client, $sid, $realuser) or die; @@ -162,6 +169,7 @@ elsif($cmd eq "changestatus") { my $status=shift or die "argument \"status\" missed"; my $sid=shift or die "argument \"session_id\" missed"; + check_user($sid); my $sth=$dbh->prepare("update sessions set last_time=datetime('now','localtime'), status=? where session_id = ? and uname=?"); $sth->execute($status, $sid, $realuser)or die; @@ -170,7 +178,6 @@ elsif($cmd eq "changestatus") elsif($cmd eq "getdisplays") { - #ignore $server my @strings; my $sth=$dbh->prepare("select display from sessions"); @@ -222,6 +229,7 @@ elsif($cmd eq "getagent") { my $sid=shift or die "argument \"session_id\" missed"; my $agent; + check_user($sid); my $sth=$dbh->prepare("select agent_pid from sessions where session_id=?"); $sth->execute($sid)or die; @@ -239,6 +247,7 @@ elsif($cmd eq "getdisplay") { my $sid=shift or die "argument \"session_id\" missed"; my $display; + check_user($sid); my $sth=$dbh->prepare("select display from sessions where session_id =?"); $sth->execute($sid)or die; @@ -296,6 +305,14 @@ sub checkroot } } +sub check_user +{ + my $sid=shift or die "argument \"session_id\" missed"; + # session id looks like someuser-51-1304005895_stDgnome-session_dp24 + my ( $user, $rest ) = split('-', $sid, 2); + $user eq $uname or die "$uname is not authorized (should be $user)"; +} + sub fetchrow_printall_array { # print all arrays separated by the pipe symbol -- 1.7.4.1 _______________________________________________ X2go-Dev mailing list X2go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev