Use /var/dt/sdtlogin pipe, created by xorg server, to send user ids,
so that server could drop privileges.
--- lightdm-1.19.3/src/session-child.c.~8~ 2017-10-25 09:04:02.187093081 +0000
+++ lightdm-1.19.3/src/session-child.c 2017-10-25 09:09:14.198153389 +0000
@@ -216,6 +216,116 @@
g_free(save_dir);
}
+static void
+solaris_xserver_cred (const char *username, uid_t uid, gid_t gid, const char *home_dir,
+ const char *xdisplay)
+{
+ static FILE *fp;
+ struct stat statbuf;
+ gid_t groups[NGROUPS_UMAX];
+ char *tmp, *p, pipe[MAXPATHLEN], info[MAXPATHLEN];
+ int display_number = 0;
+ int fd, i;
+ int ngroups;
+
+ if (fp == NULL) { /* Open & setup fp on first access */
+ /*
+ * Handshake with server. Make sure it created a pipe.
+ * Open and write.
+ */
+ if ((tmp = strstr (xdisplay, ":")) != NULL) {
+ tmp++;
+ display_number = g_ascii_strtod (tmp, &p);
+
+ if (errno != 0) {
+ g_warning ("solaris_xserver_cred: problem"
+ " getting display number\n");
+ return;
+ }
+ }
+
+ if (stat (SDTLOGIN_DIR, &statbuf) == 0) {
+ if (! S_ISDIR(statbuf.st_mode)) {
+ g_warning ("solaris_xserver_cred: %s is not"
+ " a directory\n", SDTLOGIN_DIR);
+ return;
+ }
+ } else {
+ g_warning ("solaris_xserver_cred: %s: %s\n",
+ SDTLOGIN_DIR, g_strerror(errno));
+ return;
+ }
+
+ snprintf (pipe, sizeof(pipe), "%s/%d",
+ SDTLOGIN_DIR, display_number);
+ fd = open (pipe, O_RDWR | O_CLOEXEC | O_NOFOLLOW);
+
+ if (fd < 0) {
+ g_warning ("solaris_xserver_cred: could not open"
+ " %s: %s\n", pipe, g_strerror(errno));
+ return;
+ }
+ if (fstat (fd, &statbuf) == 0 ) {
+ if (! S_ISFIFO(statbuf.st_mode)) {
+ close (fd);
+ g_warning ("solaris_xserver_cred: %s is not"
+ " a pipe\n", pipe);
+ return;
+ }
+ } else {
+ close (fd);
+ g_warning ("solaris_xserver_cred: %s: %s\n",
+ pipe, g_strerror(errno));
+ return;
+ }
+ fp = fdopen (fd, "w");
+ if (fp == NULL) {
+ close (fd);
+ g_warning ("solaris_xserver_cred: could not fdopen"
+ " %s: %s\n", pipe, g_strerror(errno));
+ return;
+ }
+ }
+
+ snprintf (info, sizeof(info), "GID=\"%d\"; ", gid);
+ fputs (info, fp);
+ g_debug ("solaris_xserver_cred: %s\n", info);
+
+ if (initgroups (username, gid) == -1) {
+ ngroups = 0;
+ } else {
+ ngroups = getgroups (NGROUPS_UMAX, groups);
+ }
+
+ for (i=0; i < ngroups; i++) {
+ snprintf (info, sizeof(info), "G_LIST_ID=\"%u\" ", groups[i]);
+ fputs (info, fp);
+ g_debug ("solaris_xserver_cred: %s\n", info);
+ }
+
+ if (ngroups > 0) {
+ fputc (';', fp);
+ }
+
+ snprintf (info, sizeof(info), " HOME=\"%s\" ", home_dir);
+ fputs (info, fp);
+ g_debug ("solaris_xserver_cred: %s\n", info);
+
+ snprintf (info, sizeof(info), " UID=\"%d\" EOF=\"\";",
+ uid);
+ fputs (info, fp);
+ g_debug ("solaris_xserver_cred: %s\n", info);
+
+ /*
+ * Handshake with server. Make sure it read the pipe.
+ *
+ * Do not close file descriptor, but leave it open for further use.
+ */
+ fflush (fp);
+
+ return;
+}
+
static gchar *
read_string (void)
{
@@ -813,6 +813,13 @@ session_child_run (int argc, char **argv
uid_t uid = user_get_uid (user);
gid_t gid = user_get_gid (user);
const gchar *home_directory = user_get_home_directory (user);
+
+#ifdef __sun
+ if (xdisplay) { /* Should always be true */
+ solaris_xserver_cred (username, uid, gid, home_directory, xdisplay);
+ }
+#endif
+
child_pid = fork ();
if (child_pid == 0)
{
--- lightdm-1.19.3/common/configuration.h.1 2017-10-25 08:43:04.689998057 +0000
+++ lightdm-1.19.3/common/configuration.h 2017-10-25 08:44:56.582620720 +0000
@@ -12,6 +12,15 @@
#ifndef CONFIGURATION_H_
#define CONFIGURATION_H_
+/*
+ * Perhaps, it's not the best place for it, but it's the only common header
+ * of lightdm.c and sesion-child.c
+ */
+#ifdef __sun
+#define DT_DIR "/var/dt"
+#define SDTLOGIN_DIR "/var/dt/sdtlogin"
+#endif
+
#include <glib-object.h>
G_BEGIN_DECLS
--- lightdm-1.19.3/src/lightdm.c.~4~ 2017-10-25 09:12:24.672787804 +0000
+++ lightdm-1.19.3/src/lightdm.c 2017-10-25 11:05:49.884502470 +0000
@@ -16,6 +16,7 @@
#include <sys/stat.h>
#include <glib.h>
#include <glib/gi18n.h>
+#include <glib/gstdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
@@ -884,6 +884,23 @@
g_warning ("Failed to make cache directory %s: %s", dir, strerror (errno));
g_free (dir);
+#ifdef __sun
+ {
+ struct stat statbuf;
+ int r;
+
+ r = stat (DT_DIR, &statbuf);
+ if (r < 0) {
+ g_mkdir (DT_DIR, 0755);
+ }
+
+ r = stat (SDTLOGIN_DIR, &statbuf);
+ if (r < 0) {
+ g_mkdir (SDTLOGIN_DIR, 0700);
+ }
+ }
+#endif
+
log_init ();
/* Show queued messages once logging is complete */