--- gdm-2.30.1/common/gdm-common.h-orig 2009-03-30 14:58:43.821340000 -0500 +++ gdm-2.30.1/common/gdm-common.h 2009-03-30 14:58:03.958286000 -0500 @@ -52,6 +52,8 @@ gboolean gdm_string_hex_decode int insert_at); char *gdm_generate_random_bytes (gsize size, GError **error); +char *gdm_read_default (gchar *key); + G_END_DECLS --- gdm-2.30.1/common/gdm-common.c-orig 2009-03-30 14:59:24.837987000 -0500 +++ gdm-2.30.1/common/gdm-common.c 2009-03-30 15:00:41.625204000 -0500 @@ -27,6 +27,7 @@ #include #include #include +#include #include #include @@ -470,3 +471,27 @@ gdm_generate_random_bytes (gsize size close (fd); return bytes; } + +/* + * gdm_read_default + * + * This function is used to support systems that have the /etc/default/login + * interface to control programs that affect security. This is a Solaris + * thing, though some users on other systems may find it useful. + */ +gchar * +gdm_read_default (gchar *key) +{ + gchar *retval = NULL; + + if (defopen ("/etc/default/login") == 0) { + int flags = defcntl (DC_GETFLAGS, 0); + + TURNOFF (flags, DC_CASE); + (void) defcntl (DC_SETFLAGS, flags); /* ignore case */ + retval = g_strdup (defread (key)); + (void) defopen ((char *)NULL); + } + return retval; +} + --- gdm-2.30.1/daemon/gdm-session-direct.c-orig 2010-04-26 14:52:23.950164465 -0500 +++ gdm-2.30.1/daemon/gdm-session-direct.c 2010-04-26 14:52:49.618142348 -0500 @@ -2118,6 +2118,8 @@ gdm_session_direct_set_environment_varia static void setup_session_environment (GdmSessionDirect *session) { + struct passwd *passwd_entry; + char *path_str = NULL; char *windowpath; gdm_session_direct_set_environment_variable (session, @@ -2158,15 +2160,20 @@ setup_session_environment (GdmSessionDir windowpath); } + passwd_entry = getpwnam (session->priv->selected_user); + if (passwd_entry != NULL && passwd_entry->pw_uid == 0) + path_str = gdm_read_default ("SUPATH="); + + if (path_str == NULL) + path_str = gdm_read_default ("PATH="); + + if (path_str == NULL) + path_str = GDM_SESSION_DEFAULT_PATH; + /* FIXME: We do this here and in the session worker. We should consolidate * somehow. */ - gdm_session_direct_set_environment_variable (session, - "PATH", - strcmp (BINDIR, "/usr/bin") == 0? - GDM_SESSION_DEFAULT_PATH : - BINDIR ":" GDM_SESSION_DEFAULT_PATH); - + gdm_session_direct_set_environment_variable (session, "PATH", path_str); } static void --- gdm-2.30.1/daemon/gdm-session-worker.c-orig 2010-04-26 14:52:34.008619408 -0500 +++ gdm-2.30.1/daemon/gdm-session-worker.c 2010-04-26 14:52:49.616650736 -0500 @@ -1443,9 +1443,28 @@ gdm_session_worker_authorize_user (GdmSe { int error_code; int authentication_flags; + char *consoleonly; g_debug ("GdmSessionWorker: determining if authenticated user is authorized to session"); + consoleonly = gdm_read_default ("CONSOLE="); + + if ((consoleonly != NULL) && + (strcmp (consoleonly, "/dev/console") == 0)) { + + if (worker->priv->hostname != NULL && worker->priv->hostname[0] != '\0') { + struct passwd *passwd_entry; + + passwd_entry = getpwnam (worker->priv->username); + if (passwd_entry->pw_uid == 0) { + error_code = PAM_PERM_DENIED; + + g_debug ("The system administrator is not allowed to log in remotely"); + goto out; + } + } + } + authentication_flags = 0; if (password_is_required) { @@ -1648,6 +1667,7 @@ gdm_session_worker_accredit_user (GdmSes gid_t gid; char *shell; char *home; + char *path_str; int error_code; ret = FALSE; @@ -1687,17 +1707,17 @@ gdm_session_worker_accredit_user (GdmSes home, shell); - /* Let's give the user a default PATH if he doesn't already have one - */ - if (!gdm_session_worker_environment_variable_is_set (worker, "PATH")) { - if (strcmp (BINDIR, "/usr/bin") == 0) { - gdm_session_worker_set_environment_variable (worker, "PATH", - GDM_SESSION_DEFAULT_PATH); - } else { - gdm_session_worker_set_environment_variable (worker, "PATH", - BINDIR ":" GDM_SESSION_DEFAULT_PATH); - } - } + path_str = NULL; + if (uid == 0) + path_str = gdm_read_default ("SUPATH="); + + if (path_str == NULL) + path_str = gdm_read_default ("PATH="); + + if (path_str == NULL) + path_str = GDM_SESSION_DEFAULT_PATH; + + gdm_session_worker_set_environment_variable (worker, "PATH", path_str); if (! _change_user (worker, uid, gid)) { g_debug ("GdmSessionWorker: Unable to change to user"); @@ -2315,6 +2335,14 @@ do_setup (GdmSessionWorker *worker) { GError *error; gboolean res; + char *passreq; + + passreq = gdm_read_default ("PASSREQ="); + + if ((passreq != NULL) && g_ascii_strcasecmp (passreq, "YES") == 0) + worker->priv->password_is_required = TRUE; + else + worker->priv->password_is_required = FALSE; worker->priv->user_settings = gdm_session_settings_new ();