From: stevesk <stevesk>
Date: Wed, 19 Dec 2001 17:58:01 +0000 (+0000)
Subject:  - (stevesk) OpenBSD CVS sync X11 localhost display
X-Git-Tag: V_3_1_P1~234
X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/commitdiff_plain/c9d0ad9bcc6ae98c544f29d84972c11745179078?ds=sidebyside

 - (stevesk) OpenBSD CVS sync X11 localhost display
   - stevesk@cvs.openbsd.org 2001/11/29 14:10:51
     [channels.h channels.c session.c]
     sshd X11 fake server will now listen on localhost by default:
     $ echo $DISPLAY
     localhost:12.0
     $ netstat -an|grep 6012
     tcp        0      0  127.0.0.1.6012         *.*                    LISTEN
     tcp6       0      0  ::1.6012               *.*                    LISTEN
     sshd_config gatewayports=yes can be used to revert back to the old
     behavior.  will control this with another option later.  ok markus@
   - stevesk@cvs.openbsd.org 2001/12/19 08:43:11
     [includes.h session.c]
     handle utsname.nodename case for FamilyLocal X authorization; ok markus@
---

diff --git a/ChangeLog b/ChangeLog
index 2f15e5ad..495cb943 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+20011219
+ - (stevesk) OpenBSD CVS sync X11 localhost display
+   - stevesk@cvs.openbsd.org 2001/11/29 14:10:51
+     [channels.h channels.c session.c]
+     sshd X11 fake server will now listen on localhost by default:
+     $ echo $DISPLAY
+     localhost:12.0
+     $ netstat -an|grep 6012
+     tcp        0      0  127.0.0.1.6012         *.*                    LISTEN
+     tcp6       0      0  ::1.6012               *.*                    LISTEN
+     sshd_config gatewayports=yes can be used to revert back to the old
+     behavior.  will control this with another option later.  ok markus@
+   - stevesk@cvs.openbsd.org 2001/12/19 08:43:11
+     [includes.h session.c]
+     handle utsname.nodename case for FamilyLocal X authorization; ok markus@
+	
 20011207
  - (bal) PCRE no longer required.  Banished from the source along with
    fake-regex.h
diff --git a/channels.c b/channels.c
index 694b7cc7..40a86dcc 100644
--- a/channels.c
+++ b/channels.c
@@ -2400,19 +2400,17 @@ channel_connect_to(const char *host, u_short port)
 
 /*
  * Creates an internet domain socket for listening for X11 connections.
- * Returns a suitable value for the DISPLAY variable, or NULL if an error
- * occurs.
+ * Returns a suitable display number for the DISPLAY variable, or -1 if
+ * an error occurs.
  */
-char *
-x11_create_display_inet(int screen_number, int x11_display_offset)
+int
+x11_create_display_inet(int x11_display_offset, int gateway_ports)
 {
 	int display_number, sock;
 	u_short port;
 	struct addrinfo hints, *ai, *aitop;
 	char strport[NI_MAXSERV];
 	int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
-	char display[512];
-	char hostname[MAXHOSTNAMELEN];
 
 	for (display_number = x11_display_offset;
 	     display_number < MAX_DISPLAYS;
@@ -2420,12 +2418,12 @@ x11_create_display_inet(int screen_number, int x11_display_offset)
 		port = 6000 + display_number;
 		memset(&hints, 0, sizeof(hints));
 		hints.ai_family = IPv4or6;
-		hints.ai_flags = AI_PASSIVE;		/* XXX loopback only ? */
+		hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
 		hints.ai_socktype = SOCK_STREAM;
 		snprintf(strport, sizeof strport, "%d", port);
 		if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
 			error("getaddrinfo: %.100s", gai_strerror(gaierr));
-			return NULL;
+			return -1;
 		}
 		for (ai = aitop; ai; ai = ai->ai_next) {
 			if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -2434,7 +2432,7 @@ x11_create_display_inet(int screen_number, int x11_display_offset)
 			if (sock < 0) {
 				if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) {
 					error("socket: %.100s", strerror(errno));
-					return NULL;
+					return -1;
 				} else {
 					debug("x11_create_display_inet: Socket family %d not supported",
 						 ai->ai_family);
@@ -2468,7 +2466,7 @@ x11_create_display_inet(int screen_number, int x11_display_offset)
 	}
 	if (display_number >= MAX_DISPLAYS) {
 		error("Failed to allocate internet-domain X11 display socket.");
-		return NULL;
+		return -1;
 	}
 	/* Start listening for connections on the socket. */
 	for (n = 0; n < num_socks; n++) {
@@ -2476,52 +2474,9 @@ x11_create_display_inet(int screen_number, int x11_display_offset)
 		if (listen(sock, 5) < 0) {
 			error("listen: %.100s", strerror(errno));
 			close(sock);
-			return NULL;
-		}
-	}
-
-	/* Set up a suitable value for the DISPLAY variable. */
-	if (gethostname(hostname, sizeof(hostname)) < 0)
-		fatal("gethostname: %.100s", strerror(errno));
-
-#ifdef IPADDR_IN_DISPLAY
-	/*
-	 * HPUX detects the local hostname in the DISPLAY variable and tries
-	 * to set up a shared memory connection to the server, which it
-	 * incorrectly supposes to be local.
-	 *
-	 * The workaround - as used in later $$H and other programs - is
-	 * is to set display to the host's IP address.
-	 */
-	{
-		struct hostent *he;
-		struct in_addr my_addr;
-
-		he = gethostbyname(hostname);
-		if (he == NULL) {
-			error("[X11-broken-fwd-hostname-workaround] Could not get "
-				"IP address for hostname %s.", hostname);
-
-			packet_send_debug("[X11-broken-fwd-hostname-workaround]"
-				"Could not get IP address for hostname %s.", hostname);
-
-			shutdown(sock, SHUT_RDWR);
-			close(sock);
-
-			return NULL;
+			return -1;
 		}
-
-		memcpy(&my_addr, he->h_addr_list[0], sizeof(struct in_addr));
-
-		/* Set DISPLAY to <ip address>:screen.display */
-		snprintf(display, sizeof(display), "%.50s:%d.%d", inet_ntoa(my_addr),
-			 display_number, screen_number);
 	}
-#else /* IPADDR_IN_DISPLAY */
-	/* Just set DISPLAY to hostname:screen.display */
-	snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
-		 display_number, screen_number);
-#endif /* IPADDR_IN_DISPLAY */
 
 	/* Allocate a channel for each socket. */
 	for (n = 0; n < num_socks; n++) {
@@ -2532,8 +2487,8 @@ x11_create_display_inet(int screen_number, int x11_display_offset)
 		    0, xstrdup("X11 inet listener"), 1);
 	}
 
-	/* Return a suitable value for the DISPLAY environment variable. */
-	return xstrdup(display);
+	/* Return the display number for the DISPLAY environment variable. */
+	return display_number;
 }
 
 #ifndef X_UNIX_PATH
diff --git a/channels.h b/channels.h
index f58c7283..840268fc 100644
--- a/channels.h
+++ b/channels.h
@@ -32,7 +32,7 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-/* RCSID("$OpenBSD: channels.h,v 1.52 2001/11/29 19:06:39 stevesk Exp $"); */
+/* RCSID("$OpenBSD: channels.h,v 1.53 2001/11/29 21:10:51 stevesk Exp $"); */
 
 #ifndef CHANNEL_H
 #define CHANNEL_H
@@ -197,7 +197,7 @@ channel_request_forwarding(const char *, u_short, const char *, u_short, int,
 /* x11 forwarding */
 
 int	 x11_connect_display(void);
-char	*x11_create_display_inet(int, int);
+int	 x11_create_display_inet(int, int);
 void     x11_input_open(int, int, void *);
 void     x11_request_forwarding(void);
 void	 x11_request_forwarding_with_spoofing(int, const char *, const char *);
diff --git a/includes.h b/includes.h
index f9cf9c73..96366cb5 100644
--- a/includes.h
+++ b/includes.h
@@ -28,6 +28,7 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
 #include <sys/ioctl.h>
 #include <sys/wait.h>
 #include <sys/resource.h>
+#include <sys/utsname.h>
 
 #include <netinet/tcp.h>
 #include <arpa/inet.h>
diff --git a/session.c b/session.c
index 1d7291e6..cc3fb044 100644
--- a/session.c
+++ b/session.c
@@ -108,8 +108,10 @@ struct Session {
 	int	row, col, xpixel, ypixel;
 	char	tty[TTYSZ];
 	/* X11 */
+	int	display_number;
 	char	*display;
 	int	screen;
+	char	*auth_display[2];
 	char	*auth_proto;
 	char	*auth_data;
 	int	single_connection;
@@ -1418,32 +1420,28 @@ do_child(Session *s, const char *command)
 				    _PATH_SSH_SYSTEM_RC);
 		} else if (do_xauth && options.xauth_location != NULL) {
 			/* Add authority data to .Xauthority if appropriate. */
-			char *screen = strchr(s->display, ':');
-
 			if (debug_flag) {
 				fprintf(stderr,
 				    "Running %.100s add "
 				    "%.100s %.100s %.100s\n",
-				    options.xauth_location, s->display,
+				    options.xauth_location, s->auth_display[0],
 				    s->auth_proto, s->auth_data);
-				if (screen != NULL)
+				if (s->auth_display[1])
 					fprintf(stderr,
-					    "Adding %.*s/unix%s %s %s\n",
-					    (int)(screen - s->display),
-					    s->display, screen,
+					    "add %.100s %.100s %.100s\n",
+					    s->auth_display[1],
 					    s->auth_proto, s->auth_data);
 			}
 			snprintf(cmd, sizeof cmd, "%s -q -",
 			    options.xauth_location);
 			f = popen(cmd, "w");
 			if (f) {
-				fprintf(f, "add %s %s %s\n", s->display,
-				    s->auth_proto, s->auth_data);
-				if (screen != NULL)
-					fprintf(f, "add %.*s/unix%s %s %s\n",
-					    (int)(screen - s->display),
-					    s->display, screen,
-					    s->auth_proto,
+				fprintf(f, "add %s %s %s\n",
+				    s->auth_display[0], s->auth_proto,
+				    s->auth_data);
+				if (s->auth_display[1])
+					fprintf(f, "add %s %s %s\n",
+					    s->auth_display[1], s->auth_proto,
 					    s->auth_data);
 				pclose(f);
 			} else {
@@ -1943,6 +1941,10 @@ session_close(Session *s)
 		xfree(s->term);
 	if (s->display)
 		xfree(s->display);
+	if (s->auth_display[0])
+		xfree(s->auth_display[0]);
+	if (s->auth_display[1])
+		xfree(s->auth_display[1]);
 	if (s->auth_data)
 		xfree(s->auth_data);
 	if (s->auth_proto)
@@ -2038,6 +2040,8 @@ int
 session_setup_x11fwd(Session *s)
 {
 	struct stat st;
+	char display[512], auth_display[512];
+	char hostname[MAXHOSTNAMELEN];
 
 	if (no_x11_forwarding_flag) {
 		packet_send_debug("X11 forwarding disabled in user configuration file.");
@@ -2061,11 +2065,68 @@ session_setup_x11fwd(Session *s)
 		debug("X11 display already set.");
 		return 0;
 	}
-	s->display = x11_create_display_inet(s->screen, options.x11_display_offset);
-	if (s->display == NULL) {
+	s->display_number = x11_create_display_inet(options.x11_display_offset,
+	    options.gateway_ports);
+	if (s->display_number == -1) {
 		debug("x11_create_display_inet failed.");
 		return 0;
 	}
+
+	/* Set up a suitable value for the DISPLAY variable. */
+	if (gethostname(hostname, sizeof(hostname)) < 0)
+		fatal("gethostname: %.100s", strerror(errno));
+	/*
+	 * auth_display must be used as the displayname when the
+	 * authorization entry is added with xauth(1).  This will be
+	 * different than the DISPLAY string for localhost displays.
+	 */
+	s->auth_display[1] = NULL;
+	if (!options.gateway_ports) {
+		struct utsname uts;
+
+		snprintf(display, sizeof display, "localhost:%d.%d",
+		    s->display_number, s->screen);
+		snprintf(auth_display, sizeof auth_display, "%.400s/unix:%d.%d",
+		    hostname, s->display_number, s->screen);
+		s->display = xstrdup(display);
+		s->auth_display[0] = xstrdup(auth_display);
+		/*
+		 * Xlib may use gethostbyname() or uname() hostname to
+		 * look up authorization data for FamilyLocal; see:
+		 * xc/lib/xtrans/Xtrans.c:TRANS(GetHostname)
+		 * We just add authorization entries with both
+		 * hostname and nodename if they are different.
+		 */
+		if (uname(&uts) == -1)
+			fatal("uname: %.100s", strerror(errno));
+		if (strcmp(hostname, uts.nodename) != 0) {
+			snprintf(auth_display, sizeof auth_display,
+			    "%.400s/unix:%d.%d", uts.nodename,
+			    s->display_number, s->screen);
+			s->auth_display[1] = xstrdup(auth_display);
+		}
+	} else {
+#ifdef IPADDR_IN_DISPLAY
+		struct hostent *he;
+		struct in_addr my_addr;
+
+		he = gethostbyname(hostname);
+		if (he == NULL) {
+			error("Can't get IP address for X11 DISPLAY.");
+			packet_send_debug("Can't get IP address for X11 DISPLAY.");
+			return 0;
+		}
+		memcpy(&my_addr, he->h_addr_list[0], sizeof(struct in_addr));
+		snprintf(display, sizeof display, "%.50s:%d.%d", inet_ntoa(my_addr),
+		    s->display_number, s->screen);
+#else
+		snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
+		    s->display_number, s->screen);
+#endif
+		s->display = xstrdup(display);
+		s->auth_display[0] = xstrdup(display);
+	}
+
 	return 1;
 }