|
1 Bug 15284497 SUNBT6317441 Allow admins to remove user-configurability from |
|
2 screensaver |
|
3 |
|
4 - Upstream rejected as "I will never implement that, because it's stupid and |
|
5 unenforcible." Unfortunately, we're stuck with Common Criteria requirements, |
|
6 which do not allow for common sense. |
|
7 |
|
8 Bug 15779180 SUNBT7154101 Not able to unlock screen after xlock after su to a |
|
9 role |
|
10 |
|
11 - specific to Solaris RBAC |
|
12 |
|
13 --- |
|
14 driver/Makefile.in | 2 +- |
|
15 driver/demo-Gtk.c | 95 +++++++++++++++++++++++++++++++++++---- |
|
16 driver/lock-Gtk.c | 5 ++- |
|
17 driver/prefs.c | 37 +++++++++++++++ |
|
18 driver/subprocs.c | 24 ++++++++++ |
|
19 driver/types.h | 3 ++ |
|
20 driver/xscreensaver-demo.glade2 | 2 +- |
|
21 driver/xscreensaver.c | 36 +++++++++++++-- |
|
22 driver/xscreensaver.h | 2 + |
|
23 9 files changed, 192 insertions(+), 14 deletions(-) |
|
24 |
|
25 diff --git a/driver/Makefile.in b/driver/Makefile.in |
|
26 --- a/driver/Makefile.in |
|
27 +++ b/driver/Makefile.in |
|
28 @@ -802,7 +802,7 @@ XScreenSaver_Xm_ad.h: XScreenSaver-Xm.ad |
|
29 # |
|
30 xscreensaver: $(SAVER_OBJS) |
|
31 $(CC) $(LDFLAGS) -o $@ $(SAVER_OBJS) $(SAVER_LIBS) \ |
|
32 - -lgconf-2 -lgobject-2.0 |
|
33 + -lgconf-2 -lgobject-2.0 -lglib-2.0 |
|
34 |
|
35 xscreensaver-command: $(CMD_OBJS) |
|
36 $(CC) $(LDFLAGS) -o $@ $(CMD_OBJS) $(CMD_LIBS) |
|
37 diff --git a/driver/demo-Gtk.c b/driver/demo-Gtk.c |
|
38 --- a/driver/demo-Gtk.c |
|
39 +++ b/driver/demo-Gtk.c |
|
40 @@ -136,6 +136,7 @@ |
|
41 #include <stdio.h> |
|
42 #include <string.h> |
|
43 #include <ctype.h> |
|
44 +#include <user_attr.h> |
|
45 |
|
46 #ifdef HAVE_GTK2 |
|
47 enum { |
|
48 @@ -687,6 +688,7 @@ run_cmd (state *s, Atom command, int arg) |
|
49 char *err = 0; |
|
50 int status; |
|
51 |
|
52 + #if 0 |
|
53 if (getuid () == 0) |
|
54 { |
|
55 char buf [255]; |
|
56 @@ -694,6 +696,7 @@ run_cmd (state *s, Atom command, int arg) |
|
57 warning_dialog (s->toplevel_widget, buf, False, 100); |
|
58 return; |
|
59 } |
|
60 + #endif |
|
61 |
|
62 flush_dialog_changes_and_save (s); |
|
63 status = xscreensaver_command (GDK_DISPLAY(), command, arg, False, &err); |
|
64 @@ -1691,9 +1694,10 @@ flush_dialog_changes_and_save (state *s) |
|
65 # undef COPY |
|
66 |
|
67 # define COPYSTR(FIELD,NAME) \ |
|
68 - if (!p->FIELD || \ |
|
69 + if ((p->FIELD != p2->FIELD) && \ |
|
70 + (!p->FIELD || \ |
|
71 !p2->FIELD || \ |
|
72 - strcmp(p->FIELD, p2->FIELD)) \ |
|
73 + strcmp(p->FIELD, p2->FIELD))) \ |
|
74 { \ |
|
75 changed = True; \ |
|
76 if (s->debug_p) \ |
|
77 @@ -2754,6 +2758,79 @@ update_list_sensitivity (state *s) |
|
78 #endif /* !HAVE_GTK2 */ |
|
79 } |
|
80 |
|
81 +# define SENSITIZE(NAME,SENSITIVEP) \ |
|
82 + gtk_widget_set_sensitive (name_to_widget (s, (NAME)), (SENSITIVEP)) |
|
83 + |
|
84 +#define HIDEWIDGET(NAME) \ |
|
85 + gtk_widget_hide (name_to_widget (s, (NAME))) |
|
86 + |
|
87 +static void |
|
88 +customized_lock(state *s) |
|
89 +{ |
|
90 + char *idletime = NULL; |
|
91 + int timeout = 0; |
|
92 + char *idlecmd = NULL; |
|
93 + |
|
94 + if (getenv("TRUSTED_SESSION")) /* trusted_lock */ |
|
95 + { |
|
96 + HIDEWIDGET("doc_menu"); |
|
97 + SENSITIZE("restart", 0); |
|
98 + SENSITIZE("kill_menu", 0); |
|
99 + timeout = 15 ; /* if IDLECMD is missing in security policy file default timeout is 15 min*/ |
|
100 + } |
|
101 + |
|
102 + if (((idletime = getuserattruid(getuid(), |
|
103 + USERATTR_IDLETIME_KW, NULL, NULL)) != NULL) && |
|
104 + ((timeout = atoi(idletime)) != 0) || timeout) |
|
105 + { |
|
106 + |
|
107 + GtkWidget *timeout_spinbutton = name_to_widget(s, "timeout_spinbutton"); |
|
108 + GtkAdjustment *adj = gtk_spin_button_get_adjustment((GtkSpinButton *) timeout_spinbutton); |
|
109 + SET_ADJ_UPPER(adj, (gdouble) timeout); |
|
110 + if (GET_ADJ_VALUE(adj) > (gdouble) timeout) |
|
111 + SET_ADJ_VALUE(adj, (gdouble) timeout); |
|
112 + gtk_spin_button_set_adjustment((GtkSpinButton *) timeout_spinbutton, adj); |
|
113 + |
|
114 + /* enforce timeout with idlecmd */ |
|
115 + if ((idlecmd = getuserattruid(getuid(), |
|
116 + USERATTR_IDLECMD_KW, NULL, NULL)) == NULL) |
|
117 + idlecmd = strdup(USERATTR_IDLECMD_LOCK_KW); |
|
118 + |
|
119 + if (!idletime && getenv("TRUSTED_SESSION")) |
|
120 + { |
|
121 + idlecmd = strdup(USERATTR_IDLECMD_LOGOUT_KW); |
|
122 + } |
|
123 + |
|
124 + if (idlecmd && strcasecmp(idlecmd, USERATTR_IDLECMD_LOGOUT_KW) == 0) |
|
125 + { |
|
126 + gtk_label_set_text_with_mnemonic(name_to_widget(s, "timeout_label"), "_Logout After"); |
|
127 + |
|
128 + HIDEWIDGET("cycle_label"); |
|
129 + HIDEWIDGET("cycle_spinbutton"); |
|
130 + HIDEWIDGET("cycle_mlabel"); |
|
131 + |
|
132 + HIDEWIDGET("pwd_spinbutton"); |
|
133 + HIDEWIDGET("pwd_button"); |
|
134 + HIDEWIDGET("pwd_mlabel"); |
|
135 + HIDEWIDGET("pwd_button_eventbox"); |
|
136 + |
|
137 + } |
|
138 + else |
|
139 + { |
|
140 + gtk_label_set_text_with_mnemonic(name_to_widget(s, "timeout_label"), "_Lock Screen After"); |
|
141 + } |
|
142 + SENSITIZE("lock_spinbutton", 0); |
|
143 + SENSITIZE("lock_mlabel", 0); |
|
144 + SENSITIZE("lock_button", 0); |
|
145 + |
|
146 + HIDEWIDGET("lock_spinbutton"); |
|
147 + HIDEWIDGET("lock_mlabel"); |
|
148 + HIDEWIDGET("lock_button"); |
|
149 + HIDEWIDGET("lock_button_eventbox"); |
|
150 + } |
|
151 + free(idletime); /* free works on a NULL value */ |
|
152 + free(idlecmd); /* when you're all with idlecmd */ |
|
153 +} |
|
154 |
|
155 static void |
|
156 populate_prefs_page (state *s) |
|
157 @@ -2910,10 +2987,6 @@ populate_prefs_page (state *s) |
|
158 } |
|
159 #endif /* HAVE_DPMS_EXTENSION */ |
|
160 |
|
161 - |
|
162 -# define SENSITIZE(NAME,SENSITIVEP) \ |
|
163 - gtk_widget_set_sensitive (name_to_widget (s, (NAME)), (SENSITIVEP)) |
|
164 - |
|
165 /* Blanking and Locking |
|
166 */ |
|
167 /* bugid 5077081 */ |
|
168 @@ -2953,10 +3026,13 @@ dpms_supported=1; |
|
169 SENSITIZE ("fade_spinbutton", (fading_possible && |
|
170 (p->fade_p || p->unfade_p))); |
|
171 |
|
172 -# undef SENSITIZE |
|
173 + customized_lock(s); |
|
174 + |
|
175 } |
|
176 } |
|
177 |
|
178 +# undef SENSITIZE |
|
179 +# undef HIDEWIDGET |
|
180 |
|
181 static void |
|
182 populate_popup_window (state *s) |
|
183 @@ -3040,6 +3116,9 @@ sensitize_menu_items (state *s, Bool force_p) |
|
184 |
|
185 for (i = 0; i < countof(names); i++) |
|
186 { |
|
187 + if (getenv ("TRUSTED_SESSION") && 2==i) |
|
188 + continue; |
|
189 + |
|
190 GtkWidget *w = name_to_widget (s, names[i]); |
|
191 gtk_widget_set_sensitive (GTK_WIDGET(w), running_p); |
|
192 } |
|
193 diff --git a/driver/lock-Gtk.c b/driver/lock-Gtk.c |
|
194 --- a/driver/lock-Gtk.c |
|
195 +++ b/driver/lock-Gtk.c |
|
196 @@ -151,7 +151,10 @@ load_unlock_logo_image (void) |
|
197 const char *logofile; |
|
198 struct stat statbuf; |
|
199 |
|
200 - logofile = DEFAULT_ICONDIR "/unlock-logo.png"; |
|
201 + if (getenv("TRUSTED_SESSION")) |
|
202 + logofile = DEFAULT_ICONDIR "/trusted-logo.png"; |
|
203 + else |
|
204 + logofile = DEFAULT_ICONDIR "/unlock-logo.png"; |
|
205 |
|
206 if (stat (logofile, &statbuf) != 0) |
|
207 { |
|
208 diff --git a/driver/prefs.c b/driver/prefs.c |
|
209 --- a/driver/prefs.c |
|
210 +++ b/driver/prefs.c |
|
211 @@ -37,6 +37,7 @@ |
|
212 # include "vms-pwd.h" |
|
213 #endif /* VMS */ |
|
214 |
|
215 +#include <user_attr.h> |
|
216 |
|
217 /* This file doesn't need the Xt headers, so stub these types out... */ |
|
218 #undef XtPointer |
|
219 @@ -1181,6 +1182,42 @@ load_init_file (Display *dpy, saver_preferences *p) |
|
220 if (s) free (s); |
|
221 } |
|
222 |
|
223 + char *idletime = NULL; |
|
224 + int timeout = 0; |
|
225 + char *idlecmd = NULL; |
|
226 + |
|
227 + if (((idletime = getuserattruid(getuid(), |
|
228 + USERATTR_IDLETIME_KW, NULL, NULL)) != NULL) && |
|
229 + ((timeout = atoi(idletime) * 60 * 1000) != 0)) |
|
230 + { |
|
231 + |
|
232 + p->lock_timeout = 0; |
|
233 + if (p->timeout > timeout) |
|
234 + p->timeout = timeout; |
|
235 + |
|
236 + /* always lock or logout and do not show blank screen */ |
|
237 + if (p->mode == DONT_BLANK) |
|
238 + p->mode = BLANK_ONLY; |
|
239 + |
|
240 + p->forcedlock_p = p->lock_p = True; |
|
241 + |
|
242 + /* enforce timeout with idlecmd */ |
|
243 + if ((idlecmd = getuserattruid(getuid(), |
|
244 + USERATTR_IDLECMD_KW, NULL, NULL)) == NULL) |
|
245 + idlecmd = strdup(USERATTR_IDLECMD_LOCK_KW); |
|
246 + |
|
247 + if (idlecmd && strcasecmp(idlecmd, USERATTR_IDLECMD_LOGOUT_KW) == 0) |
|
248 + p->forcedlogout_p = True; |
|
249 + } |
|
250 + else if (getenv("TRUSTED_SESSION")) |
|
251 + { |
|
252 + p->forcedlogout_p = p->forcedlock_p = p->lock_p = True; |
|
253 + p->timeout = 15 * 60 * 1000; /* if security policy not defined, forced logout in 15 mins */ |
|
254 + } |
|
255 + |
|
256 + free(idletime); /* free works on a NULL value */ |
|
257 + free(idlecmd); /* when you're all with idlecmd */ |
|
258 + |
|
259 if (system_default_screenhack_count) /* note: first_time is also true */ |
|
260 { |
|
261 merge_system_screenhacks (dpy, p, system_default_screenhacks, |
|
262 diff --git a/driver/subprocs.c b/driver/subprocs.c |
|
263 --- a/driver/subprocs.c |
|
264 +++ b/driver/subprocs.c |
|
265 @@ -932,6 +932,30 @@ check_if_hacks_dir_exists(Bool verbose_p) |
|
266 } |
|
267 } |
|
268 |
|
269 +/* Added separate function for logout as we need to find better way to log user |
|
270 + out. See CR6422890. For s10 we will use /usr/bin/gnome-session-save --kill |
|
271 +*/ |
|
272 +void |
|
273 +logout(saver_screen_info *ssi) |
|
274 +{ |
|
275 + saver_info *si = ssi->global; |
|
276 + saver_preferences *p = &si->prefs; |
|
277 + if (!(si->emergency_lock_p || si->locked_p)) |
|
278 + { |
|
279 + struct stat st; |
|
280 + if (!stat ("/usr/bin/gnome-session-save", &st)) |
|
281 + { |
|
282 + pid_t forked = fork_and_exec (ssi, "/usr/bin/gnome-session-save\t--force-logout"); |
|
283 + if (forked < 1) |
|
284 + { |
|
285 + char buf [255]; |
|
286 + snprintf (buf, sizeof(buf), "%s: couldn't fork", blurb()); |
|
287 + perror (buf); |
|
288 + } |
|
289 + } |
|
290 + } |
|
291 +} |
|
292 + |
|
293 void |
|
294 spawn_screenhack (saver_screen_info *ssi) |
|
295 { |
|
296 diff --git a/driver/types.h b/driver/types.h |
|
297 --- a/driver/types.h |
|
298 +++ b/driver/types.h |
|
299 @@ -77,6 +77,9 @@ struct saver_preferences { |
|
300 Bool xsync_p; /* whether XSynchronize has been called */ |
|
301 |
|
302 Bool lock_p; /* whether to lock as well as save */ |
|
303 + Bool forcedlock_p; /* whether to forced lock */ |
|
304 + Bool forcedlogout_p; /* whether to forced logout */ |
|
305 + |
|
306 Bool unlock_timeout_p; /* whether to timeout unlock dialog */ |
|
307 /* bugid 5077981 */ |
|
308 |
|
309 diff --git a/driver/xscreensaver-demo.glade2 b/driver/xscreensaver-demo.glade2 |
|
310 --- a/driver/xscreensaver-demo.glade2 |
|
311 +++ b/driver/xscreensaver-demo.glade2 |
|
312 @@ -478,7 +478,7 @@ |
|
313 <property name="update_policy">GTK_UPDATE_ALWAYS</property> |
|
314 <property name="snap_to_ticks">True</property> |
|
315 <property name="wrap">False</property> |
|
316 - <property name="adjustment">0 0 720 1 15 15</property> |
|
317 + <property name="adjustment">0 0 720 1 15 0</property> |
|
318 <accessibility> |
|
319 <atkrelation target="pwd_button" type="controlled-by"/> |
|
320 <atkrelation target="pwd_button" type="labelled-by"/> |
|
321 diff --git a/driver/xscreensaver.c b/driver/xscreensaver.c |
|
322 --- a/driver/xscreensaver.c |
|
323 +++ b/driver/xscreensaver.c |
|
324 @@ -142,6 +142,8 @@ |
|
325 |
|
326 #include <stdio.h> |
|
327 #include <ctype.h> |
|
328 +#include <zone.h> |
|
329 +#include <user_attr.h> |
|
330 #include <X11/Xlib.h> |
|
331 |
|
332 #ifdef ENABLE_NLS |
|
333 @@ -1183,6 +1185,9 @@ main_loop (saver_info *si) |
|
334 |
|
335 maybe_reload_init_file (si); |
|
336 |
|
337 + if (p->forcedlogout_p) |
|
338 + logout(&si->screens[0]); |
|
339 + |
|
340 if (p->mode == DONT_BLANK) |
|
341 { |
|
342 if (p->verbose_p) |
|
343 @@ -1466,6 +1471,20 @@ DONE: |
|
344 static void analyze_display (saver_info *si); |
|
345 static void fix_fds (void); |
|
346 |
|
347 +/* |
|
348 + * Is Role attached to userid |
|
349 + */ |
|
350 +Bool |
|
351 +isRoleAttached(uid_t uid) |
|
352 +{ |
|
353 + char *type; |
|
354 + if (((type = getuserattruid(uid, USERATTR_TYPE_KW, NULL, NULL)) != NULL) && |
|
355 + (strcmp(type, USERATTR_TYPE_NONADMIN_KW) == 0)) |
|
356 + return (B_TRUE); |
|
357 + else |
|
358 + return (B_FALSE); |
|
359 +} |
|
360 + |
|
361 int |
|
362 main (int argc, char **argv) |
|
363 { |
|
364 @@ -1476,6 +1495,17 @@ main (int argc, char **argv) |
|
365 struct passwd *spasswd; |
|
366 int i; |
|
367 |
|
368 + if (getenv ("TRUSTED_SESSION") && (getzoneid () != 0)) |
|
369 + exit (1); |
|
370 + |
|
371 + uid_t uid = getuid(); |
|
372 + if (uid == 0 && isRoleAttached(uid)) |
|
373 + { |
|
374 + fprintf(stderr, "Roles Can not login directly.\n"); |
|
375 + return 1; |
|
376 + } |
|
377 + |
|
378 + |
|
379 /* It turns out that if we do setlocale (LC_ALL, "") here, people |
|
380 running in Japanese locales get font craziness on the password |
|
381 dialog, presumably because it is displaying Japanese characters |
|
382 @@ -1973,7 +2003,7 @@ handle_clientmessage (saver_info *si, XEvent *event, Bool until_idle_p) |
|
383 else if (type == XA_EXIT) |
|
384 { |
|
385 /* Ignore EXIT message if the screen is locked. */ |
|
386 - if (until_idle_p || !si->locked_p) |
|
387 + if (!(p->forcedlogout_p || p->forcedlock_p) && (until_idle_p || !si->locked_p)) |
|
388 { |
|
389 clientmessage_response (si, window, False, |
|
390 "EXIT ClientMessage received.", |
|
391 @@ -1990,8 +2020,8 @@ handle_clientmessage (saver_info *si, XEvent *event, Bool until_idle_p) |
|
392 } |
|
393 else |
|
394 clientmessage_response (si, window, True, |
|
395 - "EXIT ClientMessage received while locked.", |
|
396 - "screen is locked."); |
|
397 + "EXIT ClientMessage received.", |
|
398 + "screen is locked or does not have privilege to exit."); |
|
399 } |
|
400 else if (type == XA_RESTART) |
|
401 { |
|
402 diff --git a/driver/xscreensaver.h b/driver/xscreensaver.h |
|
403 --- a/driver/xscreensaver.h |
|
404 +++ b/driver/xscreensaver.h |
|
405 @@ -170,6 +170,8 @@ extern struct screenhack_job *make_job (pid_t pid, int screen, |
|
406 const char *cmd); |
|
407 #endif |
|
408 |
|
409 +extern void logout(saver_screen_info *ssi); |
|
410 + |
|
411 /* ======================================================================= |
|
412 subprocs diagnostics |
|
413 ======================================================================= */ |
|
414 1.7.9.2 |
|
415 |