From f61a59166eaa7d1f4763909c5cc971f3774f3466 Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Thu, 12 Dec 2024 23:28:06 +0900 Subject: [PATCH 1/2] tools: fix for make dist - Do not include substitutedd xrdp-chkpriv into tarball - Dot not install xrdp-chkpriv.in While here, drop exec permission from *.c source file. --- tools/chkpriv/Makefile.am | 8 +++++--- tools/chkpriv/xrdp-droppriv.c | 0 2 files changed, 5 insertions(+), 3 deletions(-) mode change 100755 => 100644 tools/chkpriv/xrdp-droppriv.c diff --git a/tools/chkpriv/Makefile.am b/tools/chkpriv/Makefile.am index 88485f57ed..adecdb73a7 100644 --- a/tools/chkpriv/Makefile.am +++ b/tools/chkpriv/Makefile.am @@ -3,7 +3,7 @@ xrdppkgdatadir=$(datadir)/xrdp pkglibexec_PROGRAMS = \ xrdp-droppriv -dist_xrdppkgdata_SCRIPTS = \ +nodist_xrdppkgdata_SCRIPTS = \ xrdp-chkpriv AM_LDFLAGS = @@ -11,7 +11,9 @@ AM_LDFLAGS = AM_CPPFLAGS = \ -I$(top_srcdir)/common -xrdp_droppriv_SOURCES = xrdp-droppriv.c +xrdp_droppriv_SOURCES = \ + xrdp-chkpriv.in \ + xrdp-droppriv.c xrdp_droppriv_LDADD = \ $(top_builddir)/common/libcommon.la \ @@ -29,5 +31,5 @@ SUFFIXES = .in .in: $(subst_verbose)$(SUBST_VARS) $< > $@ -CLEANFILES = xrdp-chkpriv +CLEANFILES = $(nodist_xrdppkgdata_SCRIPTS) diff --git a/tools/chkpriv/xrdp-droppriv.c b/tools/chkpriv/xrdp-droppriv.c old mode 100755 new mode 100644 From a857f0b7ea3b594b3436f44b006c60f9ad9c0c86 Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Thu, 12 Dec 2024 23:31:05 +0900 Subject: [PATCH 2/2] tools: make the output of xrdp-chkpriv fancy While here, drop exec permission from xrdp-chkpriv.in. The exec permission will be granted to substituted xrdp-chkpriv script during `make install` process. --- tools/chkpriv/xrdp-chkpriv.in | 83 ++++++++++++++++++++++++++++------- 1 file changed, 66 insertions(+), 17 deletions(-) mode change 100755 => 100644 tools/chkpriv/xrdp-chkpriv.in 
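Review bot: In the `@@ -11,7 +11,9` hunk of tools/chkpriv/Makefile.am, `xrdp-chkpriv.in` is placed in `xrdp_droppriv_SOURCES` purely so that `make dist` picks it up; automake does ship unknown-extension files listed in `_SOURCES` without compiling them, but the conventional declaration for a non-source template is `EXTRA_DIST = xrdp-chkpriv.in`, which keeps the program's source list limited to what actually links into xrdp-droppriv. Because the same file declares `SUFFIXES = .in` and a `.in:` rule, I would also confirm on a generated Makefile that no object or target is derived from the `.in` entry before merging. The `nodist_` switch and `CLEANFILES = $(nodist_xrdppkgdata_SCRIPTS)` in the other two hunks look right.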
diff --git a/tools/chkpriv/xrdp-chkpriv.in b/tools/chkpriv/xrdp-chkpriv.in
old mode 100755
new mode 100644
index 2f9acd8de9..512e90efe2
--- a/tools/chkpriv/xrdp-chkpriv.in
+++ b/tools/chkpriv/xrdp-chkpriv.in
@@ -26,6 +26,35 @@ SESMAN_INI="$CONF_DIR"/sesman.ini
 RSAKEYS_INI="$CONF_DIR"/rsakeys.ini
 DROPPRIV=@pkglibexecdir@/xrdp-droppriv
+# Helper functions to print colored tag like "[ OK ]"
+
+print_ok()
+{
+ if [ -t 1 ]; then
+ printf "\033[1m[ \033[1;32mOK\033[0m ]\033[0m "
+ else
+ printf "[ OK ] "
+ fi
+}
+
+print_warn()
+{
+ if [ -t 1 ]; then
+ printf "\033[1m[ \033[1;33mWARN\033[0m ]\033[0m "
+ else
+ printf "[ WARN ] "
+ fi
+}
+
+print_ng()
+{
+ if [ -t 1 ]; then
+ printf "\033[1m[ \033[1;31mNG\033[0m ]\033[0m "
+ else
+ printf "[ NG ] "
+ fi
+}
+
 # -----------------------------------------------------------------------------
 # G E T I N I V A L U E
 #
@@ -51,6 +80,7 @@ GetIniValue()
 # -----------------------------------------------------------------------------
 if [ "$(id -u)" != 0 ]; then
+ print_ng
 echo "** Must run this script as root" >&2
 exit 1
 fi
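Review bot: The three helpers added in the `@@ -26,6 +26,35` hunk differ only in the SGR colour number and the label, so the escape sequence that makes the tag render is written out three times and any later tweak (bold, reset, width) must be applied in three places. A single `print_tag` taking the colour and label, with `print_ok`/`print_warn`/`print_ng` reduced to one-line wrappers, prints byte-identical output on both the tty and non-tty paths. The rewrite below keeps the same function names so the call sites in the later hunks are unaffected.
```sh
# Print a tag like "[ OK ] "; $1 = SGR colour number, $2 = label
print_tag()
{
    if [ -t 1 ]; then
        printf "\033[1m[ \033[1;%sm%s\033[0m ]\033[0m " "$1" "$2"
    else
        printf "[ %s ] " "$2"
    fi
}

print_ok()   { print_tag 32 OK; }
print_warn() { print_tag 33 WARN; }
print_ng()   { print_tag 31 NG; }
```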
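Review bot: In the `@@ -51,6 +80,7 @@` hunk the new `print_ng` writes its tag to stdout and tests `-t 1`, while the message on the next line is sent with `>&2`; when either stream is redirected (for example `2>log` or `| tee`) the tag and the text end up in different places, and the tag is left on stdout without a trailing newline. Redirecting the helper to the same stream, `print_ng >&2`, keeps the pair together and makes the isatty test apply to the descriptor actually being written.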
@@ -92,37 +122,45 @@ echo
 # Basic checks on runtime user/group
 if [ -z "$runtime_user" ] && [ -z "$runtime_group" ]; then
- echo "-Info- This system is not configured to run xrdp without privilege"
+ print_warn
+ echo "This system is not configured to run xrdp without privilege"
 exit 0
 fi
 if [ -z "$runtime_user" ] || [ -z "$runtime_group" ]; then
- echo "-Error- Both 'runtime_user' and 'runtime_group' must be set"
+ print_ng
+ echo "Both 'runtime_user' and 'runtime_group' must be set"
 errors=$(( errors + 1 ))
 exit 1
 fi
 if getent passwd "$runtime_user" >/dev/null ; then
- echo "-Info- runtime_user '$runtime_user' appears to exist"
+ print_ok
+ echo "runtime_user '$runtime_user' appears to exist"
 else
- echo "-Error- runtime_user '$runtime_user' does not exist"
+ print_ng
+ echo "runtime_user '$runtime_user' does not exist"
 errors=$(( errors + 1 ))
 fi
 GID=
 if getent group "$runtime_group" >/dev/null ; then
- echo "-Info- runtime_group '$runtime_group' appears to exist"
+ print_ok
+ echo "runtime_group '$runtime_group' appears to exist"
 GID=$(getent group xrdp | cut -d: -f3)
 else
- echo "-Error- runtime_group '$runtime_group' does not exist"
+ print_ng
+ echo "runtime_group '$runtime_group' does not exist"
 errors=$(( errors + 1 ))
 fi
 # Groups agree between sesman and xrdp?
 if [ "$runtime_user" = "$SessionSockdirGroup" ]; then
- echo "-Info- xrdp.ini and sesman.ini agree on group ownership"
+ print_ok
+ echo "xrdp.ini and sesman.ini agree on group ownership"
 else
- echo "-Error- xrdp.ini and sesman.ini do not agree on group ownership"
+ print_ng
+ echo "xrdp.ini and sesman.ini do not agree on group ownership"
 errors=$(( errors + 1 ))
 fi
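Review bot: Every failure branch in this hunk now repeats the same three lines (`print_ng`, an `echo`, `errors=$(( errors + 1 ))`), and the same pattern recurs in the `@@ -144,24` and `@@ -172,26` hunks; a small helper placed next to the tag functions, `fail() { print_ng; echo "$@"; errors=$(( errors + 1 )); }`, would collapse each branch to one line and make it impossible to print an NG tag without bumping the counter. Adjacent to the new lines but untouched by this change: `GID=$(getent group xrdp | cut -d: -f3)` looks up the literal group `xrdp` immediately after reporting that `$runtime_group` exists, so the rsakeys.ini group check in the later hunk appears to compare against the wrong gid whenever `runtime_group` is not `xrdp` — worth confirming and, if so, using `"$runtime_group"` there.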
@@ -144,24 +182,29 @@ if [ -e $RSAKEYS_INI ]; then
 set -- $(stat -c "%a %u %g" $RSAKEYS_INI)
 esac
 if [ "$1/$2/$3" = "640/0/$GID" ]; then
- echo "-Info- $RSAKEYS_INI has correct permissions"
+ print_ok
+ echo "$RSAKEYS_INI has correct permissions"
 else
 if [ "$1" != 640 ]; then
- echo "-Error- $RSAKEYS_INI should have permissions -rw-r-----"
+ print_ng
+ echo "$RSAKEYS_INI should have permissions -rw-r-----"
 errors=$(( errors + 1 ))
 fi
 if [ "$2" != 0 ]; then
- echo "-Error- $RSAKEYS_INI should be owned by root"
+ print_ng
+ echo "$RSAKEYS_INI should be owned by root"
 errors=$(( errors + 1 ))
 fi
 if [ "$3" != "$GID" ]; then
- echo "-Error- $RSAKEYS_INI should be in the $runtime_group group"
+ print_ng
+ echo "$RSAKEYS_INI should be in the $runtime_group group"
 errors=$(( errors + 1 ))
 fi
 fi
 fi
 else
- echo "-Error- $RSAKEYS_INI does not exist"
+ print_ng
+ echo "$RSAKEYS_INI does not exist"
 errors=$(( errors + 1 ))
 fi
@@ -172,26 +215,32 @@ fi
 # group to obtain access to /etc/ssl/private/ssl-cert-snakeoil.key
 for file in "$certificate" "$key_file"; do
 if ! [ -e $file ]; then
- echo "-Error- $file does not exist"
+ print_ng
+ echo "$file does not exist"
 errors=$(( errors + 1 ))
 elif ! $DROPPRIV "$runtime_user" "$runtime_group" sh -c '[ -r '"$file"' ]'
 then
- echo "-Error- $file is not readable by $runtime_user:$runtime_group"
+ print_ng
+ echo "$file is not readable by $runtime_user:$runtime_group"
 errors=$(( errors + 1 ))
 elif $DROPPRIV "$runtime_user" "$runtime_group" sh -c '[ -w '"$file"' ]'
 then
- echo "-Error- $file is writeable by $runtime_user:$runtime_group"
+ print_ng
+ echo "$file is writeable by $runtime_user:$runtime_group"
 errors=$(( errors + 1 ))
 else
- echo "-Info- $file is read-only for $runtime_user:$runtime_group"
+ print_ok
+ echo "$file is read-only for $runtime_user:$runtime_group"
 fi
 done
 echo
 if [ $errors -eq 0 ]; then
+ print_ok
 echo "-Summary- Permissions appear to be correct to run xrdp unprivileged"
 status=0
 else
+ print_ng
 echo "-Summary- $errors error(s) found. Please correct these and try again"
 status=1
 fi
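Review bot: The two summary lines at the end of this hunk gain a `print_ok`/`print_ng` tag but keep their textual `-Summary-` prefix, while every other message in the patch had its `-Info-`/`-Error-` prefix removed in favour of the tag; the result is `[ OK ] -Summary- ...`, a mix of both schemes. Either drop the prefix now that the tag carries the status, `echo "Permissions appear to be correct to run xrdp unprivileged"`, or keep a textual level on all lines so that non-tty consumers can still grep for it. Adjacent context that the change does not touch: the readability probes build a shell command by splicing `$file` into the `sh -c` string, so a path containing quotes or shell metacharacters in the config would be executed rather than tested; passing it as an argument, `sh -c '[ -r "$1" ]' sh "$file"`, keeps the check purely a test. The `for` loop begins inside this hunk and ends at `done`, so the whole unit is visible.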