From 93621be4ffa504c63a91570f66ba4732837b6e63 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb
Date: Sat, 13 Mar 2021 12:11:11 +0000
Subject: Don't add authorizations for TCP connections by default. Add a new resource 'listenTcp' (false by default) to explicitely add authorizations for existing IP addresses on startup (and pass -listen tcp to the X server). ok kettenis@
---
 include/dm.h | 1 +
 man/xenodm.man | 17 ++++++++++++++++-
 xenodm/auth.c | 22 ++++++++++++++++++----
 xenodm/resource.c | 2 ++
 xenodm/server.c | 2 ++
 5 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/include/dm.h b/include/dm.h
index a07af64..a7ba732 100644
--- a/include/dm.h
+++ b/include/dm.h
@@ -123,6 +123,7 @@ struct display {
 unsigned short *authNameLens; /* authorization protocol name lens */
 char *clientAuthFile;/* client specified auth file */
 int authComplain; /* complain when no auth for XDMCP */
+ int listenTcp; /* assume server is listening on TCP */
 /* information potentially derived from resources */
 int authNameNum; /* number of protocol names */
diff --git a/man/xenodm.man b/man/xenodm.man
index 071f600..69f808b 100644
--- a/man/xenodm.man
+++ b/man/xenodm.man
@@ -23,7 +23,7 @@
 .\" from The Open Group.
 .\"
 .\"
-.Dd $Mdocdate: March 8 2021 $
+.Dd $Mdocdate: March 13 2021 $
 .Dt XENODM 1
 .Os __xorgversion__
 .Sh NAME
@@ -582,6 +582,21 @@ to occur, during which time the new authorization information will be read.
 The default is
 .Cm false ,
 which will work for all MIT servers.
+.It Ic DisplayManager. Ns Ar DISPLAY Ns Ic .listenTcp
+If set to
+.Cm true ,
+enable the
+.Ic listen Ic tcp
+option for the given X server.
+When this setting is set to
+.Cm false ,
+.Nm
+will only generate authorizations for the local (ie Unix socket)
+transport mechanism.
+Otherwise full authorization for all possible transport mechanisms
+will be generated.
+The default is
+.Cm false .
 .El
 .Sh CONFIGURATION FILE
 First, the
diff --git a/xenodm/auth.c b/xenodm/auth.c
index 39703c1..b907826 100644
--- a/xenodm/auth.c
+++ b/xenodm/auth.c
@@ -736,13 +736,14 @@ setAuthNumber (Xauth *auth, char *name)
 }
 static void
-writeLocalAuth (FILE *file, Xauth *auth, char *name)
+writeLocalAuth (FILE *file, Xauth *auth, char *name, int listenTcp)
 {
 Debug ("writeLocalAuth: %s %.*s\n", name, auth->name_length, auth->name);
 setAuthNumber (auth, name);
 #ifdef TCPCONN
- DefineSelf (file, auth);
+ if (listenTcp)
+ DefineSelf (file, auth);
 #endif
 DefineLocal (file, auth);
 }
@@ -762,8 +763,21 @@ SetUserAuthorization (struct display *d, struct verify_info *verify)
 struct stat statb;
 int i;
 int magicCookie;
+ char **arg;
+ int foundListen = 0;
 Debug ("SetUserAuthorization\n");
+ for (arg = d->argv; *arg!= NULL; arg++) {
+ if (strcmp(*arg, "tcp") == 0 && foundListen) {
+ Debug("setUserAuthorization: found listenTcp \n");
+ d->listenTcp = 1;
+ break;
+ }
+ if (strcmp(*arg, "-listen") == 0)
+ foundListen = 1;
+ else
+ foundListen = 0;
+ }
 auths = d->authorizations;
 if (auths) {
 home = getEnv (verify->userEnviron, "HOME");
@@ -813,7 +827,7 @@ SetUserAuthorization (struct display *d, struct verify_info *verify)
 !strncmp (auths[i]->name, "MIT-MAGIC-COOKIE-1", 18))
 {
 magicCookie = i;
- writeLocalAuth (new, auths[i], d->name);
+ writeLocalAuth (new, auths[i], d->name, d->listenTcp);
 break;
 }
 }
@@ -893,7 +907,7 @@ RemoveUserAuthorization (struct display *d, struct verify_info *verify)
 initAddrs ();
 doWrite = 0;
 for (i = 0; i < d->authNum; i++)
- writeLocalAuth (new, auths[i], d->name);
+ writeLocalAuth (new, auths[i], d->name, d->listenTcp);
 doWrite = 1;
 if (old) {
 if (fstat (fileno (old), &statb) != -1)
diff --git a/xenodm/resource.c b/xenodm/resource.c
index 3166f38..f1b220b 100644
--- a/xenodm/resource.c
+++ b/xenodm/resource.c
@@ -169,6 +169,8 @@ struct displayResource serverResources[] = {
 "" },
 { "autoLogin", "AutoLogin", DM_STRING, boffset(autoLogin),
 "" },
+{ "listenTcp", "ListenTcp", DM_BOOL, boffset(listenTcp),
+ "false" },
 };
 #define NUM_SERVER_RESOURCES (sizeof serverResources/\
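Review bot: In writeLocalAuth the new `listenTcp` parameter and the now-conditional `DefineSelf` call carry no comment saying why the network-address entries are skipped by default. Going by the commit message, I would add above the `if (listenTcp)` line: `/* write entries for the host's IP addresses only when the X server accepts TCP connections */`. With TCPCONN undefined the parameter is unused, so a build with unused-parameter warnings enabled will flag it; an `#else` branch holding `(void) listenTcp;` would keep such builds quiet.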
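Review bot: The scan added at the top of SetUserAuthorization dereferences `*arg` without first checking that `d->argv` is non-NULL; the `if (!argv)` test in StartServerOnce suggests a display's argument vector can be absent, and in that case this loop would crash. A guarded header such as `for (arg = d->argv; arg != NULL && *arg != NULL; arg++) {` avoids that. The scan also recognises only the exact pair `-listen` `tcp` and never clears the flag, so a later `-nolisten tcp` in the same argument list would still lead to entries for network addresses being written; a short comment stating that limitation would help. The function body continues outside the hunk.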
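Review bot: In RemoveUserAuthorization, `d->listenTcp` is only guaranteed to hold the resource value, because the value inferred from `-listen tcp` in the server arguments is assigned as a side effect of SetUserAuthorization. If the two functions do not run in the same process (not visible in this diff), removal would skip the `DefineSelf` pass and could leave the network-address entries written at login in the user's authority file. Deriving the flag once where the display's resources are loaded, or moving the scan into a small static helper called from both functions, would remove that dependency. The function starts and ends outside the hunk.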
diff --git a/xenodm/server.c b/xenodm/server.c
index f247a1d..e4f3f69 100644
--- a/xenodm/server.c
+++ b/xenodm/server.c
@@ -86,6 +86,8 @@ StartServerOnce (struct display *d)
 snprintf (arg, sizeof(arg), "-auth %s", d->authFile);
 argv = parseArgs (argv, arg);
 }
+ if (d->listenTcp)
+ argv = parseArgs(argv, "-listen tcp");
 if (!argv) {
 LogError ("StartServer: no arguments\n");
 sleep ((unsigned) d->openDelay);
--
cgit v1.2.3
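Review bot: The added call `parseArgs(argv, "-listen tcp")` in StartServerOnce drops the space before the parenthesis that the surrounding code uses (`parseArgs (argv, arg)` two lines above); `argv = parseArgs (argv, "-listen tcp");` matches the file. This line is also the only place where the listenTcp resource opens the server's TCP transport, and the resource defaults to false, so a one-line comment would help: `/* listenTcp resource: ask the X server to accept TCP connections */`. The function starts and ends outside the hunk.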