[PATCH] tcp-wrappers support extended to x11 forwards
Kevin Steves
stevesk at pobox.com
Thu Nov 29 08:10:45 EST 2001
On Wed, 28 Nov 2001, Dan Astoorian wrote:
:> > I haven't verified the need for this, I've been listening to comments
:> > on this list related to the forwarded X11 ports. I've understood
:> > that if you use localhost:x.y as your display some (misbehaving)
:> > applications will break.
:
:FWIW, the problem is with Xlib, not the applications themselves. Not
:that it matters.
well, it does matter, if you're poring thru X11 code trying to figure out
how to deal with this.
:> Have you actually verified this? and checked whether the
:> IPADDR_IN_DISPLAY workaround that we already have in place
:> (see channels.c) avoids it?
:
:The code which optimizes loopback connections to unix-domain sockets is
:(typically) keyed off of the IP address, not the name "localhost"; I
:doubt that IPADDR_IN_DISPLAY could make any difference.
IPADDR_IN_DISPLAY is, i think, only used/needed on hp-ux and reliant unix.
if there are others i'd like to know.
:The Solaris 2.5.1 source (which is merely the closest reference I have
:at hand) has several source files (e.g., MakeTCPConnection() in
:XConnDis.c) which contain the comment:
:
: /*
: * We are special casing the BSD hack localhost address
: * 127.0.0.1, since this address shouldn't be copied to
: * other machines. So, we simply omit generating the auth info
: * since we set it to the local machine before calling this routine!
: */
:
:followed immediately by the following code or something very similar
:thereto:
:
: if (!((len == 4) && (cp[0] == 127) && (cp[1] == 0) &&
: (cp[2] == 0) && (cp[3] == 1))) {
: /*...*/
i don't have solaris code, but that is using a sockaddr i'd think, which
is what "localhost" turns into.
:I'd need to look deeper, but I don't think there's that much of a
:difference between X over unix domain sockets vs. TCP, once the file
:descriptor has been established; the same routines that handle an X
:connection to TCP port 6000+dpy would probably work with little
:modification with a unix socket.
:
:If the OpenSSH maintainers agree that supporting Unix sockets--assuming
:that doing so doesn't complicate the code significantly--may be the best
:solution to this problem, I'd be willing to explore this further.
i don't think we need to support unix domain sockets. the goal is that
platforms/systems with modern and non-broken Xlib will use a loopback
server, others will use the current method.
here's an X11 diff that is pertinent. this appeared in R6.5.1.
--- R6.4/xc/lib/X11/ConnDis.c Fri Feb 6 14:12:07 1998
+++ R6.5.1/xc/lib/X11/ConnDis.c Mon Aug 21 08:46:25 2000
@@ -1,4 +1,4 @@
-/* $TOG: ConnDis.c /main/115 1998/02/06 17:12:13 kaleb $ */
+/* $Xorg: ConnDis.c,v 1.7 2000/08/17 19:44:31 cpqbld Exp $ */
/*
Copyright 1989, 1998 The Open Group
@@ -117,6 +117,9 @@
int connect_stat;
#ifdef LOCALCONN
struct utsname sys;
+#ifdef TCPCONN
+ char *tcphostname = NULL; /* A place to save hostname pointer */
+#endif
#endif
p = display_name;
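Review bot: `tcphostname` is declared under nested `#ifdef LOCALCONN` / `#ifdef TCPCONN` guards while its only use further down is guarded by `#if defined(LOCALCONN) && defined(TCPCONN)`; the two are equivalent, but writing the declaration with the same `defined(...)` form makes that easy to confirm at a glance. The `= NULL` initialisation is load-bearing: it is what keeps the `if (tcphostname)` test in the cleanup path correct when the nodename-matching branch is never taken, so it should stay.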
@@ -178,10 +181,20 @@
p = lastc;
#ifdef LOCALCONN
- /* check if phostname == localnodename */
- if (phostname && uname(&sys) >= 0 &&
- !strncmp(phostname, sys.nodename, strlen(sys.nodename)))
+ /* check if phostname == localnodename AND protocol not specified */
+ if (!pprotocol && phostname && uname(&sys) >= 0 &&
+ !strncmp(phostname, sys.nodename,
+ (strlen(sys.nodename) < strlen(phostname) ?
+ strlen(phostname) : strlen(sys.nodename))))
{
+#ifdef TCPCONN
+ /*
+ * We'll first attempt to connect using the local transport. If
+ * this fails (which is the case if sshd X protocol forwarding is
+ * being used), retry using tcp and this hostname.
+ */
+ tcphostname = copystring(phostname, strlen(phostname));
+#endif
Xfree (phostname);
phostname = copystring ("unix", 4);
}
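Review bot: the new `strncmp` bound, the larger of the two string lengths, makes this a full-string comparison, so `strcmp(phostname, sys.nodename)` expresses the same test without three `strlen` calls; the reason for the change (the old `strlen(sys.nodename)` bound let a display host such as "foobar" match a nodename "foo") is worth stating in the comment. Also, `copystring(phostname, strlen(phostname))` can return NULL on allocation failure; since the cleanup path only acts `if (tcphostname)`, that silently drops the TCP retry instead of reporting an error, which is acceptable but should be a deliberate, documented choice.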
@@ -271,6 +284,7 @@
}
#endif
+ connect:
/*
* This seems kind of backwards, but we need to put the protocol,
* host, and port back together to pass to _X11TransOpenCOTSClient().
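Review bot: the `connect:` label is placed after the `#endif` closing the LOCALCONN block, so the retry correctly skips the nodename comparison and re-enters only the code that rebuilds the address from `pprotocol`/`phostname`. A one-line comment at the label saying it is the retry target from the failure path below would help, since the matching `goto` is over a hundred lines away and a bare label reads as dead code otherwise.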
@@ -385,6 +399,16 @@
if (saddr) free ((char *) saddr);
if (pprotocol) Xfree (pprotocol);
if (phostname) Xfree (phostname);
+
+#if defined(LOCALCONN) && defined(TCPCONN)
+ if (tcphostname) {
+ pprotocol = copystring("tcp", 3);
+ phostname = tcphostname;
+ tcphostname = NULL;
+ goto connect;
+ }
+#endif
+
if (pdpynum) Xfree (pdpynum);
if (pscrnum) Xfree (pscrnum);
return NULL;
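Review bot: `saddr` is freed two lines above the new block but is not reset to NULL before `goto connect`; unless the code following the `connect:` label unconditionally reassigns `saddr` before it is next used or freed, a failure of the TCP retry reaches this cleanup a second time and frees the same pointer twice. Adding `saddr = NULL;` after the `free` makes the jump safe regardless of what the connect path does. The `copystring("tcp", 3)` result is also unchecked, so on allocation failure the retry proceeds with `pprotocol == NULL`; the fallback could instead be skipped when either copy fails.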
@@ -1107,18 +1131,18 @@
}
#endif
if (saddr) free ((char *) saddr);
- if (*auth_namelenp = auth_namelen)
+ if ((*auth_namelenp = auth_namelen))
{
- if (*auth_namep = Xmalloc(auth_namelen))
+ if ((*auth_namep = Xmalloc(auth_namelen)))
memcpy(*auth_namep, auth_name, auth_namelen);
else
*auth_namelenp = 0;
}
else
*auth_namep = NULL;
- if (*auth_datalenp = auth_datalen)
+ if ((*auth_datalenp = auth_datalen))
{
- if (*auth_datap = Xmalloc(auth_datalen))
+ if ((*auth_datap = Xmalloc(auth_datalen)))
memcpy(*auth_datap, auth_data, auth_datalen);
else
*auth_datalenp = 0;
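Review bot: the added parentheses around the assignments in these `if` conditions only silence the assignment-in-condition compiler warning and leave behaviour unchanged; since this is unrelated to the TCP fallback, mention it in the change description (or split it out) so readers do not search this hunk for a semantic change.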
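As an added illustration (my code, not Xlib's and not part of this thread), the following C function parses a DISPLAY string and makes the same local-versus-TCP decision the R6.5.1 diff above implements, including the retry that matters for sshd forwarding, and it uses the full-string comparison that the strncmp change amounts to. It takes the node name as a parameter instead of calling uname() so it runs offline; the struct, function and sample display names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Transports in the order Xlib would try them. */
enum transport { TR_NONE = 0, TR_UNIX, TR_TCP };

struct plan {
    enum transport first;   /* transport attempted first */
    enum transport retry;   /* attempted if the first fails, else TR_NONE */
    char tcphost[256];      /* host used for the TCP attempt, if any */
    int dpynum;             /* display number, e.g. 10 for ":10.0" */
    int scrnum;             /* screen number, 0 if omitted */
};

/*
 * Parse "[protocol/]host:display[.screen]" and decide which transports to try.
 * nodename stands in for uname(&sys).nodename so the function runs offline.
 * Returns 0 on success, -1 if the display string is malformed.
 */
int plan_connection(const char *display, const char *nodename, struct plan *out)
{
    const char *p = display;
    const char *slash = strchr(p, '/');
    const char *colon;
    char protocol[32] = "";
    char host[256];
    size_t len;

    memset(out, 0, sizeof *out);

    if (slash) {                              /* explicit "tcp/" or "unix/" */
        len = (size_t)(slash - p);
        if (len == 0 || len >= sizeof protocol)
            return -1;
        memcpy(protocol, p, len);
        protocol[len] = '\0';
        p = slash + 1;
    }

    colon = strrchr(p, ':');                  /* host ends at the last ':' */
    if (!colon)
        return -1;
    len = (size_t)(colon - p);
    if (len >= sizeof host)
        return -1;
    memcpy(host, p, len);
    host[len] = '\0';

    if (sscanf(colon + 1, "%d.%d", &out->dpynum, &out->scrnum) < 1)
        return -1;                            /* display number is mandatory */

    if (protocol[0] != '\0') {                /* caller chose the transport */
        out->first = strcmp(protocol, "unix") == 0 ? TR_UNIX : TR_TCP;
        if (out->first == TR_TCP)
            strcpy(out->tcphost, host);
        return 0;
    }

    if (host[0] == '\0') {                    /* ":0" -> local transport only */
        out->first = TR_UNIX;
        return 0;
    }

    /*
     * Host given without a protocol.  R6.5.1 compares the whole string
     * (the old code used strncmp bounded by strlen(nodename), so "foobar"
     * matched a nodename "foo"); strcmp says the same thing directly.
     * On a match, try the local transport first and remember the hostname
     * so that a failure, e.g. DISPLAY="<nodename>:10.0" set up by sshd with
     * no local :10 server, is retried over TCP.
     */
    strcpy(out->tcphost, host);
    if (strcmp(host, nodename) == 0) {
        out->first = TR_UNIX;
        out->retry = TR_TCP;
    } else {
        out->first = TR_TCP;
    }
    return 0;
}

static const char *name(enum transport t)
{
    return t == TR_UNIX ? "unix" : t == TR_TCP ? "tcp" : "none";
}

int main(void)
{
    /* Constructed sample displays; "myhost" plays the role of the uname nodename. */
    const char *samples[] = { ":0", "myhost:10.0", "myhostname:10.0",
                              "tcp/myhost:10", "localhost:10.0" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct plan p;
        if (plan_connection(samples[i], "myhost", &p) != 0) {
            printf("%-18s malformed\n", samples[i]);
            continue;
        }
        printf("%-18s first=%s retry=%s tcphost=%s dpy=%d.%d\n", samples[i],
               name(p.first), name(p.retry), p.tcphost, p.dpynum, p.scrnum);
    }
    return 0;
}
```

The "myhostname:10.0" sample is the case the prefix-bounded strncmp got wrong: with full-string comparison it goes straight to TCP rather than being mistaken for the local node, while "myhost:10.0" tries the local transport and falls back to TCP, which is the path an sshd-forwarded display takes.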