--- head/cvs-rw/xc/programs/Xserver/os/access.c	Fri Apr 23 12:54:28 2004
+++ head/sx86/xc/programs/Xserver/os/access.c	Sat Apr 24 19:50:12 2004
@@ -227,6 +227,9 @@
 		    int /*len*/,
 		    int /* addingLocalHosts */);
 
+int LocalClientCredAndGroups(ClientPtr client, int *pUid, int *pGid, 
+  int **pSuppGids, int *nSuppGids);
+
 /* XFree86 bug #156: To keep track of which hosts were explicitly requested in
    /etc/X<display>.hosts, we've added a requested field to the HOST struct,
    and a LocalHostRequested variable.  These default to FALSE, but are set
@@ -1361,7 +1364,7 @@
 
 /*
  * Return the uid and gid of a connected local client
- * or the uid/gid for nobody those ids cannot be determinded
+ * or the uid/gid for nobody those ids cannot be determined
  * 
  * Used by XShm to test access rights to shared memory segments
  */
@@ -1368,6 +1371,23 @@
 int
 LocalClientCred(ClientPtr client, int *pUid, int *pGid)
 {
+    return LocalClientCredAndGroups(client, pUid, pGid, NULL, NULL);
+}
+
+/*
+ * Return the uid and all gids of a connected local client
+ * or the uid/gid for nobody those ids cannot be determined
+ * 
+ * If the caller passes non-NULL values for pSuppGids & nSuppGids,
+ * they are responsible for calling XFree(*pSuppGids) to release the
+ * memory allocated for the supplemental group ids list.
+ *
+ * Used by localuser & localgroup ServerInterpreted access control forms below
+ */
+int
+LocalClientCredAndGroups(ClientPtr client, int *pUid, int *pGid, 
+			 int **pSuppGids, int *nSuppGids)
+{
 #if defined(HAS_GETPEEREID) || defined(HAS_GETPEERUCRED) || defined(SO_PEERCRED)
     int fd;
     XtransConnInfo ci;
@@ -1381,6 +1401,11 @@
     socklen_t so_len = sizeof(peercred);
 #endif
 
+    if (pSuppGids != NULL)
+	*pSuppGids = NULL;
+    if (nSuppGids != NULL)
+	*nSuppGids = 0;
+
     if (client == NULL)
 	return -1;
     ci = ((OsCommPtr)client->osPrivate)->trans_conn;
@@ -1409,6 +1434,21 @@
 	*pUid = ucred_geteuid(peercred);
     if (pGid != NULL)
 	*pGid = ucred_getegid(peercred);
+    if (pSuppGids != NULL && nSuppGids != NULL) {
+	const gid_t *gids;
+	*nSuppGids = ucred_getgroups(peercred, &gids);
+	if (*nSuppGids > 0) {
+	    *pSuppGids = xalloc(sizeof(int) * (*nSuppGids));
+	    if (*pSuppGids == NULL) {
+		*nSuppGids = 0;
+	    } else {
+		int i;
+		for (i = 0 ; i < *nSuppGids; i++) {
+		    (*pSuppGids)[i] = (int) gids[i];
+		}
+	    }
+	}
+    }
     ucred_free(peercred);
     return 0;
 #elif defined(SO_PEERCRED)
@@ -1422,6 +1462,7 @@
 #endif
 #else
     /* No system call available to get the credentials of the peer */
+#define NO_LOCAL_CLIENT_CRED
     return -1;
 #endif
 }
@@ -2190,6 +2231,123 @@
 }
 #endif /* IPv6 */
 
+#if !defined(NO_LOCAL_CLIENT_CRED)
+/***
+ * "localuser" & "localgroup" server interpreted types
+ *
+ * Allows local connections from a given local user or group
+ */
+
+#include <pwd.h>
+#include <grp.h>
+
+#define LOCAL_USER 1
+#define LOCAL_GROUP 2
+
+typedef struct {
+    int credType;
+} siLocalCredPrivRec, *siLocalCredPrivPtr;
+
+static siLocalCredPrivRec siLocalUserPriv = { LOCAL_USER };
+static siLocalCredPrivRec siLocalGroupPriv = { LOCAL_GROUP };
+
+/* Maximum length of a user/group name/id string, including trailing NUL */
+#define SI_LOCALCRED_MAXLEN 33
+
+static Bool
+siLocalCredGetId(const char *addr, int len, siLocalCredPrivPtr lcPriv, int *id)
+{
+    char addrbuf[SI_LOCALCRED_MAXLEN];
+
+    if (len >= SI_LOCALCRED_MAXLEN) {
+	return FALSE;
+    }
+
+    memcpy(addrbuf, addr, len);
+    addrbuf[len] = '\0';
+
+    if (addr[0] == '#') { /* numeric id */
+	char *cp;
+	errno = 0;
+	*id = strtol(addrbuf + 1, &cp, 0);
+	if ((errno != 0) || (cp == (addrbuf+1))) {
+	    return FALSE;
+	}
+    } else { /* non-numeric name */
+	if (lcPriv->credType == LOCAL_USER) {
+	    struct passwd *pw = getpwnam(addrbuf);
+
+	    if (pw == NULL) {
+		return FALSE;
+	    } else {
+		*id = (int) pw->pw_uid;
+	    }
+	} else { /* group */
+	    struct group *gr = getgrnam(addrbuf);
+
+	    if (gr == NULL) {
+		return FALSE;
+	    } else {
+		*id = (int) gr->gr_gid;
+	    }
+	}
+    }
+    return TRUE;
+}
+
+static Bool 
+siLocalCredAddrMatch(int family, pointer addr, int len,
+  const char *siAddr, int siAddrlen, ClientPtr client, void *typePriv)
+{
+    int connUid, connGid, *connSuppGids, connNumSuppGids, siAddrId;
+    siLocalCredPrivPtr lcPriv = (siLocalCredPrivPtr) typePriv;
+
+    if (LocalClientCredAndGroups(client, &connUid, &connGid,
+      &connSuppGids, &connNumSuppGids) == -1) {
+	return FALSE;
+    }
+
+    if (siLocalCredGetId(siAddr, siAddrlen, lcPriv, &siAddrId) == FALSE) {
+	return FALSE;
+    }
+
+    if (lcPriv->credType == LOCAL_USER) {
+	if (connUid == siAddrId) {
+	    return TRUE;
+	}
+    } else {
+	if (connGid == siAddrId) {
+	    return TRUE;
+	}
+	if (connSuppGids != NULL) {
+	    int i;
+
+	    for (i = 0 ; i < connNumSuppGids; i++) {
+		if (connSuppGids[i] == siAddrId) {
+		    xfree(connSuppGids);
+		    return TRUE;
+		}
+	    }
+	    xfree(connSuppGids);
+	}
+    }
+    return FALSE;
+}
+
+static int
+siLocalCredCheckAddr(const char *addrString, int length, void *typePriv)
+{
+    int len = length;
+    int id;
+
+    if (siLocalCredGetId(addrString, length, 
+	(siLocalCredPrivPtr)typePriv, &id) == FALSE) {
+	len = -1;
+    }
+    return len;
+}
+#endif /* localuser */
+
 static void
 siTypesInitialize(void)
 {
@@ -2197,4 +2355,10 @@
 #if defined(IPv6) && defined(AF_INET6)
     siTypeAdd("ipv6", siIPv6AddrMatch, siIPv6CheckAddr, NULL);
 #endif
+#if !defined(NO_LOCAL_CLIENT_CRED)
+    siTypeAdd("localuser", siLocalCredAddrMatch, siLocalCredCheckAddr, 
+      &siLocalUserPriv);
+    siTypeAdd("localgroup", siLocalCredAddrMatch, siLocalCredCheckAddr, 
+      &siLocalGroupPriv);
+#endif
 }