[PATCH V2 xauth] Make matching algorithm mimic XauGet*AuthByAddr

Egbert Eich eich at freedesktop.org
Thu Sep 19 05:08:07 PDT 2013


Meanwhile I came across 

https://bugs.freedesktop.org/show_bug.cgi?id=43425

where Tilmann proposes a fix for exactly the same problem.

The solutions differ to some extent so let me try to explain
what the differences are and why I chose to solve it the way
shown below.

On Wed, Aug 14, 2013 at 10:11:06PM +0200, Egbert Eich wrote:
>
> Xlib (xcb) uses XauGetBestAuthByAddr() when looking for an
> authorization. 'xauth [n]list $DISPLAY' used a slightly
> stricter algorithm which doesn't find a possible authorization
> for cases where either the family is set to FamilyWild or
> the address length is 0.
> 
> Signed-off-by: Egbert Eich <eich at freedesktop.org>
> ---
> v2: Tried to make condition more readable as suggested 
>     by walter harms <wharms at bfs.de>.
> 
>  process.c | 14 +++++++++-----
>  1 file changed, 9 insertions(+), 5 deletions(-)
> 
> diff --git a/process.c b/process.c
> index a9466a7..7ae5f21 100644
> --- a/process.c
> +++ b/process.c
> @@ -1064,11 +1064,15 @@ eq_auth(Xauth *a, Xauth *b)
>  static int
>  match_auth_dpy(register Xauth *a, register Xauth *b)
>  {
> -    return ((a->family == b->family &&
> -	     a->address_length == b->address_length &&
> -	     a->number_length == b->number_length &&
> -	     memcmp(a->address, b->address, a->address_length) == 0 &&
> -	     memcmp(a->number, b->number, a->number_length) == 0) ? 1 : 0);
> +    if (a->family != FamilyWild && b->family != FamilyWild &&
> +        (a->family != b->family || a->address_length != b->address_length ||
> +         memcmp(a->address, b->address, a->address_length) != 0))
> +        return 0;
> +    if (a->number_length != 0 && b->number_length != 0 &&
> +          (a->number_length != b->number_length ||
> +           memcmp(a->number, b->number, a->number_length) != 0))
> +        return 0;
> +    return 1;
>  }
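
Review bot: The commit message names "address length is 0" as one of the missed cases, but the second condition in match_auth_dpy() wildcards on number_length == 0 and nothing in the hunk treats a zero address_length specially; either the description should say display number length or the code is missing a case. Separately, when either side is FamilyWild the function now returns 1 without comparing the address at all, which is a much wider match than the removed expression allowed, so a short comment above the function stating that this is deliberate and mirrors XauGetBestAuthByAddr() would help the next reader. The continuation lines of the second condition are also indented two columns deeper than those of the first.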

Both Tilmann's patch in 

     https://bugs.freedesktop.org/attachment.cgi?id=65284

and mine address the missing handling of FamilyWild in xauth.

When a FamilyWild entry is found Tilman's patch also takes the
address length and address into account while in the above patch 
this data is ignored if one of the entries to compare belongs to 
FamilyWild.

Tilman's patch introduces a special handling for FamilyWild in 
iterdpy() when match_auth_dpy() fails while the above fix directly 
adds this handling to match_auth_dpy().
The modification of match_auth_dpy() also affects match_auth() which 
calls this function.

I've now looked for indicators if the address should be ignored when 
a FamilyWild is encountered.

1. 'man Xsecurity' states: 
    ...  A special connection family (FamilyWild, value 65535) causes an 
    entry to match  every  display, allowing  the  entry  to be used for 
    all connections. ...

2. Looking at XauGetAuthByAddr() and XauGetBestAuthByAddr() in libXau, 
   the address field gets ignored when one of the two entries to compare 
   is FamilyWild.
   In fact the patch makes the comparisons in match_auth_dpy() and match_auth()
   very much identical to those in XauGetAuthByAddr() and XauGetBestAuthByAddr().
   
The goal I tried to achieve in my patch was to make the behavior of xauth 
identical to the behavior of X clients looking for the closest matching 
authentication entry in the credentials file. X clients use XauGetBestAuthByAddr() 
(thru xcb) to find this entry.
   

Cheers,
	Egbert.

