ldm : I can't login anymore with the fix #227295

that is essentially only reverting the fix, -ac means *everyone* in the world can connect to your display and do keylogging, take screenshots etc. -ac drops any support for xauth (.Xauthority) and all security completely...
the only breakage i'm aware of with the current patch is if you force he usage of NFS (not a default) and /root is not writable to create the xauth cookie.
are you using NFS ? if so, there is a fix in the most recent ltsp upload in hardy-proposed.

> that is essentially only reverting the fix

Not at all. Directx is an option of ltsp to dissallow cookie with xauth. That not a great idea, but ltsp propose this option but didn't work with ubuntu version. I don't reverting fix, I just add -ac ONLY if LDM_DIRECTX is set to TRUE.

I don't use NFS at all. I'm using ndb with squashfs. The problem is ldm create an .Xauthority files (which is different from the X client one's). So I can't connect my user anymore. That why you have to comment the line "create_xauth".

More information in debian bug : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469462

the fix we use is supposed to add the proper xauth cookie to your session which seems to work for many other people... are you using gutsy or hardy ? note that the debian patch you are pointing to all the time was a known bad quickfix we added, the later patch closing the issue is used in debian as well now. is the ~/.Xauthority of your user on the server writable (i.e. not owned by root because you used k3b with sudo or differently funny things ? )

I'm using gutsy.

There is 2 problems with your fix. I'll tried to explain it properly now :

- when we add the option LDM_DIRECTX to TRUE (ltsp propose this option for some reasons) ldm don't add "-ac" option to X. That bad for security but that is not a default option. That why we have :
       if (ldminfo.directx)
     argv[i++] = "-ac";
If I add LDM_DIRECTX to TRUE, the option "-ac" is add to X. When I remove this option, there is no more "-ac" option (which is greate).

- if I don't use LDM_DIRECTX, LDM will create a .Xauthority file with a generate cookie (with the fonction create_xauth();). The problem is that X client generate a cookie, ldm generate an other cookie for the X server. X client cookie and X server cookie will be different and I've this kind of error message :

Xlib: connection to "????????????????:11.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key

So if I add LDM_DIRECTX to TRUE, I can't login on it because there is no "-ac" option for X. If I remove LDM_DIRECTX option I can't login on it because I have a different cookie on client and server side.

there is and has to be no -ac option anywhere in the code anymore, to restate that again, -ac was removed upstream it is neither in debian code (at least it shouldnt be, else that would be a security bug agaist debian you should file) nor in fedora code nor in our code anymore.
your problem lies elsewhere ...

the fix we worked out upstream is supposed to take the xauth cookie created by ldm and *add it to your session* authority file *during login*. if that doesnt work for you, lets find out why, but please stop re-stating that we need to add -ac, since we will neither do that upstream nor in ubuntu.
the fix is used in debian sid as well as fedora 9 and ubuntu hardy with success.

if there is anything gone missing in gutsy due to the patch, lets inspect and fix it the proper way, just reverting to the big security hole wont help anyone.

feel free to inspect revision 837 of the ldm upstream source (http://bazaar.launchpad.net/~ltsp-upstream/ltsp/ldm-trunk) and propose a better fix, but we wont re-add -ac ...

btw, if you remove LDM_DIRECTX, xauth isnt used at all since all X transport is done through ssh and its X proxy mechanism, xauth is not involved in this.

Ok, forgett LDM_DIRECTX option, I don't need this option.

If I inspect revision 837 i can see clearly that "create_xauth()" line is remove. Please remove it for people use nbd instead of nfs.

Fix was committed for Hardy