19926N/A--- gnome-session-2.30.2.original/gnome-session/gsm-autostart-app.h 2010-02-09 14:22:01.000000000 +0100
19926N/A+++ gnome-session-2.30.2/gnome-session/gsm-autostart-app.h 2010-12-27 13:59:48.461969293 +0100
20260N/A@@ -69,6 +69,11 @@
19926N/A #define GSM_AUTOSTART_APP_DBUS_ARGS_KEY "X-GNOME-DBus-Start-Arguments"
19926N/A #define GSM_AUTOSTART_APP_DISCARD_KEY "X-GNOME-Autostart-discard-exec"
19926N/A
19926N/A+#define SYSTEM_ADMINISTRATOR_PROF "System Administrator"
19926N/A+#define ROOT_ROLE "root"
19926N/A+#define DESKTOP_GNOME_LOCKDOWN_DIR "/desktop/gnome/lockdown"
19926N/A+#define ALLOWED_APPLICATIONS_KEY DESKTOP_GNOME_LOCKDOWN_DIR "/allowed_applications"
19926N/A+#define RESTRICT_APPLICATION_LAUNCHING_KEY DESKTOP_GNOME_LOCKDOWN_DIR "/restrict_application_launching"
19926N/A G_END_DECLS
19926N/A
19926N/A #endif /* __GSM_AUTOSTART_APP_H__ */
19926N/A--- gnome-session-2.30.2.original/gnome-session/gsm-autostart-app.c 2010-12-27 14:00:34.695305276 +0100
19926N/A+++ gnome-session-2.30.2/gnome-session/gsm-autostart-app.c 2010-12-27 13:59:48.467537730 +0100
19926N/A@@ -30,6 +30,11 @@
19926N/A #include <gio/gio.h>
19926N/A #include <gdk/gdkx.h>
19926N/A
19926N/A+#include <exec_attr.h>
19926N/A+#include <user_attr.h>
19926N/A+#include <secdb.h>
19926N/A+#include <pwd.h>
19926N/A+
19926N/A #include <gconf/gconf-client.h>
19926N/A
19926N/A #include "gsm-autostart-app.h"
20260N/A@@ -100,6 +105,98 @@
19926N/A }
19926N/A
19926N/A static gboolean
19926N/A+has_root_role (char *username)
19926N/A+{
19926N/A+ userattr_t *userattr = NULL;
19926N/A+ gchar *rolelist = NULL;
19926N/A+ gchar *rolename = NULL;
20260N/A+ static gboolean ret_val = FALSE;
20260N/A+ static gboolean cached_root = FALSE;
19926N/A+
20260N/A+ if (cached_root == FALSE && (userattr = getusernam(username)) != NULL)
19926N/A+ {
19926N/A+ rolelist = kva_match(userattr->attr, USERATTR_ROLES_KW);
19926N/A+ rolename = strtok(rolelist, ",");
19926N/A+ while (rolename != NULL) {
19926N/A+ if (strcmp (rolename, ROOT_ROLE) == 0) {
19926N/A+ ret_val = TRUE;
19926N/A+ break;
19926N/A+ }
19926N/A+ rolename = strtok(NULL, ",");
19926N/A+ }
19926N/A+
19926N/A+ free_userattr(userattr);
20260N/A+ cached_root = TRUE;
19926N/A+ }
19926N/A+
19926N/A+ return ret_val;
19926N/A+}
19926N/A+
19926N/A+static gboolean
19926N/A+has_admin_profile (char *username)
19926N/A+{
19926N/A+ execattr_t *execattr = NULL;
20260N/A+ static gboolean ret_val = FALSE;
20260N/A+ static gboolean cached_admin = FALSE;
19926N/A+
20260N/A+ if (cached_admin == FALSE && (execattr = getexecuser (username, NULL, NULL, GET_ALL)) != NULL)
19926N/A+ {
19926N/A+ while (execattr != NULL) {
20260N/A+ if (strcmp (execattr->name, SYSTEM_ADMINISTRATOR_PROF) == 0)
19926N/A+ {
19926N/A+ ret_val = TRUE;
19926N/A+ break;
19926N/A+ }
19926N/A+ execattr = execattr->next;
19926N/A+ }
19926N/A+ free_execattr (execattr);
20260N/A+ cached_admin = TRUE;
19926N/A+ }
19926N/A+ return ret_val;
19926N/A+}
19926N/A+
19926N/A+static gboolean
19926N/A+is_user_authorized (void)
19926N/A+{
19926N/A+ uid_t uid = getuid();
19926N/A+ struct passwd *pw;
19926N/A+
19926N/A+ if ((pw = getpwuid(uid)) == NULL)
19926N/A+ return FALSE;
19926N/A+
19926N/A+ if (has_admin_profile (pw->pw_name))
19926N/A+ return TRUE;
19926N/A+
19926N/A+ if (has_root_role (pw->pw_name))
19926N/A+ return TRUE;
19926N/A+
19926N/A+ if (uid == 0)
19926N/A+ return TRUE;
19926N/A+
19926N/A+ return FALSE;
19926N/A+}
19926N/A+
19926N/A+static gboolean
19926N/A+is_restrict_enabled (void)
19926N/A+{
19926N/A+ GConfClient *client;
19926N/A+ gboolean restrict_enabled;
19926N/A+
19926N/A+ client = gconf_client_get_default ();
19926N/A+ g_assert (GCONF_IS_CLIENT (client));
19926N/A+
19926N/A+ restrict_enabled = gconf_client_get_bool (client,
19926N/A+ RESTRICT_APPLICATION_LAUNCHING_KEY, NULL);
19926N/A+
19926N/A+ g_object_unref (client);
19926N/A+
19926N/A+ if (restrict_enabled) {
19926N/A+ return TRUE;
19926N/A+ }
19926N/A+ return FALSE;
19926N/A+}
19926N/A+
19926N/A+static gboolean
19926N/A is_sunray_client (void)
19926N/A {
19926N/A Atom sunray_client_id;
20223N/A@@ -131,13 +226,108 @@
19926N/A return FALSE;
19926N/A }
19926N/A
19926N/A+gchar *
19926N/A+lockdown_get_stripped_exec (const gchar *full_exec)
19926N/A+{
19926N/A+ gchar *str1, *str2, *retval, *p;
19926N/A+
19926N/A+ str1 = g_strdup (full_exec);
19926N/A+ p = strtok (str1, " ");
19926N/A+
19926N/A+ if (p != NULL)
19926N/A+ str2 = g_strdup (p);
19926N/A+ else
19926N/A+ str2 = g_strdup (full_exec);
19926N/A+
19926N/A+ g_free (str1);
19926N/A+
19926N/A+ if (g_path_is_absolute (str2))
19926N/A+ retval = g_strdup (str2);
19926N/A+ else
19926N/A+ retval = g_strdup (g_find_program_in_path ((const gchar *)str2));
19926N/A+ g_free (str2);
19926N/A+
19926N/A+ return retval;
19926N/A+}
19926N/A+
19926N/A+gboolean
19926N/A+lockdown_is_allowed_application (const gchar *app)
19926N/A+{
19926N/A+ GConfClient *client;
20223N/A+ GSList *allowed_applications, *head;
19926N/A+ gboolean retval = FALSE;
19926N/A+
19926N/A+ client = gconf_client_get_default ();
19926N/A+ g_assert (GCONF_IS_CLIENT (client));
19926N/A+
20223N/A+ head = allowed_applications = gconf_client_get_list (client,
19926N/A+ ALLOWED_APPLICATIONS_KEY,
19926N/A+ GCONF_VALUE_STRING,
19926N/A+ NULL);
19926N/A+ g_object_unref (client);
19926N/A+
19926N/A+
19926N/A+ for (allowed_applications; allowed_applications;
19926N/A+ allowed_applications = allowed_applications->next)
19926N/A+ if (!strcmp (allowed_applications->data, app)) {
19926N/A+ retval = TRUE;
19926N/A+ break;
19926N/A+ }
19926N/A+
20223N/A+ for (allowed_applications = head; allowed_applications;
19926N/A+ allowed_applications = allowed_applications->next) {
19926N/A+ g_free (allowed_applications->data);
19926N/A+ }
19926N/A+
19926N/A+ g_slist_free (allowed_applications);
19926N/A+ allowed_applications = NULL;
19926N/A+
19926N/A+ return retval;
19926N/A+}
19926N/A+
19926N/A static gboolean
19926N/A-is_disabled (GsmApp *app)
19926N/A+lockdown_is_forbidden_launcher (GsmApp *app)
19926N/A {
19926N/A+ gchar *full_exec;
19926N/A+ gchar *stripped_exec;
19926N/A+ gboolean retval = FALSE;
19926N/A+
19926N/A+ if (!is_restrict_enabled() || is_user_authorized() ) {
19926N/A+ return retval;
19926N/A+ }
19926N/A+
19926N/A GsmAutostartAppPrivate *priv;
19926N/A
19926N/A priv = GSM_AUTOSTART_APP (app)->priv;
19926N/A
19926N/A+ if (egg_desktop_file_has_key (priv->desktop_file,
19926N/A+ "Exec", NULL)) {
19926N/A+ full_exec = egg_desktop_file_get_string (
19926N/A+ priv->desktop_file,
19926N/A+ "Exec", NULL);
19926N/A+
19926N/A+ if (full_exec != NULL) {
19926N/A+ stripped_exec = lockdown_get_stripped_exec (full_exec);
20223N/A+ // If exec is not found in path simply return False.
20223N/A+ if (stripped_exec == NULL)
20223N/A+ return retval;
19926N/A+ retval = !lockdown_is_allowed_application (stripped_exec);
19926N/A+ if (retval == TRUE) {
19926N/A+ retval = !lockdown_is_allowed_application (full_exec);
19926N/A+ }
19926N/A+ }
19926N/A+ g_free (full_exec);
19926N/A+ g_free (stripped_exec);
19926N/A+ }
19926N/A+ return retval;
19926N/A+}
19926N/A+
19926N/A+static gboolean
19926N/A+is_disabled (GsmApp *app)
19926N/A+{
19926N/A+ GsmAutostartAppPrivate *priv;
19926N/A+
19926N/A+ priv = GSM_AUTOSTART_APP (app)->priv;
19926N/A /* GSM_AUTOSTART_APP_ENABLED_KEY key, used by old gnome-session */
19926N/A if (egg_desktop_file_has_key (priv->desktop_file,
19926N/A GSM_AUTOSTART_APP_ENABLED_KEY, NULL) &&
19926N/A@@ -167,6 +354,10 @@
19926N/A if (is_disabled_for_sunray_client (app))
19926N/A return TRUE;
19926N/A
19926N/A+ /* Add additional check for Lockdown mode */
19926N/A+ if (lockdown_is_forbidden_launcher (app))
19926N/A+ return TRUE;
19926N/A+
19926N/A /* Do not check AutostartCondition - this method is only to determine
19926N/A if the app is unconditionally disabled */
19926N/A