5559N/AFrom 65b6bdc8096ef4ac5b3bd41a0f2d38afe12c75ee Mon Sep 17 00:00:00 2001
5559N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
5559N/ADate: Sat, 2 Jan 2016 22:23:10 -0800
5559N/ASubject: [PATCH] security-policy
5398N/ABug 15284497 SUNBT6317441 Allow admins to remove user-configurability from
5559N/A- Upstream rejected as "I will never implement that, because it's stupid and
5398N/A unenforcible." Unfortunately, we're stuck with Common Criteria requirements,
5398N/A which do not allow for common sense.
5398N/ABug 15779180 SUNBT7154101 Not able to unlock screen after xlock after su to a
5559N/A 7 files changed, 163 insertions(+), 11 deletions(-)
5559N/Aindex 3d86087..3a4ab09 100644
5559N/A@@ -1701,9 +1702,10 @@ flush_dialog_changes_and_save (state *s)
5398N/A # define COPYSTR(FIELD,NAME) \
5398N/A+ if ((p->FIELD != p2->FIELD) && \
5398N/A- strcmp(p->FIELD, p2->FIELD)) \
5398N/A+ strcmp(p->FIELD, p2->FIELD))) \
5559N/A@@ -2765,6 +2767,70 @@ update_list_sensitivity (state *s)
5398N/A+# define SENSITIZE(NAME,SENSITIVEP) \
5398N/A+ gtk_widget_set_sensitive (name_to_widget (s, (NAME)), (SENSITIVEP))
5398N/A+ gtk_widget_hide (name_to_widget (s, (NAME)))
5398N/A+ if (((idletime = getuserattruid(getuid(),
5398N/A+ USERATTR_IDLETIME_KW, NULL, NULL)) != NULL) &&
5398N/A+ ((timeout = atoi(idletime)) != 0) || timeout)
5398N/A+ GtkWidget *timeout_spinbutton = name_to_widget(s, "timeout_spinbutton");
5398N/A+ GtkAdjustment *adj = gtk_spin_button_get_adjustment((GtkSpinButton *) timeout_spinbutton);
5398N/A+ SET_ADJ_UPPER(adj, (gdouble) timeout);
5398N/A+ if (GET_ADJ_VALUE(adj) > (gdouble) timeout)
5398N/A+ SET_ADJ_VALUE(adj, (gdouble) timeout);
5398N/A+ gtk_spin_button_set_adjustment((GtkSpinButton *) timeout_spinbutton, adj);
5398N/A+ /* enforce timeout with idlecmd */
5398N/A+ if ((idlecmd = getuserattruid(getuid(),
5398N/A+ USERATTR_IDLECMD_KW, NULL, NULL)) == NULL)
5398N/A+ idlecmd = strdup(USERATTR_IDLECMD_LOCK_KW);
5398N/A+ if (idlecmd && strcasecmp(idlecmd, USERATTR_IDLECMD_LOGOUT_KW) == 0)
5559N/A+ gtk_label_set_text_with_mnemonic(
5559N/A+ GTK_LABEL (name_to_widget (s, "timeout_label")),
5398N/A+ HIDEWIDGET("cycle_label");
5398N/A+ HIDEWIDGET("cycle_spinbutton");
5398N/A+ HIDEWIDGET("cycle_mlabel");
5398N/A+ HIDEWIDGET("pwd_spinbutton");
5398N/A+ HIDEWIDGET("pwd_button_eventbox");
5559N/A+ gtk_label_set_text_with_mnemonic(
5559N/A+ GTK_LABEL (name_to_widget(s, "timeout_label")),
5398N/A+ SENSITIZE("lock_spinbutton", 0);
5398N/A+ SENSITIZE("lock_mlabel", 0);
5398N/A+ SENSITIZE("lock_button", 0);
5398N/A+ HIDEWIDGET("lock_spinbutton");
5398N/A+ HIDEWIDGET("lock_mlabel");
5398N/A+ HIDEWIDGET("lock_button");
5398N/A+ HIDEWIDGET("lock_button_eventbox");
5398N/A+ free(idletime); /* free works on a NULL value */
5398N/A+ free(idlecmd); /* when you're all with idlecmd */
5398N/A populate_prefs_page (state *s)
5559N/A@@ -2921,10 +2987,6 @@ populate_prefs_page (state *s)
5398N/A #endif /* HAVE_DPMS_EXTENSION */
5398N/A-# define SENSITIZE(NAME,SENSITIVEP) \
5398N/A- gtk_widget_set_sensitive (name_to_widget (s, (NAME)), (SENSITIVEP))
5559N/A@@ -2964,10 +3026,13 @@ dpms_supported=1;
5398N/A SENSITIZE ("fade_spinbutton", (fading_possible &&
5398N/A (p->fade_p || p->unfade_p)));
5398N/A populate_popup_window (state *s)
5559N/Aindex 52538a8..20f3a4a 100644
5398N/A /* This file doesn't need the Xt headers, so stub these types out... */
5559N/A@@ -1186,6 +1187,37 @@ load_init_file (Display *dpy, saver_preferences *p)
5398N/A+ if (((idletime = getuserattruid(getuid(),
5398N/A+ USERATTR_IDLETIME_KW, NULL, NULL)) != NULL) &&
5398N/A+ ((timeout = atoi(idletime) * 60 * 1000) != 0))
5398N/A+ /* always lock or logout and do not show blank screen */
5398N/A+ if (p->mode == DONT_BLANK)
5398N/A+ p->forcedlock_p = p->lock_p = True;
5398N/A+ /* enforce timeout with idlecmd */
5398N/A+ if ((idlecmd = getuserattruid(getuid(),
5398N/A+ USERATTR_IDLECMD_KW, NULL, NULL)) == NULL)
5398N/A+ idlecmd = strdup(USERATTR_IDLECMD_LOCK_KW);
5398N/A+ if (idlecmd && strcasecmp(idlecmd, USERATTR_IDLECMD_LOGOUT_KW) == 0)
5398N/A+ free(idletime); /* free works on a NULL value */
5398N/A+ free(idlecmd); /* when you're all with idlecmd */
5398N/A if (system_default_screenhack_count) /* note: first_time is also true */
5398N/A merge_system_screenhacks (dpy, p, system_default_screenhacks,
5559N/A@@ -940,6 +940,30 @@ check_if_hacks_dir_exists(Bool verbose_p)
5398N/A+/* Added separate function for logout as we need to find better way to log user
5398N/A+logout(saver_screen_info *ssi)
5398N/A+ saver_info *si = ssi->global;
5398N/A+ saver_preferences *p = &si->prefs;
5398N/A+ if (!(si->emergency_lock_p || si->locked_p))
5398N/A+ snprintf (buf, sizeof(buf), "%s: couldn't fork", blurb());
5398N/A spawn_screenhack (saver_screen_info *ssi)
5559N/A@@ -97,6 +97,9 @@ struct saver_preferences {
5398N/A Bool xsync_p; /* whether XSynchronize has been called */
5398N/A Bool lock_p; /* whether to lock as well as save */
5398N/A+ Bool forcedlock_p; /* whether to forced lock */
5398N/A+ Bool forcedlogout_p; /* whether to forced logout */
5398N/A Bool unlock_timeout_p; /* whether to timeout unlock dialog */
5559N/Aindex a7a06a6..85b8069 100644
5398N/A <property name="update_policy">GTK_UPDATE_ALWAYS</property>
5398N/A <property name="snap_to_ticks">True</property>
5398N/A <property name="wrap">False</property>
5398N/A- <property name="adjustment">0 0 720 1 15 15</property>
5398N/A+ <property name="adjustment">0 0 720 1 15 0</property>
5398N/A <atkrelation target="pwd_button" type="controlled-by"/>
5398N/A <atkrelation target="pwd_button" type="labelled-by"/>
5559N/A@@ -1242,6 +1243,9 @@ main_loop (saver_info *si)
5398N/A maybe_reload_init_file (si);
5559N/A@@ -1532,6 +1536,20 @@ DONE:
5398N/A static void analyze_display (saver_info *si);
5398N/A static void fix_fds (void);
5398N/A+ * Is Role attached to userid
5398N/A+ if (((type = getuserattruid(uid, USERATTR_TYPE_KW, NULL, NULL)) != NULL) &&
5398N/A+ (strcmp(type, USERATTR_TYPE_NONADMIN_KW) == 0))
5398N/A main (int argc, char **argv)
5559N/A@@ -1542,6 +1560,14 @@ main (int argc, char **argv)
5398N/A+ if (uid == 0 && isRoleAttached(uid))
5398N/A+ fprintf(stderr, "Roles Can not login directly.\n");
5398N/A /* It turns out that if we do setlocale (LC_ALL, "") here, people
5398N/A running in Japanese locales get font craziness on the password
5398N/A dialog, presumably because it is displaying Japanese characters
5559N/A@@ -2054,7 +2080,7 @@ handle_clientmessage (saver_info *si, XEvent *event, Bool until_idle_p)
5398N/A /* Ignore EXIT message if the screen is locked. */
5398N/A- if (until_idle_p || !si->locked_p)
5398N/A+ if (!(p->forcedlogout_p || p->forcedlock_p) && (until_idle_p || !si->locked_p))
5398N/A clientmessage_response (si, window, False,
5398N/A "EXIT ClientMessage received.",
5559N/A@@ -2071,8 +2097,8 @@ handle_clientmessage (saver_info *si, XEvent *event, Bool until_idle_p)
5398N/A clientmessage_response (si, window, True,
5398N/A- "EXIT ClientMessage received while locked.",
5398N/A+ "EXIT ClientMessage received.",
5398N/A+ "screen is locked or does not have privilege to exit.");
5398N/A else if (type == XA_RESTART)
5398N/A@@ -170,6 +170,8 @@ extern struct screenhack_job *make_job (pid_t pid, int screen,
5398N/A+extern void logout(saver_screen_info *ssi);
5398N/A /* =======================================================================
5398N/A ======================================================================= */