5889N/AFrom 65b6bdc8096ef4ac5b3bd41a0f2d38afe12c75ee Mon Sep 17 00:00:00 2001
5889N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
5889N/ADate: Sat, 2 Jan 2016 22:23:10 -0800
5889N/ASubject: [PATCH] security-policy
5889N/ABug 15284497 SUNBT6317441 Allow admins to remove user-configurability from
5889N/A- Upstream rejected as "I will never implement that, because it's stupid and
5889N/A unenforcible." Unfortunately, we're stuck with Common Criteria requirements,
5889N/A which do not allow for common sense.
5889N/ABug 15779180 SUNBT7154101 Not able to unlock screen after xlock after su to a
5889N/A 7 files changed, 163 insertions(+), 11 deletions(-)
5889N/Aindex 3d86087..3a4ab09 100644
5889N/A@@ -1701,9 +1702,10 @@ flush_dialog_changes_and_save (state *s)
5889N/A # define COPYSTR(FIELD,NAME) \
5889N/A+ if ((p->FIELD != p2->FIELD) && \
5889N/A- strcmp(p->FIELD, p2->FIELD)) \
5889N/A+ strcmp(p->FIELD, p2->FIELD))) \
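Review bot: The new `p->FIELD != p2->FIELD` test on L14 skips the strcmp() only when both pointers are identical (including both NULL); when exactly one side is NULL, strcmp() on L16 still dereferences it. If FIELD can be NULL here — which adding a pointer comparison in front of a string comparison suggests — use a NULL-safe form: `if (p->FIELD != p2->FIELD && (!p->FIELD || !p2->FIELD || strcmp(p->FIELD, p2->FIELD)))`. flush_dialog_changes_and_save starts before this hunk and the macro's remaining lines are not in the excerpt.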
5889N/A@@ -2765,6 +2767,70 @@ update_list_sensitivity (state *s)
5889N/A+# define SENSITIZE(NAME,SENSITIVEP) \
5889N/A+ gtk_widget_set_sensitive (name_to_widget (s, (NAME)), (SENSITIVEP))
5889N/A+ gtk_widget_hide (name_to_widget (s, (NAME)))
5889N/A+ if (((idletime = getuserattruid(getuid(),
5889N/A+ USERATTR_IDLETIME_KW, NULL, NULL)) != NULL) &&
5889N/A+ ((timeout = atoi(idletime)) != 0) || timeout)
5889N/A+ GtkWidget *timeout_spinbutton = name_to_widget(s, "timeout_spinbutton");
5889N/A+ GtkAdjustment *adj = gtk_spin_button_get_adjustment((GtkSpinButton *) timeout_spinbutton);
5889N/A+ SET_ADJ_UPPER(adj, (gdouble) timeout);
5889N/A+ if (GET_ADJ_VALUE(adj) > (gdouble) timeout)
5889N/A+ SET_ADJ_VALUE(adj, (gdouble) timeout);
5889N/A+ gtk_spin_button_set_adjustment((GtkSpinButton *) timeout_spinbutton, adj);
5889N/A+ /* enforce timeout with idlecmd */
5889N/A+ if ((idlecmd = getuserattruid(getuid(),
5889N/A+ USERATTR_IDLECMD_KW, NULL, NULL)) == NULL)
5889N/A+ idlecmd = strdup(USERATTR_IDLECMD_LOCK_KW);
5889N/A+ if (idlecmd && strcasecmp(idlecmd, USERATTR_IDLECMD_LOGOUT_KW) == 0)
5889N/A+ gtk_label_set_text_with_mnemonic(
5889N/A+ GTK_LABEL (name_to_widget (s, "timeout_label")),
5889N/A+ HIDEWIDGET("cycle_label");
5889N/A+ HIDEWIDGET("cycle_spinbutton");
5889N/A+ HIDEWIDGET("cycle_mlabel");
5889N/A+ HIDEWIDGET("pwd_spinbutton");
5889N/A+ HIDEWIDGET("pwd_button_eventbox");
5889N/A+ gtk_label_set_text_with_mnemonic(
5889N/A+ GTK_LABEL (name_to_widget(s, "timeout_label")),
5889N/A+ SENSITIZE("lock_spinbutton", 0);
5889N/A+ SENSITIZE("lock_mlabel", 0);
5889N/A+ SENSITIZE("lock_button", 0);
5889N/A+ HIDEWIDGET("lock_spinbutton");
5889N/A+ HIDEWIDGET("lock_mlabel");
5889N/A+ HIDEWIDGET("lock_button");
5889N/A+ HIDEWIDGET("lock_button_eventbox");
5889N/A+ free(idletime); /* free works on a NULL value */
5889N/A+ free(idlecmd); /* when you're all with idlecmd */
5889N/A populate_prefs_page (state *s)
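Review bot: The condition on L21-L23 parses as `(idletime != NULL && atoi(idletime) != 0) || timeout` because `&&` binds tighter than `||`, so with no idletime set in user_attr the block still runs whenever `timeout` already holds a nonzero value (its initialization is not in this excerpt), and the trailing `|| timeout` has no counterpart in the matching load_init_file check later in the patch. Either drop it or parenthesize to state the intent, e.g. `if ((idletime = getuserattruid(getuid(), USERATTR_IDLETIME_KW, NULL, NULL)) != NULL && (timeout = atoi(idletime)) > 0)`. atoi() also accepts a negative or non-numeric policy value silently, and that value becomes the spin button's upper bound on L26, so a strtol() with an `end` and range check would reject a misconfigured user_attr entry instead of producing an unusable dialog. The enclosing function's signature and end lie outside this hunk.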
5889N/A@@ -2921,10 +2987,6 @@ populate_prefs_page (state *s)
5889N/A #endif /* HAVE_DPMS_EXTENSION */
5889N/A-# define SENSITIZE(NAME,SENSITIVEP) \
5889N/A- gtk_widget_set_sensitive (name_to_widget (s, (NAME)), (SENSITIVEP))
5889N/A@@ -2964,10 +3026,13 @@ dpms_supported=1;
5889N/A SENSITIZE ("fade_spinbutton", (fading_possible &&
5889N/A (p->fade_p || p->unfade_p)));
5889N/A populate_popup_window (state *s)
5889N/Aindex 52538a8..20f3a4a 100644
5889N/A /* This file doesn't need the Xt headers, so stub these types out... */
5889N/A@@ -1186,6 +1187,37 @@ load_init_file (Display *dpy, saver_preferences *p)
5889N/A+ if (((idletime = getuserattruid(getuid(),
5889N/A+ USERATTR_IDLETIME_KW, NULL, NULL)) != NULL) &&
5889N/A+ ((timeout = atoi(idletime) * 60 * 1000) != 0))
5889N/A+ /* always lock or logout and do not show blank screen */
5889N/A+ if (p->mode == DONT_BLANK)
5889N/A+ p->forcedlock_p = p->lock_p = True;
5889N/A+ /* enforce timeout with idlecmd */
5889N/A+ if ((idlecmd = getuserattruid(getuid(),
5889N/A+ USERATTR_IDLECMD_KW, NULL, NULL)) == NULL)
5889N/A+ idlecmd = strdup(USERATTR_IDLECMD_LOCK_KW);
5889N/A+ if (idlecmd && strcasecmp(idlecmd, USERATTR_IDLECMD_LOGOUT_KW) == 0)
5889N/A+ free(idletime); /* free works on a NULL value */
5889N/A+ free(idlecmd); /* when you're all with idlecmd */
5889N/A if (system_default_screenhack_count) /* note: first_time is also true */
5889N/A merge_system_screenhacks (dpy, p, system_default_screenhacks,
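Review bot: `timeout = atoi(idletime) * 60 * 1000` on L67 is evaluated in int and overflows once the user_attr idletime exceeds roughly 35791 minutes, while a negative or non-numeric value passes the `!= 0` test and yields a negative timeout; parse and bound before scaling, e.g. `long mins = strtol(idletime, &end, 10); if (end != idletime && *end == '\0' && mins > 0 && mins <= INT_MAX / (60 * 1000)) timeout = (int) mins * 60 * 1000;`. The comment on L68 says lock or logout is always enforced, but the visible code only sets `forcedlock_p`/`lock_p` when `p->mode == DONT_BLANK`; if the other modes are handled in lines this excerpt omits, say so in the comment, otherwise they leave `lock_p` at the user's own setting. This is the load path that binds the daemon — the dialog hunk earlier only constrains widgets — so this is the check that must be strict. load_init_file starts before this hunk.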
5889N/A@@ -940,6 +940,30 @@ check_if_hacks_dir_exists(Bool verbose_p)
5889N/A+/* Added separate function for logout as we need to find better way to log user
5889N/A+logout(saver_screen_info *ssi)
5889N/A+ saver_info *si = ssi->global;
5889N/A+ saver_preferences *p = &si->prefs;
5889N/A+ if (!(si->emergency_lock_p || si->locked_p))
+ snprintf (buf, sizeof(buf), "%s: couldn't fork", blurb());
spawn_screenhack (saver_screen_info *ssi)
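Review bot: The new function is named `logout`, which collides with the libutil `logout(3)` declared in <utmp.h> on glibc and the BSDs with a different signature, so any translation unit that includes that header alongside the xscreensaver prototype will fail to compile or mis-link; a project-prefixed name such as `saver_logout` avoids this. The header comment on L81 is cut off mid-sentence in this excerpt; it should state which idlecmd policy triggers the function and that, as L85 suggests, it does nothing unless `si->locked_p` or `si->emergency_lock_p` is set. On L86 a fork failure is only logged, yet this is the path enforcing a mandatory logout, so a comment should say what state the session is left in when the fork fails (presumably still locked). The function body runs beyond the visible lines.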
@@ -97,6 +97,9 @@ struct saver_preferences {
Bool xsync_p; /* whether XSynchronize has been called */
Bool lock_p; /* whether to lock as well as save */
+ Bool forcedlock_p; /* whether to forced lock */
+ Bool forcedlogout_p; /* whether to forced logout */
Bool unlock_timeout_p; /* whether to timeout unlock dialog */
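Review bot: The comments on L91-L92 ("whether to forced lock") don't say who sets these flags or what they override; elsewhere in the patch they are derived from the administrator's user_attr idlecmd value rather than the user's own preferences, so say so: `Bool forcedlock_p; /* admin policy (user_attr idlecmd=lock): user cannot disable locking */` and `Bool forcedlogout_p; /* admin policy (user_attr idlecmd=logout): log out instead of locking when idle */`. The exact mapping for forcedlogout_p is not visible in this excerpt, so confirm the wording against the load_init_file code. The struct definition starts and ends outside this hunk.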
index a7a06a6..85b8069 100644
<property name="update_policy">GTK_UPDATE_ALWAYS</property>
<property name="snap_to_ticks">True</property>
<property name="wrap">False</property>
- <property name="adjustment">0 0 720 1 15 15</property>
+ <property name="adjustment">0 0 720 1 15 0</property>
<atkrelation target="pwd_button" type="controlled-by"/>
<atkrelation target="pwd_button" type="labelled-by"/>
@@ -1242,6 +1243,9 @@ main_loop (saver_info *si)
maybe_reload_init_file (si);
+ logout(&si->screens[0]);
if (p->mode == DONT_BLANK)
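Review bot: `logout(&si->screens[0])` on L104 is called on every pass through main_loop with no visible check of `p->forcedlogout_p`; unless that gate lives inside logout() (its body is not fully shown in this patch), guard the call: `if (p->forcedlogout_p) logout(&si->screens[0]);`. Only screen 0 is passed; if the callee uses the screen solely to reach `ssi->global`, as its first lines suggest, a one-line comment here would save a reader wondering about multi-screen setups. main_loop continues outside this hunk.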
@@ -1532,6 +1536,20 @@ DONE:
static void analyze_display (saver_info *si);
static void fix_fds (void);
+ * Is Role attached to userid
+isRoleAttached(uid_t uid)
+ if (((type = getuserattruid(uid, USERATTR_TYPE_KW, NULL, NULL)) != NULL) &&
+ (strcmp(type, USERATTR_TYPE_NONADMIN_KW) == 0))
main (int argc, char **argv)
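Review bot: `type` on L111 is a string returned by getuserattruid(), which the rest of this patch treats as heap-allocated (the equivalents are free()d in the prefs code), but the visible lines of isRoleAttached() compare it and never free it, so unless an omitted line does, the helper leaks once per call; return through a local instead: `Bool is_role = (type != NULL && strcmp(type, USERATTR_TYPE_NONADMIN_KW) == 0); free(type); return is_role;`. The name is also camelCase while the neighbouring declarations on L107-L108 (`analyze_display`, `fix_fds`) are snake_case. The function's remaining lines are outside this excerpt.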
@@ -1542,6 +1560,14 @@ main (int argc, char **argv)
+ if (uid == 0 && isRoleAttached(uid))
+ fprintf(stderr, "Roles Can not login directly.\n");
/* It turns out that if we do setlocale (LC_ALL, "") here, people
running in Japanese locales get font craziness on the password
dialog, presumably because it is displaying Japanese characters
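Review bot: The check on L115 refuses to run only when `uid == 0` and that account is a role, so a role with any other uid — which the "su to a role" bug in the description seems to describe — passes through; if the intent is to refuse every role account, drop the `uid == 0 &&`, and if root is deliberately the only case, say so in a comment. The message on L116 goes to stderr only, which nobody sees when the daemon is started from a session script; use the file's blurb()-prefixed style and fix the grammar: `fprintf(stderr, "%s: roles cannot log in directly.\n", blurb());`. What follows the message (an exit, presumably) is not in the excerpt; main() continues outside the hunk.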
@@ -2054,7 +2080,7 @@ handle_clientmessage (saver_info *si, XEvent *event, Bool until_idle_p)
else if (type == XA_EXIT)
/* Ignore EXIT message if the screen is locked. */
- if (until_idle_p || !si->locked_p)
+ if (!(p->forcedlogout_p || p->forcedlock_p) && (until_idle_p || !si->locked_p))
clientmessage_response (si, window, False,
"EXIT ClientMessage received.",
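Review bot: With `forcedlogout_p` or `forcedlock_p` set, the new test on L124 makes the daemon ignore XA_EXIT unconditionally, but this only closes the X ClientMessage path; the daemon presumably still runs under the user's own uid, so a plain `kill` still terminates it, and a comment should state that limit: `/* Policy-forced lock/logout: refuse EXIT from X clients. Does not defend against a same-uid signal. */`. `p` appears here for the first time in the visible lines; if `saver_preferences *p = &si->prefs;` is declared in a line this excerpt omits, fine, otherwise it needs declaring. handle_clientmessage continues outside the hunk.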
@@ -2071,8 +2097,8 @@ handle_clientmessage (saver_info *si, XEvent *event, Bool until_idle_p)
clientmessage_response (si, window, True,
- "EXIT ClientMessage received while locked.",
+ "EXIT ClientMessage received.",
+ "screen is locked or does not have privilege to exit.");
else if (type == XA_RESTART)
@@ -170,6 +170,8 @@ extern struct screenhack_job *make_job (pid_t pid, int screen,
+extern void logout(saver_screen_info *ssi);
/* =======================================================================
======================================================================= */