Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor ip address handling #2251

Merged
merged 6 commits into from
May 19, 2022

Conversation

matt335672
Copy link
Member

Fixes #392 #2239

Replacement for the withdrawn #2223

The main reason for withdrawing #2223 was I discovered there were two separate places in the xrdp_client_info structure which described the currently connected client:-

  1. The connection_description field. This was originally (and confusingly) called client_ip, and introduced by commit d797b2c for xrdp v0.6.0

  2. The client_addr and client_port fields introduced by commit 2536946 for xrdp v0.8.0

In terms of maintainability and readability, it made sense to unify these two sets of fields into a single set of fields.

Another confusion is the presence of the 'C' argument to the session allocation policy in sesman.ini. The code for this in sesman uses the connection_description field. This is explored further in #2239

This series of commits does the following:-

  1. Replaces connection_description, client_addr and client_port with two unified fields in xrdp_client_info. These fields are
    client_ip and client_description. they are used as follows:-
    • for AF_INET/AF_INET6 connections only, client_ip contains the IP address of the client. For other connection types (e.g. AF_UNIX and AF_VSOCK) this field is empty.
    • for all connection types, client_description contains a string which describes the connected client.
  2. PAM_RHOST support is added (Pass remote ip address to PAM #392) for PAM stacks that can make use of this information.
  3. A couple of utility functions g_bitmask_to_charstr() and g_charstr_to_bitmask() are added to string_calls.c. These are intended for parsing the Policy string in sesman.ini in a more flexible way.
  4. Unit tests are added for the above.
  5. The session allocation policy code is updated as discussed in Session allocation policy - Connection setting not useful? #2239. Not only does this make the policy more flexible (see, for example Added clientname to session policy and environment #2099), but it makes it possible to trace the action of session matching by enabling standard debug logging.

This PR changes the public interface of the session allocation policy in sesman.ini. Effectively, the old 'C' policy is achieved by setting the policy to 'Separate'. This is I believe a little clearer, and I also think it is unlikely there are many users of the 'Separate' policy anyway. A use of the old 'C' flag is not honoured, but a warning is currently generated if it is discovered.

@matt335672 matt335672 linked an issue May 5, 2022 that may be closed by this pull request
The connected client is currently described in two places in
the xrdp_client_info structure:-

1) In the connection_description field. This was introduced as
   field client_ip by commit d797b2c
   for xrdp v0.6.0

2) In the client_addr and client_port fields introduced by commit
   2536946 for xrdp v0.8.0

This commit unifies these two sets of fields into a single
set of fields describing the connection IP and port (for
AF_INET/AF_INET6 connections only) and a connection description
for all connection types.

The code in os_calls to provide client logging has been simplified
somewhat which should make it easier to add new connection types (e.g.
AF_VSOCK).

The old connection_description field used to be passed to sesman to
inform sesman of the IP address of the client, and also to provide
a string for 'C' field session policy matching. 'C' field session policy
matching does not actually need this string (see neutrinolabs#2239), and so now only
the IP field is passed to sesman.
Supplies the IP address that an authentication event is
received from as the PAM parameter PAM_RHOST for PAM-capable systems.
Made session allocation policies more readable and maintainable.

The 'C' policy which was confusing before has been replaced with the
'Separate' keyword. This is a public interface change, but is unlikely
to affect many users.

The logging in session_get_bydata() is substantially improved, making
it far easier to spot why sessions are getting matched or not matched.
@matt335672 matt335672 force-pushed the refactor_ip_addr_handling branch from 67e0337 to 3e48877 Compare May 18, 2022 11:35
@matt335672 matt335672 merged commit 6c4bdf7 into neutrinolabs:devel May 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Session allocation policy - Connection setting not useful? Pass remote ip address to PAM
1 participant