From 968fbcffc3dbade0eaaaf5a778afe3142a537178 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Mon, 13 Jan 2025 11:39:31 +0000
Subject: [PATCH] Add XAuthorityInSystemDir option

Add an option to allow XAUTHORITY to ber moved away from $HOME. This is
modelled on the lightdm 'user-authority-in-system-dir' option
---
 docs/man/sesman.ini.5.in         | 10 +++++++++-
 sesman/libsesman/sesman_config.c |  7 +++++++
 sesman/libsesman/sesman_config.h |  6 ++++++
 sesman/sesexec/env.c             |  6 ++++++
 sesman/sesman.ini.in             |  2 +-
 5 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/docs/man/sesman.ini.5.in b/docs/man/sesman.ini.5.in
index ce386ebad2..7c38e2f001 100644
--- a/docs/man/sesman.ini.5.in
+++ b/docs/man/sesman.ini.5.in
@@ -57,7 +57,7 @@ In this instance, the system administrator is responsible for ensuring
 the socket can only be created by a suitably privileged process.
 .PP
 If the parameter does not start with a '/', a name within
-@socketdir@ is used.
+@socketdir@/\fI<uid>\fR is used.
 .RE
 
 .TP
@@ -251,6 +251,14 @@ The number of login attempts that are allowed on terminal server. If set
 to \fI0\fR, unlimited attempts are allowed. If not specified, defaults to
 \fI3\fR.
 
+.TP
+\fBXAuthorityInSystemDir\fR=\fI[no|yes]\fR
+If set to \fByes\fR, xrdp will set XAUTHORITY to be in a system directory
+(currently @socketdir@/\fI<uid>\fR) which is only accessible to the
+logged-in user.
+You may wish to use this if $HOME is NFS-mounted, or you are experiencing
+other applications overwriting the default file.
+
 .TP
 \fBTerminalServerUsers\fR=\fIgroup\fR
 Only the users belonging to the specified group are allowed to login on
diff --git a/sesman/libsesman/sesman_config.c b/sesman/libsesman/sesman_config.c
index 9e3d9e7286..7f2df78d9c 100644
--- a/sesman/libsesman/sesman_config.c
+++ b/sesman/libsesman/sesman_config.c
@@ -63,6 +63,7 @@
 */
 #define SESMAN_CFG_SECURITY                        "Security"
 #define SESMAN_CFG_SEC_LOGIN_RETRY                 "MaxLoginRetry"
+#define SESMAN_CFG_XAUTH_IN_SYSDIR                 "XAuthorityInSystemDir"
 #define SESMAN_CFG_SEC_ALLOW_ROOT                  "AllowRootLogin"
 #define SESMAN_CFG_SEC_USR_GROUP                   "TerminalServerUsers"
 #define SESMAN_CFG_SEC_ADM_GROUP                   "TerminalServerAdmins"
@@ -307,6 +308,7 @@ config_read_security(int file, struct config_security *sc,
     /* setting defaults */
     sc->allow_root = 0;
     sc->login_retry = 3;
+    sc->xauth_in_sysdir = 0;
     sc->restrict_outbound_clipboard = 0;
     sc->restrict_inbound_clipboard = 0;
     sc->allow_alternate_shell = 1;
@@ -330,6 +332,10 @@ config_read_security(int file, struct config_security *sc,
         {
             sc->login_retry = g_atoi(value);
         }
+        else if (0 == g_strcasecmp(buf, SESMAN_CFG_XAUTH_IN_SYSDIR))
+        {
+            sc->xauth_in_sysdir = g_text2bool(value);
+        }
         else if (0 == g_strcasecmp(buf, SESMAN_CFG_SEC_USR_GROUP))
         {
             g_free(sc->ts_users);
@@ -672,6 +678,7 @@ config_dump(struct config_sesman *config)
     g_writeln("Security configuration:");
     g_writeln("    AllowRootLogin:            %d", sc->allow_root);
     g_writeln("    MaxLoginRetry:             %d", sc->login_retry);
+    g_writeln("    XAuthorityInSystemDir:     %d", sc->xauth_in_sysdir);
     g_writeln("    AlwaysGroupCheck:          %d", sc->ts_always_group_check);
     g_writeln("    AllowAlternateShell:       %d", sc->allow_alternate_shell);
 #ifdef HAVE_SYS_PRCTL_H
diff --git a/sesman/libsesman/sesman_config.h b/sesman/libsesman/sesman_config.h
index aa8d43dcfb..19f584e090 100644
--- a/sesman/libsesman/sesman_config.h
+++ b/sesman/libsesman/sesman_config.h
@@ -68,6 +68,12 @@ struct config_security
      * @brief maximum login attempts
      */
     int login_retry;
+    /**
+     * @var x_authority_in_system_dir
+     * @brief Move XAUTHORITY to a system directory
+     */
+    int xauth_in_sysdir;
+
     /**
      * @var ts_users
      * @brief Terminal Server Users group
diff --git a/sesman/sesexec/env.c b/sesman/sesexec/env.c
index f56a93d449..6efc1d655e 100644
--- a/sesman/sesexec/env.c
+++ b/sesman/sesexec/env.c
@@ -162,6 +162,12 @@ env_set_user(int uid, char **passwd_file, int display,
             /* pulse source socket */
             g_snprintf(text, sizeof(text), CHANSRV_PORT_IN_BASE_STR, display);
             g_setenv("XRDP_PULSE_SOURCE_SOCKET", text, 1);
+            if (g_cfg->sec.xauth_in_sysdir)
+            {
+                g_snprintf(text, sizeof(text), XRDP_SOCKET_PATH "/Xauthority",
+                           uid);
+                g_setenv("XAUTHORITY", text, 1);
+            }
             if ((env_names != 0) && (env_values != 0) &&
                     (env_names->count == env_values->count))
             {
diff --git a/sesman/sesman.ini.in b/sesman/sesman.ini.in
index 57a6545613..baeeca1b74 100644
--- a/sesman/sesman.ini.in
+++ b/sesman/sesman.ini.in
@@ -14,6 +14,7 @@ ReconnectScript=reconnectwm.sh
 [Security]
 AllowRootLogin=true
 MaxLoginRetry=4
+XAuthorityInSystemDir=no
 TerminalServerUsers=tsusers
 TerminalServerAdmins=tsadmins
 ; When AlwaysGroupCheck=false access will be permitted
@@ -50,7 +51,6 @@ RestrictInboundClipboard=none
 ; be able to connect to your sessions.
 #SessionSockdirGroup=xrdp
 
-
 [Sessions]
 ;; X11DisplayOffset - x11 display number offset
 ; Type: integer