[FreeNX-kNX] JJK: All patches applied

Jeffrey J. Kosowsky freenx-knx at kosowsky.org
Sun Dec 30 21:55:03 UTC 2007


Forwarding this (along with several other postings) to the list per
Fabian's suggestion... Note: I have also previously posted a copy to
the freenx-devel list.

Jeffrey J. Kosowsky wrote at about 23:32:00 -0500 on Saturday, December 8, 2007:
 > Fabian,
 > Version 0.7.1 has finally made into Fedora 8 and I am glad to see that
 > the patches I suggested (along with many other improvements added by
 > you) have been included.
 > 
 > Here are several more bug fixes/improvements that you might want to
 > consider adding to nxnode. 
 > 
 > First, when a share is mounted, a new subdirectory is created
 > ($mpoint). I believe that this directory should also be removed when
 > the share is unmounted or else you end up with a lot of old stale
 > mount points.
 > 
 > My suggested change (as indicated by my initials JJK) just adds one
 > line to node_umount_smb():
 > 
 > node_umount_smb()
 > {
 > 	[ -e "$USER_FAKE_HOME/.nx/C-$sess_id/scripts/mpoint" ] || return
 > 	cat "$USER_FAKE_HOME/.nx/C-$sess_id/scripts/mpoint" | while read mpoint
 > 	do
 > 		$COMMAND_SMBUMOUNT "$mpoint" >/dev/null 2>/dev/null
 > 		rmdir "$mpoint" >/dev/null 2>/dev/null #JJK remove mount point if empty
 > 	done
 > }
 > 
 > Note that the directory is only removed if empty.

In my latest patches (see subsequent posting), I also added another
line to cmd_node_smbmount to remove the mount point if the mount fails.

 > 
 > Second, on my system the sharename returned by "getparam dir" begins
 > with "%24" and not "$" (note that %24 is the ASCII encoding of $).
 > So I changed the line:
 >     dir=$(getparam dir | sed 's|$(SHARES)|MyShares|g')
 > To:
 > 	dir=$(getparam dir | sed 's/\(%24\|\$\)(SHARES)/MyShares/g')
 > 
 > Also, note that using "|" as a separator in (gnu) sed is no longer
 > recommended since it creates ambiguity with the 'or' operator.
 > 
 > Third, I made several changes to the cupsd.conf file that is
 > generated in nxnode.conf that you may (or may not) want to
 > include. The changes are as follows:
 > 
 > 1. Placed all the log files in a subdirectory of
 >    $USER_FAKE_HOME/.nx/C-$sess_id/cups.
 >    I also added back in access_log.
 >    This adds clarity and is consistent with how all the log files in
 >    cups are usually put together.
 > 
 >    AccessLog log/access_log
 >    ErrorLog log/error_log
 >    PageLog log/page_log
 > 
 > 2. I believe that you are using "Listen $NODE_CUPSD_SOCKET" for
 >    security. However, when I do this, then I cannot use the CUPS web
 >    interface to manage the printers since there is no port to point my
 >    web browser at (correct me if there is a way). Also, it may be nice
 >    to allow other users to access the remote printers at least at some
 >    non-privileged level.
 > 
 >    So, I also open up listening on $NODE_CUPSD_PORT and then use a
 >    more buttoned-down version of permissions to restore some
 >    security. Basically, I copied the security permissions that the
 >    regular default cupsd.conf setup uses on my Fedora system. So, in the
 >    end I am trading off perhaps a little security for more convenient
 >    access to and management of the printers.
 > 
 >    Specifically, I make the following additional changes to the
 >    generated cupsd.conf file [Note the first and last stanza of the
 >    restrictions are unchanged except for added comments]
 > 
 > SystemGroup sys root $USER
 > Listen localhost:$NODE_CUPSD_PORT
 > 
 > #JJK:  Restrict access to the server...
 > <Location />
 > Order Deny,Allow
 > Deny From All
 > Allow from 127.0.0.1
 > </Location>
 > 
 > #JJK: Restrict access to the admin pages...
 > <Location /admin>
 >   Encryption Required
 >   Order allow,deny
 >   Allow localhost
 > </Location>
 > 
 > #JJK: Restrict access to configuration files...
 > <Location /admin/conf>
 >   AuthType Basic
 >   Require user @SYSTEM
 >   Order allow,deny
 >   Allow localhost
 > </Location>
 > 
 > #JJK: Since also allowing access via $NODE_CUPSD_PORT, need to add protection
 > <Policy default>
 >   #JJK: Job-related operations must be done by the owner or an administrator...
 >   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
 >     Require user @OWNER @SYSTEM
 >     Order deny,allow
 >   </Limit>
 > 
 >   #JJK: All administration operations require an administrator to authenticate...
 >   <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs>
 >     AuthType Basic
 >     Require user @SYSTEM
 >     Order deny,allow
 >   </Limit>
 > 
 >   #JJK: Except need to allow these for nxnode to work
 >   <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Set-Default>
 >     Order deny,allow
 >   </Limit>
 > 
 >   # Only the owner or an administrator can cancel or authenticate a job...
 >   <Limit Cancel-Job CUPS-Authenticate-Job>
 >     Require user @OWNER @SYSTEM
 >     Order deny,allow
 >   </Limit>
 > 
 >   #JJK: Allow everything else...
 >   <Limit All>
 >     AuthType None
 >     Order deny,allow
 >   </Limit>
 > </Policy>
 > 
 > 3. I like to also allow 'guest' so you can do things like print
 >    test pages from the CUPS web interface. Note this is required
 >    even for the original user to print test pages from the CUPS
 >    web interface.
 > 
 >    To do this, change:
 >        PUBLIC="-u allow:$USER"
 >    To:
 >        PUBLIC="-u allow:$USER,guest"
 > 
 > Fabian Franz wrote at about 00:18:15 +0100 on Wednesday, November 21, 2007:
 >  > > Fabian,
 >  > 
 >  > Hi,
 >  > 
 >  > > I continue to play with freenx and fix bugs as they occur and as I
 >  > > update my own Fedora system. I will send you my updated patches when
 >  > > they are cleaned up if you are interested.
 >  > 
 >  > Sure. That is perfect.
 >  > 
 >  > > One bug (at least on Fedora systems) is that the directive "PidFile"
 >  > > in cupsd.conf doesn't seem to be recognized. The result is that the
 >  > > daemon code that you use to launch cupsd doesn't record the pid and
 >  > > then it can't later be killed. I'm not sure why "PidFile" is not
 >  > > recognized but I tested it outside of NX by launching cupsd manually
 >  > > and indeed it doesn't work (I am using Cups 1.3.3).
 >  > 
 >  > Yes, PidFile is Debian specific, but I didn't know that.
 >  > 
 >  > Your fix is fine and I will commit a similar one with -f to SVN.
 >  > 
 >  > > To get around this, I use the following patch:
 >  > > #JJK:   $COMMAND_CUPSD -c "$USER_FAKE_HOME/.nx/C-$sess_id/cups/cupsd.conf" &>/dev/null </dev/null
 >  > >     $COMMAND_CUPSD -F -c "$USER_FAKE_HOME/.nx/C-$sess_id/cups/cupsd.conf" &>/dev/null </dev/null &
 >  > >     NODE_CUPSD_PID=$!
 >  > >     echo $NODE_CUPSD_PID >"$USER_FAKE_HOME/.nx/C-$sess_id/pids/cupsd"
 >  > > 
 >  > > A second problem I found is more challenging (to me).
 >  > 
 >  > Not only to you.
 >  > 
 >  > > Based on our earlier discussion, I am using the directive
 >  > > 	echo "NX> 709 File-sharing port: 445"
 >  > > to enable me to use mount.cifs/umount.cifs since smbmount is no longer
 >  > > supported on my system.
 >  > > This then sets up the ssh port forwarding: <$display+3000> --> 445
 >  > > So, far this makes file sharing work.
 >  > 
 >  > You can use FreeNX 0.7.1 that has this directive and even has it configurable.
 >  > 
 >  > > However, I now can't get print sharing working. Since the smb URL for
 >  > > printing in 'nxnode' uses the same port while smb URL printing seems
 >  > > to need to be forwarded to the old port 139 standard to work.
 >  > 
 >  > SMB printing won't need to be forwarded to port 139, but in SAMBA the port 445 is hardcoded to be used to switch printing to CIFS.
 >  > 
 >  > So there are two possibilities:
 >  > 
 >  > (1) - Patch samba to do a != 139 instead of ==445.
 >  > 
 >  > (or even better apply a different idea of the patch that NoMachine did to upstream. I had been already in negotiations with Samba, but I forgot it again ...)
 >  > 
 >  > (2) - Or use my old work in http://svn.berlios.de/svnroot/repos/freenx/nx-utils/nxredir/ to forward 445 to some port via LD_PRELOAD mechanism and let smbprint use it.
 >  > 
 >  > (I had also written some other mail in the last month regarding this issue)
 >  > 
 >  > At the moment I will go with (2) for the 0.7.2 release and with (1) for the long term.
 >  > 
 >  > cu
 >  > 
 >  > Fabian
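As an added check, not part of this thread or of nxnode, a small Python audit of the cupsd.conf policy layout discussed above: it parses the Listen lines and the <Limit> blocks of <Policy default> and reports when cupsd is bound beyond localhost or when printer-administration operations fall through to "AuthType None". The sample config is constructed, with 8631 standing in for $NODE_CUPSD_PORT and the operation list shortened.

```python
# Printer-administration operations the post puts behind "AuthType Basic" + "Require user @SYSTEM" (subset).
ADMIN_OPS = {"Pause-Printer", "Resume-Printer", "Enable-Printer", "Disable-Printer", "CUPS-Add-Class"}

def parse_cupsd_conf(text):
    """Return (Listen targets, {operation: directives} for each <Limit> inside <Policy default>)."""
    listens, per_op, in_policy, ops, dirs = [], {}, False, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as the #JJK: notes
        low = line.lower()
        if low.startswith("listen "):
            listens.append(line.split(None, 1)[1])
        elif low.startswith("<policy ") or low == "</policy>":
            in_policy = low.startswith("<policy default")  # only the default policy is audited
        elif in_policy and low.startswith("<limit "):
            ops, dirs = line[7:-1].split(), {}  # operation names between "<Limit " and ">"
        elif in_policy and low == "</limit>":
            per_op.update({op: dirs for op in ops})
            ops = []
        elif in_policy and ops:
            key, _, val = line.partition(" ")
            dirs[key.lower()] = val.strip()
    return listens, per_op

def audit(text):
    """Findings list; empty means cupsd stays local and admin operations need an authenticated @SYSTEM user."""
    listens, per_op = parse_cupsd_conf(text)
    findings = []
    for addr in listens:
        host = addr.rsplit(":", 1)[0]  # "localhost:8631" -> "localhost"; a bare port means all interfaces
        if not addr.startswith("/") and host not in ("localhost", "127.0.0.1"):
            findings.append(f"Listen {addr} is reachable from other hosts")
    for op in sorted(ADMIN_OPS):
        d = per_op.get(op) or per_op.get("All", {})  # an unlisted operation falls back to <Limit All>
        if d.get("authtype", "none").lower() == "none" or "@SYSTEM" not in d.get("require", ""):
            findings.append(f"{op} does not require an authenticated @SYSTEM user")
    return findings

# Constructed fragment shaped like the post's generated cupsd.conf (8631 stands in for $NODE_CUPSD_PORT).
HARDENED = """\
Listen localhost:8631
<Policy default>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer CUPS-Add-Class>
    AuthType Basic
    Require user @SYSTEM
  </Limit>
  <Limit All>
    AuthType None
  </Limit>
</Policy>
"""
# Same file with both guards removed: bound on every interface, admin block left unauthenticated.
WEAK = HARDENED.replace("Listen localhost:8631", "Listen *:631").replace("AuthType Basic", "AuthType None")
```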
