[FreeNX-kNX] JJK: All patches applied
Jeffrey J. Kosowsky
freenx-knx at kosowsky.org
Sun Dec 30 21:55:03 UTC 2007
Forwarding this (along with several other postings) to the list per
Fabian's suggestion... Note: I have also previously posted a copy to
the freenx-devel list.
Jeffrey J. Kosowsky wrote at about 23:32:00 -0500 on Saturday, December 8, 2007:
> Fabian,
> Version 0.7.1 has finally made it into Fedora 8 and I am glad to see that
> the patches I suggested (along with many other improvements added by
> you) have been included.
>
> Here are several more bug fixes/improvements that you might want to
> consider adding to nxnode.
>
> First, when a share is mounted, a new subdirectory is created
> ($mpoint). I believe that this directory should also be removed when
> the share is unmounted or else you end up with a lot of old stale
> mount points.
>
> My suggested change (as indicated by my initials JJK) just adds one
> line to node_umount_smb():
>
> node_umount_smb()
> {
> [ -e "$USER_FAKE_HOME/.nx/C-$sess_id/scripts/mpoint" ] || return
> cat "$USER_FAKE_HOME/.nx/C-$sess_id/scripts/mpoint" | while read mpoint
> do
> $COMMAND_SMBUMOUNT "$mpoint" >/dev/null 2>/dev/null
> rmdir "$mpoint" >/dev/null 2>/dev/null #JJK remove mount point if empty
> done
> }
>
> Note that the directory is only removed if empty.
In my latest patches (see subsequent posting), I also added another
line to cmd_node_smbmount to remove the mount point if the mount fails.
>
> Second, on my system the sharename returned by "getparam dir" begins
> with "%24" and not "$" (note that %24 is the ASCII encoding of $).
> So I changed the line:
> dir=$(getparam dir | sed 's|$(SHARES)|MyShares|g')
> To:
> dir=$(getparam dir | sed 's/\(%24\|\$\)(SHARES)/MyShares/g')
>
> Also, note that using "|" as a separator in (GNU) sed is no longer
> recommended since it creates ambiguity with the 'or' operator.
>
> Third, I made several changes to the cupsd.conf file that is
> generated in nxnode.conf that you may (or may not) want to
> include. The changes are as follows:
>
> 1. Placed all the log files in a subdirectory of
> $USER_FAKE_HOME/.nx/C-$sess_id/cups. I also added back in access_log.
> This adds clarity and is consistent with how all the log files in
> cups are usually put together.
>
> AccessLog log/access_log
> ErrorLog log/error_log
> PageLog log/page_log
>
> 2. I believe that you are using "Listen $NODE_CUPSD_SOCKET" for
> security. However, when I do this, then I cannot use the CUPS web
> interface to manage the printers since there is no port to point my
> web browser at (correct me if there is a way). Also, it may be nice
> to allow other users to access the remote printers at least at some
> non-privileged level.
>
> So, I also open up listening on $NODE_CUPSD_PORT and then use a
> more buttoned-down version of permissions to restore some
> security. Basically, I copied the security permissions that the
> regular default cupsd.conf setup uses on my Fedora system. So, in the
> end I am trading off perhaps a little security for more convenient
> access to and management of the printers.
>
> Specifically, I make the following additional changes to the
> generated cupsd.conf file [Note the first and last stanza of the
> restrictions are unchanged except for added comments]
>
> SystemGroup sys root $USER
> Listen localhost:$NODE_CUPSD_PORT
>
> #JJK: Restrict access to the server...
> <Location />
> Order Deny,Allow
> Deny From All
> Allow from 127.0.0.1
> </Location>
>
> #JJK: Restrict access to the admin pages...
> <Location /admin>
> Encryption Required
> Order allow,deny
> Allow localhost
> </Location>
>
> #JJK: Restrict access to configuration files...
> <Location /admin/conf>
> AuthType Basic
> Require user @SYSTEM
> Order allow,deny
> Allow localhost
> </Location>
>
> #JJK: Since also allowing access via $NODE_CUPSD_PORT, need to add protection
> <Policy default>
> #JJK: Job-related operations must be done by the owner or an administrator...
> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
> Require user @OWNER @SYSTEM
> Order deny,allow
> </Limit>
>
> #JJK: All administration operations require an administrator to authenticate...
> <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs>
> AuthType Basic
> Require user @SYSTEM
> Order deny,allow
> </Limit>
>
> #JJK: Except need to allow these for nxnode to work
> <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Set-Default>
> Order deny,allow
> </Limit>
>
> # Only the owner or an administrator can cancel or authenticate a job...
> <Limit Cancel-Job CUPS-Authenticate-Job>
> Require user @OWNER @SYSTEM
> Order deny,allow
> </Limit>
>
> # JJK: Allow everything else...
> <Limit All>
> AuthType None
> Order deny,allow
> </Limit>
> </Policy>
>
> 3. I like to also allow 'guest' so you can do things like print
> test pages from the CUPS web interface. Note this is required
> even for the original user to print test pages from the CUPS
> web interface.
>
> To do this, change:
> PUBLIC="-u allow:$USER"
> To:
> PUBLIC="-u allow:$USER,guest"
>
> Fabian Franz wrote at about 00:18:15 +0100 on Wednesday, November 21, 2007:
> > > Fabian,
> >
> > Hi,
> >
> > > I continue to play with freenx and fix bugs as they occur and as I
> > > update my own Fedora system. I will send you my updated patches when
> > > they are cleaned up if you are interested.
> >
> > Sure. That is perfect.
> >
> > > One bug (at least on Fedora systems) is that the directive "PidFile"
> > > in cupsd.conf doesn't seem to be recognized. The result is that the
> > > daemon code that you use to launch cupsd doesn't record the pid and
> > > then it can't later be killed. I'm not sure why "PidFile" is not
> > > recognized but I tested it outside of NX by launching cupsd manually
> > > and indeed it doesn't work (I am using Cups 1.3.3).
> >
> > Yes, PidFile is Debian specific, but I didn't know that.
> >
> > Your fix is fine and I will commit a similar one with -f to SVN.
> >
> > > To get around this, I use the following patch:
> > > #JJK: $COMMAND_CUPSD -c "$USER_FAKE_HOME/.nx/C-$sess_id/cups/cupsd.conf" &>/dev/null </dev/null
> > > $COMMAND_CUPSD -F -c "$USER_FAKE_HOME/.nx/C-$sess_id/cups/cupsd.conf" &>/dev/null </dev/null &
> > > NODE_CUPSD_PID=$!
> > > echo $NODE_CUPSD_PID >"$USER_FAKE_HOME/.nx/C-$sess_id/pids/cupsd"
> > >
> > > A second problem I found is more challenging (to me).
> >
> > Not only to you.
> >
> > > Based on our earlier discussion, I am using the directive
> > > echo "NX> 709 File-sharing port: 445"
> > > to enable me to use mount.cifs/umount.cifs since smbmount is no longer
> > > supported on my system.
> > > This then sets up the ssh port forwarding: <$display+3000> --> 445
> > > So, far this makes file sharing work.
> >
> > You can use FreeNX 0.7.1 that has this directive and even has it configurable.
> >
> > > However, I now can't get print sharing working. Since the smb URL for
> > > printing in 'nxnode' uses the same port while smb URL printing seems
> > > to need to be forwarded to the old port 139 standard to work.
> >
> > SMB printing won't need to be forwarded to port 139, but in SAMBA the port 445 is hardcoded to be used to switch printing to CIFS.
> >
> > So there are two possibilities:
> >
> > (1) - Patch samba to do a != 139 instead of ==445.
> >
> > (or even better apply a different idea of the patch that NoMachine did to upstream. I had been already in negotiations with Samba, but I forgot it again ...)
> >
> > (2) - Or use my old work in http://svn.berlios.de/svnroot/repos/freenx/nx-utils/nxredir/ to forward 445 to some port via the LD_PRELOAD mechanism and let smbprint use it.
> >
> > (I had also written some other mail in the last month regarding this issue)
> >
> > At the moment I will go with (2) for the 0.7.2 release and with (1) for the long term.
> >
> > cu
> >
> > Fabian
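The thread above describes three small nxnode fixes in prose and one-line patches: removing the stale mount point after unmounting a share, accepting the share prefix both as "$(SHARES)" and URL-encoded as "%24(SHARES)", and recording the cupsd pid from the shell because the PidFile directive is ignored on some systems. The script below is an added example, not code from nxnode or from either poster, that carries those three fixes out as testable shell functions. The function names, the COMMAND_SMBUMOUNT stand-in and the use of `sleep` as a stand-in daemon are this example's own assumptions. It also goes slightly beyond the thread: the prune step refuses to touch anything that is not a real, non-symlink directory below the session directory, and the sed pattern is written with two expressions so it does not rely on GNU-only `\|` alternation.

```sh
#!/bin/sh
# Added example, not nxnode code: shell helpers for three fixes discussed in
# the thread. Function names, the COMMAND_SMBUMOUNT stand-in and the "sleep"
# stand-in daemon are this example's own assumptions.

# --- 1. Share directory normalisation --------------------------------------
# The client may report the share prefix as "$(SHARES)" or URL-encoded as
# "%24(SHARES)" (%24 is "$"). Two -e expressions replace the GNU-only "\|"
# alternation so the same pattern also works with non-GNU sed.
normalize_share_dir() {
    printf '%s\n' "$1" | sed -e 's/%24(SHARES)/MyShares/g' -e 's/\$(SHARES)/MyShares/g'
}

# --- 2. Unmount and prune the mount point ----------------------------------
# Stand-in for smbumount/umount.cifs so the example runs without a real CIFS
# mount; nxnode would set COMMAND_SMBUMOUNT to the real tool.
: "${COMMAND_SMBUMOUNT:=true}"

# umount_and_prune MPOINT_FILE SESSION_DIR
# Unmounts each path listed in MPOINT_FILE and removes the directory after.
# Guards beyond the original one-liner: only real (non-symlink) directories
# below SESSION_DIR are touched, and rmdir refuses a non-empty directory, so
# a still-live mount or a directory holding user files stays in place.
umount_and_prune() {
    mpoint_file=$1
    session_dir=$2
    [ -e "$mpoint_file" ] || return 0
    while IFS= read -r mpoint; do
        [ -n "$mpoint" ] || continue
        case $mpoint in
            "$session_dir"/*) ;;
            *) continue ;;
        esac
        [ -d "$mpoint" ] && [ ! -L "$mpoint" ] || continue
        "$COMMAND_SMBUMOUNT" "$mpoint" >/dev/null 2>&1
        rmdir "$mpoint" >/dev/null 2>&1 || :
    done <"$mpoint_file"
}

# --- 3. Foreground daemon with a shell-managed pid file --------------------
# start_daemon PIDFILE COMMAND [ARGS...]
# Runs COMMAND (cupsd -F ... in the thread) as a background job and records
# $! itself, so nothing depends on a PidFile directive the daemon may ignore.
start_daemon() {
    pidfile=$1
    shift
    "$@" >/dev/null 2>&1 </dev/null &
    echo $! >"$pidfile"
}

# stop_daemon PIDFILE
# Kills the recorded pid, reaps it (the job belongs to this shell) and
# removes the pid file. Returns 1 when there is no pid file to act on.
stop_daemon() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    rm -f "$pidfile"
}

# Small self-contained demonstration on a temporary session directory.
demo() {
    work=$(mktemp -d)
    normalize_share_dir '%24(SHARES)/docs'                 # MyShares/docs
    mkdir "$work/empty"
    printf '%s\n' "$work/empty" >"$work/mpoint"
    umount_and_prune "$work/mpoint" "$work"
    [ -d "$work/empty" ] && echo "kept" || echo "pruned"  # pruned
    start_daemon "$work/daemon.pid" sleep 60              # stand-in for cupsd -F
    echo "daemon pid $(cat "$work/daemon.pid")"
    stop_daemon "$work/daemon.pid"
    rm -rf "$work"
}
demo
```

The path check in umount_and_prune matters because the mpoint file lives under the user's own .nx directory: a stray or edited entry pointing outside the session directory is skipped rather than passed to umount and rmdir. stop_daemon reaps the job with `wait` so that a later `kill -0` check reflects the process actually being gone rather than lingering as a zombie.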