added allow_xauth_from_root

1 files changed, 24 insertions, 0 deletions

diff --git a/share/libmsec.py b/share/libmsec.py
index d15ce3e..5edd04c 100644
--- a/share/libmsec.py
+++ b/share/libmsec.py
@@ -79,6 +79,7 @@ SYSLOGCONF = '/etc/syslog.conf'
 SYSTEM_AUTH = '/etc/pam.d/system-auth'
 XDM = '/etc/pam.d/xdm'
 XSERVERS = '/etc/X11/xdm/Xservers'
+EXPORT = '/root/.xauth/export'
 
 # constants to keep in sync with shadow.py
 NONE=0
@@ -1231,6 +1232,29 @@ def password_aging(max, inactive=-1):
 
 ################################################################################
 
+def allow_xauth_from_root(arg):
+    ''' Allow/forbid to export display when passing from the root account
+to the other users. See pam_xauth(8) for more details.'''
+    export = ConfigFile.get_config_file(EXPORT)
+
+    allow = export.exists() and export.get_match('^\*$')
+
+    # don't lower security when not changing security level
+    if same_level():
+        if not allow:
+            return
+
+    if arg:
+        if not allow:
+            _interactive and log(_('Allowing export display from root'))
+            export.insert_at(0, '*')
+    else:
+        if allow:
+            _interactive and log(_('Forbidding export display from root'))
+            export.remove_line_matching('^\*$')
+
+################################################################################
+
 def set_security_conf(var, value):
     '''1 Set the variable \\fIvar\\fP to the value \\fIvalue\\fP in /var/lib/msec/security.conf.
 The best way to override the default setting is to use create /etc/security/msec/security.conf