core: assume root always has a session for connection visibility
Normally, users which are not part of a login session can't access connections. Root won't always be part of a login session, so allow root to bypass visibility checks. The code already bypassed the ACL checks for root, but in multiple places. Consolidate those checks into one function.
This commit is contained in:
Dan Williams
@@ -512,6 +512,10 @@ nm_auth_uid_in_acl (NMConnection *connection,
|
|||||||
g_return_val_if_fail (connection != NULL, FALSE);
|
g_return_val_if_fail (connection != NULL, FALSE);
|
||||||
g_return_val_if_fail (smon != NULL, FALSE);
|
g_return_val_if_fail (smon != NULL, FALSE);
|
||||||
|
|
||||||
|
/* Root gets a free pass */
|
||||||
|
if (0 == uid)
|
||||||
|
return TRUE;
|
||||||
|
|
||||||
s_con = nm_connection_get_setting_connection (connection);
|
s_con = nm_connection_get_setting_connection (connection);
|
||||||
g_assert (s_con);
|
g_assert (s_con);
|
||||||
|
|
||||||
|
|||||||
@@ -573,7 +573,6 @@ request_add_agent (Request *req,
|
|||||||
* or that the permissions is empty (ie, visible by everyone).
|
* or that the permissions is empty (ie, visible by everyone).
|
||||||
*/
|
*/
|
||||||
agent_uid = nm_secret_agent_get_owner_uid (agent);
|
agent_uid = nm_secret_agent_get_owner_uid (agent);
|
||||||
if (0 != agent_uid) {
|
|
||||||
if (!nm_auth_uid_in_acl (req->connection, session_monitor, agent_uid, NULL)) {
|
if (!nm_auth_uid_in_acl (req->connection, session_monitor, agent_uid, NULL)) {
|
||||||
nm_log_dbg (LOGD_AGENTS, "(%s) agent ignored for secrets request %p/%s (not in ACL)",
|
nm_log_dbg (LOGD_AGENTS, "(%s) agent ignored for secrets request %p/%s (not in ACL)",
|
||||||
nm_secret_agent_get_description (agent),
|
nm_secret_agent_get_description (agent),
|
||||||
@@ -581,8 +580,6 @@ request_add_agent (Request *req,
|
|||||||
/* Connection not visible to this agent's user */
|
/* Connection not visible to this agent's user */
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
/* Caller is allowed to manipulate this connection */
|
|
||||||
}
|
|
||||||
|
|
||||||
/* If the request should filter agents by UID, do that now */
|
/* If the request should filter agents by UID, do that now */
|
||||||
if (req->filter_by_uid && (agent_uid != req->uid_filter)) {
|
if (req->filter_by_uid && (agent_uid != req->uid_filter)) {
|
||||||
|
|||||||
@@ -946,7 +946,6 @@ check_user_in_acl (NMConnection *connection,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Make sure the UID can view this connection */
|
/* Make sure the UID can view this connection */
|
||||||
if (0 != sender_uid) {
|
|
||||||
if (!nm_auth_uid_in_acl (connection, session_monitor, sender_uid, &error_desc)) {
|
if (!nm_auth_uid_in_acl (connection, session_monitor, sender_uid, &error_desc)) {
|
||||||
g_set_error_literal (error,
|
g_set_error_literal (error,
|
||||||
NM_SETTINGS_ERROR,
|
NM_SETTINGS_ERROR,
|
||||||
@@ -955,7 +954,6 @@ check_user_in_acl (NMConnection *connection,
|
|||||||
g_free (error_desc);
|
g_free (error_desc);
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
if (out_sender_uid)
|
if (out_sender_uid)
|
||||||
*out_sender_uid = sender_uid;
|
*out_sender_uid = sender_uid;
|
||||||
|
|||||||
@@ -1147,10 +1147,9 @@ nm_settings_add_connection (NMSettings *self,
|
|||||||
/* Ensure the caller's username exists in the connection's permissions,
|
/* Ensure the caller's username exists in the connection's permissions,
|
||||||
* or that the permissions is empty (ie, visible by everyone).
|
* or that the permissions is empty (ie, visible by everyone).
|
||||||
*/
|
*/
|
||||||
if (0 != caller_uid) {
|
|
||||||
if (!nm_auth_uid_in_acl (connection, priv->session_monitor, caller_uid, &error_desc)) {
|
if (!nm_auth_uid_in_acl (connection, priv->session_monitor, caller_uid, &error_desc)) {
|
||||||
error = g_error_new_literal (NM_SETTINGS_ERROR,
|
error = g_error_new_literal (NM_SETTINGS_ERROR,
|
||||||
NM_SETTINGS_ERROR_NOT_PRIVILEGED,
|
NM_SETTINGS_ERROR_PERMISSION_DENIED,
|
||||||
error_desc);
|
error_desc);
|
||||||
g_free (error_desc);
|
g_free (error_desc);
|
||||||
callback (self, NULL, error, context, user_data);
|
callback (self, NULL, error, context, user_data);
|
||||||
@@ -1158,9 +1157,6 @@ nm_settings_add_connection (NMSettings *self,
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Caller is allowed to add this connection */
|
|
||||||
}
|
|
||||||
|
|
||||||
/* If the caller is the only user in the connection's permissions, then
|
/* If the caller is the only user in the connection's permissions, then
|
||||||
* we use the 'modify.own' permission instead of 'modify.system'. If the
|
* we use the 'modify.own' permission instead of 'modify.system'. If the
|
||||||
* request affects more than just the caller, require 'modify.system'.
|
* request affects more than just the caller, require 'modify.system'.
|
||||||
|
|||||||
Reference in New Issue
Block a user