core: make nm_auth_is_caller_root() more generic
This commit is contained in:
Dan Williams
@@ -267,22 +267,21 @@ nm_auth_chain_unref (NMAuthChain *self)
|
|||||||
/************ utils **************/
|
/************ utils **************/
|
||||||
|
|
||||||
gboolean
|
gboolean
|
||||||
nm_auth_is_caller_root (DBusGMethodInvocation *context,
|
nm_auth_get_caller_uid (DBusGMethodInvocation *context,
|
||||||
NMDBusManager *dbus_mgr,
|
NMDBusManager *dbus_mgr,
|
||||||
gboolean *out_is_root,
|
gulong *out_uid,
|
||||||
const char **out_error_desc)
|
const char **out_error_desc)
|
||||||
{
|
{
|
||||||
DBusConnection *connection;
|
DBusConnection *connection;
|
||||||
char *sender = NULL;
|
char *sender = NULL;
|
||||||
gulong sender_uid = G_MAXULONG;
|
|
||||||
gboolean success = FALSE;
|
gboolean success = FALSE;
|
||||||
DBusError dbus_error;
|
DBusError dbus_error;
|
||||||
|
|
||||||
g_return_val_if_fail (context != NULL, FALSE);
|
g_return_val_if_fail (context != NULL, FALSE);
|
||||||
g_return_val_if_fail (dbus_mgr != NULL, FALSE);
|
g_return_val_if_fail (dbus_mgr != NULL, FALSE);
|
||||||
g_return_val_if_fail (out_is_root != NULL, FALSE);
|
g_return_val_if_fail (out_uid != NULL, FALSE);
|
||||||
|
|
||||||
*out_is_root = FALSE;
|
*out_uid = G_MAXULONG;
|
||||||
|
|
||||||
sender = dbus_g_method_get_sender (context);
|
sender = dbus_g_method_get_sender (context);
|
||||||
if (!sender) {
|
if (!sender) {
|
||||||
@@ -300,19 +299,17 @@ nm_auth_is_caller_root (DBusGMethodInvocation *context,
|
|||||||
|
|
||||||
dbus_error_init (&dbus_error);
|
dbus_error_init (&dbus_error);
|
||||||
/* FIXME: do this async */
|
/* FIXME: do this async */
|
||||||
sender_uid = dbus_bus_get_unix_user (connection, sender, &dbus_error);
|
*out_uid = dbus_bus_get_unix_user (connection, sender, &dbus_error);
|
||||||
if (dbus_error_is_set (&dbus_error)) {
|
if (dbus_error_is_set (&dbus_error)) {
|
||||||
if (out_error_desc)
|
if (out_error_desc)
|
||||||
*out_error_desc = "Could not determine the Unix user ID of the requestor";
|
*out_error_desc = "Could not determine the user ID of the requestor";
|
||||||
dbus_error_free (&dbus_error);
|
dbus_error_free (&dbus_error);
|
||||||
goto out;
|
*out_uid = G_MAXULONG;
|
||||||
}
|
} else
|
||||||
|
success = TRUE;
|
||||||
success = TRUE;
|
|
||||||
if (0 == sender_uid)
|
|
||||||
*out_is_root = TRUE;
|
|
||||||
|
|
||||||
out:
|
out:
|
||||||
|
g_free (sender);
|
||||||
return success;
|
return success;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -74,9 +74,9 @@ gboolean nm_auth_chain_add_call (NMAuthChain *chain,
|
|||||||
void nm_auth_chain_unref (NMAuthChain *chain);
|
void nm_auth_chain_unref (NMAuthChain *chain);
|
||||||
|
|
||||||
/* Utils */
|
/* Utils */
|
||||||
gboolean nm_auth_is_caller_root (DBusGMethodInvocation *context,
|
gboolean nm_auth_get_caller_uid (DBusGMethodInvocation *context,
|
||||||
NMDBusManager *dbus_mgr,
|
NMDBusManager *dbus_mgr,
|
||||||
gboolean *out_is_root,
|
gulong *out_uid,
|
||||||
const char **out_error_desc);
|
const char **out_error_desc);
|
||||||
|
|
||||||
#endif /* NM_MANAGER_AUTH_H */
|
#endif /* NM_MANAGER_AUTH_H */
|
||||||
|
|||||||
@@ -2430,13 +2430,13 @@ is_user_request_authorized (NMManager *manager,
|
|||||||
{
|
{
|
||||||
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (manager);
|
NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE (manager);
|
||||||
DBusConnection *connection;
|
DBusConnection *connection;
|
||||||
char *sender = NULL;
|
|
||||||
gulong sender_uid = G_MAXULONG;
|
gulong sender_uid = G_MAXULONG;
|
||||||
DBusError dbus_error;
|
DBusError dbus_error;
|
||||||
char *service_owner = NULL;
|
char *service_owner = NULL;
|
||||||
const char *service_name;
|
const char *service_name;
|
||||||
gulong service_uid = G_MAXULONG;
|
gulong service_uid = G_MAXULONG;
|
||||||
gboolean success = FALSE;
|
gboolean success = FALSE;
|
||||||
|
const char *error_desc = NULL;
|
||||||
|
|
||||||
/* Ensure the request to activate the user connection came from the
|
/* Ensure the request to activate the user connection came from the
|
||||||
* same session as the user settings service. FIXME: use ConsoleKit
|
* same session as the user settings service. FIXME: use ConsoleKit
|
||||||
@@ -2449,36 +2449,15 @@ is_user_request_authorized (NMManager *manager,
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
sender = dbus_g_method_get_sender (context);
|
if (!nm_auth_get_caller_uid (context, priv->dbus_mgr, &sender_uid, &error_desc)) {
|
||||||
if (!sender) {
|
g_set_error_literal (error,
|
||||||
g_set_error (error, NM_MANAGER_ERROR,
|
NM_MANAGER_ERROR,
|
||||||
NM_MANAGER_ERROR_PERMISSION_DENIED,
|
NM_MANAGER_ERROR_PERMISSION_DENIED,
|
||||||
"%s", "Could not determine D-Bus requestor");
|
error_desc);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
connection = nm_dbus_manager_get_dbus_connection (priv->dbus_mgr);
|
/* Let root activate anything */
|
||||||
if (!connection) {
|
|
||||||
g_set_error (error, NM_MANAGER_ERROR,
|
|
||||||
NM_MANAGER_ERROR_PERMISSION_DENIED,
|
|
||||||
"%s", "Could not get the D-Bus system bus");
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
dbus_error_init (&dbus_error);
|
|
||||||
/* FIXME: do this async */
|
|
||||||
sender_uid = dbus_bus_get_unix_user (connection, sender, &dbus_error);
|
|
||||||
if (dbus_error_is_set (&dbus_error)) {
|
|
||||||
dbus_error_free (&dbus_error);
|
|
||||||
g_set_error (error, NM_MANAGER_ERROR,
|
|
||||||
NM_MANAGER_ERROR_PERMISSION_DENIED,
|
|
||||||
"%s", "Could not determine the Unix user ID of the requestor");
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Let root activate anything.
|
|
||||||
* FIXME: use a PolicyKit permission instead
|
|
||||||
*/
|
|
||||||
if (0 == sender_uid) {
|
if (0 == sender_uid) {
|
||||||
success = TRUE;
|
success = TRUE;
|
||||||
goto out;
|
goto out;
|
||||||
@@ -2489,8 +2468,8 @@ is_user_request_authorized (NMManager *manager,
|
|||||||
g_set_error (error, NM_MANAGER_ERROR,
|
g_set_error (error, NM_MANAGER_ERROR,
|
||||||
NM_MANAGER_ERROR_PERMISSION_DENIED,
|
NM_MANAGER_ERROR_PERMISSION_DENIED,
|
||||||
"%s", "Could not determine user settings service name");
|
"%s", "Could not determine user settings service name");
|
||||||
goto out;
|
|
||||||
}
|
}
|
||||||
|
goto out;
|
||||||
|
|
||||||
service_owner = nm_dbus_manager_get_name_owner (priv->dbus_mgr, service_name, NULL);
|
service_owner = nm_dbus_manager_get_name_owner (priv->dbus_mgr, service_name, NULL);
|
||||||
if (!service_owner) {
|
if (!service_owner) {
|
||||||
@@ -2522,11 +2501,12 @@ is_user_request_authorized (NMManager *manager,
|
|||||||
success = TRUE;
|
success = TRUE;
|
||||||
|
|
||||||
out:
|
out:
|
||||||
g_free (sender);
|
|
||||||
g_free (service_owner);
|
g_free (service_owner);
|
||||||
return success;
|
return success;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
static void
|
static void
|
||||||
impl_manager_activate_connection (NMManager *manager,
|
impl_manager_activate_connection (NMManager *manager,
|
||||||
const char *service_name,
|
const char *service_name,
|
||||||
@@ -2826,7 +2806,7 @@ impl_manager_sleep (NMManager *self,
|
|||||||
NMManagerPrivate *priv;
|
NMManagerPrivate *priv;
|
||||||
NMAuthChain *chain;
|
NMAuthChain *chain;
|
||||||
GError *error = NULL;
|
GError *error = NULL;
|
||||||
gboolean is_root = FALSE;
|
gulong sender_uid = G_MAXULONG;
|
||||||
const char *error_desc = NULL;
|
const char *error_desc = NULL;
|
||||||
|
|
||||||
g_return_if_fail (NM_IS_MANAGER (self));
|
g_return_if_fail (NM_IS_MANAGER (self));
|
||||||
@@ -2842,7 +2822,7 @@ impl_manager_sleep (NMManager *self,
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!nm_auth_is_caller_root (context, priv->dbus_mgr, &is_root, &error_desc)) {
|
if (!nm_auth_get_caller_uid (context, priv->dbus_mgr, &sender_uid, &error_desc)) {
|
||||||
error = g_error_new_literal (NM_MANAGER_ERROR,
|
error = g_error_new_literal (NM_MANAGER_ERROR,
|
||||||
NM_MANAGER_ERROR_PERMISSION_DENIED,
|
NM_MANAGER_ERROR_PERMISSION_DENIED,
|
||||||
error_desc);
|
error_desc);
|
||||||
@@ -2852,7 +2832,7 @@ impl_manager_sleep (NMManager *self,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Root doesn't need PK authentication */
|
/* Root doesn't need PK authentication */
|
||||||
if (is_root) {
|
if (0 == sender_uid) {
|
||||||
_internal_sleep (self, do_sleep);
|
_internal_sleep (self, do_sleep);
|
||||||
dbus_g_method_return (context);
|
dbus_g_method_return (context);
|
||||||
return;
|
return;
|
||||||
@@ -2962,7 +2942,7 @@ impl_manager_enable (NMManager *self,
|
|||||||
NMManagerPrivate *priv;
|
NMManagerPrivate *priv;
|
||||||
NMAuthChain *chain;
|
NMAuthChain *chain;
|
||||||
GError *error = NULL;
|
GError *error = NULL;
|
||||||
gboolean is_root = FALSE;
|
gulong sender_uid = G_MAXULONG;
|
||||||
const char *error_desc = NULL;
|
const char *error_desc = NULL;
|
||||||
|
|
||||||
g_return_if_fail (NM_IS_MANAGER (self));
|
g_return_if_fail (NM_IS_MANAGER (self));
|
||||||
@@ -2978,7 +2958,7 @@ impl_manager_enable (NMManager *self,
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!nm_auth_is_caller_root (context, priv->dbus_mgr, &is_root, &error_desc)) {
|
if (!nm_auth_get_caller_uid (context, priv->dbus_mgr, &sender_uid, &error_desc)) {
|
||||||
error = g_error_new_literal (NM_MANAGER_ERROR,
|
error = g_error_new_literal (NM_MANAGER_ERROR,
|
||||||
NM_MANAGER_ERROR_PERMISSION_DENIED,
|
NM_MANAGER_ERROR_PERMISSION_DENIED,
|
||||||
error_desc);
|
error_desc);
|
||||||
@@ -2988,7 +2968,7 @@ impl_manager_enable (NMManager *self,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Root doesn't need PK authentication */
|
/* Root doesn't need PK authentication */
|
||||||
if (is_root) {
|
if (0 == sender_uid) {
|
||||||
_internal_enable (self, enable);
|
_internal_enable (self, enable);
|
||||||
dbus_g_method_return (context);
|
dbus_g_method_return (context);
|
||||||
return;
|
return;
|
||||||
|
|||||||
Reference in New Issue
Block a user