core: avoid getpwuid() unless necessary in permission check

Most profiles don't have "connection.permissions" set. Avoid resolving the
UID to the name via getpwuid() (in nm_auth_is_subject_in_acl()), until we
know that we require it.

src/core/nm-auth-utils.c

@@ -8,6 +8,7 @@
 #include "nm-auth-utils.h"
 
 #include "libnm-glib-aux/nm-c-list.h"
+#include "libnm-core-intern/nm-core-internal.h"
 #include "nm-setting-connection.h"
 #include "libnm-core-aux-intern/nm-auth-subject.h"
 #include "nm-auth-manager.h"
@@ -603,7 +604,6 @@ gboolean
 nm_auth_is_subject_in_acl(NMConnection *connection, NMAuthSubject *subject, char **out_error_desc)
 {
     NMSettingConnection *s_con;
-    gs_free char        *user = NULL;
     gulong               uid;
 
     g_return_val_if_fail(connection, FALSE);
@@ -621,13 +621,6 @@ nm_auth_is_subject_in_acl(NMConnection *connection, NMAuthSubject *subject, char
     if (0 == uid)
         return TRUE;
 
-    user = nm_utils_uid_to_name(uid);
-    if (!user) {
-        NM_SET_OUT(out_error_desc,
-                   g_strdup_printf("Could not determine username for uid %lu", uid));
-        return FALSE;
-    }
-
     s_con = nm_connection_get_setting_connection(connection);
     if (!s_con) {
         /* This can only happen when called from AddAndActivate, so we know
@@ -637,7 +630,7 @@ nm_auth_is_subject_in_acl(NMConnection *connection, NMAuthSubject *subject, char
     }
 
     /* Match the username returned by the session check to a user in the ACL */
-    if (!nm_setting_connection_permissions_user_allowed(s_con, user)) {
+    if (!nm_setting_connection_permissions_user_allowed_by_uid(s_con, uid)) {
         NM_SET_OUT(out_error_desc,
                    g_strdup_printf("uid %lu has no permission to perform this operation", uid));
         return FALSE;

src/libnm-core-impl/nm-setting-connection.c

@@ -355,19 +355,10 @@ invalid:
     return TRUE;
 }
 
-/**
+static gboolean
- * nm_setting_connection_permissions_user_allowed:
+_permissions_user_allowed(NMSettingConnection *setting, const char *uname, gulong uid)
- * @setting: the #NMSettingConnection
- * @uname: the user name to check permissions for
- *
- * Checks whether the given username is allowed to view/access this connection.
- *
- * Returns: %TRUE if the requested user is allowed to view this connection,
- * %FALSE if the given user is not allowed to view this connection
- */
-gboolean
-nm_setting_connection_permissions_user_allowed(NMSettingConnection *setting, const char *uname)
 {
+    gs_free char               *uname_free = NULL;
     NMSettingConnectionPrivate *priv;
     guint                       i;
 
@@ -384,13 +375,51 @@ nm_setting_connection_permissions_user_allowed(NMSettingConnection *setting, con
     for (i = 0; i < priv->permissions->len; i++) {
         const Permission *permission = &nm_g_array_index(priv->permissions, Permission, i);
 
-        if (permission->ptype == PERM_TYPE_USER && nm_streq(permission->item, uname))
+        if (permission->ptype != PERM_TYPE_USER)
+            continue;
+
+        if (!uname) {
+            if (uid != G_MAXULONG)
+                uname_free = nm_utils_uid_to_name(uid);
+            if (!uname_free)
+                return FALSE;
+            uname = uname_free;
+        }
+
+        if (nm_streq(permission->item, uname))
             return TRUE;
     }
 
     return FALSE;
 }
 
+/**
+ * nm_setting_connection_permissions_user_allowed:
+ * @setting: the #NMSettingConnection
+ * @uname: the user name to check permissions for
+ *
+ * Checks whether the given username is allowed to view/access this connection.
+ *
+ * Returns: %TRUE if the requested user is allowed to view this connection,
+ * %FALSE if the given user is not allowed to view this connection
+ */
+gboolean
+nm_setting_connection_permissions_user_allowed(NMSettingConnection *setting, const char *uname)
+{
+    g_return_val_if_fail(NM_IS_SETTING_CONNECTION(setting), FALSE);
+    g_return_val_if_fail(uname != NULL, FALSE);
+
+    return _permissions_user_allowed(setting, uname, G_MAXULONG);
+}
+
+gboolean
+nm_setting_connection_permissions_user_allowed_by_uid(NMSettingConnection *setting, gulong uid)
+{
+    g_return_val_if_fail(NM_IS_SETTING_CONNECTION(setting), FALSE);
+
+    return _permissions_user_allowed(setting, NULL, uid);
+}
+
 /**
  * nm_setting_connection_add_permission:
  * @setting: the #NMSettingConnection

src/libnm-core-intern/nm-core-internal.h

@@ -533,6 +533,9 @@ GPtrArray *_nm_setting_bridge_port_get_vlans(NMSettingBridgePort *setting);
 
 GArray *_nm_setting_connection_get_secondaries(NMSettingConnection *setting);
 
+gboolean nm_setting_connection_permissions_user_allowed_by_uid(NMSettingConnection *setting,
+                                                               gulong               uid);
+
 /*****************************************************************************/
 
 NMSettingBluetooth *_nm_connection_get_setting_bluetooth_for_nap(NMConnection *connection);