core: avoid getpwuid() unless necessary in permission check
Most profiles don't have "connection.permissions" set. Avoid resolving the UID to the name via getpwuid() (in nm_auth_is_subject_in_acl()), until we know that we require it.
This commit is contained in:
Thomas Haller
@@ -8,6 +8,7 @@
|
||||
#include "nm-auth-utils.h"
|
||||
|
||||
#include "libnm-glib-aux/nm-c-list.h"
|
||||
#include "libnm-core-intern/nm-core-internal.h"
|
||||
#include "nm-setting-connection.h"
|
||||
#include "libnm-core-aux-intern/nm-auth-subject.h"
|
||||
#include "nm-auth-manager.h"
|
||||
@@ -603,7 +604,6 @@ gboolean
|
||||
nm_auth_is_subject_in_acl(NMConnection *connection, NMAuthSubject *subject, char **out_error_desc)
|
||||
{
|
||||
NMSettingConnection *s_con;
|
||||
gs_free char *user = NULL;
|
||||
gulong uid;
|
||||
|
||||
g_return_val_if_fail(connection, FALSE);
|
||||
@@ -621,13 +621,6 @@ nm_auth_is_subject_in_acl(NMConnection *connection, NMAuthSubject *subject, char
|
||||
if (0 == uid)
|
||||
return TRUE;
|
||||
|
||||
user = nm_utils_uid_to_name(uid);
|
||||
if (!user) {
|
||||
NM_SET_OUT(out_error_desc,
|
||||
g_strdup_printf("Could not determine username for uid %lu", uid));
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
s_con = nm_connection_get_setting_connection(connection);
|
||||
if (!s_con) {
|
||||
/* This can only happen when called from AddAndActivate, so we know
|
||||
@@ -637,7 +630,7 @@ nm_auth_is_subject_in_acl(NMConnection *connection, NMAuthSubject *subject, char
|
||||
}
|
||||
|
||||
/* Match the username returned by the session check to a user in the ACL */
|
||||
if (!nm_setting_connection_permissions_user_allowed(s_con, user)) {
|
||||
if (!nm_setting_connection_permissions_user_allowed_by_uid(s_con, uid)) {
|
||||
NM_SET_OUT(out_error_desc,
|
||||
g_strdup_printf("uid %lu has no permission to perform this operation", uid));
|
||||
return FALSE;
|
||||
|
||||
@@ -355,19 +355,10 @@ invalid:
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/**
|
||||
* nm_setting_connection_permissions_user_allowed:
|
||||
* @setting: the #NMSettingConnection
|
||||
* @uname: the user name to check permissions for
|
||||
*
|
||||
* Checks whether the given username is allowed to view/access this connection.
|
||||
*
|
||||
* Returns: %TRUE if the requested user is allowed to view this connection,
|
||||
* %FALSE if the given user is not allowed to view this connection
|
||||
*/
|
||||
gboolean
|
||||
nm_setting_connection_permissions_user_allowed(NMSettingConnection *setting, const char *uname)
|
||||
static gboolean
|
||||
_permissions_user_allowed(NMSettingConnection *setting, const char *uname, gulong uid)
|
||||
{
|
||||
gs_free char *uname_free = NULL;
|
||||
NMSettingConnectionPrivate *priv;
|
||||
guint i;
|
||||
|
||||
@@ -384,13 +375,51 @@ nm_setting_connection_permissions_user_allowed(NMSettingConnection *setting, con
|
||||
for (i = 0; i < priv->permissions->len; i++) {
|
||||
const Permission *permission = &nm_g_array_index(priv->permissions, Permission, i);
|
||||
|
||||
if (permission->ptype == PERM_TYPE_USER && nm_streq(permission->item, uname))
|
||||
if (permission->ptype != PERM_TYPE_USER)
|
||||
continue;
|
||||
|
||||
if (!uname) {
|
||||
if (uid != G_MAXULONG)
|
||||
uname_free = nm_utils_uid_to_name(uid);
|
||||
if (!uname_free)
|
||||
return FALSE;
|
||||
uname = uname_free;
|
||||
}
|
||||
|
||||
if (nm_streq(permission->item, uname))
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/**
|
||||
* nm_setting_connection_permissions_user_allowed:
|
||||
* @setting: the #NMSettingConnection
|
||||
* @uname: the user name to check permissions for
|
||||
*
|
||||
* Checks whether the given username is allowed to view/access this connection.
|
||||
*
|
||||
* Returns: %TRUE if the requested user is allowed to view this connection,
|
||||
* %FALSE if the given user is not allowed to view this connection
|
||||
*/
|
||||
gboolean
|
||||
nm_setting_connection_permissions_user_allowed(NMSettingConnection *setting, const char *uname)
|
||||
{
|
||||
g_return_val_if_fail(NM_IS_SETTING_CONNECTION(setting), FALSE);
|
||||
g_return_val_if_fail(uname != NULL, FALSE);
|
||||
|
||||
return _permissions_user_allowed(setting, uname, G_MAXULONG);
|
||||
}
|
||||
|
||||
gboolean
|
||||
nm_setting_connection_permissions_user_allowed_by_uid(NMSettingConnection *setting, gulong uid)
|
||||
{
|
||||
g_return_val_if_fail(NM_IS_SETTING_CONNECTION(setting), FALSE);
|
||||
|
||||
return _permissions_user_allowed(setting, NULL, uid);
|
||||
}
|
||||
|
||||
/**
|
||||
* nm_setting_connection_add_permission:
|
||||
* @setting: the #NMSettingConnection
|
||||
|
||||
@@ -533,6 +533,9 @@ GPtrArray *_nm_setting_bridge_port_get_vlans(NMSettingBridgePort *setting);
|
||||
|
||||
GArray *_nm_setting_connection_get_secondaries(NMSettingConnection *setting);
|
||||
|
||||
gboolean nm_setting_connection_permissions_user_allowed_by_uid(NMSettingConnection *setting,
|
||||
gulong uid);
|
||||
|
||||
/*****************************************************************************/
|
||||
|
||||
NMSettingBluetooth *_nm_connection_get_setting_bluetooth_for_nap(NMConnection *connection);
|
||||
|
||||
Reference in New Issue
Block a user