From 1017fbf75cc0859c691b120482fd13b52b44780b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 7 Oct 2014 19:44:44 +0200
Subject: [PATCH 28/46] SBUS: Allow connections from other UIDs

Unless dbus_connection_set_unix_user_function() is used, D-Bus only
allows connections from UID 0. This patch adds a custom checker function
that allows either UID 0 or the pre-configured SSSD user ID.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
(cherry picked from commit aa871e019f00493dfa53b48f906132bf94eeae9f)
---
 src/monitor/monitor.c           |  3 +++
 src/sbus/sssd_dbus.h            |  4 ++++
 src/sbus/sssd_dbus_connection.c | 20 ++++++++++++++++++++
 3 files changed, 27 insertions(+)

diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index b6777784cd289e85c865fc16490d0287a63192a5..fc6b2963fff41a2a2aefdaf502817f6764e95b1e 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -2392,6 +2392,9 @@ static int monitor_service_init(struct sbus_connection *conn, void *data)
     mini->ctx = ctx;
     mini->conn = conn;
 
+    /* Allow access from the SSSD user */
+    sbus_allow_uid(conn, &ctx->uid);
+
     /* 10 seconds should be plenty */
     tv = tevent_timeval_current_ofs(10, 0);
 
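Review bot: `sbus_allow_uid(conn, &ctx->uid)` hands D-Bus a pointer into `ctx` that the authorization callback dereferences on every incoming connection for as long as `conn` lives, so `ctx` must outlive `conn` or the check reads freed memory; nothing in the hunk documents that constraint. If `ctx` is the talloc parent of `conn` (likely, but not visible here) the lifetime is fine and a one-line comment suffices: `/* D-Bus keeps &ctx->uid for the connection lifetime; ctx must outlive conn */`. The same lifetime requirement belongs on the `sbus_allow_uid` declaration in src/sbus/sssd_dbus.h. monitor_service_init starts outside the hunk.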
diff --git a/src/sbus/sssd_dbus.h b/src/sbus/sssd_dbus.h
index d01926368ce0ae5312d8ea0057a89d9a7176836b..5b128eaedb320cb745c1b635867e1b53ca556ec9 100644
--- a/src/sbus/sssd_dbus.h
+++ b/src/sbus/sssd_dbus.h
@@ -209,6 +209,10 @@ int sbus_conn_send(struct sbus_connection *conn,
 void sbus_conn_send_reply(struct sbus_connection *conn,
                           DBusMessage *reply);
 
+/* Set up D-BUS access control. If there is a SSSD user, we must allow
+ * him to connect. root is always allowed */
+void sbus_allow_uid(struct sbus_connection *conn, uid_t *uid);
+
 /*
  * This structure is passed to all dbus method and property
  * handlers. It is a talloc context which will be valid until
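Review bot: The comment on `sbus_allow_uid` does not say that `uid` is stored rather than copied, which is the one thing a caller needs to know before passing a pointer to stack or short-lived memory. Suggested wording: `/* Set up D-Bus access control: root is always allowed, and the UID at *uid is allowed too. The pointer is stored and read on every new connection, so it must stay valid for the lifetime of conn. */`. It would also help to state that a rejected UID causes D-Bus to drop the connection during authentication, since that is the security effect of the callback.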
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
index 06256a85b5e81b39d50923db6d41b64015114ce1..6102ef9ae4715d36a623b802b9095ec1c99c1a39 100644
--- a/src/sbus/sssd_dbus_connection.c
+++ b/src/sbus/sssd_dbus_connection.c
@@ -922,3 +922,23 @@ void sbus_conn_send_reply(struct sbus_connection *conn, DBusMessage *reply)
 {
     dbus_connection_send(conn->dbus.conn, reply, NULL);
 }
+
+dbus_bool_t is_uid_sssd_user(DBusConnection *connection,
+                             unsigned long   uid,
+                             void           *data)
+{
+    uid_t sssd_user = * (uid_t *) data;
+
+    if (uid == 0 || uid == sssd_user) {
+        return TRUE;
+    }
+
+    return FALSE;
+}
+
+void sbus_allow_uid(struct sbus_connection *conn, uid_t *uid)
+{
+    dbus_connection_set_unix_user_function(sbus_get_connection(conn),
+                                           is_uid_sssd_user,
+                                           uid, NULL);
+}
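Review bot: `is_uid_sssd_user` has external linkage but no prototype in sssd_dbus.h, and it dereferences `data` unconditionally, so a caller passing `NULL` to `sbus_allow_uid` would crash inside the D-Bus authentication path on every connection attempt instead of failing early. Making the callback `static dbus_bool_t is_uid_sssd_user(...)` keeps it out of the global namespace, and a guard in `sbus_allow_uid` such as `if (uid == NULL) return;` (or a `DEBUG` line before it) turns the latent crash into a visible misconfiguration while leaving the root-only default in place. Note that when the guard is taken D-Bus keeps its built-in "UID 0 only" policy, which is the safe fallback for an access-control hook.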
-- 
1.9.3