|
 |
905b4d |
From 1017fbf75cc0859c691b120482fd13b52b44780b Mon Sep 17 00:00:00 2001
|
|
|
905b4d |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
905b4d |
Date: Tue, 7 Oct 2014 19:44:44 +0200
|
|
|
905b4d |
Subject: [PATCH 28/46] SBUS: Allow connections from other UIDs
|
|
|
905b4d |
|
|
|
905b4d |
Unless dbus_connection_set_unix_user_function() is used, D-Bus only
|
|
|
905b4d |
allows connections from UID 0. This patch adds a custom checker function
|
|
|
905b4d |
that allows either UID 0 or the pre-configured SSSD user ID.
|
|
|
905b4d |
|
|
|
905b4d |
Reviewed-by: Pavel Reichl <preichl@redhat.com>
|
|
|
905b4d |
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
905b4d |
(cherry picked from commit aa871e019f00493dfa53b48f906132bf94eeae9f)
|
|
|
905b4d |
---
|
|
|
905b4d |
src/monitor/monitor.c | 3 +++
|
|
|
905b4d |
src/sbus/sssd_dbus.h | 4 ++++
|
|
|
905b4d |
src/sbus/sssd_dbus_connection.c | 20 ++++++++++++++++++++
|
|
|
905b4d |
3 files changed, 27 insertions(+)
|
|
|
905b4d |
|
|
|
905b4d |
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
|
|
905b4d |
index b6777784cd289e85c865fc16490d0287a63192a5..fc6b2963fff41a2a2aefdaf502817f6764e95b1e 100644
|
|
|
905b4d |
--- a/src/monitor/monitor.c
|
|
|
905b4d |
+++ b/src/monitor/monitor.c
|
|
|
905b4d |
@@ -2392,6 +2392,9 @@ static int monitor_service_init(struct sbus_connection *conn, void *data)
|
|
|
905b4d |
mini->ctx = ctx;
|
|
|
905b4d |
mini->conn = conn;
|
|
|
905b4d |
|
|
|
905b4d |
+ /* Allow access from the SSSD user */
|
|
|
905b4d |
+ sbus_allow_uid(conn, &ctx->uid);
|
|
|
905b4d |
+
|
|
|
905b4d |
/* 10 seconds should be plenty */
|
|
|
905b4d |
tv = tevent_timeval_current_ofs(10, 0);
|
|
|
905b4d |
|
|
|
905b4d |
diff --git a/src/sbus/sssd_dbus.h b/src/sbus/sssd_dbus.h
|
|
|
905b4d |
index d01926368ce0ae5312d8ea0057a89d9a7176836b..5b128eaedb320cb745c1b635867e1b53ca556ec9 100644
|
|
|
905b4d |
--- a/src/sbus/sssd_dbus.h
|
|
|
905b4d |
+++ b/src/sbus/sssd_dbus.h
|
|
|
905b4d |
@@ -209,6 +209,10 @@ int sbus_conn_send(struct sbus_connection *conn,
|
|
|
905b4d |
void sbus_conn_send_reply(struct sbus_connection *conn,
|
|
|
905b4d |
DBusMessage *reply);
|
|
|
905b4d |
|
|
|
905b4d |
+/* Set up D-BUS access control. If there is a SSSD user, we must allow
|
|
|
905b4d |
+ * him to connect. root is always allowed */
|
|
|
905b4d |
+void sbus_allow_uid(struct sbus_connection *conn, uid_t *uid);
|
|
|
905b4d |
+
|
|
|
905b4d |
/*
|
|
|
905b4d |
* This structure is passed to all dbus method and property
|
|
|
905b4d |
* handlers. It is a talloc context which will be valid until
|
|
|
905b4d |
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
|
|
|
905b4d |
index 06256a85b5e81b39d50923db6d41b64015114ce1..6102ef9ae4715d36a623b802b9095ec1c99c1a39 100644
|
|
|
905b4d |
--- a/src/sbus/sssd_dbus_connection.c
|
|
|
905b4d |
+++ b/src/sbus/sssd_dbus_connection.c
|
|
|
905b4d |
@@ -922,3 +922,23 @@ void sbus_conn_send_reply(struct sbus_connection *conn, DBusMessage *reply)
|
|
|
905b4d |
{
|
|
|
905b4d |
dbus_connection_send(conn->dbus.conn, reply, NULL);
|
|
|
905b4d |
}
|
|
|
905b4d |
+
|
|
|
905b4d |
+dbus_bool_t is_uid_sssd_user(DBusConnection *connection,
|
|
|
905b4d |
+ unsigned long uid,
|
|
|
905b4d |
+ void *data)
|
|
|
905b4d |
+{
|
|
|
905b4d |
+ uid_t sssd_user = * (uid_t *) data;
|
|
|
905b4d |
+
|
|
|
905b4d |
+ if (uid == 0 || uid == sssd_user) {
|
|
|
905b4d |
+ return TRUE;
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+ return FALSE;
|
|
|
905b4d |
+}
|
|
|
905b4d |
+
|
|
|
905b4d |
+void sbus_allow_uid(struct sbus_connection *conn, uid_t *uid)
|
|
|
905b4d |
+{
|
|
|
905b4d |
+ dbus_connection_set_unix_user_function(sbus_get_connection(conn),
|
|
|
905b4d |
+ is_uid_sssd_user,
|
|
|
905b4d |
+ uid, NULL);
|
|
|
905b4d |
+}
|
|
|
905b4d |
--
|
|
|
905b4d |
1.9.3
|
|
|
905b4d |
|