Blame SOURCES/0028-SBUS-Allow-connections-from-other-UIDs.patch

905b4d
From 1017fbf75cc0859c691b120482fd13b52b44780b Mon Sep 17 00:00:00 2001
905b4d
From: Jakub Hrozek <jhrozek@redhat.com>
905b4d
Date: Tue, 7 Oct 2014 19:44:44 +0200
905b4d
Subject: [PATCH 28/46] SBUS: Allow connections from other UIDs
905b4d
905b4d
Unless dbus_connection_set_unix_user_function() is used, D-Bus only
905b4d
allows connections from UID 0. This patch adds a custom checker function
905b4d
that allows either UID 0 or the pre-configured SSSD user ID.
905b4d
905b4d
Reviewed-by: Pavel Reichl <preichl@redhat.com>
905b4d
Reviewed-by: Simo Sorce <simo@redhat.com>
905b4d
(cherry picked from commit aa871e019f00493dfa53b48f906132bf94eeae9f)
905b4d
---
905b4d
 src/monitor/monitor.c           |  3 +++
905b4d
 src/sbus/sssd_dbus.h            |  4 ++++
905b4d
 src/sbus/sssd_dbus_connection.c | 20 ++++++++++++++++++++
905b4d
 3 files changed, 27 insertions(+)
905b4d
905b4d
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
905b4d
index b6777784cd289e85c865fc16490d0287a63192a5..fc6b2963fff41a2a2aefdaf502817f6764e95b1e 100644
905b4d
--- a/src/monitor/monitor.c
905b4d
+++ b/src/monitor/monitor.c
905b4d
@@ -2392,6 +2392,9 @@ static int monitor_service_init(struct sbus_connection *conn, void *data)
905b4d
     mini->ctx = ctx;
905b4d
     mini->conn = conn;
905b4d
 
905b4d
+    /* Allow access from the SSSD user */
905b4d
+    sbus_allow_uid(conn, &ctx->uid);
905b4d
+
905b4d
     /* 10 seconds should be plenty */
905b4d
     tv = tevent_timeval_current_ofs(10, 0);
905b4d
 
905b4d
diff --git a/src/sbus/sssd_dbus.h b/src/sbus/sssd_dbus.h
905b4d
index d01926368ce0ae5312d8ea0057a89d9a7176836b..5b128eaedb320cb745c1b635867e1b53ca556ec9 100644
905b4d
--- a/src/sbus/sssd_dbus.h
905b4d
+++ b/src/sbus/sssd_dbus.h
905b4d
@@ -209,6 +209,10 @@ int sbus_conn_send(struct sbus_connection *conn,
905b4d
 void sbus_conn_send_reply(struct sbus_connection *conn,
905b4d
                           DBusMessage *reply);
905b4d
 
905b4d
+/* Set up D-BUS access control. If there is a SSSD user, we must allow
905b4d
+ * him to connect. root is always allowed */
905b4d
+void sbus_allow_uid(struct sbus_connection *conn, uid_t *uid);
905b4d
+
905b4d
 /*
905b4d
  * This structure is passed to all dbus method and property
905b4d
  * handlers. It is a talloc context which will be valid until
905b4d
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
905b4d
index 06256a85b5e81b39d50923db6d41b64015114ce1..6102ef9ae4715d36a623b802b9095ec1c99c1a39 100644
905b4d
--- a/src/sbus/sssd_dbus_connection.c
905b4d
+++ b/src/sbus/sssd_dbus_connection.c
905b4d
@@ -922,3 +922,23 @@ void sbus_conn_send_reply(struct sbus_connection *conn, DBusMessage *reply)
905b4d
 {
905b4d
     dbus_connection_send(conn->dbus.conn, reply, NULL);
905b4d
 }
905b4d
+
905b4d
+dbus_bool_t is_uid_sssd_user(DBusConnection *connection,
905b4d
+                             unsigned long   uid,
905b4d
+                             void           *data)
905b4d
+{
905b4d
+    uid_t sssd_user = * (uid_t *) data;
905b4d
+
905b4d
+    if (uid == 0 || uid == sssd_user) {
905b4d
+        return TRUE;
905b4d
+    }
905b4d
+
905b4d
+    return FALSE;
905b4d
+}
905b4d
+
905b4d
+void sbus_allow_uid(struct sbus_connection *conn, uid_t *uid)
905b4d
+{
905b4d
+    dbus_connection_set_unix_user_function(sbus_get_connection(conn),
905b4d
+                                           is_uid_sssd_user,
905b4d
+                                           uid, NULL);
905b4d
+}
905b4d
-- 
905b4d
1.9.3
905b4d