From 4760eae9b1b3ebb94fc5590cf5ba1a268e3120be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 31 Oct 2018 13:07:26 +0100
Subject: [PATCH] sbus: allow access for sssd user
D-Bus allows access for root and euid by default, however when running
in non-root mode monitor continues to run as root but responders as sssd
user. Therefore monitor euid != sssd user and the connection is terminated.
We must explicitly allow the connection for sssd user uid.
Resolves:
https://pagure.io/SSSD/sssd/issue/3871
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sbus/server/sbus_server.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/src/sbus/server/sbus_server.c b/src/sbus/server/sbus_server.c
index 576cff616..5405dae56 100644
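--- a/src/sbus/server/sbus_server.c
+++ b/src/sbus/server/sbus_server.c
@@ -400,6 +400,22 @@ sbus_server_filter_add(struct sbus_server *server,
 return true;
 }
 
+static dbus_bool_t
+sbus_server_check_connection_uid(DBusConnection *dbus_conn,
+ unsigned long uid,
+ void *data)
+{
+ struct sbus_server *sbus_server;
+
+ sbus_server = talloc_get_type(data, struct sbus_server);
+
+ if (uid == 0 || uid == sbus_server->uid) {
+ return true;
+ }
+
+ return false;
+}
+
 static void
 sbus_server_new_connection(DBusServer *dbus_server,
 DBusConnection *dbus_conn,
@@ -415,6 +431,11 @@ sbus_server_new_connection(DBusServer *dbus_server,
 
 DEBUG(SSSDBG_FUNC_DATA, "Adding connection %p.\n", dbus_conn);
 
+ /* Allow access from uid that is associated with this sbus server. */
+ dbus_connection_set_unix_user_function(dbus_conn,
+ sbus_server_check_connection_uid,
+ sbus_server, NULL);
+
 /* First, add a message filter that will take care of routing messages
 * between connections. */
 bret = sbus_server_filter_add(sbus_server, dbus_conn);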
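Review bot: In `sbus_server_check_connection_uid` the pointer returned by `talloc_get_type(data, struct sbus_server)` is dereferenced without a NULL check; talloc returns NULL when the type does not match, and for any non-root peer that would crash the process instead of refusing the connection. Fail closed before the comparison with `if (sbus_server == NULL) return false;`. Because this callback replaces the default root-or-euid check described in the commit message, a refused uid currently leaves no trace; a `DEBUG` line on the `return false` path recording the rejected uid would make denied connection attempts visible in the logs. A short comment above the function stating that only root and `sbus_server->uid` are accepted would document the policy where it is enforced. The body of `sbus_server_new_connection` continues outside the second hunk.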
--
2.19.1