diff --git a/src/nm-manager-auth.c b/src/nm-manager-auth.c index 83f5e80948..71a4ba7948 100644 --- a/src/nm-manager-auth.c +++ b/src/nm-manager-auth.c @@ -512,6 +512,10 @@ nm_auth_uid_in_acl (NMConnection *connection, g_return_val_if_fail (connection != NULL, FALSE); g_return_val_if_fail (smon != NULL, FALSE); + /* Root gets a free pass */ + if (0 == uid) + return TRUE; + s_con = nm_connection_get_setting_connection (connection); g_assert (s_con); diff --git a/src/settings/nm-agent-manager.c b/src/settings/nm-agent-manager.c index 2b47baaf06..e61c7f1c1e 100644 --- a/src/settings/nm-agent-manager.c +++ b/src/settings/nm-agent-manager.c @@ -573,15 +573,12 @@ request_add_agent (Request *req, * or that the permissions is empty (ie, visible by everyone). */ agent_uid = nm_secret_agent_get_owner_uid (agent); - if (0 != agent_uid) { - if (!nm_auth_uid_in_acl (req->connection, session_monitor, agent_uid, NULL)) { - nm_log_dbg (LOGD_AGENTS, "(%s) agent ignored for secrets request %p/%s (not in ACL)", - nm_secret_agent_get_description (agent), - req, req->setting_name); - /* Connection not visible to this agent's user */ - return; - } - /* Caller is allowed to manipulate this connection */ + if (!nm_auth_uid_in_acl (req->connection, session_monitor, agent_uid, NULL)) { + nm_log_dbg (LOGD_AGENTS, "(%s) agent ignored for secrets request %p/%s (not in ACL)", + nm_secret_agent_get_description (agent), + req, req->setting_name); + /* Connection not visible to this agent's user */ + return; } /* If the request should filter agents by UID, do that now */ diff --git a/src/settings/nm-settings-connection.c b/src/settings/nm-settings-connection.c index 9f1a4edb63..4d6c73b936 100644 --- a/src/settings/nm-settings-connection.c +++ b/src/settings/nm-settings-connection.c @@ -946,15 +946,13 @@ check_user_in_acl (NMConnection *connection, } /* Make sure the UID can view this connection */ - if (0 != sender_uid) { - if (!nm_auth_uid_in_acl (connection, session_monitor, sender_uid, &error_desc)) { - g_set_error_literal (error, - NM_SETTINGS_ERROR, - NM_SETTINGS_ERROR_PERMISSION_DENIED, - error_desc); - g_free (error_desc); - return FALSE; - } + if (!nm_auth_uid_in_acl (connection, session_monitor, sender_uid, &error_desc)) { + g_set_error_literal (error, + NM_SETTINGS_ERROR, + NM_SETTINGS_ERROR_PERMISSION_DENIED, + error_desc); + g_free (error_desc); + return FALSE; } if (out_sender_uid) diff --git a/src/settings/nm-settings.c b/src/settings/nm-settings.c index 5ec9cea721..48b82258c9 100644 --- a/src/settings/nm-settings.c +++ b/src/settings/nm-settings.c @@ -1147,18 +1147,14 @@ nm_settings_add_connection (NMSettings *self, /* Ensure the caller's username exists in the connection's permissions, * or that the permissions is empty (ie, visible by everyone). */ - if (0 != caller_uid) { - if (!nm_auth_uid_in_acl (connection, priv->session_monitor, caller_uid, &error_desc)) { - error = g_error_new_literal (NM_SETTINGS_ERROR, - NM_SETTINGS_ERROR_NOT_PRIVILEGED, - error_desc); - g_free (error_desc); - callback (self, NULL, error, context, user_data); - g_error_free (error); - return; - } - - /* Caller is allowed to add this connection */ + if (!nm_auth_uid_in_acl (connection, priv->session_monitor, caller_uid, &error_desc)) { + error = g_error_new_literal (NM_SETTINGS_ERROR, + NM_SETTINGS_ERROR_PERMISSION_DENIED, + error_desc); + g_free (error_desc); + callback (self, NULL, error, context, user_data); + g_error_free (error); + return; } /* If the caller is the only user in the connection's permissions, then