From 5cd9340f831c5fab1e8749fcc3de4722d1701439 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Thu, 15 Mar 2018 13:53:23 +0100
Subject: [PATCH] dbus: disable all but EXTERNAL D-Bus authentication for
 private sockets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We use a private D-Bus socket for example for DHCP clients to report back
at unix:path=/var/run/NetworkManager/private-dhcp.

By default, gdbus will enable the authentication mechanisms EXTERNAL
and DBUS_COOKIE_SHA1. However, DBUS_COOKIE_SHA1 requires a /root/.dbus-keyrings
directory, which is not available to NetworkManager as it is started with
ProtectHome=read-only. And writing to /root would be a bad idea anyway.

This leads to a warning

  NetworkManager[10962]: Error adding entry to keyring: Error creating directory “/root/.dbus-keyrings”: Read-only file system

Disable all but the EXTERNAL mechanism.

See-also: https://dbus.freedesktop.org/doc/dbus-specification.html#auth-mechanisms

https://bugzilla.gnome.org/show_bug.cgi?id=793116
https://github.com/NetworkManager/NetworkManager/pull/79
---
 src/nm-dbus-manager.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/nm-dbus-manager.c b/src/nm-dbus-manager.c
index 82a9b75f0c..e0977b1fc9 100644
--- a/src/nm-dbus-manager.c
+++ b/src/nm-dbus-manager.c
@@ -305,6 +305,14 @@ private_server_authorize (GDBusAuthObserver *observer,
 	return g_credentials_get_unix_user (credentials, NULL) == 0;
 }
 
+static gboolean
+private_server_allow_mechanism (GDBusAuthObserver *observer,
+                                const char *mechanism,
+                                gpointer user_data)
+{
+	return NM_IN_STRSET (mechanism, "EXTERNAL");
+}
+
 static void
 private_server_free (gpointer ptr)
 {
@@ -362,6 +370,8 @@ nm_dbus_manager_private_server_register (NMDBusManager *self,
 	auth_observer = g_dbus_auth_observer_new ();
 	g_signal_connect (auth_observer, "authorize-authenticated-peer",
 	                  G_CALLBACK (private_server_authorize), NULL);
+	g_signal_connect (auth_observer, "allow-mechanism",
+	                  G_CALLBACK (private_server_allow_mechanism), NULL);
 	server = g_dbus_server_new_sync (address,
 	                                 G_DBUS_SERVER_FLAGS_NONE,
 	                                 guid,