fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-01-09 19:20:20 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

system-settings: let UID 0 bypass PolicyKit for PK < 1.0

Browse source 
PK < 1.0 doesn't work with UID 0 processes that aren't spawned via a
session-manager, and thus don't have the XDG_SESSION_COOKIE in their
environment (which ConsoleKit uses to figure out what session the
caller is in).  But since root could just scribble over the config
files anyway, bypassing PK for UID 0 doesn't meaningfully decrease
security.
This commit is contained in:
Dan Williams 2009-07-02 12:46:32 -04:00
parent 57b8e0bf18
commit 9c8e600078
1 changed files with 37 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
src/system-settings/nm-polkit-helpers.c
View file

@ -98,14 +98,50 @@ check_polkit_privileges (DBusGConnection *dbus_connection,
DBusGMethodInvocation *context,
GError **err)
{
DBusConnection *tmp;
DBusError dbus_error;
char *sender;
gulong sender_uid = G_MAXULONG;
PolKitCaller *pk_caller;
PolKitAction *pk_action;
PolKitResult pk_result;
dbus_error_init (&dbus_error);
/* Always allow uid 0 */
tmp = dbus_g_connection_get_connection (dbus_connection);
if (!tmp) {
g_set_error (err,
NM_SYSCONFIG_SETTINGS_ERROR,
NM_SYSCONFIG_SETTINGS_ERROR_GENERAL,
"Could not get D-Bus connection.");
return FALSE;
}
sender = dbus_g_method_get_sender (context);
dbus_error_init (&dbus_error);
/* FIXME: do this async */
sender_uid = dbus_bus_get_unix_user (tmp, sender, &dbus_error);
if (dbus_error_is_set (&dbus_error)) {
g_set_error (err,
NM_SYSCONFIG_SETTINGS_ERROR,
NM_SYSCONFIG_SETTINGS_ERROR_GENERAL,
"Could not determine the Unix user ID of the requestor: %s: %s",
dbus_error.name, dbus_error.message);
dbus_error_free (&dbus_error);
return FALSE;
}
/* PolicyKit < 1.0 is not compatible with root processes spawned outside
* the session manager, and when asking ConsoleKit for the session of the
* process, ConsoleKit won't be able to get XDG_SESSION_COOKIE because it
* doesn't exist in the caller's environment for non-session-managed
* processes. So, for PK < 1.0, ignore PolicyKit for uid 0.
*/
if (0 == sender_uid)
return TRUE;
/* Non-root users need to auth via PolicyKit */
dbus_error_init (&dbus_error);
pk_caller = polkit_caller_new_from_dbus_name (dbus_g_connection_get_connection (dbus_connection),
sender,
&dbus_error);