fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-03-07 01:40:39 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

settings: make use of nm_auth_uid_in_acl()

Browse source
This commit is contained in:
Dan Williams 2010-11-18 14:05:33 -06:00
parent 47eaf97d67
commit a53c31427d
2 changed files with 34 additions and 119 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

94
src/settings/nm-settings.c
View file

@ -107,6 +107,7 @@ typedef struct {
guint auth_changed_id;
char *config_file;
NMSessionMonitor *session_monitor;
GSList *auths;
GSList *plugins;
@ -766,35 +767,6 @@ add_new_connection (NMSettings *self,
return NULL;
}
static char *
get_user_name (gulong uid)
{
struct passwd pwd;
struct passwd *result;
char *buf, *uname = NULL;
size_t bufsize;
int s;
bufsize = sysconf (_SC_GETPW_R_SIZE_MAX);
if (bufsize == -1)
bufsize = 16384; /* adequate fallback */
buf = g_malloc0 (bufsize);
g_assert (buf);
s = getpwuid_r (uid, &pwd, buf, bufsize, &result);
if (result)
uname = g_strdup (pwd.pw_name);
else if (s == 0) {
nm_log_dbg (LOGD_SYS_SET, "Lookup failed for UID %lu: not found", uid);
} else {
nm_log_dbg (LOGD_SYS_SET, "Lookup failed for UID %lu: %d", uid, s);
}
g_free (buf);
return uname;
}
static void
pk_add_cb (NMAuthChain *chain,
GError *chain_error,
@ -849,29 +821,11 @@ pk_add_cb (NMAuthChain *chain,
* or that the permissions is empty (ie, visible by everyone).
*/
if (0 != caller_uid) {
NMSettingConnection *s_con;
char *uname;
gboolean allowed;
uname = get_user_name (caller_uid);
if (!uname) {
error = g_error_new (NM_SETTINGS_ERROR,
NM_SETTINGS_ERROR_NOT_PRIVILEGED,
"Unable to determine username for UID %lu.",
caller_uid);
goto done;
}
s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION));
g_assert (s_con);
allowed = nm_setting_connection_permissions_user_allowed (s_con, uname);
g_free (uname);
if (allowed == FALSE) {
if (!nm_auth_uid_in_acl (connection, priv->session_monitor, caller_uid, &error_desc)) {
error = g_error_new_literal (NM_SETTINGS_ERROR,
NM_SETTINGS_ERROR_NOT_PRIVILEGED,
"Cannot add an inaccessible connection.");
NM_SETTINGS_ERROR_NOT_PRIVILEGED,
error_desc);
g_free (error_desc);
goto done;
}
@ -1377,6 +1331,25 @@ nm_settings_new (const char *config_file,
return self;
}
static void
nm_settings_init (NMSettings *self)
{
NMSettingsPrivate *priv = NM_SETTINGS_GET_PRIVATE (self);
GError *error = NULL;
priv->connections = g_hash_table_new_full (g_str_hash, g_str_equal, NULL, g_object_unref);
priv->authority = polkit_authority_get_sync (NULL, &error);
if (!priv->authority) {
nm_log_warn (LOGD_SYS_SET, "failed to create PolicyKit authority: (%d) %s",
error ? error->code : -1,
error && error->message ? error->message : "(unknown)");
g_clear_error (&error);
}
priv->session_monitor = nm_session_monitor_get ();
}
static void
dispose (GObject *object)
{
@ -1395,6 +1368,8 @@ dispose (GObject *object)
g_object_unref (priv->dbus_mgr);
g_object_unref (priv->session_monitor);
G_OBJECT_CLASS (nm_settings_parent_class)->dispose (object);
}
@ -1574,20 +1549,3 @@ nm_settings_class_init (NMSettingsClass *class)
}
static void
nm_settings_init (NMSettings *self)
{
NMSettingsPrivate *priv = NM_SETTINGS_GET_PRIVATE (self);
GError *error = NULL;
priv->connections = g_hash_table_new_full (g_str_hash, g_str_equal, NULL, g_object_unref);
priv->authority = polkit_authority_get_sync (NULL, &error);
if (!priv->authority) {
nm_log_warn (LOGD_SYS_SET, "failed to create PolicyKit authority: (%d) %s",
error ? error->code : -1,
error && error->message ? error->message : "(unknown)");
g_clear_error (&error);
}
}

59
src/settings/nm-sysconfig-connection.c
View file

@ -112,55 +112,6 @@ perm_to_user (const char *perm, char *out_user, gsize out_user_size)
return TRUE;
}
static gboolean
uid_in_acl (NMConnection *self,
NMSessionMonitor *smon,
const uid_t uid,
GError **error)
{
NMSettingConnection *s_con;
const char *user = NULL;
GError *local = NULL;
g_return_val_if_fail (self != NULL, FALSE);
g_return_val_if_fail (smon != NULL, FALSE);
s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (self, NM_TYPE_SETTING_CONNECTION));
g_assert (s_con);
/* Reject the request if the request comes from no session at all */
if (!nm_session_monitor_uid_has_session (smon, uid, &user, &local)) {
g_set_error (error,
NM_SETTINGS_ERROR,
NM_SETTINGS_ERROR_PERMISSION_DENIED,
"No session found for uid %d (%s)",
uid,
local && local->message ? local->message : "unknown");
g_clear_error (&local);
return FALSE;
}
if (!user) {
g_set_error (error,
NM_SETTINGS_ERROR,
NM_SETTINGS_ERROR_PERMISSION_DENIED,
"Could not determine username for uid %d",
uid);
return FALSE;
}
/* Match the username returned by the session check to a user in the ACL */
if (nm_setting_connection_permissions_user_allowed (s_con, user))
return TRUE;
g_set_error (error,
NM_SETTINGS_ERROR,
NM_SETTINGS_ERROR_PERMISSION_DENIED,
"uid %d has no permission to perform this operation",
uid);
return FALSE;
}
/**************************************************************/
static void
@ -643,8 +594,14 @@ auth_start (NMSysconfigConnection *self,
/* Make sure the UID can view this connection */
if (0 != sender_uid) {
if (!uid_in_acl (NM_CONNECTION (self), priv->session_monitor, sender_uid, &error)) {
g_assert (error);
if (!nm_auth_uid_in_acl (NM_CONNECTION (self),
priv->session_monitor,
sender_uid,
&error_desc)) {
error = g_error_new_literal (NM_SETTINGS_ERROR,
NM_SETTINGS_ERROR_PERMISSION_DENIED,
error_desc);
g_free (error_desc);
goto error;
}
}