From a53c31427d520706ce1fe5629fee3d7d58c998a3 Mon Sep 17 00:00:00 2001
From: Dan Williams
Date: Thu, 18 Nov 2010 14:05:33 -0600
Subject: [PATCH] settings: make use of nm_auth_uid_in_acl()
---
 src/settings/nm-settings.c | 94 +++++++-------------------
 src/settings/nm-sysconfig-connection.c | 59 +++-------------
 2 files changed, 34 insertions(+), 119 deletions(-)
diff --git a/src/settings/nm-settings.c b/src/settings/nm-settings.c
index 2aed950e70..0c9aa43d21 100644
--- a/src/settings/nm-settings.c
+++ b/src/settings/nm-settings.c
@@ -107,6 +107,7 @@ typedef struct {
 guint auth_changed_id;
 char *config_file;
+ NMSessionMonitor *session_monitor;
 GSList *auths;
 GSList *plugins;
@@ -766,35 +767,6 @@ add_new_connection (NMSettings *self,
 return NULL;
 }
-static char *
-get_user_name (gulong uid)
-{
- struct passwd pwd;
- struct passwd *result;
- char *buf, *uname = NULL;
- size_t bufsize;
- int s;
-
- bufsize = sysconf (_SC_GETPW_R_SIZE_MAX);
- if (bufsize == -1)
- bufsize = 16384; /* adequate fallback */
-
- buf = g_malloc0 (bufsize);
- g_assert (buf);
-
- s = getpwuid_r (uid, &pwd, buf, bufsize, &result);
- if (result)
- uname = g_strdup (pwd.pw_name);
- else if (s == 0) {
- nm_log_dbg (LOGD_SYS_SET, "Lookup failed for UID %lu: not found", uid);
- } else {
- nm_log_dbg (LOGD_SYS_SET, "Lookup failed for UID %lu: %d", uid, s);
- }
-
- g_free (buf);
- return uname;
-}
-
 static void
 pk_add_cb (NMAuthChain *chain,
 GError *chain_error,
@@ -849,29 +821,11 @@ pk_add_cb (NMAuthChain *chain,
 * or that the permissions is empty (ie, visible by everyone).
 */
 if (0 != caller_uid) {
- NMSettingConnection *s_con;
- char *uname;
- gboolean allowed;
-
- uname = get_user_name (caller_uid);
- if (!uname) {
- error = g_error_new (NM_SETTINGS_ERROR,
- NM_SETTINGS_ERROR_NOT_PRIVILEGED,
- "Unable to determine username for UID %lu.",
- caller_uid);
- goto done;
- }
-
- s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION));
- g_assert (s_con);
-
- allowed = nm_setting_connection_permissions_user_allowed (s_con, uname);
- g_free (uname);
-
- if (allowed == FALSE) {
+ if (!nm_auth_uid_in_acl (connection, priv->session_monitor, caller_uid, &error_desc)) {
 error = g_error_new_literal (NM_SETTINGS_ERROR,
- NM_SETTINGS_ERROR_NOT_PRIVILEGED,
- "Cannot add an inaccessible connection.");
+ NM_SETTINGS_ERROR_NOT_PRIVILEGED,
+ error_desc);
+ g_free (error_desc);
 goto done;
 }
@@ -1377,6 +1331,25 @@ nm_settings_new (const char *config_file,
 return self;
 }
+static void
+nm_settings_init (NMSettings *self)
+{
+ NMSettingsPrivate *priv = NM_SETTINGS_GET_PRIVATE (self);
+ GError *error = NULL;
+
+ priv->connections = g_hash_table_new_full (g_str_hash, g_str_equal, NULL, g_object_unref);
+
+ priv->authority = polkit_authority_get_sync (NULL, &error);
+ if (!priv->authority) {
+ nm_log_warn (LOGD_SYS_SET, "failed to create PolicyKit authority: (%d) %s",
+ error ? error->code : -1,
+ error && error->message ? error->message : "(unknown)");
+ g_clear_error (&error);
+ }
+
+ priv->session_monitor = nm_session_monitor_get ();
+}
+
 static void
 dispose (GObject *object)
 {
@@ -1395,6 +1368,8 @@ dispose (GObject *object)
 g_object_unref (priv->dbus_mgr);
+ g_object_unref (priv->session_monitor);
+
 G_OBJECT_CLASS (nm_settings_parent_class)->dispose (object);
 }
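Review bot: If `nm_auth_uid_in_acl ()` returns FALSE without filling `error_desc`, the new branch in `pk_add_cb` hands a NULL message to `g_error_new_literal ()`, which can leave `error` NULL. The denial then depends on how the `done:` path, which lies outside this hunk, treats a NULL error. Neither the helper's contract nor the declaration and initialisation of `error_desc` is visible in this patch. Passing `error_desc ? error_desc : "Permission denied."` as the message would keep the ACL failure fail-closed in either case. The same applies to the `auth_start` hunk in nm-sysconfig-connection.c, where the former `g_assert (error);` was dropped.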
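Review bot: The result of `nm_session_monitor_get ()` in `nm_settings_init` is stored without a NULL check, although the PolicyKit authority just above it gets a warning when it cannot be created. `priv->session_monitor` now feeds the ACL check in `pk_add_cb`, so a missing monitor should at least be logged, for example `if (!priv->session_monitor) nm_log_warn (LOGD_SYS_SET, "failed to get session monitor");`. The `dispose` hunk that follows unrefs the pointer unconditionally and leaves it set. Unless a guard outside that hunk prevents a second dispose run, adding `priv->session_monitor = NULL;` after the unref would avoid a double unref.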
@@ -1574,20 +1549,3 @@ nm_settings_class_init (NMSettingsClass *class)
 }
-static void
-nm_settings_init (NMSettings *self)
-{
- NMSettingsPrivate *priv = NM_SETTINGS_GET_PRIVATE (self);
- GError *error = NULL;
-
- priv->connections = g_hash_table_new_full (g_str_hash, g_str_equal, NULL, g_object_unref);
-
- priv->authority = polkit_authority_get_sync (NULL, &error);
- if (!priv->authority) {
- nm_log_warn (LOGD_SYS_SET, "failed to create PolicyKit authority: (%d) %s",
- error ? error->code : -1,
- error && error->message ? error->message : "(unknown)");
- g_clear_error (&error);
- }
-}
-
diff --git a/src/settings/nm-sysconfig-connection.c b/src/settings/nm-sysconfig-connection.c
index 96b546a53b..b25736117d 100644
--- a/src/settings/nm-sysconfig-connection.c
+++ b/src/settings/nm-sysconfig-connection.c
@@ -112,55 +112,6 @@ perm_to_user (const char *perm, char *out_user, gsize out_user_size)
 return TRUE;
 }
-static gboolean
-uid_in_acl (NMConnection *self,
- NMSessionMonitor *smon,
- const uid_t uid,
- GError **error)
-{
- NMSettingConnection *s_con;
- const char *user = NULL;
- GError *local = NULL;
-
- g_return_val_if_fail (self != NULL, FALSE);
- g_return_val_if_fail (smon != NULL, FALSE);
-
- s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (self, NM_TYPE_SETTING_CONNECTION));
- g_assert (s_con);
-
- /* Reject the request if the request comes from no session at all */
- if (!nm_session_monitor_uid_has_session (smon, uid, &user, &local)) {
- g_set_error (error,
- NM_SETTINGS_ERROR,
- NM_SETTINGS_ERROR_PERMISSION_DENIED,
- "No session found for uid %d (%s)",
- uid,
- local && local->message ? local->message : "unknown");
- g_clear_error (&local);
- return FALSE;
- }
-
- if (!user) {
- g_set_error (error,
- NM_SETTINGS_ERROR,
- NM_SETTINGS_ERROR_PERMISSION_DENIED,
- "Could not determine username for uid %d",
- uid);
- return FALSE;
- }
-
- /* Match the username returned by the session check to a user in the ACL */
- if (nm_setting_connection_permissions_user_allowed (s_con, user))
- return TRUE;
-
- g_set_error (error,
- NM_SETTINGS_ERROR,
- NM_SETTINGS_ERROR_PERMISSION_DENIED,
- "uid %d has no permission to perform this operation",
- uid);
- return FALSE;
-}
-
 /**************************************************************/
 static void
@@ -643,8 +594,14 @@ auth_start (NMSysconfigConnection *self,
 /* Make sure the UID can view this connection */
 if (0 != sender_uid) {
- if (!uid_in_acl (NM_CONNECTION (self), priv->session_monitor, sender_uid, &error)) {
- g_assert (error);
+ if (!nm_auth_uid_in_acl (NM_CONNECTION (self),
+ priv->session_monitor,
+ sender_uid,
+ &error_desc)) {
+ error = g_error_new_literal (NM_SETTINGS_ERROR,
+ NM_SETTINGS_ERROR_PERMISSION_DENIED,
+ error_desc);
+ g_free (error_desc);
 goto error;
 }
 }