If we want to get the struct passwd corresponding to uid 42, but we
can't, it's much better to say
User ID "42" unknown
rather than
User "???" unknown
Helps: https://gitlab.freedesktop.org/dbus/dbus/-/issues/343
Signed-off-by: Simon McVittie <smcv@collabora.com>
The only difference between these was that we only needed to allocate
and free buf in the getpwnam_r case. We expect that all reasonable
Unix platforms will have getpwnam_r (it's in POSIX) so adding a no-op
dbus_free(NULL) to the getpwnam code path seems harmless.
This will be helpful when we make the error handling better, in a
subsequent commit.
Helps: https://gitlab.freedesktop.org/dbus/dbus/-/issues/343
Signed-off-by: Simon McVittie <smcv@collabora.com>
When running tests, we use DBUS_FATAL_WARNINGS=1 to make the tests fail
on internal errors. Failing to set up inotify is not really an internal
error: it's more like an environmental error, which can occur for
reasons outside our control.
Instead, log using bus_context_log(), which never crashes the process
and always just logs a warning.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/473
If we have a large number of connections to the bus, and we fail to
reload the policy for one of them (perhaps because its uid no longer
exists in the system user database), previously we would crash, which
is obviously unintended. After the previous commit, we would stop
iteration through the list of client connections, which doesn't seem
great either: one bad connection shouldn't prevent us from reloading
the rest of our state.
Instead, let's distinguish between new connections (where we want
failure to establish a security policy to be fatal), and pre-existing
connections (where the current security policy is presumably good
enough to keep using if we have nothing better). If we're unable to
reload the policy for a pre-existing connection, log a warning and
carry on iterating.
Helps: https://gitlab.freedesktop.org/dbus/dbus/-/issues/343
Signed-off-by: Simon McVittie <smcv@collabora.com>
Previously, if dbus_connection_get_unix_user() succeeded but
_dbus_unix_groups_from_uid() failed, then bus_connection_get_unix_groups()
would incorrectly fail without setting the error indicator, resulting
in "(null)" being logged, which is rather unhelpful.
This also lets us distinguish between ENOMEM and other errors, such as
the uid not existing in the system's user database.
Fixes: 145fb99b (untitled refactoring commit, 2006-12-12)
Helps: https://gitlab.freedesktop.org/dbus/dbus/-/issues/343
Signed-off-by: Simon McVittie <smcv@collabora.com>
If policy creation fails, we can't usefully leave a NULL policy in the
BusConnectionData. If we did, the next attempt to reload policy would
crash with a NULL dereference when we tried to unref it, or with
an assertion failure.
One situation in which we can legitimately fail to create a client policy
is an out-of-memory condition. Another is if we are unable to look up a
connection's supplementary groups with SO_PEERGROUPS, and also unable to
look up the connection's uid's groups in the system user database, for
example because it belongs to a user account that has been deleted (which
is sysadmin error, but can happen, particularly in automated test systems)
or because a service required by a Name Service Switch plugin has failed.
Keeping the last known policy is consistent with what happens to all
the connections that are after this one in iteration order: after we
early-return, all of those connections retain their previous policies
(which doesn't seem ideal either, but that's how this has always worked).
[smcv: Add commit message]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/343
Most of these binary blobs is mechanically derived from the
corresponding .hex file, which is hand-written.
boolean-has-no-value.message-raw is presumably either hand-constructed
or fuzzer-generated: it was committed by a Red Hat employee and never
altered, so I've assumed Red Hat is the copyright holder. Permission
was already granted by Red Hat to relicense their dbus contributions
under the MIT (Expat) license.
Signed-off-by: Simon McVittie <smcv@collabora.com>
When cross-compiling Windows binaries on (for example) Linux, we only
need a Windows C++ compiler and not a Linux C++ compiler.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/439
Signed-off-by: Simon McVittie <smcv@collabora.com>
On Unix, dbus has historically used gcc-specific lock-free atomic
intrinsics where available, falling back to a pthreads mutex where
possible. Meanwhile, on Windows, it has historically used
InterlockedIncrement() and similar library functions (in practice
wrappers around lock-free intrinsics on real Windows, but IPC calls into
wineserver on Wine).
ISO C11 provides a new header, stdatomic.h, with standardized support
for atomic operations. Exactly how these are implemented is a compiler
quality-of-implementation decision, but any reasonable compiler
implementation on a modern CPU should be using intrinsics. Let's use
this wherever possible, falling back to our old implementation only if
the C11 implementation is unsupported.
One concrete benefit that we get from this is that when compiling with
mingw-w64 gcc and running via Wine, this makes atomic reference counting
operations into a simple local operation, rather than IPC to wineserver
which can be very slow. This should make our CI tests considerably more
reliable.
In all vaguely modern gcc versions (gcc 5.5 or later) and in contemporary
versions of clang, the default compiler mode is C11 or later with GNU
extensions. We intentionally do not ask for any specific C standard, so
we can use C11 features like this one, as long as we do so conditionally.
The Microsoft Visual C compiler does not currently support this without
special options, so we still use the Interlocked family of functions
when compiling for Windows with MSVC.
Signed-off-by: Simon McVittie <smcv@collabora.com>
I want to use <stdatomic.h> in dbus-sysdeps.h, but if we do that, we
won't be able to include that header into C++ code on all compilers.
Move the declarations for new internal Windows-specific functions
introduced in commit 17a23d08
"dbus_threads_init_default, dbus_threads_init: be safe to call at any time"
into their own header.
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is generally not recommended (dbus should usually be installed from
the OS distributor's packages, which should install into a staging
directory using `DESTDIR`), but we'll want to use it in Gitlab-CI.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Originally part of commit
"README,INSTALL: remove references to the autotools build system"
in dbus!378.
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
In the longer term I'd like to move everything towards Meson so we only
have one primary build system, but at the moment Ralf would prefer to
keep recommending CMake for Windows builds (see dbus!378) so let's
stick with that for now.
Signed-off-by: Simon McVittie <smcv@collabora.com>
There are some differences between Autotools and Meson here:
- Because we detect native atomic operations differently, we can no
longer emulate a platform that doesn't have them, such as ARMv4;
but modern OSs no longer support ARMv4 and all significant hardware
platforms now have native atomic operations, so this is now less of
a concern.
- Similarly, we can no longer emulate a platform that doesn't have the
getrandom() library function, but that function is available in all
relevant glibc versions (such as CentOS >= 8, Debian >= 10,
Ubuntu >= 18.04) so testing the fallback path is less of a concern now.
We also no longer try to disable dnotify in the legacy build, but our
dnotify code path was removed in 2013, so --disable-dnotify didn't do
anything anyway.
[Separated from a larger commit on dbus!378 —smcv]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
Now that we are recommending Meson, let's de-emphasize Autotools.
Anyone who still needs Autotools will already know how it works, at
least generically.
Signed-off-by: Simon McVittie <smcv@collabora.com>
On older 32-bit architectures such as i386, this redefines time_t to be
64-bit, and correspondingly increases the size of all system data
structures that contain a time_t, such as struct timeval and struct stat.
This is necessary to allow timestamps beyond January 2038 to be
represented; as well as things that obviously deal with timestamps,
this affects functions like stat() (and therefore our wrapper
_dbus_stat()), which will fail with EOVERFLOW if asked to inspect a
file whose correct timestamp does not fit in time_t.
In particular, if the modification or access timestamp on
/etc/machine-id has somehow been set to a post-2038 time, libdbus will
consider the inability to stat() that file to be an installation error,
and when using the deprecated dbus_get_local_machine_id(), that can
cause third-party i386 software such as the Steam client to crash.
Using 64-bit timestamps avoids that failure mode.
Using 64-bit timestamps in glibc is an opt-in and not the default,
because if done carelessly it can change libraries' ABIs. However,
libdbus is careful not to include system headers and system data
types in its own headers, with the only exceptions being extremely
basic ISO C headers like <stddef.h> and <stdarg.h>; so we can safely
do this without it breaking our ABI. This is similar to the reasoning
for why commit 96ffc2a0 "configure.ac: support large-file for stat64"
was a safe change.
This change only affects glibc. Some non-GNU operating system libraries
(such as musl) are less concerned with binary backwards compatibility
than glibc, and therefore have incompatibly changed their ABI on 32-bit
platforms to switch to 64-bit timestamps throughout; no action is needed
on those platforms. If other non-GNU OS libraries have taken a route
similar to GNU's, then maintainers of those operating systems are
welcome to send tested merge requests similar to this one.
An extra subtlety here is that _TIME_BITS=64 requires
_FILE_OFFSET_BITS=64. In the Meson build, Meson unconditionally enables
_FILE_OFFSET_BITS=64 where appropriate, and in the Autotools build,
we already had that via AC_SYS_LARGEFILE, but in the CMake build we
did not necessarily have this; so we also define _FILE_OFFSET_BITS=64
there if necessary, as a continuation of commit 96ffc2a0
"configure.ac: support large-file for stat64".
On newer 32-bit architectures like x32, time_t is always 64-bit and so
this has no practical effect.
On 64-bit, setting these would have no practical effect, but to minimize
risk I'm only doing this for 32-bit architectures.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/465
Signed-off-by: Simon McVittie <smcv@collabora.com>
Allows to track a process by pinning to a file descriptor,
which unlike a PID cannot be reused.
root@image:~# busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus GetConnectionCredentials "s" org.freedesktop.systemd1
a{sv} 3 "ProcessID" u 1 "UnixUserID" u 0 "ProcessFD" h 4
Signed-off-by: Luca Boccassi <bluca@debian.org>
The new socket option SO_PEERPIDFD allows to pin the process on the
other side of the socket by file descriptor, which closes a race
condition where a PID can be reused before we can pin it manually.
Available since Linux v6.5.
When storing credentials, pin the process by FD from the PID.
When querying the PID, if the PID FD is available, resolve
it from there first if possible.
Ensure the DBusCredentials object only returns the PID FD if it was
obtained by this call, so that we know for sure we can rely on it
being safe against PID reuse attacks.
Signed-off-by: Luca Boccassi <bluca@debian.org>
The order and arrangement of the initialization of the build directories
has been improved: the deletion of special directories have been moved to
the associated part, the rest have been merged and there is a default
value if not specified as an environment variable, making it easier to
execute on the command line.
Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
This customization simplifies their use, e.g. when outputting the command
line used. Because of FreeBSD, 'awk' is used instead of 'gawk' to make
sure that the tool is available.
