author | John (J5) Palmieri <johnp@redhat.com> | 2004-08-25 22:11:49 +0000 |
---|---|---|
committer | John (J5) Palmieri <johnp@redhat.com> | 2004-08-25 22:11:49 +0000 |
commit | b78d222083d1a1186743e2bb3aded49b5a950fe2 (patch) | |
tree | 96e6386e5d27afc636a5ecc983466d14585b243e /dbus | |
parent | 8a2c91b8a549402040c94b45b063311975583efd (diff) |
Console user security policy
* bus/config-parser.c:
(struct PolicyType): Add POLICY_CONSOLE
(struct Element.d.policy): s/gid_or_uid/gid_uid_or_at_console
(start_busconfig_child): Sets up console element when
<policy at_console=""> is encountered in a policy file
(append_rule_from_element): Convert console elements to console
rules.
* bus/policy.c:
(bus_policy_create_client_policy): Add console rules to the client
policy based on if the client is at the console
(bus_policy_append_console_rule): New function for adding a
console rule to a policy
(bus_policy_merge): Handle console rule merging
* dbus/dbus-sysdeps.h: Added the DBUS_CONSOLE_DIR constant
where we check for console user files
* dbus/dbus-sysdeps.c:
(_dbus_file_exists): New function which checks if the given
file exists
(_dbus_user_at_console): New function which does the system
specific process of checking if the user is at the console
* dbus/dbus-userdb.c:
(_dbus_is_console_user): New function converts a UID to user name
and then calls the system specific _dbus_user_at_console to
see if the user is at the console and therefore a console user
Diffstat (limited to 'dbus')
-rw-r--r-- | dbus/dbus-sysdeps.c | 49 | ||||
-rw-r--r-- | dbus/dbus-sysdeps.h | 5 | ||||
-rw-r--r-- | dbus/dbus-userdb.c | 43 | ||||
-rw-r--r-- | dbus/dbus-userdb.h | 3 |
4 files changed, 99 insertions, 1 deletions
diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c
index e5d4bdba..4af70931 100644
--- a/dbus/dbus-sysdeps.c
+++ b/dbus/dbus-sysdeps.c
@@ -3332,6 +3332,55 @@ _dbus_set_signal_handler (int sig,
 sigaction (sig, &act, 0);
 }
+/** Checks if a file exists
+*
+* @param file full path to the file
+* @returns #TRUE if file exists
+*/
+dbus_bool_t
+_dbus_file_exists (const char *file)
+{
+ return (access (file, F_OK) == 0);
+}
+
+/** Checks if user is at the console
+*
+* @param username user to check
+* @param error return location for errors
+* @returns #TRUE is the user is at the consolei and there are no errors
+*/
+dbus_bool_t
+_dbus_user_at_console (const char *username,
+ DBusError *error)
+{
+
+ DBusString f;
+ dbus_bool_t result;
+
+ if (!_dbus_string_init (&f))
+ {
+ dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
+ return FALSE;
+ }
+
+ if (!_dbus_string_append (&f, DBUS_CONSOLE_DIR))
+ {
+ dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
+ return FALSE;
+ }
+
+
+ if (!_dbus_string_append (&f, username))
+ {
+ dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
+ return FALSE;
+ }
+
+ result = _dbus_file_exists (_dbus_string_get_const_data (&f));
+ _dbus_string_free (&f);
+
+ return result;
+}
 #ifdef DBUS_BUILD_TESTS
 #include <stdlib.h>
diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
index ecfef69a..8ac131a7 100644
--- a/dbus/dbus-sysdeps.h
+++ b/dbus/dbus-sysdeps.h
@@ -99,6 +99,8 @@ typedef unsigned long dbus_gid_t;
 #define DBUS_UID_FORMAT "%lu"
 #define DBUS_GID_FORMAT "%lu"
+#define DBUS_CONSOLE_DIR "/var/run/console/"
+
 /**
 * Struct representing socket credentials
 */
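Review bot: `_dbus_user_at_console` leaks the DBusString `f` on both `_dbus_string_append` failure paths: `_dbus_string_init (&f)` has already succeeded, but those branches `return FALSE` without releasing it, so add `_dbus_string_free (&f);` before each of the two returns (the `_dbus_string_init` failure branch needs nothing). The username is concatenated onto `DBUS_CONSOLE_DIR` unchecked; it appears to come from the system user database (the `dbus-userdb.c` hunk passes `info->username`), so rejecting an empty name or one containing `/` before the append would keep the lookup from ever resolving outside the console directory. `access (file, F_OK)` follows symlinks, so the check is only as trustworthy as the permissions on the console directory itself; a comment on `_dbus_file_exists` stating that assumption would help the next reader. The doc comment typo `consolei` should read `console`.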
@@ -309,6 +311,9 @@ typedef void (* DBusSignalHandler) (int sig);
 void _dbus_set_signal_handler (int sig,
 DBusSignalHandler handler);
+dbus_bool_t _dbus_file_exists (const char *file);
+dbus_bool_t _dbus_user_at_console (const char *username,
+ DBusError *error);
 /* Define DBUS_VA_COPY() to do the right thing for copying va_list variables.
 * config.h may have already defined DBUS_VA_COPY as va_copy or __va_copy.
diff --git a/dbus/dbus-userdb.c b/dbus/dbus-userdb.c
index 1e105b29..833256c5 100644
--- a/dbus/dbus-userdb.c
+++ b/dbus/dbus-userdb.c
@@ -38,6 +38,7 @@ struct DBusUserDatabase
 DBusHashTable *groups; /**< Groups in the database by GID */
 DBusHashTable *users_by_name; /**< Users in the database by name */
 DBusHashTable *groups_by_name; /**< Groups in the database by name */
+
 };
 static void
@@ -399,6 +400,48 @@ _dbus_get_user_id (const DBusString *username,
 }
 /**
+ * Checks to see if the UID sent in is the console user
+ *
+ * @param uid UID of person to check
+ * @param error return location for errors
+ * @returns #TRUE if the UID is the same as the console user and there are no errors
+ */
+dbus_bool_t
+_dbus_is_console_user (dbus_uid_t uid,
+ DBusError *error)
+{
+
+ DBusUserDatabase *db;
+ const DBusUserInfo *info;
+ DBusString *console_file;
+ dbus_bool_t result = FALSE;
+
+ _dbus_user_database_lock_system ();
+
+ db = _dbus_user_database_get_system ();
+ if (db == NULL)
+ {
+ dbus_set_error (error, DBUS_ERROR_FAILED, "Could not get system database.");
+ _dbus_user_database_unlock_system ();
+ return FALSE;
+ }
+
+ info = _dbus_user_database_lookup (db, uid, NULL, error);
+
+ if (info == NULL)
+ {
+ _dbus_user_database_unlock_system ();
+ return FALSE;
+ }
+
+ result = _dbus_user_at_console (info->username, error);
+
+ _dbus_user_database_unlock_system ();
+
+ return result;
+}
+
+/**
 * Gets group ID given groupname
 *
 * @param groupname the groupname
diff --git a/dbus/dbus-userdb.h b/dbus/dbus-userdb.h
index 683b0b76..51f2fa7c 100644
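Review bot: `DBusString *console_file;` in `_dbus_is_console_user` (the `@@ -399,6 +400,48 @@` hunk of `dbus-userdb.c`) is declared but never used; drop the line, as it will only produce an unused-variable warning. The `info == NULL` branch returns FALSE without setting `error` itself, which is correct only if `_dbus_user_database_lookup` always sets the passed-in error on failure; that is not visible here and is worth confirming, since a caller would otherwise get FALSE with an unset error and be unable to tell "not at console" from "lookup failed". The console check in `_dbus_user_at_console` performs a filesystem `access()` while the system database lock is held; if that lock is a global mutex, copying `info->username` out and unlocking before the check would keep the I/O outside the critical section.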
--- a/dbus/dbus-userdb.h
+++ b/dbus/dbus-userdb.h
@@ -56,7 +56,6 @@ dbus_bool_t _dbus_user_database_get_groupname (DBusUserDatabase *db,
 DBusError *error);
-
 DBusUserDatabase* _dbus_user_database_get_system (void);
 void _dbus_user_database_lock_system (void);
 void _dbus_user_database_unlock_system (void);
@@ -75,6 +74,8 @@ dbus_bool_t _dbus_credentials_from_username (const DBusString *username,
 DBusCredentials *credentials);
 dbus_bool_t _dbus_credentials_from_uid (dbus_uid_t user_id,
 DBusCredentials *credentials);
+dbus_bool_t _dbus_is_console_user (dbus_uid_t uid,
+ DBusError *error);
 DBUS_END_DECLS; |