From b78d222083d1a1186743e2bb3aded49b5a950fe2 Mon Sep 17 00:00:00 2001
From: "John (J5) Palmieri"
Date: Wed, 25 Aug 2004 22:11:49 +0000
Subject: Console user security policy

* bus/config-parser.c: (struct PolicyType): Add POLICY_CONSOLE (struct Element.d.policy): s/gid_or_uid/gid_uid_or_at_console (start_busconfig_child): Sets up console element when is encountered in a policy file (append_rule_from_element): Convert console elements to console rules.
* bus/policy.c: (bus_policy_create_client_policy): Add console rules to the client policy based on if the client is at the console (bus_policy_append_console_rule): New function for adding a console rule to a policy (bus_policy_merge): Handle console rule merging
* dbus/dbus-sysdeps.h: Added the DBUS_CONSOLE_DIR constant where we check for console user files
* dbus/dbus-sysdeps.c: (_dbus_file_exists): New function which checks if the given file exists (_dbus_user_at_console): New function which does the system specific process of checking if the user is at the console
* dbus/dbus-userdb.c: (_dbus_is_console_user): New function converts a UID to user name and then calls the system specific _dbus_user_at_console to see if the user is at the console and therefor a console user
---
 bus/config-parser.c | 56 +++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 44 insertions(+), 12 deletions(-)
(limited to 'bus/config-parser.c')

diff --git a/bus/config-parser.c b/bus/config-parser.c
index 3b8c3ae4..dfc313e3 100644
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@@ -59,7 +59,8 @@ typedef enum
 POLICY_DEFAULT,
 POLICY_MANDATORY,
 POLICY_USER,
- POLICY_GROUP
+ POLICY_GROUP,
+ POLICY_CONSOLE
 } PolicyType;
 
 typedef struct
@@ -79,7 +80,7 @@ typedef struct
 struct
 {
 PolicyType type;
- unsigned long gid_or_uid;
+ unsigned long gid_uid_or_at_console;
 } policy;
 
 struct
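Review bot: The renamed field `gid_uid_or_at_console` is written with a uid by `_dbus_get_user_id`, a gid by `_dbus_get_group_id` and a `dbus_bool_t` by the new at_console branch later in this patch, and the struct gives no hint of that three-way meaning. A field comment such as `/* uid for POLICY_USER, gid for POLICY_GROUP, TRUE/FALSE for POLICY_CONSOLE */` would spare readers a trip to start_busconfig_child; a union or a separate `dbus_bool_t at_console` member would be cleaner still, but that is a larger change. The enclosing `typedef struct` continues past the end of this hunk.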
@@ -775,6 +776,7 @@ start_busconfig_child (BusConfigParser *parser,
 const char *context;
 const char *user;
 const char *group;
+ const char *at_console;
 
 if ((e = push_element (parser, ELEMENT_POLICY)) == NULL)
 {
@@ -791,16 +793,20 @@ start_busconfig_child (BusConfigParser *parser,
 "context", &context,
 "user", &user,
 "group", &group,
+ "at_console", &at_console,
 NULL))
 return FALSE;
 
 if (((context && user) ||
- (context && group)) ||
- (user && group) ||
- !(context || user || group))
+ (context && group) ||
+ (context && at_console)) ||
+ ((user && group) ||
+ (user && at_console)) ||
+ (group && at_console) ||
+ !(context || user || group || at_console))
 {
 dbus_set_error (error, DBUS_ERROR_FAILED,
- " element must have exactly one of (context|user|group) attributes");
+ " element must have exactly one of (context|user|group|at_console) attributes");
 return FALSE;
 }
 
@@ -828,7 +834,7 @@ start_busconfig_child (BusConfigParser *parser,
 _dbus_string_init_const (&username, user);
 
 if (_dbus_get_user_id (&username,
- &e->d.policy.gid_or_uid))
+ &e->d.policy.gid_uid_or_at_console))
 e->d.policy.type = POLICY_USER;
 else
 _dbus_warn ("Unknown username \"%s\" in message bus configuration file\n",
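Review bot: The exactly-one check in the `if` is now a hand-written list of every pair of the four policy attributes, which grows quadratically and is easy to get wrong the next time an attribute is added; counting the non-NULL attributes states the same rule in two lines: `int n_set = (context != NULL) + (user != NULL) + (group != NULL) + (at_console != NULL);` followed by `if (n_set != 1)`. The updated error text listing at_console matches the new check. start_busconfig_child begins before this hunk and continues after it.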
@@ -840,12 +846,30 @@ start_busconfig_child (BusConfigParser *parser,
 _dbus_string_init_const (&group_name, group);
 
 if (_dbus_get_group_id (&group_name,
- &e->d.policy.gid_or_uid))
+ &e->d.policy.gid_uid_or_at_console))
 e->d.policy.type = POLICY_GROUP;
 else
 _dbus_warn ("Unknown group \"%s\" in message bus configuration file\n",
 group);
 }
+ else if (at_console != NULL)
+ {
+ dbus_bool_t t;
+ t = (strcmp (at_console, "true") == 0);
+ if (t || strcmp (at_console, "false") == 0)
+ {
+ e->d.policy.gid_uid_or_at_console = t;
+ e->d.policy.type = POLICY_CONSOLE;
+ }
+ else
+ {
+ dbus_set_error (error, DBUS_ERROR_FAILED,
+ "Unknown value \"%s\" for at_console in message bus configuration file",
+ at_console);
+
+ return FALSE;
+ }
+ }
 else
 {
 _dbus_assert_not_reached ("all attributes null and we didn't set error");
@@ -936,6 +960,7 @@ append_rule_from_element (BusConfigParser *parser,
 const char *own;
 const char *user;
 const char *group;
+ BusPolicyRule *rule;
 
 
 if (!locate_attributes (parser, element_name,
@@ -1369,7 +1394,7 @@ append_rule_from_element (BusConfigParser *parser,
 goto failed;
 }
 
- if (!bus_policy_append_user_rule (parser->policy, pe->d.policy.gid_or_uid,
+ if (!bus_policy_append_user_rule (parser->policy, pe->d.policy.gid_uid_or_at_console,
 rule))
 goto nomem;
 break;
@@ -1382,12 +1407,19 @@ append_rule_from_element (BusConfigParser *parser,
 goto failed;
 }
 
- if (!bus_policy_append_group_rule (parser->policy, pe->d.policy.gid_or_uid,
+ if (!bus_policy_append_group_rule (parser->policy, pe->d.policy.gid_uid_or_at_console,
+ rule))
+ goto nomem;
+ break;
+
+
+ case POLICY_CONSOLE:
+ if (!bus_policy_append_console_rule (parser->policy, pe->d.policy.gid_uid_or_at_console,
 rule))
 goto nomem;
 break;
 }
-
+
 bus_policy_rule_unref (rule);
 rule = NULL;
 }
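Review bot: The new `else if (at_console != NULL)` branch accepts only the literal strings "true" and "false" and errors out on anything else, which is the right fail-closed choice for a policy attribute, but nothing in the code says what a `true` or `false` rule selects at evaluation time; a short comment above the branch — per the commit message, rules with `true` apply to clients whose user is at the console and `false` presumably to everyone else — would help readers of the parser. Per the commit message the console decision is made later by `_dbus_is_console_user` from the presence of a file under DBUS_CONSOLE_DIR, so the effective trust of an at_console rule depends on who can create files there; that assumption is worth recording next to the same comment. start_busconfig_child begins before this hunk and continues after it.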
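Review bot: The new `case POLICY_CONSOLE:` is preceded by two empty added lines, and the blank line before `bus_policy_rule_unref (rule)` appears to have been replaced by a whitespace-only line; a single blank line in each place keeps the file's existing spacing. The console call also receives the `unsigned long` field that the parser filled with a `dbus_bool_t`, so if `bus_policy_append_console_rule` takes a boolean the implicit narrowing is intended but undocumented — a comment such as `/* gid_uid_or_at_console holds the parsed at_console boolean for POLICY_CONSOLE */` on the call would make that explicit. append_rule_from_element begins before this hunk; the hunk's final `}` appears to close the function.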
@@ -2545,7 +2577,7 @@ elements_equal (const Element *a,
 case ELEMENT_POLICY:
 if (a->d.policy.type != b->d.policy.type)
 return FALSE;
- if (a->d.policy.gid_or_uid != b->d.policy.gid_or_uid)
+ if (a->d.policy.gid_uid_or_at_console != b->d.policy.gid_uid_or_at_console)
 return FALSE;
 break;
 
--
cgit