From 01af5ff4101e540a6456bca01d56272e701bea78 Mon Sep 17 00:00:00 2001 From: Havoc Pennington Date: Sat, 4 Jan 2003 07:28:54 +0000 Subject: 2003-01-04 Havoc Pennington * test/watch.c (error_handler): make it safe if the error handler is called multiple times (if we s/error handler/disconnect handler/ we should just guarantee it's called only once) * dbus/dbus-transport.c (_dbus_transport_disconnect): call the error handler on disconnect (it's quite possible we should just change the error handler to a "disconnect handler," I'm not sure we have any other meaningful errors) * configure.in: check for getpwnam_r * dbus/dbus-transport.c, dbus/dbus-transport-unix.c, dbus/dbus-auth.c: add credentials support, add EXTERNAL auth mechanism as in SASL spec, using socket credentials * dbus/dbus-sysdeps.c (_dbus_read_credentials_unix_socket): new function (_dbus_send_credentials_unix_socket): new function * dbus/dbus-sysdeps.c (_dbus_accept_unix_socket): rename just dbus_accept() (_dbus_write): only check errno if <0 returned (_dbus_write_two): ditto --- dbus/dbus-transport.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) (limited to 'dbus/dbus-transport.c') diff --git a/dbus/dbus-transport.c b/dbus/dbus-transport.c index 085b0224..110153dd 100644 --- a/dbus/dbus-transport.c +++ b/dbus/dbus-transport.c @@ -105,6 +105,13 @@ _dbus_transport_init_base (DBusTransport *transport, transport->authenticated = FALSE; transport->messages_need_sending = FALSE; transport->disconnected = FALSE; + transport->send_credentials_pending = !server; + transport->receive_credentials_pending = server; + transport->is_server = server; + + transport->credentials.pid = -1; + transport->credentials.uid = -1; + transport->credentials.gid = -1; return TRUE; } @@ -205,8 +212,12 @@ _dbus_transport_disconnect (DBusTransport *transport) DBUS_TRANSPORT_HOLD_REF (transport); (* transport->vtable->disconnect) (transport); - + transport->disconnected = TRUE; + + _dbus_connection_transport_error (transport->connection, + DBUS_RESULT_DISCONNECTED); + DBUS_TRANSPORT_RELEASE_REF (transport); } @@ -238,9 +249,45 @@ _dbus_transport_get_is_authenticated (DBusTransport *transport) return TRUE; else { + if (transport->disconnected) + return FALSE; + transport->authenticated = + (!(transport->send_credentials_pending || + transport->receive_credentials_pending)) && _dbus_auth_do_work (transport->auth) == DBUS_AUTH_STATE_AUTHENTICATED; + /* If we've authenticated as some identity, check that the auth + * identity is the same as our own identity. In the future, we + * may have API allowing applications to specify how this is + * done, for example they may allow connection as any identity, + * but then impose restrictions on certain identities. + * Or they may give certain identities extra privileges. + */ + + if (transport->authenticated && transport->is_server) + { + DBusCredentials auth_identity; + DBusCredentials our_identity; + + _dbus_credentials_from_current_process (&our_identity); + _dbus_auth_get_identity (transport->auth, &auth_identity); + + if (!_dbus_credentials_match (&our_identity, + &auth_identity)) + { + _dbus_verbose ("Client authorized as UID %d but our UID is %d, disconnecting\n", + auth_identity.uid, our_identity.uid); + _dbus_transport_disconnect (transport); + return FALSE; + } + else + { + _dbus_verbose ("Client authorized as UID %d matching our UID %d\n", + auth_identity.uid, our_identity.uid); + } + } + return transport->authenticated; } } -- cgit