From a382492204ad3588c0c837e120e5bc31578df72a Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 19 Jul 2006 21:48:35 +0000
Subject: * add new function pa_check_in_group() * abstract credential APis a
 little bit by introducing HAVE_CREDS and a structure pa_creds * rework
 credential authentication * fix module-volume-restore and friends for usage
 in system-wide instance * remove loopback= argument from
 moulde-*-protocol-tcp since it is a superset of listen= and usually a bad
 idea anyway since the user shouldn't load the TCP module at all if he doesn't
 want remote access * rename a few variables in the jack modules to make sure
 they don't conflict with symbols defined in the system headers * add server
 address for system-wide daemons to the default server list for the the client
 libs * update todo

git-svn-id: file:///home/lennart/svn/public/pulseaudio/trunk@1109 fefdeb5f-60dc-0310-8127-8f9354f1896f
---
 src/pulsecore/protocol-native.c | 55 +++++++++++++++++++++++++++--------------
 1 file changed, 37 insertions(+), 18 deletions(-)

(limited to 'src/pulsecore/protocol-native.c')

diff --git a/src/pulsecore/protocol-native.c b/src/pulsecore/protocol-native.c
index 14f880d7..2775d774 100644
--- a/src/pulsecore/protocol-native.c
+++ b/src/pulsecore/protocol-native.c
@@ -55,6 +55,8 @@
 #include <pulsecore/props.h>
 #include <pulsecore/sample-util.h>
 #include <pulsecore/llist.h>
+#include <pulsecore/creds.h>
+#include <pulsecore/core-util.h>
 
 #include "protocol-native.h"
 
@@ -134,7 +136,7 @@ struct pa_protocol_native {
     pa_idxset *connections;
     uint8_t auth_cookie[PA_NATIVE_COOKIE_LENGTH];
     int auth_cookie_in_property;
-#ifdef SCM_CREDENTIALS
+#ifdef HAVE_CREDS
     char *auth_group;
 #endif
 };
@@ -910,25 +912,32 @@ static void command_auth(PA_GCC_UNUSED pa_pdispatch *pd, PA_GCC_UNUSED uint32_t
     if (!c->authorized) {
         int success = 0;
         
-#ifdef SCM_CREDENTIALS
-        const struct ucred *ucred = pa_pdispatch_creds(pd);
+#ifdef HAVE_CREDS
+        const pa_creds *creds;
 
-        if (ucred) {
-            if (ucred->uid == getuid())
+        if ((creds = pa_pdispatch_creds(pd))) {
+            if (creds->uid == getuid())
                 success = 1;
             else if (c->protocol->auth_group) {
                 int r;
-                
-                if ((r = pa_uid_in_group(ucred->uid, c->protocol->auth_group)) < 0)
-                    pa_log_warn(__FILE__": failed to check group membership.");
-                else if (r > 0)
+                gid_t gid;
+
+                if ((gid = pa_get_gid_of_group(c->protocol->auth_group)) == (gid_t) -1)
+                    pa_log_warn(__FILE__": failed to get GID of group '%s'", c->protocol->auth_group);
+                else if (gid == creds->gid)
                     success = 1;
+                    
+                if (!success) {
+                    if ((r = pa_uid_in_group(creds->uid, c->protocol->auth_group)) < 0)
+                        pa_log_warn(__FILE__": failed to check group membership.");
+                    else if (r > 0)
+                        success = 1;
+                }
             }
                 
-            pa_log_info(__FILE__": Got credentials: pid=%lu uid=%lu gid=%lu auth=%i",
-                        (unsigned long) ucred->pid,
-                        (unsigned long) ucred->uid,
-                        (unsigned long) ucred->gid,
+            pa_log_info(__FILE__": Got credentials: uid=%lu gid=%lu success=%i",
+                        (unsigned long) creds->uid,
+                        (unsigned long) creds->gid,
                         success);
         }
 #endif
@@ -2100,7 +2109,7 @@ static void command_get_autoload_info_list(PA_GCC_UNUSED pa_pdispatch *pd, PA_GC
 
 /*** pstream callbacks ***/
 
-static void pstream_packet_callback(pa_pstream *p, pa_packet *packet, const struct ucred *creds, void *userdata) {
+static void pstream_packet_callback(pa_pstream *p, pa_packet *packet, const pa_creds *creds, void *userdata) {
     struct connection *c = userdata;
     assert(p && packet && packet->data && c);
 
@@ -2272,7 +2281,7 @@ static void on_connection(PA_GCC_UNUSED pa_socket_server*s, pa_iochannel *io, vo
     pa_idxset_put(p->connections, c, NULL);
 
 
-#ifdef SCM_CREDENTIALS
+#ifdef HAVE_CREDS
     if (pa_iochannel_creds_supported(io))
         pa_iochannel_creds_enable(io);
     
@@ -2323,8 +2332,18 @@ static pa_protocol_native* protocol_new_internal(pa_core *c, pa_module *m, pa_mo
     p->public = public;
     p->server = NULL;
 
-#ifdef SCM_CREDENTIALS
-    p->auth_group = pa_xstrdup(pa_modargs_get_value(ma, "auth-group", NULL));
+#ifdef HAVE_CREDS
+    {
+        int a = 1;
+        if (pa_modargs_get_value_boolean(ma, "auth-group-enabled", &a) < 0) {
+            pa_log(__FILE__": auth-group-enabled= expects a boolean argument.");
+            return NULL;
+        }
+        p->auth_group = a ? pa_xstrdup(pa_modargs_get_value(ma, "auth-group", c->is_system_instance ? PA_ACCESS_GROUP : NULL)) : NULL;
+
+        if (p->auth_group)
+            pa_log_info(__FILE__": Allowing access to group '%s'.", p->auth_group);
+    }
 #endif
     
     if (load_key(p, pa_modargs_get_value(ma, "cookie", NULL)) < 0) {
@@ -2386,7 +2405,7 @@ void pa_protocol_native_free(pa_protocol_native *p) {
     if (p->auth_cookie_in_property)
         pa_authkey_prop_unref(p->core, PA_NATIVE_COOKIE_PROPERTY_NAME);
 
-#ifdef SCM_CREDENTIALS
+#ifdef HAVE_CREDS
     pa_xfree(p->auth_group);
 #endif
     pa_xfree(p);
-- 
cgit