static dbus_bool_t
auth_via_default_rules (DBusTransport *transport)
{
DBusCredentials *auth_identity;
DBusCredentials *our_identity;
dbus_bool_t allow;
auth_identity = _dbus_auth_get_identity (transport->auth);
_dbus_assert (auth_identity != NULL);
/* By default, connection is allowed if the client is 1) root or 2)
* has the same UID as us or 3) anonymous is allowed.
*/
our_identity = _dbus_credentials_new_from_current_process ();
if (our_identity == NULL)
{
/* OOM */
return FALSE;
}
if (transport->allow_anonymous ||
_dbus_credentials_get_unix_uid (auth_identity) == 0 ||
_dbus_credentials_same_user (our_identity,
auth_identity))
{
if (_dbus_credentials_include(our_identity,DBUS_CREDENTIAL_WINDOWS_SID))
_dbus_verbose ("Client authorized as SID '%s'"
"matching our SID '%s'\n",
_dbus_credentials_get_windows_sid(auth_identity),
_dbus_credentials_get_windows_sid(our_identity));
else
_dbus_verbose ("Client authorized as UID "DBUS_UID_FORMAT
" matching our UID "DBUS_UID_FORMAT"\n",
_dbus_credentials_get_unix_uid(auth_identity),
_dbus_credentials_get_unix_uid(our_identity));
/* We have authenticated! */
allow = TRUE;
}
else
{
if (_dbus_credentials_include(our_identity,DBUS_CREDENTIAL_WINDOWS_SID))
_dbus_verbose ("Client authorized as SID '%s'"
" but our SID is '%s', disconnecting\n",
_dbus_credentials_get_windows_sid(auth_identity),
_dbus_credentials_get_windows_sid(our_identity));
else
_dbus_verbose ("Client authorized as UID "DBUS_UID_FORMAT
" but our UID is "DBUS_UID_FORMAT", disconnecting\n",
_dbus_credentials_get_unix_uid(auth_identity),
_dbus_credentials_get_unix_uid(our_identity));
_dbus_transport_disconnect (transport);
allow = FALSE;
}
_dbus_credentials_unref (our_identity);
return allow;
}
/**
* See dbus_connection_get_adt_audit_session_data().
*
* @param transport the transport
* @param data return location for the ADT audit data
* @param data_size return length of audit data
* @returns #TRUE if audit data is filled in with a valid ucred
*/
dbus_bool_t
_dbus_transport_get_adt_audit_session_data (DBusTransport *transport,
void **data,
int *data_size)
{
DBusCredentials *auth_identity;
*data = NULL;
*data_size = 0;
if (!transport->authenticated)
return FALSE;
auth_identity = _dbus_auth_get_identity (transport->auth);
if (_dbus_credentials_include (auth_identity,
DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID))
{
*data = (void *) _dbus_credentials_get_adt_audit_data (auth_identity);
*data_size = _dbus_credentials_get_adt_audit_data_size (auth_identity);
return TRUE;
}
else
return FALSE;
}
/**
* See dbus_connection_get_unix_process_id().
*
* @param transport the transport
* @param pid return location for the process ID
* @returns #TRUE if uid is filled in with a valid process ID
*/
dbus_bool_t
_dbus_transport_get_unix_process_id (DBusTransport *transport,
unsigned long *pid)
{
DBusCredentials *auth_identity;
*pid = DBUS_PID_UNSET; /* Caller should never use this value on purpose,
* but we set it to a safe number, INT_MAX,
* just to root out possible bugs in bad callers.
*/
if (!transport->authenticated)
return FALSE;
auth_identity = _dbus_auth_get_identity (transport->auth);
if (_dbus_credentials_include (auth_identity,
DBUS_CREDENTIAL_UNIX_PROCESS_ID))
{
*pid = _dbus_credentials_get_unix_pid (auth_identity);
return TRUE;
}
else
return FALSE;
}
/**
* See dbus_connection_get_unix_user().
*
* @param transport the transport
* @param uid return location for the user ID
* @returns #TRUE if uid is filled in with a valid user ID
*/
dbus_bool_t
_dbus_transport_get_unix_user (DBusTransport *transport,
unsigned long *uid)
{
DBusCredentials *auth_identity;
*uid = _DBUS_INT32_MAX; /* better than some root or system user in
* case of bugs in the caller. Caller should
* never use this value on purpose, however.
*/
if (!transport->authenticated)
return FALSE;
auth_identity = _dbus_auth_get_identity (transport->auth);
if (_dbus_credentials_include (auth_identity,
DBUS_CREDENTIAL_UNIX_USER_ID))
{
*uid = _dbus_credentials_get_unix_uid (auth_identity);
return TRUE;
}
else
return FALSE;
}
/**
* See dbus_connection_get_windows_user().
*
* @param transport the transport
* @param windows_sid_p return location for the user ID
* @returns #TRUE if user is available; the returned value may still be #NULL if no memory to copy it
*/
dbus_bool_t
_dbus_transport_get_windows_user (DBusTransport *transport,
char **windows_sid_p)
{
DBusCredentials *auth_identity;
*windows_sid_p = NULL;
if (!transport->authenticated)
return FALSE;
auth_identity = _dbus_auth_get_identity (transport->auth);
if (_dbus_credentials_include (auth_identity,
DBUS_CREDENTIAL_WINDOWS_SID))
{
/* If no memory, we are supposed to return TRUE and set NULL */
*windows_sid_p = _dbus_strdup (_dbus_credentials_get_windows_sid (auth_identity));
return TRUE;
}
else
return FALSE;
}
/**
* Returns #TRUE if we have been authenticated. Will return #TRUE
* even if the transport is disconnected.
*
* @todo we drop connection->mutex when calling the unix_user_function,
* and windows_user_function, which may not be safe really.
*
* @param transport the transport
* @returns whether we're authenticated
*/
dbus_bool_t
_dbus_transport_get_is_authenticated (DBusTransport *transport)
{
if (transport->authenticated)
return TRUE;
else
{
dbus_bool_t maybe_authenticated;
if (transport->disconnected)
return FALSE;
/* paranoia ref since we call user callbacks sometimes */
_dbus_connection_ref_unlocked (transport->connection);
maybe_authenticated =
(!(transport->send_credentials_pending ||
transport->receive_credentials_pending));
if (maybe_authenticated)
{
switch (_dbus_auth_do_work (transport->auth))
{
case DBUS_AUTH_STATE_AUTHENTICATED:
/* leave as maybe_authenticated */
break;
default:
maybe_authenticated = FALSE;
}
}
/* If we're the client, verify the GUID
*/
if (maybe_authenticated && !transport->is_server)
{
const char *server_guid;
server_guid = _dbus_auth_get_guid_from_server (transport->auth);
_dbus_assert (server_guid != NULL);
if (transport->expected_guid &&
strcmp (transport->expected_guid, server_guid) != 0)
{
_dbus_verbose ("Client expected GUID '%s' and we got '%s' from the server\n",
transport->expected_guid, server_guid);
_dbus_transport_disconnect (transport);
_dbus_connection_unref_unlocked (transport->connection);
return FALSE;
}
if (transport->expected_guid == NULL)
{
transport->expected_guid = _dbus_strdup (server_guid);
if (transport->expected_guid == NULL)
{
_dbus_verbose ("No memory to complete auth in %s\n", _DBUS_FUNCTION_NAME);
return FALSE;
}
}
}
/* If we're the server, see if we want to allow this identity to proceed.
*/
if (maybe_authenticated && transport->is_server)
{
dbus_bool_t allow;
DBusCredentials *auth_identity;
auth_identity = _dbus_auth_get_identity (transport->auth);
_dbus_assert (auth_identity != NULL);
/* If we have an auth'd user and a user function, delegate
* deciding whether auth credentials are good enough to the
* app; otherwise, use our default decision process.
*/
if (transport->unix_user_function != NULL &&
_dbus_credentials_include (auth_identity, DBUS_CREDENTIAL_UNIX_USER_ID))
{
allow = auth_via_unix_user_function (transport);
}
else if (transport->windows_user_function != NULL &&
_dbus_credentials_include (auth_identity, DBUS_CREDENTIAL_WINDOWS_SID))
{
allow = auth_via_windows_user_function (transport);
}
else
{
allow = auth_via_default_rules (transport);
}
if (!allow)
maybe_authenticated = FALSE;
}
transport->authenticated = maybe_authenticated;
_dbus_connection_unref_unlocked (transport->connection);
return maybe_authenticated;
}
}
dbus_bool_t
_dbus_credentials_test (const char *test_data_dir)
{
DBusCredentials *creds;
DBusCredentials *creds2;
if (test_data_dir == NULL)
return TRUE;
creds = make_credentials (12, 511, SAMPLE_SID);
if (creds == NULL)
_dbus_assert_not_reached ("oom");
/* test refcounting */
_dbus_credentials_ref (creds);
_dbus_credentials_unref (creds);
_dbus_assert (_dbus_credentials_include (creds, DBUS_CREDENTIAL_UNIX_USER_ID));
_dbus_assert (_dbus_credentials_include (creds, DBUS_CREDENTIAL_UNIX_PROCESS_ID));
_dbus_assert (_dbus_credentials_include (creds, DBUS_CREDENTIAL_WINDOWS_SID));
_dbus_assert (_dbus_credentials_get_unix_uid (creds) == 12);
_dbus_assert (_dbus_credentials_get_pid (creds) == 511);
_dbus_assert (strcmp (_dbus_credentials_get_windows_sid (creds), SAMPLE_SID) == 0);
_dbus_assert (!_dbus_credentials_are_empty (creds));
_dbus_assert (!_dbus_credentials_are_anonymous (creds));
/* Test copy */
creds2 = _dbus_credentials_copy (creds);
if (creds2 == NULL)
_dbus_assert_not_reached ("oom");
_dbus_assert (_dbus_credentials_include (creds2, DBUS_CREDENTIAL_UNIX_USER_ID));
_dbus_assert (_dbus_credentials_include (creds2, DBUS_CREDENTIAL_UNIX_PROCESS_ID));
_dbus_assert (_dbus_credentials_include (creds2, DBUS_CREDENTIAL_WINDOWS_SID));
_dbus_assert (_dbus_credentials_get_unix_uid (creds2) == 12);
_dbus_assert (_dbus_credentials_get_pid (creds2) == 511);
_dbus_assert (strcmp (_dbus_credentials_get_windows_sid (creds2), SAMPLE_SID) == 0);
_dbus_assert (_dbus_credentials_are_superset (creds, creds2));
_dbus_credentials_unref (creds2);
/* Same user if both unix and windows are the same */
creds2 = make_credentials (12, DBUS_PID_UNSET, SAMPLE_SID);
if (creds2 == NULL)
_dbus_assert_not_reached ("oom");
_dbus_assert (_dbus_credentials_same_user (creds, creds2));
_dbus_credentials_unref (creds2);
/* Not the same user if Windows is missing */
creds2 = make_credentials (12, DBUS_PID_UNSET, NULL);
if (creds2 == NULL)
_dbus_assert_not_reached ("oom");
_dbus_assert (!_dbus_credentials_same_user (creds, creds2));
_dbus_assert (_dbus_credentials_are_superset (creds, creds2));
_dbus_credentials_unref (creds2);
/* Not the same user if Windows is different */
creds2 = make_credentials (12, DBUS_PID_UNSET, OTHER_SAMPLE_SID);
if (creds2 == NULL)
_dbus_assert_not_reached ("oom");
_dbus_assert (!_dbus_credentials_same_user (creds, creds2));
_dbus_assert (!_dbus_credentials_are_superset (creds, creds2));
_dbus_credentials_unref (creds2);
/* Not the same user if Unix is missing */
creds2 = make_credentials (DBUS_UID_UNSET, DBUS_PID_UNSET, SAMPLE_SID);
if (creds2 == NULL)
_dbus_assert_not_reached ("oom");
_dbus_assert (!_dbus_credentials_same_user (creds, creds2));
_dbus_assert (_dbus_credentials_are_superset (creds, creds2));
_dbus_credentials_unref (creds2);
/* Not the same user if Unix is different */
creds2 = make_credentials (15, DBUS_PID_UNSET, SAMPLE_SID);
if (creds2 == NULL)
_dbus_assert_not_reached ("oom");
_dbus_assert (!_dbus_credentials_same_user (creds, creds2));
_dbus_assert (!_dbus_credentials_are_superset (creds, creds2));
_dbus_credentials_unref (creds2);
/* Not the same user if both are missing */
creds2 = make_credentials (DBUS_UID_UNSET, DBUS_PID_UNSET, NULL);
if (creds2 == NULL)
_dbus_assert_not_reached ("oom");
_dbus_assert (!_dbus_credentials_same_user (creds, creds2));
_dbus_assert (_dbus_credentials_are_superset (creds, creds2));
_dbus_credentials_unref (creds2);
/* Clearing credentials works */
_dbus_credentials_clear (creds);
_dbus_assert (!_dbus_credentials_include (creds, DBUS_CREDENTIAL_UNIX_USER_ID));
_dbus_assert (!_dbus_credentials_include (creds, DBUS_CREDENTIAL_UNIX_PROCESS_ID));
_dbus_assert (!_dbus_credentials_include (creds, DBUS_CREDENTIAL_WINDOWS_SID));
_dbus_assert (_dbus_credentials_get_unix_uid (creds) == DBUS_UID_UNSET);
_dbus_assert (_dbus_credentials_get_pid (creds) == DBUS_PID_UNSET);
_dbus_assert (_dbus_credentials_get_windows_sid (creds) == NULL);
_dbus_assert (_dbus_credentials_are_empty (creds));
_dbus_assert (_dbus_credentials_are_anonymous (creds));
_dbus_credentials_unref (creds);
return TRUE;
}
