static dbus_bool_t auth_via_default_rules (DBusTransport *transport) { DBusCredentials *auth_identity; DBusCredentials *our_identity; dbus_bool_t allow; auth_identity = _dbus_auth_get_identity (transport->auth); _dbus_assert (auth_identity != NULL); /* By default, connection is allowed if the client is 1) root or 2) * has the same UID as us or 3) anonymous is allowed. */ our_identity = _dbus_credentials_new_from_current_process (); if (our_identity == NULL) { /* OOM */ return FALSE; } if (transport->allow_anonymous || _dbus_credentials_get_unix_uid (auth_identity) == 0 || _dbus_credentials_same_user (our_identity, auth_identity)) { if (_dbus_credentials_include(our_identity,DBUS_CREDENTIAL_WINDOWS_SID)) _dbus_verbose ("Client authorized as SID '%s'" "matching our SID '%s'\n", _dbus_credentials_get_windows_sid(auth_identity), _dbus_credentials_get_windows_sid(our_identity)); else _dbus_verbose ("Client authorized as UID "DBUS_UID_FORMAT " matching our UID "DBUS_UID_FORMAT"\n", _dbus_credentials_get_unix_uid(auth_identity), _dbus_credentials_get_unix_uid(our_identity)); /* We have authenticated! */ allow = TRUE; } else { if (_dbus_credentials_include(our_identity,DBUS_CREDENTIAL_WINDOWS_SID)) _dbus_verbose ("Client authorized as SID '%s'" " but our SID is '%s', disconnecting\n", _dbus_credentials_get_windows_sid(auth_identity), _dbus_credentials_get_windows_sid(our_identity)); else _dbus_verbose ("Client authorized as UID "DBUS_UID_FORMAT " but our UID is "DBUS_UID_FORMAT", disconnecting\n", _dbus_credentials_get_unix_uid(auth_identity), _dbus_credentials_get_unix_uid(our_identity)); _dbus_transport_disconnect (transport); allow = FALSE; } _dbus_credentials_unref (our_identity); return allow; }
/** * See dbus_connection_get_unix_user(). * * @param transport the transport * @param uid return location for the user ID * @returns #TRUE if uid is filled in with a valid user ID */ dbus_bool_t _dbus_transport_get_unix_user (DBusTransport *transport, unsigned long *uid) { DBusCredentials *auth_identity; *uid = _DBUS_INT32_MAX; /* better than some root or system user in * case of bugs in the caller. Caller should * never use this value on purpose, however. */ if (!transport->authenticated) return FALSE; auth_identity = _dbus_auth_get_identity (transport->auth); if (_dbus_credentials_include (auth_identity, DBUS_CREDENTIAL_UNIX_USER_ID)) { *uid = _dbus_credentials_get_unix_uid (auth_identity); return TRUE; } else return FALSE; }
static dbus_bool_t auth_via_unix_user_function (DBusTransport *transport) { DBusCredentials *auth_identity; dbus_bool_t allow; DBusConnection *connection; DBusAllowUnixUserFunction unix_user_function; void *unix_user_data; dbus_uid_t uid; /* Dropping the lock here probably isn't that safe. */ auth_identity = _dbus_auth_get_identity (transport->auth); _dbus_assert (auth_identity != NULL); connection = transport->connection; unix_user_function = transport->unix_user_function; unix_user_data = transport->unix_user_data; uid = _dbus_credentials_get_unix_uid (auth_identity); _dbus_verbose ("unlock %s\n", _DBUS_FUNCTION_NAME); _dbus_connection_unlock (connection); allow = (* unix_user_function) (connection, uid, unix_user_data); _dbus_verbose ("lock %s post unix user function\n", _DBUS_FUNCTION_NAME); _dbus_connection_lock (connection); if (allow) { _dbus_verbose ("Client UID "DBUS_UID_FORMAT" authorized\n", uid); } else { _dbus_verbose ("Client UID "DBUS_UID_FORMAT " was rejected, disconnecting\n", _dbus_credentials_get_unix_uid (auth_identity)); _dbus_transport_disconnect (transport); } return allow; }
dbus_bool_t _dbus_credentials_test (const char *test_data_dir) { DBusCredentials *creds; DBusCredentials *creds2; if (test_data_dir == NULL) return TRUE; creds = make_credentials (12, 511, SAMPLE_SID); if (creds == NULL) _dbus_assert_not_reached ("oom"); /* test refcounting */ _dbus_credentials_ref (creds); _dbus_credentials_unref (creds); _dbus_assert (_dbus_credentials_include (creds, DBUS_CREDENTIAL_UNIX_USER_ID)); _dbus_assert (_dbus_credentials_include (creds, DBUS_CREDENTIAL_UNIX_PROCESS_ID)); _dbus_assert (_dbus_credentials_include (creds, DBUS_CREDENTIAL_WINDOWS_SID)); _dbus_assert (_dbus_credentials_get_unix_uid (creds) == 12); _dbus_assert (_dbus_credentials_get_pid (creds) == 511); _dbus_assert (strcmp (_dbus_credentials_get_windows_sid (creds), SAMPLE_SID) == 0); _dbus_assert (!_dbus_credentials_are_empty (creds)); _dbus_assert (!_dbus_credentials_are_anonymous (creds)); /* Test copy */ creds2 = _dbus_credentials_copy (creds); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (_dbus_credentials_include (creds2, DBUS_CREDENTIAL_UNIX_USER_ID)); _dbus_assert (_dbus_credentials_include (creds2, DBUS_CREDENTIAL_UNIX_PROCESS_ID)); _dbus_assert (_dbus_credentials_include (creds2, DBUS_CREDENTIAL_WINDOWS_SID)); _dbus_assert (_dbus_credentials_get_unix_uid (creds2) == 12); _dbus_assert (_dbus_credentials_get_pid (creds2) == 511); _dbus_assert (strcmp (_dbus_credentials_get_windows_sid (creds2), SAMPLE_SID) == 0); _dbus_assert (_dbus_credentials_are_superset (creds, creds2)); _dbus_credentials_unref (creds2); /* Same user if both unix and windows are the same */ creds2 = make_credentials (12, DBUS_PID_UNSET, SAMPLE_SID); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (_dbus_credentials_same_user (creds, creds2)); _dbus_credentials_unref (creds2); /* Not the same user if Windows is missing */ creds2 = make_credentials (12, DBUS_PID_UNSET, NULL); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (!_dbus_credentials_same_user (creds, creds2)); _dbus_assert (_dbus_credentials_are_superset (creds, creds2)); _dbus_credentials_unref (creds2); /* Not the same user if Windows is different */ creds2 = make_credentials (12, DBUS_PID_UNSET, OTHER_SAMPLE_SID); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (!_dbus_credentials_same_user (creds, creds2)); _dbus_assert (!_dbus_credentials_are_superset (creds, creds2)); _dbus_credentials_unref (creds2); /* Not the same user if Unix is missing */ creds2 = make_credentials (DBUS_UID_UNSET, DBUS_PID_UNSET, SAMPLE_SID); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (!_dbus_credentials_same_user (creds, creds2)); _dbus_assert (_dbus_credentials_are_superset (creds, creds2)); _dbus_credentials_unref (creds2); /* Not the same user if Unix is different */ creds2 = make_credentials (15, DBUS_PID_UNSET, SAMPLE_SID); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (!_dbus_credentials_same_user (creds, creds2)); _dbus_assert (!_dbus_credentials_are_superset (creds, creds2)); _dbus_credentials_unref (creds2); /* Not the same user if both are missing */ creds2 = make_credentials (DBUS_UID_UNSET, DBUS_PID_UNSET, NULL); if (creds2 == NULL) _dbus_assert_not_reached ("oom"); _dbus_assert (!_dbus_credentials_same_user (creds, creds2)); _dbus_assert (_dbus_credentials_are_superset (creds, creds2)); _dbus_credentials_unref (creds2); /* Clearing credentials works */ _dbus_credentials_clear (creds); _dbus_assert (!_dbus_credentials_include (creds, DBUS_CREDENTIAL_UNIX_USER_ID)); _dbus_assert (!_dbus_credentials_include (creds, DBUS_CREDENTIAL_UNIX_PROCESS_ID)); _dbus_assert (!_dbus_credentials_include (creds, DBUS_CREDENTIAL_WINDOWS_SID)); _dbus_assert (_dbus_credentials_get_unix_uid (creds) == DBUS_UID_UNSET); _dbus_assert (_dbus_credentials_get_pid (creds) == DBUS_PID_UNSET); _dbus_assert (_dbus_credentials_get_windows_sid (creds) == NULL); _dbus_assert (_dbus_credentials_are_empty (creds)); _dbus_assert (_dbus_credentials_are_anonymous (creds)); _dbus_credentials_unref (creds); return TRUE; }