static void spawn_portal_bridge (CockpitPortal *self) { CockpitPipe *pipe; const gchar *data; const gchar **argv; g_assert (self->other == NULL); argv = current_argv (self); g_debug ("launching portal bridge: %s", argv[0]); pipe = cockpit_pipe_spawn (argv, NULL, NULL, COCKPIT_PIPE_FLAGS_NONE); self->other = cockpit_pipe_transport_new (pipe); g_object_unref (pipe); self->other_recv_sig = g_signal_connect (self->other, "recv", G_CALLBACK (on_other_recv), self); self->other_control_sig = g_signal_connect (self->other, "control", G_CALLBACK (on_other_control), self); self->other_closed_sig = g_signal_connect (self->other, "closed", G_CALLBACK (on_other_closed), self); if (!self->last_init) { data = "{\"command\":\"init\",\"version\":1}"; self->last_init = g_bytes_new_static (data, strlen (data)); } cockpit_transport_send (self->other, NULL, self->last_init); }
static gboolean on_handle_stream_socket (CockpitWebServer *server, const gchar *path, GIOStream *io_stream, GHashTable *headers, GByteArray *input, guint in_length, gpointer user_data) { CockpitTransport *transport; const gchar *query = NULL; CockpitCreds *creds; CockpitPipe *pipe; gchar *value; gchar **env; if (!g_str_has_prefix (path, "/cockpit/socket")) return FALSE; if (path[15] == '?') query = path + 16; else if (path[15] != '\0') return FALSE; if (service) { g_object_ref (service); } else { value = g_strdup_printf ("%d", server_port); env = g_environ_setenv (g_get_environ (), "COCKPIT_TEST_SERVER_PORT", value, TRUE); creds = cockpit_creds_new (g_get_user_name (), "test", COCKPIT_CRED_CSRF_TOKEN, "myspecialtoken", NULL); pipe = cockpit_pipe_spawn ((const gchar **)bridge_argv, (const gchar **)env, NULL, FALSE); transport = cockpit_pipe_transport_new (pipe); service = cockpit_web_service_new (creds, transport); cockpit_creds_unref (creds); g_object_unref (transport); g_object_unref (pipe); g_free (value); g_strfreev (env); /* Clear the pointer automatically when service is done */ g_object_add_weak_pointer (G_OBJECT (service), (gpointer *)&service); } if (query) cockpit_channel_socket_open (service, "/cockpit/socket", query, io_stream, headers, input); else cockpit_web_service_socket (service, "/cockpit/socket", io_stream, headers, input); /* Keeps ref on itself until it closes */ g_object_unref (service); return TRUE; }
static void on_newusers_close (CockpitPipe *pipe, const gchar *problem, gpointer user_data) { CommitAdmin1 *context = user_data; CockpitPipe *next; const gchar *argv[] = { cockpit_bridge_path_chpasswd, "--encrypted", NULL }; if (!check_pipe_exit_status (pipe, problem, "couldn't run newusers command")) { g_dbus_method_invocation_return_error (context->invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, _("Couldn't create new users")); commit_passwd1_free (context); } else { g_debug ("batch changing user passwords"); next = cockpit_pipe_spawn (argv, NULL, NULL, COCKPIT_PIPE_FLAGS_NONE); g_signal_connect (next, "close", G_CALLBACK (on_chpasswd_close), context); cockpit_pipe_write (next, context->chpasswd); cockpit_pipe_close (next, NULL); } g_object_unref (pipe); }
static void perform_usermod (CommitAdmin1 *context) { CockpitPipe *pipe; GHashTableIter iter; gpointer name; gpointer grouplist; const gchar *argv[] = { cockpit_bridge_path_usermod, "xx", "--append", "--group", "yy", NULL }; g_hash_table_iter_init (&iter, context->usermod); if (g_hash_table_iter_next (&iter, &name, &grouplist)) { argv[1] = (gchar *)name; argv[4] = ((GString *)grouplist)->str; g_debug ("adding user '%s' to groups: %s", argv[1], argv[4]); pipe = cockpit_pipe_spawn (argv, NULL, NULL, COCKPIT_PIPE_FLAGS_NONE); g_hash_table_iter_remove (&iter); g_signal_connect (pipe, "close", G_CALLBACK (on_usermod_close), context); cockpit_pipe_close (pipe, NULL); } else { /* All done, success */ g_dbus_method_invocation_return_value (context->invocation, NULL); commit_passwd1_free (context); } }
static void cockpit_text_stream_constructed (GObject *object) { CockpitTextStream *self = COCKPIT_TEXT_STREAM (object); CockpitChannel *channel = COCKPIT_CHANNEL (self); GSocketAddress *address; const gchar *unix_path; const gchar **argv; const gchar **env; G_OBJECT_CLASS (cockpit_text_stream_parent_class)->constructed (object); unix_path = cockpit_channel_get_option (channel, "unix"); argv = cockpit_channel_get_strv_option (channel, "spawn"); if (argv == NULL && unix_path == NULL) { g_warning ("did not receive a unix or spawn option"); g_idle_add_full (G_PRIORITY_DEFAULT, on_idle_protocol_error, g_object_ref (channel), g_object_unref); return; } else if (argv != NULL && unix_path != NULL) { g_warning ("received both a unix and spawn option"); g_idle_add_full (G_PRIORITY_DEFAULT, on_idle_protocol_error, g_object_ref (channel), g_object_unref); return; } else if (unix_path) { self->name = unix_path; address = g_unix_socket_address_new (unix_path); self->pipe = cockpit_pipe_connect (self->name, address); g_object_unref (address); } else if (argv) { self->name = argv[0]; env = cockpit_channel_get_strv_option (channel, "environ"); if (cockpit_channel_get_bool_option (channel, "pty")) self->pipe = cockpit_pipe_pty (argv, env, NULL); else self->pipe = cockpit_pipe_spawn (argv, env, NULL); } self->sig_read = g_signal_connect (self->pipe, "read", G_CALLBACK (on_pipe_read), self); self->sig_close = g_signal_connect (self->pipe, "close", G_CALLBACK (on_pipe_close), self); self->open = TRUE; cockpit_channel_ready (channel); }
/* Called by @server when handling HTTP requests to /socket - runs in a separate * thread dedicated to the request so it may do blocking I/O */ static gboolean on_handle_stream_socket (CockpitWebServer *server, CockpitWebServerRequestType reqtype, const gchar *resource, GIOStream *io_stream, GHashTable *headers, GByteArray *input, guint in_length, gpointer user_data) { CockpitWebService *service; CockpitCreds *creds; CockpitPipe *pipe; const gchar *argv[] = { "./cockpit-agent", NULL, }; if (!g_str_equal (resource, "/socket")) return FALSE; creds = cockpit_creds_new (g_get_user_name (), NULL); pipe = cockpit_pipe_spawn(argv, NULL, NULL); service = cockpit_web_service_new (creds, pipe); g_object_unref (pipe); cockpit_web_service_socket (service, io_stream, headers, input); /* Keeps ref on itself until it closes */ g_object_unref (service); cockpit_creds_unref (creds); return TRUE; }
static void cockpit_polkit_agent_initiate_authentication (PolkitAgentListener *listener, const gchar *action_id, const gchar *message, const gchar *icon_name, PolkitDetails *details, const gchar *cookie, GList *identities, GCancellable *cancellable, GAsyncReadyCallback callback, gpointer user_data) { CockpitPolkitAgent *self = COCKPIT_POLKIT_AGENT (listener); PolkitIdentity *identity = NULL; GSimpleAsyncResult *result = NULL; GString *unsupported = NULL; ReauthorizeCaller *caller; gchar *string; uid_t uid; GList *l; const gchar *argv[] = { PACKAGE_LIBEXEC_DIR "/cockpit-polkit", cookie, NULL, }; g_debug ("polkit is requesting authentication"); result = g_simple_async_result_new (G_OBJECT (self), callback, user_data, cockpit_polkit_agent_initiate_authentication); uid = getuid (); unsupported = g_string_new (""); for (l = identities; l != NULL; l = g_list_next (l)) { if (POLKIT_IS_UNIX_USER (l->data)) { if (polkit_unix_user_get_uid (l->data) == uid) { identity = g_object_ref (l->data); break; } } string = polkit_identity_to_string (l->data); g_string_append_printf (unsupported, "%s ", string); g_free (string); } if (!identity) { g_message ("cannot reauthorize identity(s): %s", unsupported->str); g_simple_async_result_set_error (result, POLKIT_ERROR, POLKIT_ERROR_FAILED, "Reauthorization not supported for identity"); g_simple_async_result_complete_in_idle (result); goto out; } string = polkit_identity_to_string (identity); g_message ("Reauthorizing %s", string); g_free (string); caller = g_new0 (ReauthorizeCaller, 1); caller->cookie = g_strdup (cookie); caller->helper = cockpit_pipe_spawn (argv, NULL, NULL, COCKPIT_PIPE_FLAGS_NONE); caller->read_sig = g_signal_connect (caller->helper, "read", G_CALLBACK (on_helper_read), caller); caller->close_sig = g_signal_connect (caller->helper, "close", G_CALLBACK (on_helper_close), caller); caller->cancellable = g_object_ref (cancellable); caller->cancel_sig = g_cancellable_connect (cancellable, G_CALLBACK (on_cancelled), caller, NULL); caller->result = g_object_ref (result); caller->self = self; g_hash_table_replace (self->callers, caller->cookie, caller); g_debug ("cockpit-polkit helper starting"); out: if (unsupported) g_string_free (unsupported, TRUE); g_object_unref (result); if (identity) g_object_unref (identity); }
int main (int argc, char *argv[]) { gint ret = 1; CockpitWebServer *server = NULL; GOptionContext *context; CockpitHandlerData data; GTlsCertificate *certificate = NULL; GError *local_error = NULL; GError **error = &local_error; gchar **roots = NULL; gchar *cert_path = NULL; GMainLoop *loop = NULL; gchar *login_html = NULL; gchar *login_po_html = NULL; CockpitPipe *pipe = NULL; int outfd = -1; signal (SIGPIPE, SIG_IGN); g_setenv ("GSETTINGS_BACKEND", "memory", TRUE); g_setenv ("GIO_USE_PROXY_RESOLVER", "dummy", TRUE); g_setenv ("GIO_USE_VFS", "local", TRUE); /* Any interaction with a krb5 ccache should be explicit */ g_setenv ("KRB5CCNAME", "FILE:/dev/null", TRUE); g_setenv ("G_TLS_GNUTLS_PRIORITY", "SECURE128:%LATEST_RECORD_VERSION:-VERS-SSL3.0:-VERS-TLS1.0", FALSE); memset (&data, 0, sizeof (data)); context = g_option_context_new (NULL); g_option_context_add_main_entries (context, cmd_entries, NULL); if (!g_option_context_parse (context, &argc, &argv, error)) { goto out; } if (opt_version) { print_version (); ret = 0; goto out; } /* * This process talks on stdin/stdout. However lots of stuff wants to write * to stdout, such as g_debug, and uses fd 1 to do that. Reroute fd 1 so that * it goes to stderr, and use another fd for stdout. */ outfd = dup (1); if (outfd < 0 || dup2 (2, 1) < 1) { g_printerr ("ws couldn't redirect stdout to stderr"); if (outfd > -1) close (outfd); goto out; } cockpit_set_journal_logging (NULL, !isatty (2)); if (opt_local_session || opt_no_tls) { /* no certificate */ } else { cert_path = cockpit_certificate_locate (FALSE, error); if (cert_path != NULL) certificate = cockpit_certificate_load (cert_path, error); if (certificate == NULL) goto out; g_info ("Using certificate: %s", cert_path); } loop = g_main_loop_new (NULL, FALSE); data.os_release = cockpit_system_load_os_release (); data.auth = cockpit_auth_new (opt_local_ssh); roots = setup_static_roots (data.os_release); data.branding_roots = (const gchar **)roots; login_html = g_strdup (DATADIR "/cockpit/static/login.html"); data.login_html = (const gchar *)login_html; login_po_html = g_strdup (DATADIR "/cockpit/static/login.po.html"); data.login_po_html = (const gchar *)login_po_html; server = cockpit_web_server_new (opt_address, opt_port, certificate, NULL, error); if (server == NULL) { g_prefix_error (error, "Error starting web server: "); goto out; } cockpit_web_server_set_redirect_tls (server, !cockpit_conf_bool ("WebService", "AllowUnencrypted", FALSE)); if (cockpit_conf_string ("WebService", "UrlRoot")) { g_object_set (server, "url-root", cockpit_conf_string ("WebService", "UrlRoot"), NULL); } if (cockpit_web_server_get_socket_activated (server)) g_signal_connect_swapped (data.auth, "idling", G_CALLBACK (g_main_loop_quit), loop); /* Ignores stuff it shouldn't handle */ g_signal_connect (server, "handle-stream", G_CALLBACK (cockpit_handler_socket), &data); /* External channels, ignore stuff they shouldn't handle */ g_signal_connect (server, "handle-stream", G_CALLBACK (cockpit_handler_external), &data); /* Don't redirect to TLS for /ping */ g_object_set (server, "ssl-exception-prefix", "/ping", NULL); g_signal_connect (server, "handle-resource::/ping", G_CALLBACK (cockpit_handler_ping), &data); /* Files that cannot be cache-forever, because of well known names */ g_signal_connect (server, "handle-resource::/favicon.ico", G_CALLBACK (cockpit_handler_root), &data); g_signal_connect (server, "handle-resource::/apple-touch-icon.png", G_CALLBACK (cockpit_handler_root), &data); /* The fallback handler for everything else */ g_signal_connect (server, "handle-resource", G_CALLBACK (cockpit_handler_default), &data); if (opt_local_session) { struct passwd *pwd; if (g_str_equal (opt_local_session, "-")) { pipe = cockpit_pipe_new (opt_local_session, 0, outfd); outfd = -1; } else { const gchar *args[] = { opt_local_session, NULL }; pipe = cockpit_pipe_spawn (args, NULL, NULL, COCKPIT_PIPE_FLAGS_NONE); } /* Spawn a local session as a bridge */ pwd = getpwuid (geteuid ()); if (!pwd) { g_printerr ("Failed to resolve current user id %u\n", geteuid ()); goto out; } cockpit_auth_local_async (data.auth, pwd->pw_name, pipe, on_local_ready, g_object_ref (server)); g_object_unref (pipe); } else { /* When no local bridge, start serving immediately */ cockpit_web_server_start (server); } /* Debugging issues during testing */ #if WITH_DEBUG signal (SIGABRT, cockpit_test_signal_backtrace); signal (SIGSEGV, cockpit_test_signal_backtrace); #endif g_main_loop_run (loop); ret = 0; out: if (outfd >= 0) close (outfd); if (loop) g_main_loop_unref (loop); if (local_error) { g_printerr ("cockpit-ws: %s\n", local_error->message); g_error_free (local_error); } g_clear_object (&server); g_clear_object (&data.auth); if (data.os_release) g_hash_table_unref (data.os_release); g_clear_object (&certificate); g_free (cert_path); g_strfreev (roots); g_free (login_po_html); g_free (login_html); g_free (opt_address); g_free (opt_local_session); cockpit_conf_cleanup (); return ret; }
static void setup_commit_passwd1 (GVariant *parameters, GDBusMethodInvocation *invocation) { const gchar *mechanism; GVariant *transferred = NULL; const gchar **lines; GHashTable *users = NULL; GHashTable *groups = NULL; GString *chpasswd = NULL; GString *newusers = NULL; CommitAdmin1 *context; CockpitPipe *pipe; gsize length, i, j; gchar **parts; GBytes *bytes; GVariant *pwdata = NULL; GVariant *grdata = NULL; GHashTable *usermod; gchar **memlist; GString *string; gboolean user_exists; /* We are getting crypted passwords so we need to use * --crypt-method=NONE with newusers and chpasswd so that the string * is installed unchanged. Unfortunately, newusers might or might * not support the --crypt-method option, depending on whether it * was compiled with or without PAM. When the option is missing, we * fix up the password afterwards via chpasswd. * * However, newusers needs some valid password to create new users. * Thus, we need a good random string that passes all password * quality criteria, and we just use the crpyted password for that. */ const gchar *argv[] = { cockpit_bridge_path_newusers, "--crypt-method=NONE", NULL }; if (!cockpit_bridge_have_newusers_crypt_method) argv[1] = NULL; g_variant_get (parameters, "(&sv)", &mechanism, &transferred); if (!g_str_equal (mechanism, "passwd1")) { g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_NOT_SUPPORTED, "Unsupported setup mechanism: %s", mechanism); goto out; } if (!g_variant_is_of_type (transferred, G_VARIANT_TYPE ("(asas)"))) { g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS, "Bad data passed for passwd1 mechanism"); goto out; } users = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL); groups = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL); if (!fgetpwent_callback (add_name_to_hashtable, users) || !fgetgrent_callback (add_group_to_hashtable, groups)) { g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, _("Couldn't list local users")); goto out; } g_debug ("starting setup synchronization"); g_variant_get (transferred, "(@as@as)", &pwdata, &grdata); chpasswd = g_string_new (""); newusers = g_string_new (""); usermod = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, string_free); lines = g_variant_get_strv (pwdata, &length); for (i = 0; i < length; i++) { parts = g_strsplit(lines[i], ":", 3); user_exists = (g_hash_table_lookup (users, parts[0]) != NULL); if (!user_exists) { g_string_append (newusers, lines[i]); g_string_append_c (newusers, '\n'); } if (user_exists || !cockpit_bridge_have_newusers_crypt_method) { g_string_append_printf (chpasswd, "%s:%s\n", parts[0], parts[1]); } g_strfreev (parts); } g_free (lines); lines = g_variant_get_strv (grdata, &length); for (i = 0; i < length; i++) { parts = g_strsplit(lines[i], ":", 4); if (g_hash_table_lookup (groups, parts[0])) { memlist = g_strsplit (parts[3], ",", -1); for (j = 0; memlist[j] != NULL; j++) { string = g_hash_table_lookup (usermod, memlist[j]); if (!string) { string = g_string_new (""); g_hash_table_insert (usermod, g_strdup (memlist[j]), string); } if (string->len > 0) g_string_append_c (string, ','); g_string_append (string, parts[0]); } g_strfreev (memlist); } g_strfreev (parts); } g_free (lines); context = g_new0 (CommitAdmin1, 1); context->invocation = g_object_ref (invocation); context->chpasswd = g_string_free_to_bytes (chpasswd); context->usermod = usermod; g_debug ("batch creating new users"); bytes = g_string_free_to_bytes (newusers); pipe = cockpit_pipe_spawn (argv, NULL, NULL, COCKPIT_PIPE_FLAGS_NONE); g_signal_connect (pipe, "close", G_CALLBACK (on_newusers_close), context); cockpit_pipe_write (pipe, bytes); cockpit_pipe_close (pipe, NULL); g_bytes_unref (bytes); out: if (users) g_hash_table_unref (users); if (groups) g_hash_table_unref (groups); if (pwdata) g_variant_unref (pwdata); if (grdata) g_variant_unref (grdata); g_variant_unref (transferred); }