static void
spawn_portal_bridge (CockpitPortal *self)
{
CockpitPipe *pipe;
const gchar *data;
const gchar **argv;
g_assert (self->other == NULL);
argv = current_argv (self);
g_debug ("launching portal bridge: %s", argv[0]);
pipe = cockpit_pipe_spawn (argv, NULL, NULL, COCKPIT_PIPE_FLAGS_NONE);
self->other = cockpit_pipe_transport_new (pipe);
g_object_unref (pipe);
self->other_recv_sig = g_signal_connect (self->other, "recv", G_CALLBACK (on_other_recv), self);
self->other_control_sig = g_signal_connect (self->other, "control", G_CALLBACK (on_other_control), self);
self->other_closed_sig = g_signal_connect (self->other, "closed", G_CALLBACK (on_other_closed), self);
if (!self->last_init)
{
data = "{\"command\":\"init\",\"version\":1}";
self->last_init = g_bytes_new_static (data, strlen (data));
}
cockpit_transport_send (self->other, NULL, self->last_init);
}
static gboolean
on_handle_stream_socket (CockpitWebServer *server,
const gchar *path,
GIOStream *io_stream,
GHashTable *headers,
GByteArray *input,
guint in_length,
gpointer user_data)
{
CockpitTransport *transport;
const gchar *query = NULL;
CockpitCreds *creds;
CockpitPipe *pipe;
gchar *value;
gchar **env;
if (!g_str_has_prefix (path, "/cockpit/socket"))
return FALSE;
if (path[15] == '?')
query = path + 16;
else if (path[15] != '\0')
return FALSE;
if (service)
{
g_object_ref (service);
}
else
{
value = g_strdup_printf ("%d", server_port);
env = g_environ_setenv (g_get_environ (), "COCKPIT_TEST_SERVER_PORT", value, TRUE);
creds = cockpit_creds_new (g_get_user_name (), "test",
COCKPIT_CRED_CSRF_TOKEN, "myspecialtoken",
NULL);
pipe = cockpit_pipe_spawn ((const gchar **)bridge_argv, (const gchar **)env, NULL, FALSE);
transport = cockpit_pipe_transport_new (pipe);
service = cockpit_web_service_new (creds, transport);
cockpit_creds_unref (creds);
g_object_unref (transport);
g_object_unref (pipe);
g_free (value);
g_strfreev (env);
/* Clear the pointer automatically when service is done */
g_object_add_weak_pointer (G_OBJECT (service), (gpointer *)&service);
}
if (query)
cockpit_channel_socket_open (service, "/cockpit/socket", query, io_stream, headers, input);
else
cockpit_web_service_socket (service, "/cockpit/socket", io_stream, headers, input);
/* Keeps ref on itself until it closes */
g_object_unref (service);
return TRUE;
}
static void
on_newusers_close (CockpitPipe *pipe,
const gchar *problem,
gpointer user_data)
{
CommitAdmin1 *context = user_data;
CockpitPipe *next;
const gchar *argv[] = { cockpit_bridge_path_chpasswd, "--encrypted", NULL };
if (!check_pipe_exit_status (pipe, problem, "couldn't run newusers command"))
{
g_dbus_method_invocation_return_error (context->invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
_("Couldn't create new users"));
commit_passwd1_free (context);
}
else
{
g_debug ("batch changing user passwords");
next = cockpit_pipe_spawn (argv, NULL, NULL, COCKPIT_PIPE_FLAGS_NONE);
g_signal_connect (next, "close", G_CALLBACK (on_chpasswd_close), context);
cockpit_pipe_write (next, context->chpasswd);
cockpit_pipe_close (next, NULL);
}
g_object_unref (pipe);
}
static void
perform_usermod (CommitAdmin1 *context)
{
CockpitPipe *pipe;
GHashTableIter iter;
gpointer name;
gpointer grouplist;
const gchar *argv[] = { cockpit_bridge_path_usermod, "xx", "--append", "--group", "yy", NULL };
g_hash_table_iter_init (&iter, context->usermod);
if (g_hash_table_iter_next (&iter, &name, &grouplist))
{
argv[1] = (gchar *)name;
argv[4] = ((GString *)grouplist)->str;
g_debug ("adding user '%s' to groups: %s", argv[1], argv[4]);
pipe = cockpit_pipe_spawn (argv, NULL, NULL, COCKPIT_PIPE_FLAGS_NONE);
g_hash_table_iter_remove (&iter);
g_signal_connect (pipe, "close", G_CALLBACK (on_usermod_close), context);
cockpit_pipe_close (pipe, NULL);
}
else
{
/* All done, success */
g_dbus_method_invocation_return_value (context->invocation, NULL);
commit_passwd1_free (context);
}
}
static void
cockpit_text_stream_constructed (GObject *object)
{
CockpitTextStream *self = COCKPIT_TEXT_STREAM (object);
CockpitChannel *channel = COCKPIT_CHANNEL (self);
GSocketAddress *address;
const gchar *unix_path;
const gchar **argv;
const gchar **env;
G_OBJECT_CLASS (cockpit_text_stream_parent_class)->constructed (object);
unix_path = cockpit_channel_get_option (channel, "unix");
argv = cockpit_channel_get_strv_option (channel, "spawn");
if (argv == NULL && unix_path == NULL)
{
g_warning ("did not receive a unix or spawn option");
g_idle_add_full (G_PRIORITY_DEFAULT, on_idle_protocol_error,
g_object_ref (channel), g_object_unref);
return;
}
else if (argv != NULL && unix_path != NULL)
{
g_warning ("received both a unix and spawn option");
g_idle_add_full (G_PRIORITY_DEFAULT, on_idle_protocol_error,
g_object_ref (channel), g_object_unref);
return;
}
else if (unix_path)
{
self->name = unix_path;
address = g_unix_socket_address_new (unix_path);
self->pipe = cockpit_pipe_connect (self->name, address);
g_object_unref (address);
}
else if (argv)
{
self->name = argv[0];
env = cockpit_channel_get_strv_option (channel, "environ");
if (cockpit_channel_get_bool_option (channel, "pty"))
self->pipe = cockpit_pipe_pty (argv, env, NULL);
else
self->pipe = cockpit_pipe_spawn (argv, env, NULL);
}
self->sig_read = g_signal_connect (self->pipe, "read", G_CALLBACK (on_pipe_read), self);
self->sig_close = g_signal_connect (self->pipe, "close", G_CALLBACK (on_pipe_close), self);
self->open = TRUE;
cockpit_channel_ready (channel);
}
/* Called by @server when handling HTTP requests to /socket - runs in a separate
* thread dedicated to the request so it may do blocking I/O
*/
static gboolean
on_handle_stream_socket (CockpitWebServer *server,
CockpitWebServerRequestType reqtype,
const gchar *resource,
GIOStream *io_stream,
GHashTable *headers,
GByteArray *input,
guint in_length,
gpointer user_data)
{
CockpitWebService *service;
CockpitCreds *creds;
CockpitPipe *pipe;
const gchar *argv[] = {
"./cockpit-agent",
NULL,
};
if (!g_str_equal (resource, "/socket"))
return FALSE;
creds = cockpit_creds_new (g_get_user_name (),
NULL);
pipe = cockpit_pipe_spawn(argv, NULL, NULL);
service = cockpit_web_service_new (creds, pipe);
g_object_unref (pipe);
cockpit_web_service_socket (service, io_stream, headers, input);
/* Keeps ref on itself until it closes */
g_object_unref (service);
cockpit_creds_unref (creds);
return TRUE;
}
static void
cockpit_polkit_agent_initiate_authentication (PolkitAgentListener *listener,
const gchar *action_id,
const gchar *message,
const gchar *icon_name,
PolkitDetails *details,
const gchar *cookie,
GList *identities,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data)
{
CockpitPolkitAgent *self = COCKPIT_POLKIT_AGENT (listener);
PolkitIdentity *identity = NULL;
GSimpleAsyncResult *result = NULL;
GString *unsupported = NULL;
ReauthorizeCaller *caller;
gchar *string;
uid_t uid;
GList *l;
const gchar *argv[] = {
PACKAGE_LIBEXEC_DIR "/cockpit-polkit",
cookie,
NULL,
};
g_debug ("polkit is requesting authentication");
result = g_simple_async_result_new (G_OBJECT (self), callback, user_data,
cockpit_polkit_agent_initiate_authentication);
uid = getuid ();
unsupported = g_string_new ("");
for (l = identities; l != NULL; l = g_list_next (l))
{
if (POLKIT_IS_UNIX_USER (l->data))
{
if (polkit_unix_user_get_uid (l->data) == uid)
{
identity = g_object_ref (l->data);
break;
}
}
string = polkit_identity_to_string (l->data);
g_string_append_printf (unsupported, "%s ", string);
g_free (string);
}
if (!identity)
{
g_message ("cannot reauthorize identity(s): %s", unsupported->str);
g_simple_async_result_set_error (result, POLKIT_ERROR, POLKIT_ERROR_FAILED,
"Reauthorization not supported for identity");
g_simple_async_result_complete_in_idle (result);
goto out;
}
string = polkit_identity_to_string (identity);
g_message ("Reauthorizing %s", string);
g_free (string);
caller = g_new0 (ReauthorizeCaller, 1);
caller->cookie = g_strdup (cookie);
caller->helper = cockpit_pipe_spawn (argv, NULL, NULL, COCKPIT_PIPE_FLAGS_NONE);
caller->read_sig = g_signal_connect (caller->helper, "read", G_CALLBACK (on_helper_read), caller);
caller->close_sig = g_signal_connect (caller->helper, "close", G_CALLBACK (on_helper_close), caller);
caller->cancellable = g_object_ref (cancellable);
caller->cancel_sig = g_cancellable_connect (cancellable, G_CALLBACK (on_cancelled), caller, NULL);
caller->result = g_object_ref (result);
caller->self = self;
g_hash_table_replace (self->callers, caller->cookie, caller);
g_debug ("cockpit-polkit helper starting");
out:
if (unsupported)
g_string_free (unsupported, TRUE);
g_object_unref (result);
if (identity)
g_object_unref (identity);
}
int
main (int argc,
char *argv[])
{
gint ret = 1;
CockpitWebServer *server = NULL;
GOptionContext *context;
CockpitHandlerData data;
GTlsCertificate *certificate = NULL;
GError *local_error = NULL;
GError **error = &local_error;
gchar **roots = NULL;
gchar *cert_path = NULL;
GMainLoop *loop = NULL;
gchar *login_html = NULL;
gchar *login_po_html = NULL;
CockpitPipe *pipe = NULL;
int outfd = -1;
signal (SIGPIPE, SIG_IGN);
g_setenv ("GSETTINGS_BACKEND", "memory", TRUE);
g_setenv ("GIO_USE_PROXY_RESOLVER", "dummy", TRUE);
g_setenv ("GIO_USE_VFS", "local", TRUE);
/* Any interaction with a krb5 ccache should be explicit */
g_setenv ("KRB5CCNAME", "FILE:/dev/null", TRUE);
g_setenv ("G_TLS_GNUTLS_PRIORITY", "SECURE128:%LATEST_RECORD_VERSION:-VERS-SSL3.0:-VERS-TLS1.0", FALSE);
memset (&data, 0, sizeof (data));
context = g_option_context_new (NULL);
g_option_context_add_main_entries (context, cmd_entries, NULL);
if (!g_option_context_parse (context, &argc, &argv, error))
{
goto out;
}
if (opt_version)
{
print_version ();
ret = 0;
goto out;
}
/*
* This process talks on stdin/stdout. However lots of stuff wants to write
* to stdout, such as g_debug, and uses fd 1 to do that. Reroute fd 1 so that
* it goes to stderr, and use another fd for stdout.
*/
outfd = dup (1);
if (outfd < 0 || dup2 (2, 1) < 1)
{
g_printerr ("ws couldn't redirect stdout to stderr");
if (outfd > -1)
close (outfd);
goto out;
}
cockpit_set_journal_logging (NULL, !isatty (2));
if (opt_local_session || opt_no_tls)
{
/* no certificate */
}
else
{
cert_path = cockpit_certificate_locate (FALSE, error);
if (cert_path != NULL)
certificate = cockpit_certificate_load (cert_path, error);
if (certificate == NULL)
goto out;
g_info ("Using certificate: %s", cert_path);
}
loop = g_main_loop_new (NULL, FALSE);
data.os_release = cockpit_system_load_os_release ();
data.auth = cockpit_auth_new (opt_local_ssh);
roots = setup_static_roots (data.os_release);
data.branding_roots = (const gchar **)roots;
login_html = g_strdup (DATADIR "/cockpit/static/login.html");
data.login_html = (const gchar *)login_html;
login_po_html = g_strdup (DATADIR "/cockpit/static/login.po.html");
data.login_po_html = (const gchar *)login_po_html;
server = cockpit_web_server_new (opt_address,
opt_port,
certificate,
NULL,
error);
if (server == NULL)
{
g_prefix_error (error, "Error starting web server: ");
goto out;
}
cockpit_web_server_set_redirect_tls (server, !cockpit_conf_bool ("WebService", "AllowUnencrypted", FALSE));
if (cockpit_conf_string ("WebService", "UrlRoot"))
{
g_object_set (server, "url-root",
cockpit_conf_string ("WebService", "UrlRoot"),
NULL);
}
if (cockpit_web_server_get_socket_activated (server))
g_signal_connect_swapped (data.auth, "idling", G_CALLBACK (g_main_loop_quit), loop);
/* Ignores stuff it shouldn't handle */
g_signal_connect (server, "handle-stream",
G_CALLBACK (cockpit_handler_socket), &data);
/* External channels, ignore stuff they shouldn't handle */
g_signal_connect (server, "handle-stream",
G_CALLBACK (cockpit_handler_external), &data);
/* Don't redirect to TLS for /ping */
g_object_set (server, "ssl-exception-prefix", "/ping", NULL);
g_signal_connect (server, "handle-resource::/ping",
G_CALLBACK (cockpit_handler_ping), &data);
/* Files that cannot be cache-forever, because of well known names */
g_signal_connect (server, "handle-resource::/favicon.ico",
G_CALLBACK (cockpit_handler_root), &data);
g_signal_connect (server, "handle-resource::/apple-touch-icon.png",
G_CALLBACK (cockpit_handler_root), &data);
/* The fallback handler for everything else */
g_signal_connect (server, "handle-resource",
G_CALLBACK (cockpit_handler_default), &data);
if (opt_local_session)
{
struct passwd *pwd;
if (g_str_equal (opt_local_session, "-"))
{
pipe = cockpit_pipe_new (opt_local_session, 0, outfd);
outfd = -1;
}
else
{
const gchar *args[] = { opt_local_session, NULL };
pipe = cockpit_pipe_spawn (args, NULL, NULL, COCKPIT_PIPE_FLAGS_NONE);
}
/* Spawn a local session as a bridge */
pwd = getpwuid (geteuid ());
if (!pwd)
{
g_printerr ("Failed to resolve current user id %u\n", geteuid ());
goto out;
}
cockpit_auth_local_async (data.auth, pwd->pw_name, pipe, on_local_ready, g_object_ref (server));
g_object_unref (pipe);
}
else
{
/* When no local bridge, start serving immediately */
cockpit_web_server_start (server);
}
/* Debugging issues during testing */
#if WITH_DEBUG
signal (SIGABRT, cockpit_test_signal_backtrace);
signal (SIGSEGV, cockpit_test_signal_backtrace);
#endif
g_main_loop_run (loop);
ret = 0;
out:
if (outfd >= 0)
close (outfd);
if (loop)
g_main_loop_unref (loop);
if (local_error)
{
g_printerr ("cockpit-ws: %s\n", local_error->message);
g_error_free (local_error);
}
g_clear_object (&server);
g_clear_object (&data.auth);
if (data.os_release)
g_hash_table_unref (data.os_release);
g_clear_object (&certificate);
g_free (cert_path);
g_strfreev (roots);
g_free (login_po_html);
g_free (login_html);
g_free (opt_address);
g_free (opt_local_session);
cockpit_conf_cleanup ();
return ret;
}
static void
setup_commit_passwd1 (GVariant *parameters,
GDBusMethodInvocation *invocation)
{
const gchar *mechanism;
GVariant *transferred = NULL;
const gchar **lines;
GHashTable *users = NULL;
GHashTable *groups = NULL;
GString *chpasswd = NULL;
GString *newusers = NULL;
CommitAdmin1 *context;
CockpitPipe *pipe;
gsize length, i, j;
gchar **parts;
GBytes *bytes;
GVariant *pwdata = NULL;
GVariant *grdata = NULL;
GHashTable *usermod;
gchar **memlist;
GString *string;
gboolean user_exists;
/* We are getting crypted passwords so we need to use
* --crypt-method=NONE with newusers and chpasswd so that the string
* is installed unchanged. Unfortunately, newusers might or might
* not support the --crypt-method option, depending on whether it
* was compiled with or without PAM. When the option is missing, we
* fix up the password afterwards via chpasswd.
*
* However, newusers needs some valid password to create new users.
* Thus, we need a good random string that passes all password
* quality criteria, and we just use the crpyted password for that.
*/
const gchar *argv[] = { cockpit_bridge_path_newusers, "--crypt-method=NONE", NULL };
if (!cockpit_bridge_have_newusers_crypt_method)
argv[1] = NULL;
g_variant_get (parameters, "(&sv)", &mechanism, &transferred);
if (!g_str_equal (mechanism, "passwd1"))
{
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_NOT_SUPPORTED,
"Unsupported setup mechanism: %s", mechanism);
goto out;
}
if (!g_variant_is_of_type (transferred, G_VARIANT_TYPE ("(asas)")))
{
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_INVALID_ARGS,
"Bad data passed for passwd1 mechanism");
goto out;
}
users = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
groups = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, NULL);
if (!fgetpwent_callback (add_name_to_hashtable, users) ||
!fgetgrent_callback (add_group_to_hashtable, groups))
{
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
_("Couldn't list local users"));
goto out;
}
g_debug ("starting setup synchronization");
g_variant_get (transferred, "(@as@as)", &pwdata, &grdata);
chpasswd = g_string_new ("");
newusers = g_string_new ("");
usermod = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, string_free);
lines = g_variant_get_strv (pwdata, &length);
for (i = 0; i < length; i++)
{
parts = g_strsplit(lines[i], ":", 3);
user_exists = (g_hash_table_lookup (users, parts[0]) != NULL);
if (!user_exists)
{
g_string_append (newusers, lines[i]);
g_string_append_c (newusers, '\n');
}
if (user_exists || !cockpit_bridge_have_newusers_crypt_method)
{
g_string_append_printf (chpasswd, "%s:%s\n", parts[0], parts[1]);
}
g_strfreev (parts);
}
g_free (lines);
lines = g_variant_get_strv (grdata, &length);
for (i = 0; i < length; i++)
{
parts = g_strsplit(lines[i], ":", 4);
if (g_hash_table_lookup (groups, parts[0]))
{
memlist = g_strsplit (parts[3], ",", -1);
for (j = 0; memlist[j] != NULL; j++)
{
string = g_hash_table_lookup (usermod, memlist[j]);
if (!string)
{
string = g_string_new ("");
g_hash_table_insert (usermod, g_strdup (memlist[j]), string);
}
if (string->len > 0)
g_string_append_c (string, ',');
g_string_append (string, parts[0]);
}
g_strfreev (memlist);
}
g_strfreev (parts);
}
g_free (lines);
context = g_new0 (CommitAdmin1, 1);
context->invocation = g_object_ref (invocation);
context->chpasswd = g_string_free_to_bytes (chpasswd);
context->usermod = usermod;
g_debug ("batch creating new users");
bytes = g_string_free_to_bytes (newusers);
pipe = cockpit_pipe_spawn (argv, NULL, NULL, COCKPIT_PIPE_FLAGS_NONE);
g_signal_connect (pipe, "close", G_CALLBACK (on_newusers_close), context);
cockpit_pipe_write (pipe, bytes);
cockpit_pipe_close (pipe, NULL);
g_bytes_unref (bytes);
out:
if (users)
g_hash_table_unref (users);
if (groups)
g_hash_table_unref (groups);
if (pwdata)
g_variant_unref (pwdata);
if (grdata)
g_variant_unref (grdata);
g_variant_unref (transferred);
}
