authorJakub Hrozek <jhrozek@redhat.com>2013-11-06 14:12:11 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-05-13 21:46:57 +0200
commit3660f49f81e4db07be66fe0887af9d62065f1f2c (patch)
treec7f85d5103fd68d823136239f7cc006bb5ec07c2 /src/responder/ifp/ifpsrv_util.c
parentf92ace4a52602e8c38a34f2392bec3deeac2dddd (diff)
IFP: use a list of allowed_uids for authentication
Similar to the PAC responder, the InfoPipe uses a list of UIDs that are allowed to communicate with the IFP responder. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com>
Diffstat (limited to 'src/responder/ifp/ifpsrv_util.c')
-rw-r--r--src/responder/ifp/ifpsrv_util.c47
1 files changed, 46 insertions, 1 deletions
diff --git a/src/responder/ifp/ifpsrv_util.c b/src/responder/ifp/ifpsrv_util.c
index e16d36279..2bce20186 100644
--- a/src/responder/ifp/ifpsrv_util.c
+++ b/src/responder/ifp/ifpsrv_util.c
@@ -29,6 +29,7 @@ errno_t ifp_req_create(struct sbus_request *dbus_req,
struct ifp_req **_ifp_req)
{
struct ifp_req *ireq = NULL;
+ errno_t ret;
if (ifp_ctx->sysbus == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Responder not connected to sysbus!\n");
@@ -43,8 +44,52 @@ errno_t ifp_req_create(struct sbus_request *dbus_req,
ireq->ifp_ctx = ifp_ctx;
ireq->dbus_req = dbus_req;
+ if (dbus_req->client == -1) {
+ /* We got a sysbus message but couldn't identify the
+ * caller? Bail out! */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "BUG: Received a message without a known caller!\n");
+ ret = EACCES;
+ goto done;
+ }
+
+ ret = check_allowed_uids(dbus_req->client,
+ ifp_ctx->rctx->allowed_uids_count,
+ ifp_ctx->rctx->allowed_uids);
+ if (ret == EACCES) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "User %"PRIi64" not in ACL\n", dbus_req->client);
+ goto done;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot check if user %"PRIi64" is present in ACL\n",
+ dbus_req->client);
+ goto done;
+ }
+
*_ifp_req = ireq;
- return EOK;
+ ret = EOK;
+done:
+ if (ret != EOK) {
+ talloc_free(ireq);
+ }
+ return ret;
+}
+
+int ifp_req_create_handle_failure(struct sbus_request *dbus_req, errno_t err)
+{
+ if (err == EACCES) {
+ return sbus_request_fail_and_finish(dbus_req,
+ sbus_error_new(dbus_req,
+ DBUS_ERROR_ACCESS_DENIED,
+ "User %"PRIi64" not in ACL\n",
+ dbus_req->client));
+ }
+
+ return sbus_request_fail_and_finish(dbus_req,
+ sbus_error_new(dbus_req,
+ DBUS_ERROR_FAILED,
+ "Cannot create IFP request\n"));
}
const char *ifp_path_strip_prefix(const char *path, const char *prefix)
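Review bot: Both branches of the new ifp_req_create_handle_failure() pass the result of sbus_error_new() straight into sbus_request_fail_and_finish() without checking it. If sbus_error_new() can return NULL on allocation failure (its definition is not visible in this hunk), the deny path of the ACL check would hand a NULL error to the reply code, so the error is better assigned to a local and tested before the call. The reply strings also keep the trailing `\n` from the DEBUG() text; for a D-Bus error message `"User %"PRIi64" not in ACL"` and `"Cannot create IFP request"` read better. A short comment above the function saying that it finishes the request, and that the caller should return its result without using dbus_req again, would make the contract explicit. The body of ifp_req_create() starts outside this hunk, so the earlier return paths were not reviewed.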