author | Jakub Hrozek <jhrozek@redhat.com> | 2013-11-06 14:12:11 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-06-03 13:31:25 +0200 |
commit | 2c3fa3a3264c957957db48c6c488049b6cf8b7a1 (patch) | |
tree | 5896b953c18d80bfce6657212400590829a818e3 /src/responder/ifp/ifpsrv_util.c | |
parent | f0875d13c3bd4766eea72b054365abfb9fd610a4 (diff) | |
IFP: use a list of allowed_uids for authentication
Similar to the PAC responder, the InfoPipe uses a list of UIDs that are
allowed to communicate with the IFP responder.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Stef Walter <stefw@redhat.com>
(cherry picked from commit 3660f49f81e4db07be66fe0887af9d62065f1f2c)
Diffstat (limited to 'src/responder/ifp/ifpsrv_util.c')
-rw-r--r-- | src/responder/ifp/ifpsrv_util.c | 47 |
1 files changed, 46 insertions, 1 deletions
diff --git a/src/responder/ifp/ifpsrv_util.c b/src/responder/ifp/ifpsrv_util.c
index e16d36279..2bce20186 100644
--- a/src/responder/ifp/ifpsrv_util.c
+++ b/src/responder/ifp/ifpsrv_util.c
@@ -29,6 +29,7 @@ errno_t ifp_req_create(struct sbus_request *dbus_req,
                        struct ifp_req **_ifp_req)
 {
     struct ifp_req *ireq = NULL;
+    errno_t ret;
 
     if (ifp_ctx->sysbus == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Responder not connected to sysbus!\n");
@@ -43,8 +44,52 @@ errno_t ifp_req_create(struct sbus_request *dbus_req,
     ireq->ifp_ctx = ifp_ctx;
     ireq->dbus_req = dbus_req;
 
+    if (dbus_req->client == -1) {
+        /* We got a sysbus message but couldn't identify the
+         * caller? Bail out! */
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "BUG: Received a message without a known caller!\n");
+        ret = EACCES;
+        goto done;
+    }
+
+    ret = check_allowed_uids(dbus_req->client,
+                             ifp_ctx->rctx->allowed_uids_count,
+                             ifp_ctx->rctx->allowed_uids);
+    if (ret == EACCES) {
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              "User %"PRIi64" not in ACL\n", dbus_req->client);
+        goto done;
+    } else if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Cannot check if user %"PRIi64" is present in ACL\n",
+              dbus_req->client);
+        goto done;
+    }
+
     *_ifp_req = ireq;
-    return EOK;
+    ret = EOK;
+done:
+    if (ret != EOK) {
+        talloc_free(ireq);
+    }
+    return ret;
+}
+
+int ifp_req_create_handle_failure(struct sbus_request *dbus_req, errno_t err)
+{
+    if (err == EACCES) {
+        return sbus_request_fail_and_finish(dbus_req,
+                               sbus_error_new(dbus_req,
+                                              DBUS_ERROR_ACCESS_DENIED,
+                                              "User %"PRIi64" not in ACL\n",
+                                              dbus_req->client));
+    }
+
+    return sbus_request_fail_and_finish(dbus_req,
+                               sbus_error_new(dbus_req,
+                                              DBUS_ERROR_FAILED,
+                                              "Cannot create IFP request\n"));
 }
 
 const char *ifp_path_strip_prefix(const char *path, const char *prefix)
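Review bot: In the second hunk, the message strings passed to sbus_error_new() in ifp_req_create_handle_failure() end in "\n", which is the DEBUG() convention but ends up verbatim in the D-Bus error delivered to the client; drop the newline on both, `"User %"PRIi64" not in ACL",` and `"Cannot create IFP request"));`. The new helper is exported with no comment and returns int while ifp_req_create() returns errno_t; a header such as `/* Fail and finish dbus_req with a D-Bus error matching the errno_t ifp_req_create() returned; EACCES maps to AccessDenied, anything else to Failed. */` would tell callers how to pair the two. Whether an empty or NULL allowed_uids list is treated as deny-by-default rests entirely on check_allowed_uids(), which is not in this diff, so that fail-closed behaviour is worth confirming there rather than assuming it here. ACL denials are logged at SSSDBG_MINOR_FAILURE, which is presumably below the default debug level, so rejected callers may leave no trace in the log unless that level is raised. ifp_req_create() begins before this hunk.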