summaryrefslogtreecommitdiffstats
path: root/src/responder
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2013-11-06 14:12:11 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-06-03 13:31:25 +0200
commit2c3fa3a3264c957957db48c6c488049b6cf8b7a1 (patch)
tree5896b953c18d80bfce6657212400590829a818e3 /src/responder
parentf0875d13c3bd4766eea72b054365abfb9fd610a4 (diff)
downloadsssd-2c3fa3a3264c957957db48c6c488049b6cf8b7a1.tar.gz
sssd-2c3fa3a3264c957957db48c6c488049b6cf8b7a1.tar.xz
sssd-2c3fa3a3264c957957db48c6c488049b6cf8b7a1.zip
IFP: use a list of allowed_uids for authentication
Similar to the PAC responder, the InfoPipe uses a list of UIDs that are allowed to communicate with the IFP responder. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Stef Walter <stefw@redhat.com> (cherry picked from commit 3660f49f81e4db07be66fe0887af9d62065f1f2c)
Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/ifp/ifp_private.h3
-rw-r--r--src/responder/ifp/ifpsrv.c20
-rw-r--r--src/responder/ifp/ifpsrv_cmd.c6
-rw-r--r--src/responder/ifp/ifpsrv_util.c47
4 files changed, 75 insertions, 1 deletions
diff --git a/src/responder/ifp/ifp_private.h b/src/responder/ifp/ifp_private.h
index 472d10441..bc476291a 100644
--- a/src/responder/ifp/ifp_private.h
+++ b/src/responder/ifp/ifp_private.h
@@ -56,6 +56,9 @@ errno_t ifp_req_create(struct sbus_request *dbus_req,
struct ifp_ctx *ifp_ctx,
struct ifp_req **_ifp_req);
+/* Returns an appropriate DBus error for specific ifp_req_create failures */
+int ifp_req_create_handle_failure(struct sbus_request *dbus_req, errno_t err);
+
const char *ifp_path_strip_prefix(const char *path, const char *prefix);
errno_t ifp_add_ldb_el_to_dict(DBusMessageIter *iter_dict,
struct ldb_message_element *el);
diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
index 2f98cf838..65613b941 100644
--- a/src/responder/ifp/ifpsrv.c
+++ b/src/responder/ifp/ifpsrv.c
@@ -40,6 +40,8 @@
#include "responder/ifp/ifp_private.h"
#include "responder/common/responder_sbus.h"
+#define DEFAULT_ALLOWED_UIDS "0"
+
struct mon_cli_iface monitor_ifp_methods = {
{ &mon_cli_iface_meta, 0 },
.ping = monitor_common_pong,
@@ -201,6 +203,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx,
struct be_conn *iter;
int ret;
int max_retries;
+ char *uid_str;
ifp_cmds = get_ifp_cmds();
ret = sss_process_init(mem_ctx, ev, cdb,
@@ -236,6 +239,23 @@ int ifp_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
+ ret = confdb_get_string(ifp_ctx->rctx->cdb, ifp_ctx->rctx,
+ CONFDB_IFP_CONF_ENTRY, CONFDB_SERVICE_ALLOWED_UIDS,
+ DEFAULT_ALLOWED_UIDS, &uid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("Failed to get allowed UIDs.\n"));
+ goto fail;
+ }
+
+ ret = csv_string_to_uid_array(ifp_ctx->rctx, uid_str, true,
+ &ifp_ctx->rctx->allowed_uids_count,
+ &ifp_ctx->rctx->allowed_uids);
+ talloc_free(uid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, ("Failed to set allowed UIDs.\n"));
+ goto fail;
+ }
+
/* Enable automatic reconnection to the Data Provider */
ret = confdb_get_int(ifp_ctx->rctx->cdb,
CONFDB_IFP_CONF_ENTRY,
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index 4f73342dd..e26bcfa58 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -39,12 +39,18 @@ int ifp_ping(struct sbus_request *dbus_req, void *data)
static const char *pong = "PONG";
const char *request;
DBusError dberr;
+ errno_t ret;
+ struct ifp_req *ifp_req;
if (ifp_ctx == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID);
}
+ ret = ifp_req_create(dbus_req, ifp_ctx, &ifp_req);
+ if (ret != EOK) {
+ return ifp_req_create_handle_failure(dbus_req, ret);
+ }
if (!sbus_request_parse_or_finish(dbus_req,
DBUS_TYPE_STRING, &request,
diff --git a/src/responder/ifp/ifpsrv_util.c b/src/responder/ifp/ifpsrv_util.c
index e16d36279..2bce20186 100644
--- a/src/responder/ifp/ifpsrv_util.c
+++ b/src/responder/ifp/ifpsrv_util.c
@@ -29,6 +29,7 @@ errno_t ifp_req_create(struct sbus_request *dbus_req,
struct ifp_req **_ifp_req)
{
struct ifp_req *ireq = NULL;
+ errno_t ret;
if (ifp_ctx->sysbus == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Responder not connected to sysbus!\n");
@@ -43,8 +44,52 @@ errno_t ifp_req_create(struct sbus_request *dbus_req,
ireq->ifp_ctx = ifp_ctx;
ireq->dbus_req = dbus_req;
+ if (dbus_req->client == -1) {
+ /* We got a sysbus message but couldn't identify the
+ * caller? Bail out! */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "BUG: Received a message without a known caller!\n");
+ ret = EACCES;
+ goto done;
+ }
+
+ ret = check_allowed_uids(dbus_req->client,
+ ifp_ctx->rctx->allowed_uids_count,
+ ifp_ctx->rctx->allowed_uids);
+ if (ret == EACCES) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "User %"PRIi64" not in ACL\n", dbus_req->client);
+ goto done;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot check if user %"PRIi64" is present in ACL\n",
+ dbus_req->client);
+ goto done;
+ }
+
*_ifp_req = ireq;
- return EOK;
+ ret = EOK;
+done:
+ if (ret != EOK) {
+ talloc_free(ireq);
+ }
+ return ret;
+}
+
+int ifp_req_create_handle_failure(struct sbus_request *dbus_req, errno_t err)
+{
+ if (err == EACCES) {
+ return sbus_request_fail_and_finish(dbus_req,
+ sbus_error_new(dbus_req,
+ DBUS_ERROR_ACCESS_DENIED,
+ "User %"PRIi64" not in ACL\n",
+ dbus_req->client));
+ }
+
+ return sbus_request_fail_and_finish(dbus_req,
+ sbus_error_new(dbus_req,
+ DBUS_ERROR_FAILED,
+ "Cannot create IFP request\n"));
}
const char *ifp_path_strip_prefix(const char *path, const char *prefix)
generated by cgit (git 2.34.1) at 2024-05-07 15:49:27 +0000