From aa871e019f00493dfa53b48f906132bf94eeae9f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 7 Oct 2014 19:44:44 +0200
Subject: SBUS: Allow connections from other UIDs

Unless dbus_connection_set_unix_user_function() is used, D-Bus only allows connections from UID 0. This patch adds a custom checker function that allows either UID 0 or the pre-configured SSSD user ID.

Reviewed-by: Pavel Reichl
Reviewed-by: Simo Sorce
---
 src/monitor/monitor.c           |  3 +++
 src/sbus/sssd_dbus.h            |  4 ++++
 src/sbus/sssd_dbus_connection.c | 20 ++++++++++++++++++++
 3 files changed, 27 insertions(+)
(limited to 'src')

diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index b6777784c..fc6b2963f 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -2392,6 +2392,9 @@ static int monitor_service_init(struct sbus_connection *conn, void *data)
     mini->ctx = ctx;
     mini->conn = conn;
 
+    /* Allow access from the SSSD user */
+    sbus_allow_uid(conn, &ctx->uid);
+
     /* 10 seconds should be plenty */
     tv = tevent_timeval_current_ofs(10, 0);
 
diff --git a/src/sbus/sssd_dbus.h b/src/sbus/sssd_dbus.h
index d01926368..5b128eaed 100644
--- a/src/sbus/sssd_dbus.h
+++ b/src/sbus/sssd_dbus.h
@@ -209,6 +209,10 @@ int sbus_conn_send(struct sbus_connection *conn,
 
 void sbus_conn_send_reply(struct sbus_connection *conn, DBusMessage *reply);
 
+/* Set up D-BUS access control. If there is a SSSD user, we must allow
+ * him to connect. root is always allowed */
+void sbus_allow_uid(struct sbus_connection *conn, uid_t *uid);
+
 /*
  * This structure is passed to all dbus method and property
  * handlers. It is a talloc context which will be valid until
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
index 06256a85b..6102ef9ae 100644
--- a/src/sbus/sssd_dbus_connection.c
+++ b/src/sbus/sssd_dbus_connection.c
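Review bot: `sbus_allow_uid(conn, &ctx->uid);` hands D-Bus a pointer into ctx that is kept for the whole life of the connection with no free callback (the sssd_dbus_connection.c hunk passes NULL as the free function), so ctx must outlive every connection initialised here, and nothing records that requirement. Presumably ctx is the long-lived monitor context and this holds, but the next maintainer cannot tell from this line. Suggest widening the comment to `/* Allow access from the SSSD user; D-Bus keeps the pointer to ctx->uid for the lifetime of the connection */`. monitor_service_init starts and ends outside the hunk.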
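Review bot: The new comment on `sbus_allow_uid` does not say that `uid` is stored by reference rather than copied, nor that it must not be NULL, although both follow from the implementation in sssd_dbus_connection.c (the callback dereferences the pointer unconditionally on every authenticating connection). Callers reading only the header would reasonably pass the address of a short-lived local. Suggest: `/* Set up D-Bus access control on conn: root (UID 0) and *uid are accepted. uid is stored, not copied: it must be non-NULL and outlive the connection. */`.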
@@ -922,3 +922,23 @@ void sbus_conn_send_reply(struct sbus_connection *conn, DBusMessage *reply)
 {
     dbus_connection_send(conn->dbus.conn, reply, NULL);
 }
+
+dbus_bool_t is_uid_sssd_user(DBusConnection *connection,
+                             unsigned long uid,
+                             void *data)
+{
+    uid_t sssd_user = * (uid_t *) data;
+
+    if (uid == 0 || uid == sssd_user) {
+        return TRUE;
+    }
+
+    return FALSE;
+}
+
+void sbus_allow_uid(struct sbus_connection *conn, uid_t *uid)
+{
+    dbus_connection_set_unix_user_function(sbus_get_connection(conn),
+                                           is_uid_sssd_user,
+                                           uid, NULL);
+}
-- 
cgit
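Review bot: `is_uid_sssd_user` has external linkage but is referenced only from this file and is not declared in sssd_dbus.h (that hunk adds only `sbus_allow_uid`), so it should be `static`; as written it leaks a name into the global namespace and silences the missing-prototype warning that would otherwise catch it. The cast `* (uid_t *) data` also dereferences the user pointer without a NULL check, so a NULL `uid` handed to `sbus_allow_uid` would crash inside the D-Bus authentication path of the first connection, where one comparison would have rejected it instead. Returning FALSE for any other UID means an unexpected peer is refused at authentication, which is the right default and should stay. A rewrite of the callback follows; `sbus_allow_uid` is unchanged.

```c
static dbus_bool_t is_uid_sssd_user(DBusConnection *connection,
                                    unsigned long uid,
                                    void *data)
{
    const uid_t *sssd_user = data;

    /* root is always allowed; the configured SSSD user only when one was given */
    if (uid == 0) {
        return TRUE;
    }

    return (sssd_user != NULL && uid == *sssd_user) ? TRUE : FALSE;
}
/* … unchanged: sbus_allow_uid … */
```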