]>
Commit | Line | Data |
---|---|---|
d6c9574f | 1 | /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ |
9a1ac7b9 LP |
2 | |
3 | /*** | |
4 | This file is part of systemd. | |
5 | ||
6 | Copyright 2010 Lennart Poettering | |
7 | ||
8 | systemd is free software; you can redistribute it and/or modify it | |
9 | under the terms of the GNU General Public License as published by | |
10 | the Free Software Foundation; either version 2 of the License, or | |
11 | (at your option) any later version. | |
12 | ||
13 | systemd is distributed in the hope that it will be useful, but | |
14 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
16 | General Public License for more details. | |
17 | ||
18 | You should have received a copy of the GNU General Public License | |
19 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
20 | ***/ | |
21 | ||
22 | #include <assert.h> | |
23 | #include <sys/socket.h> | |
24 | #include <errno.h> | |
25 | #include <unistd.h> | |
a8f11321 LP |
26 | #include <stdio.h> |
27 | #include <stdlib.h> | |
9a1ac7b9 LP |
28 | #include <dbus/dbus.h> |
29 | ||
30 | #include "log.h" | |
31 | #include "dbus-common.h" | |
b9978121 | 32 | #include "util.h" |
f6a6225e | 33 | #include "def.h" |
9a1ac7b9 LP |
34 | |
35 | int bus_check_peercred(DBusConnection *c) { | |
36 | int fd; | |
37 | struct ucred ucred; | |
38 | socklen_t l; | |
39 | ||
40 | assert(c); | |
41 | ||
42 | assert_se(dbus_connection_get_unix_fd(c, &fd)); | |
43 | ||
44 | l = sizeof(struct ucred); | |
45 | if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &ucred, &l) < 0) { | |
46 | log_error("SO_PEERCRED failed: %m"); | |
47 | return -errno; | |
48 | } | |
49 | ||
50 | if (l != sizeof(struct ucred)) { | |
51 | log_error("SO_PEERCRED returned wrong size."); | |
52 | return -E2BIG; | |
53 | } | |
54 | ||
55 | if (ucred.uid != 0) | |
56 | return -EPERM; | |
57 | ||
58 | return 1; | |
59 | } | |
60 | ||
a8f11321 LP |
61 | static int sync_auth(DBusConnection *bus, DBusError *error) { |
62 | usec_t begin, tstamp; | |
9a1ac7b9 | 63 | |
a8f11321 | 64 | assert(bus); |
b9978121 | 65 | |
a8f11321 LP |
66 | /* This complexity should probably move into D-Bus itself: |
67 | * | |
68 | * https://bugs.freedesktop.org/show_bug.cgi?id=35189 */ | |
9a1ac7b9 | 69 | |
a8f11321 LP |
70 | begin = tstamp = now(CLOCK_MONOTONIC); |
71 | for (;;) { | |
9a1ac7b9 | 72 | |
f6a6225e | 73 | if (tstamp > begin + DEFAULT_TIMEOUT_USEC) |
a8f11321 | 74 | break; |
9a1ac7b9 | 75 | |
a8f11321 LP |
76 | if (dbus_connection_get_is_authenticated(bus)) |
77 | break; | |
f4579ce7 | 78 | |
f6a6225e | 79 | if (!dbus_connection_read_write_dispatch(bus, ((begin + DEFAULT_TIMEOUT_USEC - tstamp) + USEC_PER_MSEC - 1) / USEC_PER_MSEC)) |
a8f11321 | 80 | break; |
b9978121 | 81 | |
a8f11321 LP |
82 | tstamp = now(CLOCK_MONOTONIC); |
83 | } | |
b9978121 | 84 | |
a8f11321 LP |
85 | if (!dbus_connection_get_is_connected(bus)) { |
86 | dbus_set_error_const(error, DBUS_ERROR_NO_SERVER, "Connection terminated during authentication."); | |
87 | return -ECONNREFUSED; | |
88 | } | |
b9978121 | 89 | |
a8f11321 LP |
90 | if (!dbus_connection_get_is_authenticated(bus)) { |
91 | dbus_set_error_const(error, DBUS_ERROR_TIMEOUT, "Failed to authenticate in time."); | |
92 | return -EACCES; | |
93 | } | |
b9978121 | 94 | |
a8f11321 LP |
95 | return 0; |
96 | } | |
b9978121 | 97 | |
a8f11321 LP |
98 | int bus_connect(DBusBusType t, DBusConnection **_bus, bool *private, DBusError *error) { |
99 | DBusConnection *bus; | |
100 | int r; | |
b9978121 | 101 | |
a8f11321 | 102 | assert(_bus); |
b9978121 | 103 | |
a8f11321 LP |
104 | /* If we are root, then let's not go via the bus */ |
105 | if (geteuid() == 0 && t == DBUS_BUS_SYSTEM) { | |
91b22f21 | 106 | |
2b583ce6 | 107 | if (!(bus = dbus_connection_open_private("unix:path=/run/systemd/private", error))) { |
91b22f21 LP |
108 | #ifndef LEGACY |
109 | dbus_error_free(error); | |
110 | ||
111 | /* Retry with the pre v21 socket name, to ease upgrades */ | |
112 | if (!(bus = dbus_connection_open_private("unix:abstract=/org/freedesktop/systemd1/private", error))) | |
113 | #endif | |
114 | return -EIO; | |
115 | } | |
a8f11321 LP |
116 | |
117 | dbus_connection_set_exit_on_disconnect(bus, FALSE); | |
118 | ||
119 | if (bus_check_peercred(bus) < 0) { | |
b9978121 LP |
120 | dbus_connection_close(bus); |
121 | dbus_connection_unref(bus); | |
122 | ||
a8f11321 | 123 | dbus_set_error_const(error, DBUS_ERROR_ACCESS_DENIED, "Failed to verify owner of bus."); |
b9978121 LP |
124 | return -EACCES; |
125 | } | |
126 | ||
f4579ce7 LP |
127 | if (private) |
128 | *private = true; | |
129 | ||
9a1ac7b9 | 130 | } else { |
51bc5d4b | 131 | if (!(bus = dbus_bus_get_private(t, error))) |
9a1ac7b9 | 132 | return -EIO; |
f4579ce7 | 133 | |
a8f11321 LP |
134 | dbus_connection_set_exit_on_disconnect(bus, FALSE); |
135 | ||
f4579ce7 LP |
136 | if (private) |
137 | *private = false; | |
9a1ac7b9 LP |
138 | } |
139 | ||
a8f11321 LP |
140 | if ((r = sync_auth(bus, error)) < 0) { |
141 | dbus_connection_close(bus); | |
142 | dbus_connection_unref(bus); | |
143 | return r; | |
144 | } | |
145 | ||
146 | *_bus = bus; | |
147 | return 0; | |
148 | } | |
149 | ||
150 | int bus_connect_system_ssh(const char *user, const char *host, DBusConnection **_bus, DBusError *error) { | |
151 | DBusConnection *bus; | |
152 | char *p = NULL; | |
153 | int r; | |
154 | ||
155 | assert(_bus); | |
156 | assert(user || host); | |
157 | ||
158 | if (user && host) | |
159 | asprintf(&p, "exec:path=ssh,argv1=-xT,argv2=%s@%s,argv3=systemd-stdio-bridge", user, host); | |
160 | else if (user) | |
161 | asprintf(&p, "exec:path=ssh,argv1=-xT,argv2=%s@localhost,argv3=systemd-stdio-bridge", user); | |
162 | else if (host) | |
163 | asprintf(&p, "exec:path=ssh,argv1=-xT,argv2=%s,argv3=systemd-stdio-bridge", host); | |
164 | ||
165 | if (!p) { | |
166 | dbus_set_error_const(error, DBUS_ERROR_NO_MEMORY, NULL); | |
167 | return -ENOMEM; | |
168 | } | |
169 | ||
170 | bus = dbus_connection_open_private(p, error); | |
171 | free(p); | |
172 | ||
173 | if (!bus) | |
174 | return -EIO; | |
175 | ||
176 | dbus_connection_set_exit_on_disconnect(bus, FALSE); | |
177 | ||
178 | if ((r = sync_auth(bus, error)) < 0) { | |
179 | dbus_connection_close(bus); | |
180 | dbus_connection_unref(bus); | |
181 | return r; | |
182 | } | |
183 | ||
184 | if (!dbus_bus_register(bus, error)) { | |
185 | dbus_connection_close(bus); | |
186 | dbus_connection_unref(bus); | |
187 | return r; | |
188 | } | |
189 | ||
190 | *_bus = bus; | |
191 | return 0; | |
192 | } | |
193 | ||
194 | int bus_connect_system_polkit(DBusConnection **_bus, DBusError *error) { | |
195 | DBusConnection *bus; | |
196 | int r; | |
197 | ||
198 | assert(_bus); | |
199 | ||
200 | /* Don't bother with PolicyKit if we are root */ | |
201 | if (geteuid() == 0) | |
202 | return bus_connect(DBUS_BUS_SYSTEM, _bus, NULL, error); | |
203 | ||
204 | if (!(bus = dbus_connection_open_private("exec:path=pkexec,argv1=" SYSTEMD_STDIO_BRIDGE_BINARY_PATH, error))) | |
205 | return -EIO; | |
206 | ||
9a1ac7b9 LP |
207 | dbus_connection_set_exit_on_disconnect(bus, FALSE); |
208 | ||
a8f11321 LP |
209 | if ((r = sync_auth(bus, error)) < 0) { |
210 | dbus_connection_close(bus); | |
211 | dbus_connection_unref(bus); | |
212 | return r; | |
213 | } | |
214 | ||
215 | if (!dbus_bus_register(bus, error)) { | |
216 | dbus_connection_close(bus); | |
217 | dbus_connection_unref(bus); | |
218 | return r; | |
219 | } | |
220 | ||
9a1ac7b9 LP |
221 | *_bus = bus; |
222 | return 0; | |
223 | } | |
4cf5d675 LP |
224 | |
225 | const char *bus_error_message(const DBusError *error) { | |
226 | assert(error); | |
227 | ||
228 | /* Sometimes the D-Bus server is a little bit too verbose with | |
229 | * its error messages, so let's override them here */ | |
230 | if (dbus_error_has_name(error, DBUS_ERROR_ACCESS_DENIED)) | |
231 | return "Access denied"; | |
232 | ||
233 | return error->message; | |
234 | } |