mirrors/pulseaudio
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pulseaudio/pulseaudio.git synced 2025-11-04 13:29:59 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

* Add new "auth-group=" parameter to protocol-native-unix

Browse source 
* Rename "public=" argument  of protocol-{esound,native} to "auth-anonymous"


git-svn-id: file:///home/lennart/svn/public/pulseaudio/trunk@601 fefdeb5f-60dc-0310-8127-8f9354f1896f
This commit is contained in:
Lennart Poettering 2006-02-24 17:14:23 +00:00
parent 25bcc106d0
commit 4358977415
6 changed files with 86 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/daemon/main.c
View file

@ -160,7 +160,7 @@ int main(int argc, char *argv[]) {
#ifdef HAVE_GETUID #ifdef HAVE_GETUID
suid_root = getuid() != 0 && geteuid() == 0; suid_root = getuid() != 0 && geteuid() == 0;
if (suid_root && (pa_uid_in_group("realtime", &gid) <= 0 || gid >= 1000)) { if (suid_root && (pa_own_uid_in_group("realtime", &gid) <= 0 || gid >= 1000)) {
pa_log_warn(__FILE__": WARNING: called SUID root, but not in group 'realtime'."); pa_log_warn(__FILE__": WARNING: called SUID root, but not in group 'realtime'.");
pa_drop_root(); pa_drop_root();
} }

17
src/modules/module-protocol-stub.c
View file

@ -110,14 +110,23 @@
#define TCPWRAP_SERVICE "polypaudio-native" #define TCPWRAP_SERVICE "polypaudio-native"
#define IPV4_PORT PA_NATIVE_DEFAULT_PORT #define IPV4_PORT PA_NATIVE_DEFAULT_PORT
#define UNIX_SOCKET PA_NATIVE_DEFAULT_UNIX_SOCKET #define UNIX_SOCKET PA_NATIVE_DEFAULT_UNIX_SOCKET
#define MODULE_ARGUMENTS "public", "cookie", #define MODULE_ARGUMENTS_COMMON "cookie", "auth-anonymous",
#ifdef USE_TCP_SOCKETS #ifdef USE_TCP_SOCKETS
#include "module-native-protocol-tcp-symdef.h" #include "module-native-protocol-tcp-symdef.h"
#else #else
#include "module-native-protocol-unix-symdef.h" #include "module-native-protocol-unix-symdef.h"
#endif #endif
#if defined(SCM_CREDENTIALS) && !defined(USE_TCP_SOCKETS)
#define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON "auth-group",
#define AUTH_USAGE "auth-group=<local group to allow access>"
#else
#define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON
#define AUTH_USAGE
#endif
PA_MODULE_DESCRIPTION("Native protocol "SOCKET_DESCRIPTION) PA_MODULE_DESCRIPTION("Native protocol "SOCKET_DESCRIPTION)
PA_MODULE_USAGE("public=<don't check for cookies?> cookie=<path to cookie file> "SOCKET_USAGE) PA_MODULE_USAGE("auth-anonymous=<don't check for cookies?> cookie=<path to cookie file> "AUTH_USAGE SOCKET_USAGE)
#elif defined(USE_PROTOCOL_ESOUND) #elif defined(USE_PROTOCOL_ESOUND)
#include <polypcore/protocol-esound.h> #include <polypcore/protocol-esound.h>
#include <polypcore/esound.h> #include <polypcore/esound.h>
@ -126,14 +135,14 @@
#define TCPWRAP_SERVICE "esound" #define TCPWRAP_SERVICE "esound"
#define IPV4_PORT ESD_DEFAULT_PORT #define IPV4_PORT ESD_DEFAULT_PORT
#define UNIX_SOCKET ESD_UNIX_SOCKET_NAME #define UNIX_SOCKET ESD_UNIX_SOCKET_NAME
#define MODULE_ARGUMENTS "sink", "source", "public", "cookie", #define MODULE_ARGUMENTS "sink", "source", "auth-anonymous", "cookie",
#ifdef USE_TCP_SOCKETS #ifdef USE_TCP_SOCKETS
#include "module-esound-protocol-tcp-symdef.h" #include "module-esound-protocol-tcp-symdef.h"
#else #else
#include "module-esound-protocol-unix-symdef.h" #include "module-esound-protocol-unix-symdef.h"
#endif #endif
PA_MODULE_DESCRIPTION("ESOUND protocol "SOCKET_DESCRIPTION) PA_MODULE_DESCRIPTION("ESOUND protocol "SOCKET_DESCRIPTION)
PA_MODULE_USAGE("sink=<sink to connect to> source=<source to connect to> public=<don't check for cookies?> cookie=<path to cookie file> "SOCKET_USAGE) PA_MODULE_USAGE("sink=<sink to connect to> source=<source to connect to> auth-anonymous=<don't check for cookies?> cookie=<path to cookie file> "SOCKET_USAGE)
#else #else
#error "Broken build system" #error "Broken build system"
#endif #endif

4
src/polypcore/protocol-esound.c
View file

@ -1139,8 +1139,8 @@ pa_protocol_esound* pa_protocol_esound_new(pa_core*core, pa_socket_server *serve
p = pa_xnew(pa_protocol_esound, 1); p = pa_xnew(pa_protocol_esound, 1);
if (pa_modargs_get_value_boolean(ma, "public", &public) < 0) { if (pa_modargs_get_value_boolean(ma, "auth-anonymous", &public) < 0) {
pa_log(__FILE__": public= expects a boolean argument."); pa_log(__FILE__": auth-anonymous= expects a boolean argument.");
return NULL; return NULL;
} }

25
src/polypcore/protocol-native.c
View file

@ -129,6 +129,9 @@ struct pa_protocol_native {
pa_idxset *connections; pa_idxset *connections;
uint8_t auth_cookie[PA_NATIVE_COOKIE_LENGTH]; uint8_t auth_cookie[PA_NATIVE_COOKIE_LENGTH];
int auth_cookie_in_property; int auth_cookie_in_property;
#ifdef SCM_CREDENTIALS
char *auth_group;
#endif
}; };
static int sink_input_peek_cb(pa_sink_input *i, pa_memchunk *chunk); static int sink_input_peek_cb(pa_sink_input *i, pa_memchunk *chunk);
@ -878,15 +881,22 @@ static void command_auth(PA_GCC_UNUSED pa_pdispatch *pd, PA_GCC_UNUSED uint32_t
const struct ucred *ucred = pa_pdispatch_creds(pd); const struct ucred *ucred = pa_pdispatch_creds(pd);
if (ucred) { if (ucred) {
if (ucred->uid == getuid()) if (ucred->uid == getuid())
success = 1; success = 1;
else if (c->protocol->auth_group) {
int r;
if ((r = pa_uid_in_group(ucred->uid, c->protocol->auth_group)) < 0)
pa_log_warn(__FILE__": failed to check group membership.");
else if (r > 0)
success = 1;
}
pa_log_info(__FILE__": Got credentials: pid=%lu uid=%lu gid=%lu auth=%i", pa_log_info(__FILE__": Got credentials: pid=%lu uid=%lu gid=%lu auth=%i",
(unsigned long) ucred->pid, (unsigned long) ucred->pid,
(unsigned long) ucred->uid, (unsigned long) ucred->uid,
(unsigned long) ucred->gid, (unsigned long) ucred->gid,
success); success);
} }
#endif #endif
@ -2247,8 +2257,8 @@ static pa_protocol_native* protocol_new_internal(pa_core *c, pa_module *m, pa_mo
int public = 0; int public = 0;
assert(c && ma); assert(c && ma);
if (pa_modargs_get_value_boolean(ma, "public", &public) < 0) { if (pa_modargs_get_value_boolean(ma, "auth-anonymous", &public) < 0) {
pa_log(__FILE__": public= expects a boolean argument."); pa_log(__FILE__": auth-anonymous= expects a boolean argument.");
return NULL; return NULL;
} }
@ -2258,6 +2268,10 @@ static pa_protocol_native* protocol_new_internal(pa_core *c, pa_module *m, pa_mo
p->public = public; p->public = public;
p->server = NULL; p->server = NULL;
#ifdef SCM_CREDENTIALS
p->auth_group = pa_xstrdup(pa_modargs_get_value(ma, "auth-group", NULL));
#endif
if (load_key(p, pa_modargs_get_value(ma, "cookie", NULL)) < 0) { if (load_key(p, pa_modargs_get_value(ma, "cookie", NULL)) < 0) {
pa_xfree(p); pa_xfree(p);
return NULL; return NULL;
@ -2317,6 +2331,9 @@ void pa_protocol_native_free(pa_protocol_native *p) {
if (p->auth_cookie_in_property) if (p->auth_cookie_in_property)
pa_authkey_prop_unref(p->core, PA_NATIVE_COOKIE_PROPERTY_NAME); pa_authkey_prop_unref(p->core, PA_NATIVE_COOKIE_PROPERTY_NAME);
#ifdef SCM_CREDENTIALS
pa_xfree(p->auth_group);
#endif
pa_xfree(p); pa_xfree(p);
} }

52
src/polypcore/util.c
View file

@ -166,7 +166,7 @@ int pa_make_secure_parent_dir(const char *fn) {
int ret = -1; int ret = -1;
char *slash, *dir = pa_xstrdup(fn); char *slash, *dir = pa_xstrdup(fn);
slash = pa_path_get_filename(dir); slash = (char*) pa_path_get_filename(dir);
if (slash == fn) if (slash == fn)
goto finish; goto finish;
*(slash-1) = 0; *(slash-1) = 0;
@ -636,13 +636,13 @@ char *pa_get_binary_name(char *s, size_t l) {
/* Return a pointer to the filename inside a path (which is the last /* Return a pointer to the filename inside a path (which is the last
* component). */ * component). */
char *pa_path_get_filename(const char *p) { const char *pa_path_get_filename(const char *p) {
char *fn; char *fn;
if ((fn = strrchr(p, PATH_SEP))) if ((fn = strrchr(p, PATH_SEP)))
return fn+1; return fn+1;
return (char*) p; return (const char*) p;
} }
/* Try to parse a boolean string value.*/ /* Try to parse a boolean string value.*/
@ -745,7 +745,6 @@ static int is_group(gid_t gid, const char *name) {
goto finish; goto finish;
} }
r = strcmp(name, result->gr_name) == 0; r = strcmp(name, result->gr_name) == 0;
finish: finish:
@ -767,7 +766,7 @@ finish:
} }
/* Check the current user is member of the specified group */ /* Check the current user is member of the specified group */
int pa_uid_in_group(const char *name, gid_t *gid) { int pa_own_uid_in_group(const char *name, gid_t *gid) {
GETGROUPS_T *gids, tgid; GETGROUPS_T *gids, tgid;
int n = sysconf(_SC_NGROUPS_MAX); int n = sysconf(_SC_NGROUPS_MAX);
int r = -1, i; int r = -1, i;
@ -803,9 +802,50 @@ finish:
return r; return r;
} }
int pa_uid_in_group(uid_t uid, const char *name) {
char *g_buf, *p_buf;
long g_n, p_n;
struct group grbuf, *gr;
char **i;
int r = -1;
g_n = sysconf(_SC_GETGR_R_SIZE_MAX);
g_buf = pa_xmalloc(g_n);
p_n = sysconf(_SC_GETPW_R_SIZE_MAX);
p_buf = pa_xmalloc(p_n);
if (getgrnam_r(name, &grbuf, g_buf, (size_t) g_n, &gr) != 0 || !gr)
goto finish;
r = 0;
for (i = gr->gr_mem; *i; i++) {
struct passwd pwbuf, *pw;
if (getpwnam_r(*i, &pwbuf, p_buf, (size_t) p_n, &pw) != 0 || !pw)
continue;
if (pw->pw_uid == uid) {
r = 1;
break;
}
}
finish:
pa_xfree(g_buf);
pa_xfree(p_buf);
return r;
}
#else /* HAVE_GRP_H */ #else /* HAVE_GRP_H */
int pa_uid_in_group(const char *name, gid_t *gid) { int pa_own_uid_in_group(const char *name, gid_t *gid) {
return -1;
}
int pa_uid_in_group(uid_t uid, const char *name) {
return -1; return -1;
} }

5
src/polypcore/util.h
View file

@ -53,7 +53,7 @@ char *pa_get_fqdn(char *s, size_t l);
char *pa_get_binary_name(char *s, size_t l); char *pa_get_binary_name(char *s, size_t l);
char *pa_get_home_dir(char *s, size_t l); char *pa_get_home_dir(char *s, size_t l);
char *pa_path_get_filename(const char *p); const char *pa_path_get_filename(const char *p);
int pa_gettimeofday(struct timeval *tv); int pa_gettimeofday(struct timeval *tv);
pa_usec_t pa_timeval_diff(const struct timeval *a, const struct timeval *b); pa_usec_t pa_timeval_diff(const struct timeval *a, const struct timeval *b);
@ -75,7 +75,8 @@ char *pa_strip_nl(char *s);
const char *pa_strsignal(int sig); const char *pa_strsignal(int sig);
int pa_uid_in_group(const char *name, gid_t *gid); int pa_own_uid_in_group(const char *name, gid_t *gid);
int pa_uid_in_group(uid_t uid, const char *name);
int pa_lock_fd(int fd, int b); int pa_lock_fd(int fd, int b);