2 * Copyright (C) 2009 Kay Sievers <kay.sievers@vrfy.org>
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or (at your option) any later version.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details:
15 #include <acl/libacl.h>
37 static int set_facl(const char* filename, uid_t uid, int add)
41 acl_entry_t entry = NULL;
43 acl_permset_t permset;
46 /* don't touch ACLs for root */
50 /* read current record */
51 acl = acl_get_file(filename, ACL_TYPE_ACCESS);
55 /* locate ACL_USER entry for uid */
56 get = acl_get_entry(acl, ACL_FIRST_ENTRY, &e);
60 acl_get_tag_type(e, &t);
64 u = (uid_t*)acl_get_qualifier(e);
77 get = acl_get_entry(acl, ACL_NEXT_ENTRY, &e);
80 /* remove ACL_USER entry for uid */
86 acl_delete_entry(acl, entry);
90 /* create ACL_USER entry for uid */
92 ret = acl_create_entry(&acl, &entry);
95 acl_set_tag_type(entry, ACL_USER);
96 acl_set_qualifier(entry, &uid);
99 /* add permissions for uid */
100 acl_get_permset(entry, &permset);
101 acl_add_perm(permset, ACL_READ|ACL_WRITE);
105 printf("%c%u %s\n", add ? '+' : '-', uid, filename);
107 ret = acl_set_file(filename, ACL_TYPE_ACCESS, acl);
115 /* check if a given uid is listed */
116 static int uid_in_list(GSList *list, uid_t uid)
120 for (l = list; l != NULL; l = g_slist_next(l))
121 if (uid == GPOINTER_TO_UINT(l->data))
126 /* return list of current uids of local active sessions */
127 static GSList *uids_with_local_active_session(const char *own_id)
132 keyfile = g_key_file_new();
133 if (g_key_file_load_from_file(keyfile, "/var/run/ConsoleKit/database", 0, NULL)) {
136 groups = g_key_file_get_groups(keyfile, NULL);
137 if (groups != NULL) {
140 for (i = 0; groups[i] != NULL; i++) {
143 if (!g_str_has_prefix(groups[i], "Session "))
145 if (own_id != NULL &&g_str_has_suffix(groups[i], own_id))
147 if (!g_key_file_get_boolean(keyfile, groups[i], "is_local", NULL))
149 if (!g_key_file_get_boolean(keyfile, groups[i], "is_active", NULL))
151 u = g_key_file_get_integer(keyfile, groups[i], "uid", NULL);
152 if (u > 0 && !uid_in_list(list, u))
153 list = g_slist_prepend(list, GUINT_TO_POINTER(u));
158 g_key_file_free(keyfile);
163 /* ConsoleKit calls us with special variables */
164 static int consolekit_called(const char *ck_action, uid_t *uid, uid_t *uid2, const char **remove_session_id, int *action)
171 const char *old_session = NULL;
173 if (ck_action == NULL || strcmp(ck_action, "seat_active_session_changed") != 0)
176 /* We can have one of: remove, add, change, no-change */
177 s = getenv("CK_SEAT_OLD_SESSION_ID");
178 s2 = getenv("CK_SEAT_SESSION_ID");
179 if (s == NULL && s2 == NULL) {
181 } else if (s2 == NULL) {
183 } else if (s == NULL) {
191 s = getenv("CK_SEAT_SESSION_USER_UID");
194 u = strtoul(s, NULL, 10);
196 s = getenv("CK_SEAT_SESSION_IS_LOCAL");
199 if (strcmp(s, "true") != 0)
204 s = getenv("CK_SEAT_OLD_SESSION_USER_UID");
207 u = strtoul(s, NULL, 10);
209 s = getenv("CK_SEAT_OLD_SESSION_IS_LOCAL");
212 if (strcmp(s, "true") != 0)
215 old_session = getenv("CK_SEAT_OLD_SESSION_ID");
216 if (old_session == NULL)
221 s = getenv("CK_SEAT_OLD_SESSION_USER_UID");
224 u = strtoul(s, NULL, 10);
225 s = getenv("CK_SEAT_SESSION_USER_UID");
228 u2 = strtoul(s, NULL, 10);
230 s = getenv("CK_SEAT_OLD_SESSION_IS_LOCAL");
231 s2 = getenv("CK_SEAT_SESSION_IS_LOCAL");
232 if (s == NULL || s2 == NULL)
234 /* don't process non-local session changes */
235 if (strcmp(s, "true") != 0 && strcmp(s2, "true") != 0)
238 if (strcmp(s, "true") == 0 && strcmp(s, "true") == 0) {
239 /* process the change */
241 /* special case: we noop if we are
242 * changing between local sessions for
246 old_session = getenv("CK_SEAT_OLD_SESSION_ID");
247 if (old_session == NULL)
249 } else if (strcmp(s, "true") == 0) {
250 /* only process the removal */
252 old_session = getenv("CK_SEAT_OLD_SESSION_ID");
253 if (old_session == NULL)
255 } else if (strcmp(s2, "true") == 0) {
256 /* only process the addition */
263 *remove_session_id = old_session;
270 /* add or remove a ACL for a given uid from all matching devices */
271 static void apply_acl_to_devices(uid_t uid, int add)
274 struct udev_enumerate *enumerate;
275 struct udev_list_entry *list_entry;
277 /* iterate over all devices tagged with ACL_SET */
279 enumerate = udev_enumerate_new(udev);
280 udev_enumerate_add_match_tag(enumerate, "udev-acl");
281 udev_enumerate_scan_devices(enumerate);
282 udev_list_entry_foreach(list_entry, udev_enumerate_get_list_entry(enumerate)) {
283 struct udev_device *device;
286 device = udev_device_new_from_syspath(udev_enumerate_get_udev(enumerate),
287 udev_list_entry_get_name(list_entry));
290 node = udev_device_get_devnode(device);
292 udev_device_unref(device);
295 set_facl(node, uid, add);
296 udev_device_unref(device);
298 udev_enumerate_unref(enumerate);
303 remove_uid (uid_t uid, const char *remove_session_id)
306 * Remove ACL for given uid from all matching devices
307 * when there is currently no local active session.
311 list = uids_with_local_active_session(remove_session_id);
312 if (!uid_in_list(list, uid))
313 apply_acl_to_devices(uid, 0);
317 int main (int argc, char* argv[])
319 static const struct option options[] = {
320 { "action", required_argument, NULL, 'a' },
321 { "device", required_argument, NULL, 'D' },
322 { "user", required_argument, NULL, 'u' },
323 { "debug", no_argument, NULL, 'd' },
324 { "help", no_argument, NULL, 'h' },
328 const char *device = NULL;
329 bool uid_given = false;
332 const char* remove_session_id = NULL;
335 /* valgrind is more important to us than a slice allocator */
336 g_slice_set_config (G_SLICE_CONFIG_ALWAYS_MALLOC, 1);
341 option = getopt_long(argc, argv, "+a:D:u:dh", options, NULL);
347 if (strcmp(optarg, "remove") == 0)
348 action = ACTION_REMOVE;
357 uid = strtoul(optarg, NULL, 10);
363 printf("Usage: udev-acl --action=ACTION [--device=DEVICEFILE] [--user=UID]\n\n");
368 if (action < 0 && device == NULL && !uid_given)
369 if (!consolekit_called(argv[optind], &uid, &uid2, &remove_session_id, &action))
373 fprintf(stderr, "missing action\n\n");
378 if (device != NULL && uid_given) {
379 fprintf(stderr, "only one option, --device=DEVICEFILE or --user=UID expected\n\n");
387 /* Add ACL for given uid to all matching devices. */
388 apply_acl_to_devices(uid, 1);
391 remove_uid(uid, remove_session_id);
394 remove_uid(uid, remove_session_id);
395 apply_acl_to_devices(uid2, 1);
401 g_assert_not_reached();
404 } else if (device != NULL) {
406 * Add ACLs for all current session uids to a given device.
408 * Or remove ACLs for uids which do not have any current local
409 * active session. Remove is not really interesting, because in
410 * most cases the device node is removed anyway.
415 list = uids_with_local_active_session(NULL);
416 for (l = list; l != NULL; l = g_slist_next(l)) {
419 u = GPOINTER_TO_UINT(l->data);
420 if (action == ACTION_ADD || !uid_in_list(list, u))
421 set_facl(device, u, action == ACTION_ADD);
425 fprintf(stderr, "--device=DEVICEFILE or --user=UID expected\n\n");