X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fbus-proxyd%2Fbus-proxyd.c;h=98b2ffd7d1c33230e59da322359c45d44bec40f1;hb=e06b6479a5dc471412f3a00f4a3d6bd5edb8904c;hp=c5f9f002feb58ae21b64cefb3a714494e9403654;hpb=dc780ecf10c6ca2794c5d1bfe61ca48ef350381f;p=elogind.git
diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c
index c5f9f002f..98b2ffd7d 100644
--- a/src/bus-proxyd/bus-proxyd.c
+++ b/src/bus-proxyd/bus-proxyd.c
@@ -40,12 +40,15 @@
 #include "bus-internal.h"
 #include "bus-message.h"
 #include "bus-util.h"
+#include "bus-internal.h"
 #include "build.h"
 #include "strv.h"
 #include "def.h"
+#include "capability.h"
 static const char *arg_address = DEFAULT_SYSTEM_BUS_PATH;
 static char *arg_command_line_buffer = NULL;
+static bool arg_drop_privileges = false;
 static int help(void) {
@@ -53,6 +56,7 @@ static int help(void) {
 "Connect STDIO or a socket to a given bus address.\n\n"
 " -h --help Show this help\n"
 " --version Show package version\n"
+ " --drop-privileges Drop privileges\n"
 " --address=ADDRESS Connect to the bus specified by ADDRESS\n"
 " (default: " DEFAULT_SYSTEM_BUS_PATH ")\n",
 program_invocation_short_name);
@@ -65,13 +69,15 @@ static int parse_argv(int argc, char *argv[]) {
 enum {
 ARG_VERSION = 0x100,
 ARG_ADDRESS,
+ ARG_DROP_PRIVILEGES,
 };
 static const struct option options[] = {
- { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, ARG_VERSION },
- { "address", required_argument, NULL, ARG_ADDRESS },
- { NULL, 0, NULL, 0 }
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, ARG_VERSION },
+ { "address", required_argument, NULL, ARG_ADDRESS },
+ { "drop-privileges", no_argument, NULL, ARG_DROP_PRIVILEGES },
+ { NULL, 0, NULL, 0 },
 };
 int c;
@@ -96,6 +102,10 @@ static int parse_argv(int argc, char *argv[]) {
 arg_address = optarg;
 break;
+ case ARG_DROP_PRIVILEGES:
+ arg_drop_privileges = true;
+ break;
+
 case '?':
 return -EINVAL;
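Review bot: The added `#include "bus-internal.h"` in the include hunk (`@@ -40,12 +40,15 @@`) repeats a header that is already included three lines earlier as context. Include guards presumably make the repeat harmless, but it is noise that makes the dependency list harder to audit. Drop that added line and keep only the new `#include "capability.h"`.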
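Review bot: The help line added in `@@ -53,6 +56,7 @@`, `--drop-privileges Drop privileges`, does not tell the operator which identity the process ends up with. The switch is off by default (`arg_drop_privileges = false` in the first hunk), so whoever writes the service file has to know both that it exists and what it does. Consider wording such as `"     --drop-privileges    Drop privileges to the systemd-bus-proxy user\n"`, matching the user name hard-coded in main(). help()'s body starts outside the hunk.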
@@ -439,7 +449,6 @@ static int peer_is_privileged(sd_bus *bus, sd_bus_message *m) {
 return false;
 }
-
 static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m) {
 int r;
@@ -551,7 +560,7 @@ static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m) {
 if (r < 0)
 return synthetic_reply_method_errno(m, r, NULL);
- r = sd_bus_add_match(a, match, NULL, NULL);
+ r = sd_bus_add_match(a, NULL, match, NULL, NULL);
 if (r < 0)
 return synthetic_reply_method_errno(m, r, NULL);
@@ -564,7 +573,9 @@ static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m) {
 if (r < 0)
 return synthetic_reply_method_errno(m, r, NULL);
- r = sd_bus_remove_match(a, match, NULL, NULL);
+ r = bus_remove_match_by_string(a, match, NULL, NULL);
+ if (r == 0)
+ return synthetic_reply_method_error(m, &SD_BUS_ERROR_MAKE_CONST(SD_BUS_ERROR_MATCH_RULE_NOT_FOUND, "Match rule not found"));
 if (r < 0)
 return synthetic_reply_method_errno(m, r, NULL);
@@ -739,9 +750,10 @@ static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m) {
 r = sd_bus_release_name(a, name);
 if (r < 0) {
 if (r == -ESRCH)
- synthetic_reply_method_return(m, "u", BUS_NAME_NON_EXISTENT);
+ return synthetic_reply_method_return(m, "u", BUS_NAME_NON_EXISTENT);
 if (r == -EADDRINUSE)
- synthetic_reply_method_return(m, "u", BUS_NAME_NOT_OWNER);
+ return synthetic_reply_method_return(m, "u", BUS_NAME_NOT_OWNER);
+
 return synthetic_reply_method_errno(m, r, NULL);
 }
@@ -1061,6 +1073,22 @@ int main(int argc, char *argv[]) {
 getpeersec(in_fd, &peersec);
 }
+ if (arg_drop_privileges) {
+ const char *user = "systemd-bus-proxy";
+ uid_t uid;
+ gid_t gid;
+
+ r = get_user_creds(&user, &uid, &gid, NULL, NULL);
+ if (r < 0) {
+ log_error("Cannot resolve user name %s: %s", user, strerror(-r));
+ goto finish;
+ }
+
+ r = drop_privileges(uid, gid, 1ULL << CAP_IPC_OWNER);
+ if (r < 0)
+ goto finish;
+ }
+
 r = sd_bus_new(&a);
 if (r < 0) {
 log_error("Failed to allocate bus: %s", strerror(-r));
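Review bot: In the `--drop-privileges` block added to main() (`@@ -1061,6 +1073,22 @@`), a failing `drop_privileges()` jumps to `finish` without logging anything, whereas the `get_user_creds()` failure just above it does log. Unless the helper logs on its own, which is not visible here, a proxy that refuses to start at this step leaves no trace of why; add `log_error("Failed to drop privileges: %s", strerror(-r));` before that `goto finish;`. The retained set `1ULL << CAP_IPC_OWNER` also needs a one-line comment saying why this capability must survive the drop, so a later audit can tell whether it is still required. Both failure paths abort rather than continuing with full privileges, which is the right direction. main() starts and ends outside the hunk.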
@@ -1177,7 +1205,7 @@ int main(int argc, char *argv[]) {
 goto finish;
 }
- r = sd_bus_add_match(a, match, NULL, NULL);
+ r = sd_bus_add_match(a, NULL, match, NULL, NULL);
 if (r < 0) {
 log_error("Failed to add match for NameLost: %s", strerror(-r));
 goto finish;
@@ -1198,7 +1226,7 @@ int main(int argc, char *argv[]) {
 goto finish;
 }
- r = sd_bus_add_match(a, match, NULL, NULL);
+ r = sd_bus_add_match(a, NULL, match, NULL, NULL);
 if (r < 0) {
 log_error("Failed to add match for NameAcquired: %s", strerror(-r));
 goto finish;