chiark / gitweb /
logind: allow access to SetIdleHint() to owner of the session
authorLennart Poettering <lennart@poettering.net>
Wed, 29 Jun 2011 17:53:27 +0000 (19:53 +0200)
committerLennart Poettering <lennart@poettering.net>
Wed, 29 Jun 2011 17:53:27 +0000 (19:53 +0200)
src/logind-session-dbus.c
src/logind.h
src/org.freedesktop.login1.conf

index 2435a65..0ef6558 100644 (file)
@@ -302,6 +302,7 @@ static DBusHandlerResult session_message_dispatch(
 
         } else if (dbus_message_is_method_call(message, "org.freedesktop.login1.Session", "SetIdleHint")) {
                 dbus_bool_t b;
+                unsigned long ul;
 
                 if (!dbus_message_get_args(
                                     message,
@@ -310,6 +311,13 @@ static DBusHandlerResult session_message_dispatch(
                                     DBUS_TYPE_INVALID))
                         return bus_send_error_reply(connection, message, &error, -EINVAL);
 
+                ul = dbus_bus_get_unix_user(connection, dbus_message_get_sender(message), &error);
+                if (ul == (unsigned long) -1)
+                        return bus_send_error_reply(connection, message, &error, -EIO);
+
+                if (ul != 0 && ul != s->user->uid)
+                        return bus_send_error_reply(connection, message, NULL, -EPERM);
+
                 session_set_idle_hint(s, b);
 
                 reply = dbus_message_new_method_return(message);
index 7e47bc3..10b7527 100644 (file)
@@ -36,7 +36,6 @@
  *
  * spawn user systemd
  * direct client API
- * verify access to SetIdleHint
  *
  * udev:
  * drop redundant udev_device_get_is_initialized() use as soon as libudev is fixed
index dc6a01c..c423ef5 100644 (file)
                        send_interface="org.freedesktop.login1.Session"
                        send_member="Activate"/>
 
+                <allow send_destination="org.freedesktop.login1"
+                       send_interface="org.freedesktop.login1.Session"
+                       send_member="SetIdleHint"/>
+
                 <allow receive_sender="org.freedesktop.login1"/>
         </policy>