diff options
author | Dan Williams <dcbw@redhat.com> | 2014-08-27 13:52:59 -0500 |
---|---|---|
committer | Dan Williams <dcbw@redhat.com> | 2015-01-29 10:11:14 -0600 |
commit | 40147ced36df12e5e44d01a1ae1c843b98d4d34d (patch) | |
tree | 9a5bbc8367f0ea5d8de8ea46ca8d9dcf562030b0 | |
parent | 06c0fbc437411b92fbf9a6b9f566580207d0df9f (diff) | |
download | NetworkManager-dcbw/session.tar.gz |
sessions: don't require a session for most operationsdcbw/session
Sessions don't imply any kind of security, but were sometimes
artificially limiting what operations non-session clients (like those
spawned from scripts or other services) could do. The correct
way to restrict this stuff is through PolicyKit and connection
permissions, which *are* security. Sessions are only used for
handling secret agents and for determining whether to autoconnect
restricted connections.
-rw-r--r-- | src/nm-auth-utils.c | 14 |
1 files changed, 5 insertions, 9 deletions
diff --git a/src/nm-auth-utils.c b/src/nm-auth-utils.c index fa50a7bd79..bd5622a60d 100644 --- a/src/nm-auth-utils.c +++ b/src/nm-auth-utils.c @@ -439,13 +439,6 @@ nm_auth_is_subject_in_acl (NMConnection *connection, if (0 == uid) return TRUE; - /* Reject the request if the request comes from no session at all */ - if (!nm_session_monitor_session_exists (uid, FALSE)) { - if (out_error_desc) - *out_error_desc = g_strdup_printf ("No session found for uid %lu", uid); - return FALSE; - } - if (!nm_session_monitor_uid_to_user (uid, &user)) { if (out_error_desc) *out_error_desc = g_strdup_printf ("Could not determine username for uid %lu", uid); @@ -460,7 +453,11 @@ nm_auth_is_subject_in_acl (NMConnection *connection, return TRUE; } - /* Match the username returned by the session check to a user in the ACL */ + /* Visible/usable by all users */ + if (nm_setting_connection_get_num_permissions (s_con) == 0) + return TRUE; + + /* Match the username to a user in the ACL */ if (!nm_setting_connection_permissions_user_allowed (s_con, user)) { if (out_error_desc) *out_error_desc = g_strdup_printf ("uid %lu has no permission to perform this operation", uid); @@ -470,4 +467,3 @@ nm_auth_is_subject_in_acl (NMConnection *connection, return TRUE; } - |