diff options
author | Thomas Haller <thaller@redhat.com> | 2018-03-15 13:53:23 +0100 |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2018-03-15 14:00:13 +0100 |
commit | 26e0886f45766831391fd389c7efbf0becbbcf02 (patch) | |
tree | b8c42c8ad2473b120ae2355a702a46f902e33b3a | |
parent | 059d34a27f4c9c54acdc3bdb1c99fbcd782b57b0 (diff) | |
download | NetworkManager-th/dbus-auth-external-bgo793116.tar.gz |
dbus: disable all but EXTERNAL D-Bus authentication for private socketsth/dbus-auth-external-bgo793116
We use a private D-Bus socket for example for DHCP clients to report back
at unix:path=/var/run/NetworkManager/private-dhcp.
By default, gdbus will enable the authentication mechanisms EXTERNAL
and DBUS_COOKIE_SHA1. However, DBUS_COOKIE_SHA1 requires a /root/.dbus-keyrings
directory, which is not available to NetworkManager as it is started with
ProtectHome=read-only. And writing to /root would be a bad idea anyway.
This leads to a warning
NetworkManager[10962]: Error adding entry to keyring: Error creating directory “/root/.dbus-keyrings”: Read-only file system
Disable all but the EXTERNAL mechanism.
See-also: https://dbus.freedesktop.org/doc/dbus-specification.html#auth-mechanisms
https://bugzilla.gnome.org/show_bug.cgi?id=793116
-rw-r--r-- | src/nm-dbus-manager.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/nm-dbus-manager.c b/src/nm-dbus-manager.c index 82a9b75f0c..e0977b1fc9 100644 --- a/src/nm-dbus-manager.c +++ b/src/nm-dbus-manager.c @@ -305,6 +305,14 @@ private_server_authorize (GDBusAuthObserver *observer, return g_credentials_get_unix_user (credentials, NULL) == 0; } +static gboolean +private_server_allow_mechanism (GDBusAuthObserver *observer, + const char *mechanism, + gpointer user_data) +{ + return NM_IN_STRSET (mechanism, "EXTERNAL"); +} + static void private_server_free (gpointer ptr) { @@ -362,6 +370,8 @@ nm_dbus_manager_private_server_register (NMDBusManager *self, auth_observer = g_dbus_auth_observer_new (); g_signal_connect (auth_observer, "authorize-authenticated-peer", G_CALLBACK (private_server_authorize), NULL); + g_signal_connect (auth_observer, "allow-mechanism", + G_CALLBACK (private_server_allow_mechanism), NULL); server = g_dbus_server_new_sync (address, G_DBUS_SERVER_FLAGS_NONE, guid, |