author | Ray Strode <rstrode@redhat.com> | 2021-09-09 09:40:49 -0400 |
---|---|---|
committer | Ray Strode <rstrode@redhat.com> | 2021-09-10 16:03:24 -0400 |
commit | 6b72e84dc0f4dad72e3d4831088d11968adc232c (patch) | |
tree | ccc9a1ea6c4f0dd73c82e74fbe80bfc955ca8744 | |
parent | e718b762f9ba2d334c6800b5637ef10d908a1ff5 (diff) | |
download | accountsservice-allow-overriding-system-account.tar.gz |
main: Allow cache files to be marked immutable [allow-overriding-system-account]
At the moment, at start up we unconditionally reset permission of all
cache files in /var/lib/AccountsService/users. If the mode of the files
can't be reset, accountsservice fails to start.
But there's a situation where we should proceed anyway: If the
mode is already correct, and the file is read-only, there is no reason
to refuse to proceed.
This commit changes the code to explicitly validate the permissions of
the file before failing.
-rw-r--r-- | src/main.c | 29 |
1 files changed, 25 insertions, 4 deletions
@@ -43,6 +43,8 @@ ensure_directory (const char *path, gint mode, GError **error) { + GStatBuf stat_buffer = { 0 }; + if (g_mkdir_with_parents (path, mode) < 0) { g_set_error (error, G_FILE_ERROR, @@ -52,15 +54,28 @@ ensure_directory (const char *path, return FALSE; } - if (g_chmod (path, mode) < 0) { + g_chmod (path, mode); + + if (g_stat (path, &stat_buffer) < 0) { + g_clear_error (error); + g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno), - "Failed to change permissions of directory %s: %m", + "Failed to validate permissions of directory %s: %m", path); return FALSE; } + if ((stat_buffer.st_mode & ~S_IFMT) != mode) { + g_set_error (error, + G_FILE_ERROR, + g_file_error_from_errno (errno), + "Directory %s has wrong mode %o; it should be %o", + path, stat_buffer.st_mode, mode); + return FALSE; + } + return TRUE; } @@ -78,12 +93,19 @@ ensure_file_permissions (const char *dir_path, return FALSE; while ((filename = g_dir_read_name (dir)) != NULL) { + GStatBuf stat_buffer = { 0 }; + gchar *file_path = g_build_filename (dir_path, filename, NULL); g_debug ("Changing permission of %s to %04o", file_path, file_mode); - if (g_chmod (file_path, file_mode) < 0) + g_chmod (file_path, file_mode); + + if (g_stat (file_path, &stat_buffer) < 0) errsv = errno; + if ((stat_buffer.st_mode & ~S_IFMT) != file_mode) + errsv = EACCES; + g_free (file_path); } @@ -125,7 +147,6 @@ on_bus_acquired (GDBusConnection *connection, g_main_loop_quit (loop); return; } - openlog ("accounts-daemon", LOG_PID, LOG_DAEMON); syslog (LOG_INFO, "started daemon version %s", VERSION); closelog (); |
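Review bot: In the `@@ -52,15 +54,28 @@` hunk of ensure_directory, the new wrong-mode branch takes its error code from `g_file_error_from_errno (errno)` although the preceding g_stat() succeeded, so errno there holds whatever the now-unchecked g_chmod() or an earlier call left behind. A fixed code such as `G_FILE_ERROR_PERM` would describe the failure reliably. The message also prints the raw `stat_buffer.st_mode`, file-type bits included, while the comparison masks them off; passing `stat_buffer.st_mode & ~S_IFMT` would make the reported mode directly comparable with the expected one. Since g_chmod() may now fail silently and only the mode is validated afterwards, a short comment stating that ownership is not checked here would help the next reader.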
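Review bot: In the `@@ -78,12 +93,19 @@` hunk of ensure_file_permissions, a failed g_stat() leaves `stat_buffer` zero-initialised and it still goes through the mode comparison, so for any non-zero file_mode the errno just saved in `errsv` is overwritten with EACCES. Writing the second test as `else if ((stat_buffer.st_mode & ~S_IFMT) != file_mode)` keeps the real stat error. g_stat() also follows symbolic links, so the mode being validated is that of the link target; if links are not expected among these cache files, `g_lstat` would validate the directory entry itself. The loop and the later use of `errsv` lie outside the hunk, so how the saved value is reported is not visible here.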