author | Dan Williams <dcbw@redhat.com> | 2014-03-31 18:02:11 -0500 |
---|---|---|
committer | Dan Williams <dcbw@redhat.com> | 2014-03-31 18:02:11 -0500 |
commit | 1bf2ffb61e79d3eefc4d4b79a30f551fe2833666 (patch) | |
tree | 48c9126a9639a53e89bd1b21ec2c9a08eb9093d0 | |
parent | 4209f170dad319752580386e56bc51c412769220 (diff) | |
download | NetworkManager-1bf2ffb61e79d3eefc4d4b79a30f551fe2833666.tar.gz |
core: ensure activation does not disconnect private connections
If two users had the ability to control networking, and user1 started
a private connection which user2 cannot see, user2 could start their
own connection and disconnect user1's connection. This is not
consistent with device disconnection. A user who cannot see a
connection should not be able to start/stop it, even if they are
allowed to control networking in general.
-rw-r--r-- | src/nm-manager.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/src/nm-manager.c b/src/nm-manager.c
index 48ce061a74..9d08b898e9 100644
--- a/src/nm-manager.c
+++ b/src/nm-manager.c
@@ -2669,6 +2669,31 @@ _internal_activate_device (NMManager *self, NMActiveConnection *active, GError *
 NM_DEVICE_STATE_DISCONNECTED,
 NM_DEVICE_STATE_REASON_NONE);
 }
+ } else {
+ NMConnection *existing_connection = NULL;
+ NMAuthSubject *subject;
+ char *error_desc = NULL;
+
+ /* If the device is active and its connection is not visible to the
+ * user that's requesting this new activation, fail, since other users
+ * should not be allowed to implicitly deactivate private connections
+ * by activating a connection of their own.
+ */
+ existing_connection = nm_device_get_connection (device);
+ subject = nm_active_connection_get_subject (active);
+ if (existing_connection &&
+ !nm_auth_uid_in_acl (existing_connection,
+ nm_session_monitor_get (),
+ nm_auth_subject_get_uid (subject),
+ &error_desc)) {
+ g_set_error (error,
+ NM_MANAGER_ERROR,
+ NM_MANAGER_ERROR_PERMISSION_DENIED,
+ "Private connection already active on the device: %s",
+ error_desc);
+ g_free (error_desc);
+ return FALSE;
+ }
 }
 
 /* Final connection must be available on device */
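Review bot: The PERMISSION_DENIED error built in the new else branch embeds `error_desc` from nm_auth_uid_in_acl() into a message returned to a caller who, by the check's own premise, is not permitted to see the existing connection; if that text names the connection (id or UUID), the denial itself discloses what the ACL was meant to hide. I cannot see what nm_auth_uid_in_acl() writes into error_desc, so either confirm it stays generic or keep the message to `"Private connection already active on the device"` and only log error_desc. The same `%s` receives NULL if the ACL check can fail without filling error_desc, which is undefined for a `%s` conversion even though glibc happens to print "(null)". `nm_auth_subject_get_uid (subject)` also assumes nm_active_connection_get_subject() never returns NULL on this path; presumably internal activations always carry a subject, but a `g_return_val_if_fail (subject != NULL, FALSE);` before the call would make that explicit. _internal_activate_device() begins and ends outside the hunk, so the condition selecting this else branch is not visible here.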