diff options
author | Simon McVittie <smcv@collabora.com> | 2019-06-05 13:36:52 +0100 |
---|---|---|
committer | Ondrej Holy <oholy@redhat.com> | 2019-06-06 13:12:48 +0200 |
commit | 756edf6692aa245faedc9573bf88bfe78af3ead3 (patch) | |
tree | 695e19030a7c813867fee683b94b3b061ce52b9e | |
parent | e3808a1b4042761055b1d975333a8243d67b8bfe (diff) | |
download | gvfs-756edf6692aa245faedc9573bf88bfe78af3ead3.tar.gz |
gvfsdaemon: Only accept EXTERNAL authentication
EXTERNAL is the mechanism recommended in the D-Bus Specification for
all platforms where it is supported (including Linux, *BSD, Solaris
and Hurd), and is the only mechanism allowed by the session or system
dbus-daemon in their default configurations. It is considerably simpler
than DBUS_COOKIE_SHA1 and relies on fewer assumptions.
Signed-off-by: Simon McVittie <smcv@collabora.com>
-rw-r--r-- | daemon/gvfsdaemon.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c index be148a7b..0946f419 100644 --- a/daemon/gvfsdaemon.c +++ b/daemon/gvfsdaemon.c @@ -240,6 +240,22 @@ name_vanished_handler (GDBusConnection *connection, } /* + * Authentication observer signal handler that rejects all authentication + * mechanisms except for EXTERNAL (credentials-passing), which is the + * recommended authentication mechanism for AF_UNIX sockets. + */ +static gboolean +allow_mechanism_cb (GDBusAuthObserver *observer, + const gchar *mechanism, + G_GNUC_UNUSED gpointer user_data) +{ + if (g_strcmp0 (mechanism, "EXTERNAL") == 0) + return TRUE; + + return FALSE; +} + +/* * Authentication observer signal handler that authorizes connections * from the same uid as this process. This matches the behaviour of a * libdbus DBusServer/DBusConnection when no DBusAllowUnixUserFunction @@ -298,6 +314,7 @@ g_vfs_daemon_init (GVfsDaemon *daemon) daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL); g_assert (daemon->conn != NULL); daemon->auth_observer = g_dbus_auth_observer_new (); + g_signal_connect (daemon->auth_observer, "allow-mechanism", G_CALLBACK (allow_mechanism_cb), NULL); g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL); daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new (); |