diff options
author | Marti Raudsepp <marti@juffo.org> | 2020-07-23 19:17:38 +0300 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-08-03 10:03:13 +0200 |
commit | 09364a8043a2f9b698e49a172094d658ae289ac6 (patch) | |
tree | 8d3e89d77bc2556195973d7cf5ff43255860778b /src/machine/machine-dbus.c | |
parent | 653ca0d913d2d14d234b26c7b5914de75b60e1c0 (diff) | |
download | systemd-09364a8043a2f9b698e49a172094d658ae289ac6.tar.gz |
machine: Pass machine, user, program values to polkit on OpenMachineShell
This allows more granular access control in PolicyKit rules, similar to
/etc/sudoers, for polkit actions:
* org.freedesktop.machine1.host-shell
* org.freedesktop.machine1.shell
Example configuration, place in /etc/polkit-1/rules.d/
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.machine1.host-shell"
&& subject.user == "my-user"
&& action.lookup("user") == "target-user") {
return polkit.Result.YES;
}
});
Diffstat (limited to 'src/machine/machine-dbus.c')
-rw-r--r-- | src/machine/machine-dbus.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c index 73ef5949bf..a3c97d8d8f 100644 --- a/src/machine/machine-dbus.c +++ b/src/machine/machine-dbus.c @@ -585,7 +585,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu r = sd_bus_message_read(message, "ss", &user, &path); if (r < 0) return r; - user = empty_to_null(user); + user = isempty(user) ? "root" : user; r = sd_bus_message_read_strv(message, &args_wire); if (r < 0) return r; @@ -604,7 +604,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu r = asprintf(&args[2], "shell=$(getent passwd %s 2>/dev/null | { IFS=: read _ _ _ _ _ _ x; echo \"$x\"; })\n"\ "exec \"${shell:-/bin/sh}\" -l", /* -l is means --login */ - isempty(user) ? "root" : user); + user); if (r < 0) { args[2] = NULL; return -ENOMEM; @@ -628,11 +628,18 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu if (!strv_env_is_valid(env)) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment assignments"); + const char *details[] = { + "machine", m->name, + "user", user, + "program", path, + NULL + }; + r = bus_verify_polkit_async( message, CAP_SYS_ADMIN, m->class == MACHINE_HOST ? "org.freedesktop.machine1.host-shell" : "org.freedesktop.machine1.shell", - NULL, + details, false, UID_INVALID, &m->manager->polkit_registry, @@ -677,7 +684,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu if (r < 0) return r; - description = strjoina("Shell for User ", isempty(user) ? "root" : user); + description = strjoina("Shell for User ", user); r = sd_bus_message_append(tm, "(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)", "Description", "s", description, @@ -695,7 +702,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu if (r < 0) return r; - r = sd_bus_message_append(tm, "(sv)", "User", "s", isempty(user) ? "root" : user); + r = sd_bus_message_append(tm, "(sv)", "User", "s", user); if (r < 0) return r; |