PolicyKit: Branch 'master'
David Zeuthen
david at kemper.freedesktop.org
Mon Feb 9 15:39:36 PST 2009
src/polkitbackend/polkitbackendlocalauthority.c | 28 +++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
New commits:
commit 094da5b77ec4d39668c714bceca608a98f55a2be
Author: David Zeuthen <davidz at redhat.com>
Date: Mon Feb 9 18:37:25 2009 -0500
add security checks for EnumerateAuthorizations
diff --git a/src/polkitbackend/polkitbackendlocalauthority.c b/src/polkitbackend/polkitbackendlocalauthority.c
index be09d37..1b62cd6 100644
--- a/src/polkitbackend/polkitbackendlocalauthority.c
+++ b/src/polkitbackend/polkitbackendlocalauthority.c
@@ -1144,9 +1144,12 @@ polkit_backend_local_authority_enumerate_authorizations (PolkitBackendAuthority
{
PolkitBackendLocalAuthority *local_authority;
PolkitBackendLocalAuthorityPrivate *priv;
+ PolkitIdentity *user_of_caller;
gchar *identity_str;
GList *list;
+ list = NULL;
+
local_authority = POLKIT_BACKEND_LOCAL_AUTHORITY (authority);
priv = POLKIT_BACKEND_LOCAL_AUTHORITY_GET_PRIVATE (local_authority);
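Review bot: `user_of_caller` is declared without an initial value, yet the cleanup added at `out:` tests it against NULL before unreffing it. Every `goto out` visible in this diff comes after the assignment, so nothing is broken today, but the lines between the two hunks are not shown and any later early exit would unref an indeterminate pointer. Setting `user_of_caller = NULL;` next to the new `list = NULL;` makes the cleanup path safe regardless of where a jump is added. The function body continues outside this hunk.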
@@ -1154,11 +1157,34 @@ polkit_backend_local_authority_enumerate_authorizations (PolkitBackendAuthority
g_debug ("enumerating authorizations for %s", identity_str);
- /* TODO: check if caller is authorized */
+ user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor,
+ caller,
+ error);
+ if (user_of_caller == NULL)
+ goto out;
+
+ /* special case: uid 0, root, is _always_ authorized */
+ if (polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_of_caller)) != 0)
+ {
+ if (!polkit_identity_equal (user_of_caller, identity))
+ {
+ /* in the future, use something like org.freedesktop.policykit1.localauthority.manage to allow this */
+ g_set_error (error,
+ POLKIT_ERROR,
+ POLKIT_ERROR_FAILED,
+ "Can't look at authorizations belonging to other users");
+ goto out;
+ }
+ }
+
list = get_authorizations_for_identity (local_authority, identity);
+ out:
+
g_free (identity_str);
+ if (user_of_caller != NULL)
+ g_object_unref (user_of_caller);
return list;
}
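Review bot: The root special case reads the uid through an unchecked `POLKIT_UNIX_USER (user_of_caller)` cast, so the bypass relies on the session monitor always returning a PolkitUnixUser. If it can ever return another identity type, the value compared with 0 is not a real uid. Writing the test as `if (!POLKIT_IS_UNIX_USER (user_of_caller) || polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_of_caller)) != 0)` sends that case through the `polkit_identity_equal` check, which fails closed. Separately, a denial now returns NULL, which is also a valid empty GList, so the function deserves a comment such as `/* NULL with @error set means failure or denial; NULL without @error means no authorizations */`. The generic `POLKIT_ERROR_FAILED` also gives callers no way to tell a denial from other failures; a dedicated not-authorized code would, if the error enum has one.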