[systemd-commits] Makefile.am src/bus-proxyd src/shared units/systemd-bus-proxyd at .service.in
Lennart Poettering
lennart at kemper.freedesktop.org
Wed Jun 4 02:15:06 PDT 2014
Makefile.am | 1 +
src/bus-proxyd/bus-proxyd.c | 34 +++++++++++++++++++++++++++++-----
src/shared/capability.c | 10 ++++++----
units/systemd-bus-proxyd at .service.in | 6 ++++--
4 files changed, 40 insertions(+), 11 deletions(-)
New commits:
commit 6a010ac9e5aa585637b4b79df92f8ca5537faf71
Author: Lennart Poettering <lennart at poettering.net>
Date: Wed Jun 4 09:55:40 2014 +0200
bus-proxy: drop priviliges if we can
Either become uid/gid of the client we have been forked for, or become
the "systemd-bus-proxy" user if the client was root. We retain
CAP_IPC_OWNER so that we can tell kdbus we are actually our own client.
diff --git a/Makefile.am b/Makefile.am
index de42424..d778b31 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2033,6 +2033,7 @@ systemd_bus_proxyd_SOURCES = \
src/bus-proxyd/bus-proxyd.c
systemd_bus_proxyd_LDADD = \
+ libsystemd-capability.la \
libsystemd-internal.la \
libsystemd-shared.la
diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c
index e095d61..98b2ffd 100644
--- a/src/bus-proxyd/bus-proxyd.c
+++ b/src/bus-proxyd/bus-proxyd.c
@@ -44,9 +44,11 @@
#include "build.h"
#include "strv.h"
#include "def.h"
+#include "capability.h"
static const char *arg_address = DEFAULT_SYSTEM_BUS_PATH;
static char *arg_command_line_buffer = NULL;
+static bool arg_drop_privileges = false;
static int help(void) {
@@ -54,6 +56,7 @@ static int help(void) {
"Connect STDIO or a socket to a given bus address.\n\n"
" -h --help Show this help\n"
" --version Show package version\n"
+ " --drop-privileges Drop privileges\n"
" --address=ADDRESS Connect to the bus specified by ADDRESS\n"
" (default: " DEFAULT_SYSTEM_BUS_PATH ")\n",
program_invocation_short_name);
@@ -66,13 +69,15 @@ static int parse_argv(int argc, char *argv[]) {
enum {
ARG_VERSION = 0x100,
ARG_ADDRESS,
+ ARG_DROP_PRIVILEGES,
};
static const struct option options[] = {
- { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, ARG_VERSION },
- { "address", required_argument, NULL, ARG_ADDRESS },
- { NULL, 0, NULL, 0 }
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, ARG_VERSION },
+ { "address", required_argument, NULL, ARG_ADDRESS },
+ { "drop-privileges", no_argument, NULL, ARG_DROP_PRIVILEGES },
+ { NULL, 0, NULL, 0 },
};
int c;
@@ -97,6 +102,10 @@ static int parse_argv(int argc, char *argv[]) {
arg_address = optarg;
break;
+ case ARG_DROP_PRIVILEGES:
+ arg_drop_privileges = true;
+ break;
+
case '?':
return -EINVAL;
@@ -440,7 +449,6 @@ static int peer_is_privileged(sd_bus *bus, sd_bus_message *m) {
return false;
}
-
static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m) {
int r;
@@ -1065,6 +1073,22 @@ int main(int argc, char *argv[]) {
getpeersec(in_fd, &peersec);
}
+ if (arg_drop_privileges) {
+ const char *user = "systemd-bus-proxy";
+ uid_t uid;
+ gid_t gid;
+
+ r = get_user_creds(&user, &uid, &gid, NULL, NULL);
+ if (r < 0) {
+ log_error("Cannot resolve user name %s: %s", user, strerror(-r));
+ goto finish;
+ }
+
+ r = drop_privileges(uid, gid, 1ULL << CAP_IPC_OWNER);
+ if (r < 0)
+ goto finish;
+ }
+
r = sd_bus_new(&a);
if (r < 0) {
log_error("Failed to allocate bus: %s", strerror(-r));
diff --git a/src/shared/capability.c b/src/shared/capability.c
index 439aac7..d2b9013 100644
--- a/src/shared/capability.c
+++ b/src/shared/capability.c
@@ -85,9 +85,9 @@ unsigned long cap_last_cap(void) {
}
int capability_bounding_set_drop(uint64_t drop, bool right_now) {
- unsigned long i;
- _cleanup_cap_free_ cap_t after_cap = NULL, temp_cap = NULL;
+ _cleanup_cap_free_ cap_t after_cap = NULL;
cap_flag_value_t fv;
+ unsigned long i;
int r;
/* If we are run as PID 1 we will lack CAP_SETPCAP by default
@@ -103,6 +103,7 @@ int capability_bounding_set_drop(uint64_t drop, bool right_now) {
return -errno;
if (fv != CAP_SET) {
+ _cleanup_cap_free_ cap_t temp_cap = NULL;
static const cap_value_t v = CAP_SETPCAP;
temp_cap = cap_dup(after_cap);
@@ -217,8 +218,6 @@ int capability_bounding_set_drop_usermode(uint64_t drop) {
int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
_cleanup_cap_free_ cap_t d = NULL;
- cap_value_t bits[sizeof(keep_capabilities)*8];
- unsigned i, j = 0;
int r;
/* Unfortunately we cannot leave privilege dropping to PID 1
@@ -265,6 +264,9 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
return log_oom();
if (keep_capabilities) {
+ cap_value_t bits[sizeof(keep_capabilities)*8];
+ unsigned i, j = 0;
+
for (i = 0; i < sizeof(keep_capabilities)*8; i++)
if (keep_capabilities & (1ULL << i))
bits[j++] = i;
diff --git a/units/systemd-bus-proxyd at .service.in b/units/systemd-bus-proxyd at .service.in
index fafd4ce..3dc2cd9 100644
--- a/units/systemd-bus-proxyd at .service.in
+++ b/units/systemd-bus-proxyd at .service.in
@@ -12,9 +12,11 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
# The first argument will be replaced by the service by information on
# the process requesting the proxy, we need a placeholder to keep the
# space available for this.
-ExecStart=@rootlibexecdir@/systemd-bus-proxyd xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
NotifyAccess=main
-CapabilityBoundingSet=CAP_IPC_OWNER
+CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
+ReadOnlySystem=yes
+ProtectedHome=yes
More information about the systemd-commits
mailing list