bus-proxy: drop priviliges if we can
Either become the uid/gid of the client we have been forked for, or become the "systemd-bus-proxy" user if the client was root. We retain CAP_IPC_OWNER so that we can tell kdbus we are actually our own client.
parent
72543b361d
commit
6a010ac9e5
|
@ -2033,6 +2033,7 @@ systemd_bus_proxyd_SOURCES = \
|
|||
src/bus-proxyd/bus-proxyd.c
|
||||
|
||||
systemd_bus_proxyd_LDADD = \
|
||||
libsystemd-capability.la \
|
||||
libsystemd-internal.la \
|
||||
libsystemd-shared.la
|
||||
|
||||
|
|
|
@ -44,9 +44,11 @@
|
|||
#include "build.h"
|
||||
#include "strv.h"
|
||||
#include "def.h"
|
||||
#include "capability.h"
|
||||
|
||||
static const char *arg_address = DEFAULT_SYSTEM_BUS_PATH;
|
||||
static char *arg_command_line_buffer = NULL;
|
||||
static bool arg_drop_privileges = false;
|
||||
|
||||
static int help(void) {
|
||||
|
||||
|
@ -54,6 +56,7 @@ static int help(void) {
|
|||
"Connect STDIO or a socket to a given bus address.\n\n"
|
||||
" -h --help Show this help\n"
|
||||
" --version Show package version\n"
|
||||
" --drop-privileges Drop privileges\n"
|
||||
" --address=ADDRESS Connect to the bus specified by ADDRESS\n"
|
||||
" (default: " DEFAULT_SYSTEM_BUS_PATH ")\n",
|
||||
program_invocation_short_name);
|
||||
|
@ -66,13 +69,15 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
enum {
|
||||
ARG_VERSION = 0x100,
|
||||
ARG_ADDRESS,
|
||||
ARG_DROP_PRIVILEGES,
|
||||
};
|
||||
|
||||
static const struct option options[] = {
|
||||
{ "help", no_argument, NULL, 'h' },
|
||||
{ "version", no_argument, NULL, ARG_VERSION },
|
||||
{ "address", required_argument, NULL, ARG_ADDRESS },
|
||||
{ NULL, 0, NULL, 0 }
|
||||
{ "help", no_argument, NULL, 'h' },
|
||||
{ "version", no_argument, NULL, ARG_VERSION },
|
||||
{ "address", required_argument, NULL, ARG_ADDRESS },
|
||||
{ "drop-privileges", no_argument, NULL, ARG_DROP_PRIVILEGES },
|
||||
{ NULL, 0, NULL, 0 },
|
||||
};
|
||||
|
||||
int c;
|
||||
|
@ -97,6 +102,10 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
arg_address = optarg;
|
||||
break;
|
||||
|
||||
case ARG_DROP_PRIVILEGES:
|
||||
arg_drop_privileges = true;
|
||||
break;
|
||||
|
||||
case '?':
|
||||
return -EINVAL;
|
||||
|
||||
|
@ -440,7 +449,6 @@ static int peer_is_privileged(sd_bus *bus, sd_bus_message *m) {
|
|||
return false;
|
||||
}
|
||||
|
||||
|
||||
static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m) {
|
||||
int r;
|
||||
|
||||
|
@ -1065,6 +1073,22 @@ int main(int argc, char *argv[]) {
|
|||
getpeersec(in_fd, &peersec);
|
||||
}
|
||||
|
||||
if (arg_drop_privileges) {
|
||||
const char *user = "systemd-bus-proxy";
|
||||
uid_t uid;
|
||||
gid_t gid;
|
||||
|
||||
r = get_user_creds(&user, &uid, &gid, NULL, NULL);
|
||||
if (r < 0) {
|
||||
log_error("Cannot resolve user name %s: %s", user, strerror(-r));
|
||||
goto finish;
|
||||
}
|
||||
|
||||
r = drop_privileges(uid, gid, 1ULL << CAP_IPC_OWNER);
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
}
|
||||
|
||||
r = sd_bus_new(&a);
|
||||
if (r < 0) {
|
||||
log_error("Failed to allocate bus: %s", strerror(-r));
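Review bot: The new `if (arg_drop_privileges)` block always resolves and switches to the fixed `systemd-bus-proxy` user, whereas the commit message promises to become the uid/gid of the client the proxy was forked for and to fall back to that user only when the client is root; nothing in this hunk reads the peer's uid (only `getpeersec()` is visible), so either that branch is still to come or the description overstates the change. Failing closed when `get_user_creds()` cannot resolve the user is the right behaviour, but the `drop_privileges()` failure path jumps to `finish` silently here; if that helper does not log on its own (its body lives in capability.c and is only partly visible), add `log_error("Failed to drop privileges: %s", strerror(-r));` before the `goto finish;`. The `--drop-privileges` help line in the earlier hunk could also say which identity is targeted, e.g. `"     --drop-privileges    Drop privileges to the systemd-bus-proxy user\n"`. main() starts and continues outside this hunk on both sides.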
|
||||
|
|
|
@ -85,9 +85,9 @@ unsigned long cap_last_cap(void) {
|
|||
}
|
||||
|
||||
int capability_bounding_set_drop(uint64_t drop, bool right_now) {
|
||||
unsigned long i;
|
||||
_cleanup_cap_free_ cap_t after_cap = NULL, temp_cap = NULL;
|
||||
_cleanup_cap_free_ cap_t after_cap = NULL;
|
||||
cap_flag_value_t fv;
|
||||
unsigned long i;
|
||||
int r;
|
||||
|
||||
/* If we are run as PID 1 we will lack CAP_SETPCAP by default
|
||||
|
@ -103,6 +103,7 @@ int capability_bounding_set_drop(uint64_t drop, bool right_now) {
|
|||
return -errno;
|
||||
|
||||
if (fv != CAP_SET) {
|
||||
_cleanup_cap_free_ cap_t temp_cap = NULL;
|
||||
static const cap_value_t v = CAP_SETPCAP;
|
||||
|
||||
temp_cap = cap_dup(after_cap);
|
||||
|
@ -217,8 +218,6 @@ int capability_bounding_set_drop_usermode(uint64_t drop) {
|
|||
int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
|
||||
|
||||
_cleanup_cap_free_ cap_t d = NULL;
|
||||
cap_value_t bits[sizeof(keep_capabilities)*8];
|
||||
unsigned i, j = 0;
|
||||
int r;
|
||||
|
||||
/* Unfortunately we cannot leave privilege dropping to PID 1
|
||||
|
@ -265,6 +264,9 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
|
|||
return log_oom();
|
||||
|
||||
if (keep_capabilities) {
|
||||
cap_value_t bits[sizeof(keep_capabilities)*8];
|
||||
unsigned i, j = 0;
|
||||
|
||||
for (i = 0; i < sizeof(keep_capabilities)*8; i++)
|
||||
if (keep_capabilities & (1ULL << i))
|
||||
bits[j++] = i;
|
||||
|
|
|
@ -12,9 +12,11 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
|
|||
# The first argument will be replaced by the service by information on
|
||||
# the process requesting the proxy, we need a placeholder to keep the
|
||||
# space available for this.
|
||||
ExecStart=@rootlibexecdir@/systemd-bus-proxyd xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||||
ExecStart=@rootlibexecdir@/systemd-bus-proxyd --drop-privileges xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||||
NotifyAccess=main
|
||||
CapabilityBoundingSet=CAP_IPC_OWNER
|
||||
CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
PrivateNetwork=yes
|
||||
ReadOnlySystem=yes
|
||||
ProtectedHome=yes
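Review bot: The widened `CapabilityBoundingSet=` needs a comment explaining that CAP_SETUID, CAP_SETGID and CAP_SETPCAP are present only so that `--drop-privileges` can switch to the systemd-bus-proxy user, after which the proxy is meant to keep CAP_IPC_OWNER alone; without it a later reader cannot tell that the three extra capabilities are expected to be gone at runtime, e.g. `# CAP_SETUID/CAP_SETGID/CAP_SETPCAP are only needed until --drop-privileges has switched to systemd-bus-proxy; only CAP_IPC_OWNER is retained afterwards`. The unit now also depends on the `systemd-bus-proxy` system user existing, and nothing in this commit creates it — presumably that is handled by sysusers or packaging, but it is worth stating next to the ExecStart line. Judging by the hunk counts (9 old, 11 new), `ReadOnlySystem=yes` and `ProtectedHome=yes` appear to be newly added as well; if so they are a hardening change independent of privilege dropping and deserve a mention in the commit message.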
|
||||
|
|