summaryrefslogtreecommitdiff
path: root/src/login/logind-dbus.c
AgeCommit message (Collapse)Author
2015-02-18logind: open up most bus calls for unpriviliged processes, using PolicyKitLennart Poettering
Also, allow clients to alter their own objects without any further priviliges. i.e. this allows clients to kill and lock their own sessions without involving PK.
2015-02-03util: rework strappenda(), and rename it strjoina()Lennart Poettering
After all it is now much more like strjoin() than strappend(). At the same time, add support for NULL sentinels, even if they are normally not necessary.
2015-02-02remove unused variablesThomas Hindoe Paaboel Andersen
2015-01-18bus: use EUID over UID and fix unix-credsDavid Herrmann
Whenever a process performs an action on an object, the kernel uses the EUID of the process to do permission checks and to apply on any newly created objects. The UID of a process is only used if someone *ELSE* acts on the process. That is, the UID of a process defines who owns the process, the EUID defines what privileges are used by this process when performing an action. Process limits, on the other hand, are always applied to the real UID, not the effective UID. This is, because a process has a user object linked, which always corresponds to its UID. A process never has a user object linked for its EUID. Thus, accounting (and limits) is always done on the real UID. This commit fixes all sd-bus users to use the EUID when performing privilege checks and alike. Furthermore, it fixes unix-creds to be parsed as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone using UID (eg., to do user-accounting) has to fall back to the EUID as UDS does not transmit the UID.
2015-01-09logind: unify how we cast between uid_t and pointers for hashmap keysLennart Poettering
2015-01-09logind: when a bus call is done on a session, user or seat, optionally ↵Lennart Poettering
determine them from the caller credentials More specifically, if an operation is requested on a session with an empty name, the caller's session is used. If an operation is requested on a seat with an empty name, the seat of the caller's session is used. Finally, if an operation on the user with UID -1 is requested, the user of the client's session is used (and not the UID of the client!).
2014-12-29machined: ignore spurious errorLennart Poettering
2014-12-28tmpfiles: add new line type 'v' for creating btrfs subvolumesLennart Poettering
2014-12-25logind: remove spurious include of <sys/capability.h>Filipe Brandenburger
They do not use any functions from libcap directly. The CAP_* constants in use through these files come from "missing.h" which will import <linux/capability.h> and complement it with CAP_* constants not defined by the current kernel headers. The "missing.h" header is imported through "util.h" which gets imported in "logind.h". Tested that "systemd-logind" builds cleanly and works after this change.
2014-12-11treewide: correct spacing near eol in code commentsTorstein Husebø
2014-12-10sd-bus: move common errors src/shared/bus-errors.h → ↵Lennart Poettering
src/libsystemd/sd-bus/bus-common-errors.h Stuff in src/shared/ should not use stuff from src/libsystemd/ really.
2014-11-28treewide: use log_*_errno whenever %m is in the format stringMichal Schmidt
If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28log: fix order of log_unit_struct() to match other logging callsLennart Poettering
Also, while we are at it, introduce some syntactic sugar for creating ERRNO= and MESSAGE= structured logging fields.
2014-10-23mac: rename apis with mac_{selinux/smack}_ prefixWaLyong Cho
2014-08-26logind: add HandleLidSwitchDocked= option to logind.conf + documentationBen Wolsieffer
https://bugs.freedesktop.org/show_bug.cgi?id=82485
2014-08-18bus-util: simplify bus_verify_polkit_async() a bitLennart Poettering
First, let's drop the "bus" argument, we can determine it from the message anyway. Secondly, determine the right callback/userdata pair automatically from what is currently is being dispatched. This should simplify things a lot for us, since it makes it unnecessary to pass pointers through the original handlers through all functions when we process messages, which might require authentication.
2014-08-15sd-bus: add API to check if a client has privilegesLennart Poettering
This is a generalization of the vtable privilege check we already have, but exported, and hence useful when preparing for a polkit change. This will deal with the complexity that on dbus1 one cannot trust the capability field we retrieve via the bus, since it is read via /proc/$$/stat (and thus might be out-of-date) rather than directly from the message (like on kdbus) or bus connection (as for uid creds on dbus1). Also, port over all code to this new API.
2014-05-15Remove unnecessary casts in printfsZbigniew Jędrzejewski-Szmek
No functional change expected :)
2014-03-24sd-event: rework API to support CLOCK_REALTIME_ALARM and ↵Lennart Poettering
CLOCK_BOOTTIME_ALARM, too
2014-03-11logind: move lid switch handling from logind-main to logind-coreKay Sievers
../src/login/logind-dbus.c:1352: error: undefined reference to 'manager_set_lid_switch_ignore' collect2: error: ld returned 1 exit status make[2]: *** [test-login-tables]
2014-03-11logind: add a debug message in case the session already existsDjalal Harouni
If the session already exists then the only way to log it is to set the debug option of pam_systemd. There are no debug messages in the login service that permits to log if the session already exists. So just add it, and while we are it add the "uid" field to the debug message that indicates that the session was created.
2014-03-10logind: fix policykit checksZbigniew Jędrzejewski-Szmek
2014-03-03logind: ignore lid switch events for 30s after each suspend and 3min after ↵Lennart Poettering
startup This is needed to give USB docking stations and suchlike time to settle, so that a display connected to an USB docking station can actually act as a lid swith inhibitor correctly. With this change we should have somewhat reliable docking station support in place.
2014-02-20api: in constructor function calls, always put the returned object pointer ↵Lennart Poettering
first (or second) Previously the returned object of constructor functions where sometimes returned as last, sometimes as first and sometimes as second parameter. Let's clean this up a bit. Here are the new rules: 1. The object the new object is derived from is put first, if there is any 2. The object we are creating will be returned in the next arguments 3. This is followed by any additional arguments Rationale: For functions that operate on an object we always put that object first. Constructors should probably not be too different in this regard. Also, if the additional parameters might want to use varargs which suggests to put them last. Note that this new scheme only applies to constructor functions, not to all other functions. We do give a lot of freedom for those. Note that this commit only changes the order of the new functions we added, for old ones we accept the wrong order and leave it like that.
2014-02-11logind: ignore PropertiesChanged signals for jobsZbigniew Jędrzejewski-Szmek
Otherwise we get a (harmless) message like: systemd-logind[30845]: Failed to process message [type=signal sender=:1.36 path=/org/freedesktop/systemd1/job/4674 interface=org.freedesktop.DBus.Properties member=PropertiesChanged signature=sa{sv}as]: Invalid argument
2014-02-11logind: always kill session when termination is requestedZbigniew Jędrzejewski-Szmek
KillUserProcesses=yes/no should be ignored when termination is explicitly requested.
2014-02-07remove unused variablesThomas Hindoe Paaboel Andersen
2014-02-07core: when an already abandoned unit gets abandoned again generate a clean errorLennart Poettering
2014-02-07logind: order all scopes after both systemd-logind.service andLennart Poettering
systemd-user-sessions.service This way at shutdown we can be sure that the sessions go away before the network.
2014-02-07logind: add function session_jobs_reply() to unify the create replyDjalal Harouni
The session_send_create_reply() function which notifies clients about session creation is used for both session and user units. Unify the shared code in a new function session_jobs_reply(). The session_save() will be called unconditionally on sessions since it does not make sense to only call it if '!session->started', this will also allow to update the session state as soon as possible.
2014-02-07logind: given that we can now relatively safely shutdown sessions copesLennart Poettering
without working cgroup empty notifications there's no need to set the stop timeout of sessions scopes low
2014-02-07logind: rework session shutdown logicLennart Poettering
Simplify the shutdown logic a bit: - Keep the session FIFO around in the PAM module, even after the session shutdown hook has been finished. This allows logind to track precisely when the PAM handler goes away. - In the ReleaseSession() call start a timer, that will stop terminate the session when elapsed. - Never fiddle with the KillMode of scopes to configure whether user processes should be killed or not. Instead, simply leave the scope units around when we terminate a session whose processes should not be killed. - When killing is enabled, stop the session scope on FIFO EOF or after the ReleaseSession() timeout. When killing is disabled, simply tell PID 1 to abandon the scope. Because the scopes stay around and hence all processes are always member of a scope, the system shutdown logic should be more robust, as the scopes can be shutdown as part of the usual shutdown logic.
2014-02-05man: introduce new "Desktop" property for sessionsLennart Poettering
This is initialized from XDG_SESSION_DESKTOP and is useful for GNOME to recognize its own sessions. It's supposed to be set to a short string identifying the session, such as "kde" or "gnome".
2014-01-09logind: wait for the user service to finish startup before completing login ↵Lennart Poettering
attempt
2013-12-28bus: fix a couple of format string mistakesLennart Poettering
2013-12-22bus: decorate the various object vtables with SD_BUS_VTABLE_PROPERTY_CONST ↵Lennart Poettering
where appropriate
2013-12-18core,logind: libudev usage modernizationsLennart Poettering
Always use cleanup logic and don't eat up errors returned by libudev
2013-12-10bus: introduce "trusted" bus concept and encode access control in object vtablesLennart Poettering
Introduces a new concept of "trusted" vs. "untrusted" busses. For the latter libsystemd-bus will automatically do per-method access control, for the former all access is automatically granted. Per-method access control is encoded in the vtables: by default all methods are only accessible to privileged clients. If the SD_BUS_VTABLE_UNPRIVILEGED flag is set for a method it is accessible to unprivileged clients too. By default whether a client is privileged is determined via checking for its CAP_SYS_ADMIN capability, but this can be altered via the SD_BUS_VTABLE_CAPABILITY() macro that can be ORed into the flags field of the method. Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED and SD_BUS_VTABLE_CAPABILITY() for controlling write access to them. Note however that read access is unrestricted, as PropertiesChanged messages might send out the values anyway as an unrestricted broadcast. By default the system bus is set to "untrusted" and the user bus is "trusted" since per-method access control on the latter is unnecessary. On dbus1 busses we check the UID of the caller rather than the configured capability since the capability cannot be determined without race. On kdbus the capability is checked if possible from the attached meta-data of a message and otherwise queried from the sending peer. This also decorates the vtables of the various daemons we ship with these flags.
2013-11-28bus: add new sd_bus_creds object to encapsulate process credentialsLennart Poettering
This way we can unify handling of credentials that are attached to messages, or can be queried for bus name owners or connection peers. This also adds the ability to extend incomplete credential information with data from /proc, Also, provide a convenience call that will automatically determine the most appropriate credential object for an incoming message, by using the the attached information if possible, the sending name information if available and otherwise the peer's credentials.
2013-11-28logind: remove unused session->closing fieldDavid Herrmann
This field is always false, drop it. If you want a reliable way to get session state, call session_get_state(). Testing for any flags directly doesn't work currently so don't pretend it would.
2013-11-28logind: require VTs on seat0 and forbid elsewhereDavid Herrmann
Sessions on seat0 must pass us a vtnr, otherwise, you shouldn't try attaching it to seat0. For seats without VTs, we do the exact opposite: we forbid VTs. There can be odd situations if the session-files contain invalid combinations. However, we try to keep sessions alive and restore state as good as possible.
2013-11-28logind: make VT numbers unsignedDavid Herrmann
Fix the whole code to use "unsigned int" for vtnr. 0 is an invalid vtnr so we don't need negative numbers at all. Note that most code already assumes it's unsigned so in case there's a negative vtnr, our code may, under special circumstances, silently break. So this patch makes sure all sources of vtnrs verify the validity. Also note that the dbus api already uses unsigned ints.
2013-11-27logind: log which process is delaying suspend and not closing locksLennart Poettering
2013-11-26pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is ↵Lennart Poettering
not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-21logind,machined,run: properly invoke StartTransientUnit() bus callLennart Poettering
2013-11-21bus: rework message handlers to always take an error argumentLennart Poettering
Message handler callbacks can be simplified drastically if the dispatcher automatically replies to method calls if errors are returned. Thus: add an sd_bus_error argument to all message handlers. When we dispatch a message handler and it returns negative or a set sd_bus_error we send this as message error back to the client. This means errors returned by handlers by default are given back to clients instead of rippling all the way up to the event loop, which is desirable to make things robust. As a side-effect we can now easily turn the SELinux checks into normal function calls, since the method call dispatcher will generate the right error replies automatically now. Also, make sure we always pass the error structure to all property and method handlers as last argument to follow the usual style of passing variables for return values as last argument.
2013-11-21bus: let's simplify things by getting rid of unnecessary bus parametersLennart Poettering
2013-11-20core: convert PID 1 to libsystemd-busLennart Poettering
This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-12bus: rename sd_bus_send_with_reply_and_block() to sd_bus_call()Lennart Poettering
The call is one of the most important ones we expose, where we place major emphasis on. We should make sure to give it a short, memorable name.
2013-11-05logind: automatically determine client side PID if GetSessionByPID() is ↵Lennart Poettering
called with a PID == 0