GitLab

Otherwise, a trivial executable that includes <act/act.h>, built with
$(pkg-config --cflags --libs accountsservice), will fail to compile
when we cannot include headers like <glib-object.h>.
Signed-off-by: Simon McVittie <smcv@debian.org>

And set is-loaded accordingly. This causes properties to be invalidated
on the client side and then get re-fetched when the daemon comes back.

#55

This introduces one small functional change: if any of the groups in
`EXTRA_ADMIN_GROUPS` can’t be resolved using `getgrnam()`, an error will
now be thrown. Previously, it would be ignored.

Other than that, this introduces no functional changes and is just
intended as a code cleanup.
Signed-off-by: Philip Withnall <withnall@endlessm.com>

Filter out the `extra_admin_groups` from the group list when a user is
no longer an admin.
Signed-off-by: Philip Withnall <withnall@endlessm.com>

The correct way to tell `g_option_context_new()` not to print any
information after the options is to pass `NULL`. Passing the empty
string results in a call to `gettext ("")`, which returns the
translation’s header.

This fixes the output of `accounts-daemon --help`.
Signed-off-by: Philip Withnall <withnall@endlessm.com>

Bad news for Geoffrey Ingram Taylor.

See: #57

We don't want this code running except on Red Hat systems, where we can
maintain it in a downstream patch if need be.

The heuristic has been wrong before (e.g. as in #57) and is not useful
on upstream systems where 1000 is the presumed minimum uid for human
users.

Many, many user accounts use / as their home directory. If deleting
these accounts with accountsservice, we should just ignore requests to
delete the home dir, rather than trash the user's computer.

Fixes #57

Because real name is stored in the GECOS field of /etc/passwd, which is delimited
by commas that cannot be escaped, the user's full name must not contain a comma.

Fixes #83

See: #83

When we return FALSE, we're not saying "failure," we're actually
saying "unhandled." So in accounts-user-generated.c (generated by
gdbus-codegen), _accounts_user_skeleton_handle_method_call() will
call g_dbus_method_invocation_return_error(), which assumes
ownership, sends a D-Bus error to the peer, and unrefs the
GDBusMethodInvocation. Problem is, we've already done all of that
and doing so twice is unexpected and bad.

Spotted by Ray Strode in !51.

Fixes #86

This tidies up the code a bit, and (critically) exposes a concrete
structure for `ActUser` and `ActUserClass`. Previously these were
dangling typedefs, which meant the compiler had no idea they derived
from `GObject`, and hence would give warnings about strict aliasing when
(for example) calling:
```
g_set_object (&my_user, user);
```
where `my_user` and `user` were both `ActUser*`.

This shouldn’t introduce any API or ABI changes, as the library
basically exposed no API in this area before. The autoptr cleanup
function is now defined by `G_DECLARE_FINAL_TYPE`.

libaccountsservice already depends on GLib 2.63, so no dependency bump
is needed.
Signed-off-by: Philip Withnall <withnall@endlessm.com>

ConsoleKit is very much dead and replaced by logind or elogind.

We don't use transifex anymore, so the file can be generated when
needed instead of stored in version control.

Closes: #30

In particular, make it clear what format a locale is in, and what the
empty string and NULL values mean. I’ve guessed what they mean based on
what code which uses libaccountsservice does.
Signed-off-by: Philip Withnall <withnall@endlessm.com>

This regressed in 4b3fdd19.

Currently we always use the flag
POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION when checking if
a subject is authorized for an action, meaning that we cause polkit to
create an interactive dialog box. However since GLib 2.46, there has
been a flag G_DBUS_MESSAGE_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION which
indicates if the caller is prepared to have the user authenticate (e.g.
it's a user-facing program not a daemon). So, check for this flag in
daemon_local_check_auth().

The impetus for this patch is that in the Endles fork of
gnome-control-center we use the library malcontent, and call
mct_manager_get_app_filter() even when we don't have permission to
actually read the user's app filter, since it shouldn't cause a dialog
without MCT_GET_APP_FILTER_FLAGS_INTERACTIVE being passed to it. However
because accountsservice doesn't respect
G_DBUS_MESSAGE_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION, polkit attempts to
create an auth dialog anyway (and hits an error but that's a separate
gnome-shell bug).

In libaccountsservice, we use code generated by gdbus-codegen to call
D-Bus methods implemented by the daemon, and that generated code
unconditionally uses G_DBUS_CALL_FLAGS_NONE, which would mean that users
of libaccountsservice can't use interactive auth. The solution is to
bump our GLib requirement to 2.63.5 (2.64 hasn't been released yet) and
pass --glib-min-required 2.64 to gdbus-codegen, which causes the
generated code to have two more arguments for each method call: one for
GDBusCallFlags and one for a timeout value.

For now we always use G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION
in libaccountsservice, to maintain compatibility. It might make sense to
add API in the future so that users of the library can specify if they
want to allow interactive auth.

This commit also makes us use
G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION for method calls
implemented by ConsoleKit, even though presumably no problems are caused
by the current behavior of using G_DBUS_CALL_FLAGS_NONE. In theory
ConsoleKit could check for
G_DBUS_MESSAGE_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION one day (although
in practice I think it's deprecated and inactive), and I think the whole
of libaccountsservice should assume interactive auth is allowed until we
have API to distinguish the no-interactive-auth case.

Meson gives the warning:

WARNING: Project specifies a minimum meson_version '>= 0.46.0' but uses features which were added in newer versions:
 * 0.50.0: {'install arg in configure_file'}

The previous code would abort the write if it didn't exist.

We're using meson now.

Since D-Bus 1.9.18 configuration files installed by third-party should
go in $(datadir)/dbus-1/system.d.  The old location is for sysadmin
overrides.  Also check that we have recent enough D-Bus to use the new
location.

https://lists.freedesktop.org/archives/dbus/2015-July/016746.html

The login-history property of user objects can be quite large.
If wtmp is changed frequently, that can lead to memory fragmentation
in clients.

Furthermore, most clients never check login-history, so it's
wasted memory and wasted cpu.

This commit disables change notification for that property.  If
a client really needs to get updates, they can manually refresh
their cache when appropriate.

Tighten up the sandboxing of the daemon, paying particular attention to
file system access. Further work could be done to make the daemon run as
a non-root user (User=/Group=/DynamicUser=), drop capabilities
(CapabilityBoundingSet=) and restrict system calls (SystemCallFilter=).

This is a reasonable starting point, though. It has been tested with
adding, modifying and deleting users, and reading/writing user extension
data. Testing was done on a Fedora and a Debian-based system.

The useradd/userdel/usermod subprocesses require a lot of permissions
which the accounts-service daemon itself doesn’t. In future, it might
make sense to run them in a separate privilege-escalated sandbox, and
further restrict the permissions of the accounts-service daemon itself.
Signed-off-by: Philip Withnall <withnall@endlessm.com>

!22

This will be used in a following commit.
Signed-off-by: Philip Withnall <withnall@endlessm.com>

At the moment we skip cache files for system users.  That
doesn't make much sense; if there's a cache file we should
be using it.

This commit changes the code to read cache files, even for
system users, and so lets root have a non-default session.

Closes: #65

When /etc/passwd, /etc/shadow or /etc/group are changed outside of
AccountsService, the cache reload is delayed by 500 ms so subsequent
changes to these files are process seen together and AccountsService has
a consistent view of the data (since after one of these files is changed
the others may change too).

If ListCachedUsers is called in this 500 ms window,
finish_list_cached_users will be executed before reload_users_timeout
has been dispatched, since its added to the mainloop as an idler and at
point there is nothing preventing it from being executed. This makes
finish_list_cached_users only be attached to the mainloop after
reload_users_timeout has been dispatched.

This bug was introduced by commit 4e3fad33 when the 500 ms delay was
implemented.

Closes: #71