1. 04 May, 2020 1 commit
  2. 01 May, 2020 2 commits
  3. 27 Apr, 2020 2 commits
  4. 12 Mar, 2020 2 commits
  5. 04 Mar, 2020 1 commit
  6. 28 Feb, 2020 2 commits
  7. 27 Feb, 2020 2 commits
    • Michael Catanzaro's avatar
      user: fix double-unref of GDBusMethodInvocation throughout · 771eb671
      Michael Catanzaro authored
      When we return FALSE, we're not saying "failure," we're actually
      saying "unhandled." So in accounts-user-generated.c (generated by
      gdbus-codegen), _accounts_user_skeleton_handle_method_call() will
      call g_dbus_method_invocation_return_error(), which assumes
      ownership, sends a D-Bus error to the peer, and unrefs the
      GDBusMethodInvocation. Problem is, we've already done all of that
      and doing so twice is unexpected and bad.
      
      Spotted by Ray Strode in !51.
      
      Fixes #86
      771eb671
    • Michael Catanzaro's avatar
      user: fix indentation error · f8d77183
      Michael Catanzaro authored
      f8d77183
  8. 24 Feb, 2020 5 commits
  9. 18 Feb, 2020 1 commit
  10. 11 Feb, 2020 1 commit
  11. 07 Feb, 2020 1 commit
    • Matthew Leeds's avatar
      Check GDBusMessage for INTERACTIVE_AUTHORIZATION flag · d5847d8d
      Matthew Leeds authored
      Currently we always use the flag
      POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION when checking if
      a subject is authorized for an action, meaning that we cause polkit to
      create an interactive dialog box. However since GLib 2.46, there has
      been a flag G_DBUS_MESSAGE_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION which
      indicates if the caller is prepared to have the user authenticate (e.g.
      it's a user-facing program not a daemon). So, check for this flag in
      daemon_local_check_auth().
      
      The impetus for this patch is that in the Endles fork of
      gnome-control-center we use the library malcontent, and call
      mct_manager_get_app_filter() even when we don't have permission to
      actually read the user's app filter, since it shouldn't cause a dialog
      without MCT_GET_APP_FILTER_FLAGS_INTERACTIVE being passed to it. However
      because accountsservice doesn't respect
      G_DBUS_MESSAGE_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION, polkit attempts to
      create an auth dialog anyway (and hits an error but that's a separate
      gnome-shell bug).
      
      In libaccountsservice, we use code generated by gdbus-codegen to call
      D-Bus methods implemented by the daemon, and that generated code
      unconditionally uses G_DBUS_CALL_FLAGS_NONE, which would mean that users
      of libaccountsservice can't use interactive auth. The solution is to
      bump our GLib requirement to 2.63.5 (2.64 hasn't been released yet) and
      pass --glib-min-required 2.64 to gdbus-codegen, which causes the
      generated code to have two more arguments for each method call: one for
      GDBusCallFlags and one for a timeout value.
      
      For now we always use G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION
      in libaccountsservice, to maintain compatibility. It might make sense to
      add API in the future so that users of the library can specify if they
      want to allow interactive auth.
      
      This commit also makes us use
      G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION for method calls
      implemented by ConsoleKit, even though presumably no problems are caused
      by the current behavior of using G_DBUS_CALL_FLAGS_NONE. In theory
      ConsoleKit could check for
      G_DBUS_MESSAGE_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION one day (although
      in practice I think it's deprecated and inactive), and I think the whole
      of libaccountsservice should assume interactive auth is allowed until we
      have API to distinguish the no-interactive-auth case.
      d5847d8d
  12. 16 Sep, 2019 1 commit
  13. 13 Sep, 2019 1 commit
  14. 06 Sep, 2019 1 commit
    • Robert Ancell's avatar
      build: Bump minimum version of meson required · 2e9ee995
      Robert Ancell authored
      Meson gives the warning:
      
      WARNING: Project specifies a minimum meson_version '>= 0.46.0' but uses features which were added in newer versions:
       * 0.50.0: {'install arg in configure_file'}
      2e9ee995
  15. 04 Sep, 2019 1 commit
  16. 25 Aug, 2019 1 commit
  17. 24 Aug, 2019 1 commit
  18. 13 Aug, 2019 2 commits
  19. 01 Aug, 2019 1 commit
  20. 09 May, 2019 1 commit
    • Ray Strode's avatar
      data: don't send change updates for login-history · 64b11314
      Ray Strode authored
      The login-history property of user objects can be quite large.
      If wtmp is changed frequently, that can lead to memory fragmentation
      in clients.
      
      Furthermore, most clients never check login-history, so it's
      wasted memory and wasted cpu.
      
      This commit disables change notification for that property.  If
      a client really needs to get updates, they can manually refresh
      their cache when appropriate.
      64b11314
  21. 07 May, 2019 2 commits
    • Philip Withnall's avatar
      data: Tighten up systemd sandboxing of accounts-daemon.service · 0e712e93
      Philip Withnall authored
      Tighten up the sandboxing of the daemon, paying particular attention to
      file system access. Further work could be done to make the daemon run as
      a non-root user (User=/Group=/DynamicUser=), drop capabilities
      (CapabilityBoundingSet=) and restrict system calls (SystemCallFilter=).
      
      This is a reasonable starting point, though. It has been tested with
      adding, modifying and deleting users, and reading/writing user extension
      data. Testing was done on a Fedora and a Debian-based system.
      
      The useradd/userdel/usermod subprocesses require a lot of permissions
      which the accounts-service daemon itself doesn’t. In future, it might
      make sense to run them in a separate privilege-escalated sandbox, and
      further restrict the permissions of the accounts-service daemon itself.
      Signed-off-by: Philip Withnall's avatarPhilip Withnall <withnall@endlessm.com>
      
      !22
      0e712e93
    • Philip Withnall's avatar
      build: Expose chosen path_wtmp value as a variable · 152b845b
      Philip Withnall authored
      This will be used in a following commit.
      Signed-off-by: Philip Withnall's avatarPhilip Withnall <withnall@endlessm.com>
      152b845b
  22. 29 Apr, 2019 1 commit
    • Ray Strode's avatar
      daemon: ensure cache files for system users are processed · d8b77951
      Ray Strode authored
      At the moment we skip cache files for system users.  That
      doesn't make much sense; if there's a cache file we should
      be using it.
      
      This commit changes the code to read cache files, even for
      system users, and so lets root have a non-default session.
      
      Closes: #65
      d8b77951
  23. 23 Apr, 2019 2 commits
  24. 17 Apr, 2019 1 commit
    • João Paulo Rechi Vita's avatar
      daemon: Wait for reload before servicing list_cached_users · e88a50bd
      João Paulo Rechi Vita authored
      When /etc/passwd, /etc/shadow or /etc/group are changed outside of
      AccountsService, the cache reload is delayed by 500 ms so subsequent
      changes to these files are process seen together and AccountsService has
      a consistent view of the data (since after one of these files is changed
      the others may change too).
      
      If ListCachedUsers is called in this 500 ms window,
      finish_list_cached_users will be executed before reload_users_timeout
      has been dispatched, since its added to the mainloop as an idler and at
      point there is nothing preventing it from being executed. This makes
      finish_list_cached_users only be attached to the mainloop after
      reload_users_timeout has been dispatched.
      
      This bug was introduced by commit 4e3fad33 when the 500 ms delay was
      implemented.
      
      Closes: #71
      e88a50bd
  25. 09 Apr, 2019 1 commit
  26. 08 Apr, 2019 1 commit
  27. 20 Mar, 2019 1 commit
  28. 15 Mar, 2019 1 commit