dbus issue #196

Created Jan 16, 2018 by Bugzilla Migration User@bugzilla-migration

Expose group list from SO_PEERGROUPS in GetConnectionCredentials()

Submitted by Simon McVittie

Assigned to D-Bus Maintainers

Link to original bug (#104657)

Description

+++ This bug was initially created as a clone of Bug #103737 +++

Recent Linux kernels (4.13+) allow for getting a list of auxiliary groups of a socket peer in a race-free way using the SO_PEERGROUPS getsockopt option. Bug #103737 tracks the use of that option in dbus.

If anyone (maybe polkit?) cares about this information, we could add UnixGroupIDs (ARRAY of UINT32) to GetConnectionCredentials().

If we do, then I think its semantics should be that this field is only present when we can discover the other process' complete list of groups, such as on Linux 4.13+ with SO_PEERGROUPS. On platforms where we can only find the primary group ID (like older Linux with SO_PEERCRED) I don't think we should expose any group information at all, because that's needlessly confusing.

I also don't think the bus API should expose the group list that we get from getgrouplist(), to give callers that care about it a way to distinguish between true facts ("the peer definitely had exactly these groups at the time the connection was established") and conjecture ("the peer has uid 1000 so we think it probably has all the groups that uid 1000 would have if they logged in"). If the caller wants to use the same best-guess via getgrouplist() that older/non-Linux dbus-daemon does, then they can implement that themselves.

Version: git master

Depends on

  • Bug 103737
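
The SO_PEERGROUPS lookup discussed in this issue, as an added example (not dbus code and not part of the original report): it returns the peer's group list only when the kernel supplies the complete list, and otherwise reports "unknown" rather than falling back to a getgrouplist() guess. The function names, the fallback value 59 for SO_PEERGROUPS and the socketpair() self-check are assumptions of this sketch.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_PEERGROUPS
#define SO_PEERGROUPS 59 /* assumption: asm-generic value (x86, ARM) */
#endif

/* Peer's complete supplementary group list as recorded by the kernel.
 * Returns the count and sets *out (caller frees), or -1 when the kernel
 * cannot supply it; no getgrouplist() guess is made in that case. */
static int peer_groups(int fd, gid_t **out)
{
    socklen_t len = 4 * sizeof(gid_t); /* small on purpose: exercises ERANGE */
    gid_t *buf = NULL, *tmp;
    *out = NULL;
    for (int tries = 0; tries < 4; tries++) {
        if ((tmp = realloc(buf, len ? len : 1)) == NULL)
            break;
        buf = tmp;
        if (getsockopt(fd, SOL_SOCKET, SO_PEERGROUPS, buf, &len) == 0) {
            *out = buf;
            return (int)(len / sizeof(gid_t));
        }
        if (errno != ERANGE) /* ERANGE: len now holds the required size */
            break;           /* anything else, e.g. ENOPROTOOPT: unknown */
    }
    free(buf);
    return -1;
}

/* Constructed check: both ends of a socketpair() carry this process's own
 * credentials. 1 = matches getgroups(), 0 = unsupported, -1 = mismatch. */
static int self_check(void)
{
    int sv[2], n, m, rc;
    gid_t *peer, mine[1024];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    n = peer_groups(sv[0], &peer);
    m = getgroups(1024, mine);
    rc = n < 0 ? 0 : (n == m && !memcmp(peer, mine, (size_t)n * sizeof(gid_t))) ? 1 : -1;
    free(peer);
    close(sv[0]); close(sv[1]);
    return rc;
}
int main(void) { return self_check() < 0; }
```

A caller that gets -1 from `peer_groups()` would omit the group field entirely, matching the semantics proposed above for platforms that only have SO_PEERCRED.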