Commit a76d5aed authored by Ivan Savin's avatar Ivan Savin

Added the ability to add user_of_subject to user_identities list

if user_of_subject is a member of a group with administrator rights
but that membership is not listed in /etc/group.

(I.e. the privileged group membership is provided through NSS.)
parent d05a1677
......@@ -2285,6 +2285,72 @@ get_users_in_net_group (PolkitIdentity *group,
return ret;
}
/*If the user is a member of the group with administrator rights
*but he is not in /etc/groups, then add him to the list.
*/
static void
addition_to_user_identities_user_of_subject (PolkitIdentity *user_of_subject,
GList *user_identities,
GList *unix_groups)
{
GList *l;
for (l = user_identities; l != NULL; l = l->next)
{
PolkitIdentity *identity = POLKIT_IDENTITY (l->data);
if (polkit_identity_equal(user_of_subject, identity))
{
/* user_of_subject is already in the list */
return;
}
}
/* Check if the user_of_subject is a member of groups with the required privileges. */
if (unix_groups == NULL)
{
return;
}
uid_t uid = polkit_unix_user_get_uid (POLKIT_UNIX_USER (user_of_subject));
struct passwd *passwd = getpwuid (uid);
if (passwd == NULL)
{
return;
}
gid_t gids[512];
int num_gids = 512;
if (getgrouplist (passwd->pw_name,
passwd->pw_gid,
gids,
&num_gids) >= 0)
{
gint n;
for (n = 0; n < num_gids; n++)
{
for (l = unix_groups; l != NULL; l = l->next)
{
PolkitIdentity *identity = POLKIT_IDENTITY (l->data);
if (POLKIT_IS_UNIX_GROUP (identity))
{
gid_t gid = polkit_unix_group_get_gid (POLKIT_UNIX_GROUP (identity));
if (gid == gids[n])
{
/* Add user_of_subject to the list */
user_identities = g_list_append (user_identities, g_object_ref (user_of_subject));
return;
}
}
} // for # 2
} // for # 1
} // getgrouplist
}
/* ---------------------------------------------------------------------------------------------------- */
static void
......@@ -2310,6 +2376,7 @@ authentication_agent_initiate_challenge (AuthenticationAgent *agent,
GList *user_identities = NULL;
GVariantBuilder identities_builder;
GVariant *parameters;
GList * unix_groups = NULL;
get_localized_data_for_challenge (authority,
caller,
......@@ -2367,6 +2434,7 @@ authentication_agent_initiate_challenge (AuthenticationAgent *agent,
}
else if (POLKIT_IS_UNIX_GROUP (identity))
{
unix_groups = g_list_append (unix_groups, g_object_ref (identity));
user_identities = g_list_concat (user_identities, get_users_in_group (identity, FALSE));
}
else if (POLKIT_IS_UNIX_NETGROUP (identity))
......@@ -2379,6 +2447,9 @@ authentication_agent_initiate_challenge (AuthenticationAgent *agent,
}
}
addition_to_user_identities_user_of_subject (user_of_subject, user_identities, unix_groups);
g_list_free_full (unix_groups, g_object_unref);
/* Fall back to uid 0 if no users are available (rhbz #834494) */
if (user_identities == NULL)
user_identities = g_list_prepend (NULL, polkit_unix_user_new (0));
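Review bot: The appended node is lost whenever user_identities is NULL on entry: addition_to_user_identities_user_of_subject takes the list by value and returns void, and the caller `addition_to_user_identities_user_of_subject (user_of_subject, user_identities, unix_groups);` discards the new head that g_list_append returns for an empty list, so in the case this commit targets (a privileged group whose members cannot be enumerated, leaving the list empty) the user is never added, the g_object_ref is leaked, and the uid 0 fallback right after still fires. Returning the list and assigning it in the caller closes that gap. A second gap is the fixed `gid_t gids[512]` buffer: getgrouplist returns -1 when the user belongs to more groups than fit, and the `>= 0` guard then silently skips the membership check instead of growing the buffer (glibc leaves the required count in num_gids). The rewrite below does both; the scan for an existing entry and the match test itself are unchanged apart from the early returns now yielding the list.

```c
static GList *
addition_to_user_identities_user_of_subject (PolkitIdentity *user_of_subject,
                                             GList          *user_identities,
                                             GList          *unix_groups)
{
  /* … unchanged: scan for an existing entry and the unix_groups == NULL guard,
   * each now `return user_identities;` instead of `return;` … */
  struct passwd *passwd = getpwuid (uid);
  if (passwd == NULL)
    return user_identities;

  /* getgrouplist() returns -1 when the buffer is too small; grow and retry
   * rather than silently skipping users with many supplementary groups. */
  int capacity = 64;
  int num_gids = capacity;
  gid_t *gids = g_new (gid_t, capacity);
  while (getgrouplist (passwd->pw_name, passwd->pw_gid, gids, &num_gids) < 0)
    {
      capacity = MAX (capacity * 2, num_gids);   /* glibc reports the needed size in num_gids */
      gids = g_renew (gid_t, gids, capacity);
      num_gids = capacity;
    }

  gboolean is_member = FALSE;
  for (gint n = 0; n < num_gids && !is_member; n++)
    for (l = unix_groups; l != NULL && !is_member; l = l->next)
      {
        PolkitIdentity *identity = POLKIT_IDENTITY (l->data);
        if (POLKIT_IS_UNIX_GROUP (identity) &&
            polkit_unix_group_get_gid (POLKIT_UNIX_GROUP (identity)) == gids[n])
          is_member = TRUE;
      }
  g_free (gids);

  if (is_member)
    user_identities = g_list_append (user_identities, g_object_ref (user_of_subject));
  return user_identities;
}

/* … in authentication_agent_initiate_challenge, replacing the discarded call … */
  user_identities = addition_to_user_identities_user_of_subject (user_of_subject, user_identities, unix_groups);
```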
......