morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 00:14:32 +09:00
Code Issues Packages Projects Releases Wiki Activity

machined: in --user mode, restrict register access to our own UID, and that's it

Browse Source 
This is a follow-up for 119d332d9c and
ensures the check only is applied to the system instance of machined. It
doesn't really apply to the per-user instance, because we never want to
permit differently privileged clients access anyway.

(The process_is_owned_by_uid() call might fail if invoked unpriv, hence
there's value in not calling it if machined runs in --user mode, it's
what makes machined actually work)
This commit is contained in:
Lennart Poettering
2025-11-26 11:16:46 +01:00
committed by Yu Watanabe
parent 81e79ee499
commit 722dc73699
1 changed files with 24 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/machine/machined-dbus.c
View File

@@ -270,12 +270,33 @@ static int machine_add_from_params(
return r;
/* Ensure an unprivileged user cannot claim any process they don't control as their own machine */
if (uid != 0) {
switch (manager->runtime_scope) {
case RUNTIME_SCOPE_SYSTEM:
/* In system mode root may register anything */
if (uid == 0)
break;
/* And non-root may only register things if they own the userns */
r = process_is_owned_by_uid(leader_pidref, uid);
if (r < 0)
return r;
if (r == 0)
return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Only root may register machines for other users");
if (r > 0)
break;
/* Nothing else may */
return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Only root may register machines for other users");
case RUNTIME_SCOPE_USER:
/* In user mode the user owning our instance may register anything. */
if (uid == getuid())
break;
/* Nothing else may */
return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Other users may not register machines with us, sorry.");
default:
assert_not_reached();
}
if (manager->runtime_scope != RUNTIME_SCOPE_USER) {