
auth: Optionally not send UID with external auth
Due to a mismatch between the UID inside a user namespace
and the out-of-band credential acquired by the server
in another user namespace, refrain from sending the UID
with external authentication by default;
to keep compatibility, still fall back to sending the UID
if that fails

godbus#345
😎Mostafa Emami committed Jan 2, 2023
1 parent a852926 commit 63020a7
Showing 2 changed files with 82 additions and 0 deletions.
82 changes: 82 additions & 0 deletions conn_test.go
@@ -1,13 +1,17 @@
package dbus

import (
"bufio"
"context"
"encoding/binary"
"fmt"
"io"
"io/ioutil"
"log"
"os"
"os/exec"
"sync"
"syscall"
"testing"
"time"
)
Expand Down Expand Up @@ -78,6 +82,21 @@ func TestConnectSystemBus(t *testing.T) {
}
}

func TestConnectToDifferentUserNamespace(t *testing.T) {
addr, process := startDaemonInDifferentUserNamespace(t)
defer func() { _ = process.Kill() }()
conn, err := Connect(addr)
if err != nil {
t.Fatal(err)
}
if err = conn.Close(); err != nil {
t.Fatal(err)
}
if conn.Connected() {
t.Fatal("Should be closed")
}
}

func TestSend(t *testing.T) {
bus, err := ConnectSessionBus()
if err != nil {
Expand Down Expand Up @@ -826,3 +845,66 @@ func TestTimeoutContextClosesConnection(t *testing.T) {
t.Errorf("expected connection to be closed, but got: %v", err)
}
}

// startDaemon starts a dbus-daemon instance
// and returns its address string and underlying process.
func startDaemonInDifferentUserNamespace(t *testing.T) (string, *os.Process) {
config := `<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<listen>unix:path=/tmp/test.socket</listen>
<auth>EXTERNAL</auth>
<apparmor mode="disabled"/>
<policy context='default'>
<allow send_destination='*' eavesdrop='true'/>
<allow eavesdrop='true'/>
<allow user='*'/>
</policy>
</busconfig>
`
cfg, err := ioutil.TempFile("", "")
if err != nil {
t.Fatal(err)
}
defer os.Remove(cfg.Name())
if _, err = cfg.Write([]byte(config)); err != nil {
t.Fatal(err)
}

cmd := exec.Command("dbus-daemon", "--nofork", "--print-address", "--config-file", cfg.Name())

cmd.SysProcAttr = &syscall.SysProcAttr{
Cloneflags: syscall.CLONE_NEWPID | syscall.CLONE_NEWUSER,
UidMappings: []syscall.SysProcIDMap{
{
ContainerID: 0,
HostID: os.Getuid(),
Size: 1,
},
},
GidMappings: []syscall.SysProcIDMap{
{
ContainerID: 0,
HostID: os.Getgid(),
Size: 1,
},
},
}

cmd.Stderr = os.Stderr
out, err := cmd.StdoutPipe()
if err != nil {
t.Fatal(err)
}
if err := cmd.Start(); err != nil {
t.Fatal(err)
}
r := bufio.NewReader(out)
l, _, err := r.ReadLine()
if err != nil {
_ = cmd.Process.Kill()
t.Fatal(err)
}
return string(l), cmd.Process
}
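Review bot: The daemon config at the top of startDaemonInDifferentUserNamespace listens on the fixed address `unix:path=/tmp/test.socket`, a predictable name in a shared, world-writable directory: parallel or repeated test runs collide on it, an entry left at that path by another local user makes the daemon fail to bind or the test connect to something that is not its daemon, and the socket file is never removed. Create a private directory per run and let the daemon choose the socket name, e.g. `dir, err := ioutil.TempDir("", "dbus-test")` registered with `t.Cleanup(func() { os.RemoveAll(dir) })` (available since Go 1.14; a deferred remove inside this helper would delete the socket before the test connects) and `<listen>unix:tmpdir=` + dir + `</listen>` in the config. The doc comment above the function names a different function; it should read `// startDaemonInDifferentUserNamespace starts a dbus-daemon in a new user and PID namespace and returns its address and process.`. The CLONE_NEWUSER setup only works on Linux with unprivileged user namespaces enabled, and a failing cmd.Start currently ends in t.Fatal, so consider t.Skip when the platform is not Linux or Start fails with a permission error.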
Empty file added test
Empty file.
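Review bot: The empty file `test` added here looks accidental and should be dropped from the commit, since nothing in conn_test.go references it. The commit message also describes a change to external authentication (not sending the UID by default, falling back to it on failure), but the two files in this commit contain only the new test and the empty file; verify that the corresponding conn.go or auth change was meant to be part of this commit or that it lands alongside it.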
