auth: Optionally not send UID with external auth
Due to a mismatch between the UID in one user namespace
and the out-of-band credential acquired by the server
in another user namespace, refrain from sending the UID
with external authentication by default.
To keep compatibility, still fall back to sending the UID
if that fails.

godbus#345
😎Mostafa Emami committed May 13, 2023
1 parent 6cc540d commit abf1de5
Showing 1 changed file with 97 additions and 0 deletions.
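--- a/conn_unix_test.go
+++ b/conn_unix_test.go
@@ -0,0 +1,97 @@
+//go:build !freebsd
+// +build !freebsd
+
+package dbus
+
+import (
+"bufio"
+"io/ioutil"
+"os"
+"os/exec"
+"syscall"
+"testing"gi
+)
+
+// tests whether AUTH EXTERNAL is successful connecting to
+// a server in a different user-namespace
+// if AUTH EXTERNAL sends the UID of the client
+// it will clash with out-of-band credentials derived by server
+// from underlying UDS and authentication will be rejected
+func TestConnectToDifferentUserNamespace(t *testing.T) {
+addr, process := startDaemonInDifferentUserNamespace(t)
+defer func() { _ = process.Kill() }()
+conn, err := Connect(addr)
+if err != nil {
+t.Fatal(err)
+}
+if err = conn.Close(); err != nil {
+t.Fatal(err)
+}
+if conn.Connected() {
+t.Fatal("Should be closed")
+}
+}
+
+
+// starts a dbus-daemon instance in a new user-namespace
+// and returns its address string and underlying process.
+func startDaemonInDifferentUserNamespace(t *testing.T) (string, *os.Process) {
+config := `<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+<listen>unix:path=/tmp/test.socket</listen>
+<auth>EXTERNAL</auth>
+<apparmor mode="disabled"/>
+<policy context='default'>
+<allow send_destination='*' eavesdrop='true'/>
+<allow eavesdrop='true'/>
+<allow user='*'/>
+</policy>
+</busconfig>
+`
+cfg, err := ioutil.TempFile("", "")
+if err != nil {
+t.Fatal(err)
+}
+defer os.Remove(cfg.Name())
+if _, err = cfg.Write([]byte(config)); err != nil {
+t.Fatal(err)
+}
+
+cmd := exec.Command("dbus-daemon", "--nofork", "--print-address", "--config-file", cfg.Name())
+
+cmd.SysProcAttr = &syscall.SysProcAttr{
+Cloneflags: syscall.CLONE_NEWPID | syscall.CLONE_NEWUSER,
+UidMappings: []syscall.SysProcIDMap{
+{
+ContainerID: 0,
+HostID: os.Getuid(),
+Size: 1,
+},
+},
+GidMappings: []syscall.SysProcIDMap{
+{
+ContainerID: 0,
+HostID: os.Getgid(),
+Size: 1,
+},
+},
+}
+
+cmd.Stderr = os.Stderr
+out, err := cmd.StdoutPipe()
+if err != nil {
+t.Fatal(err)
+}
+if err := cmd.Start(); err != nil {
+t.Fatal(err)
+}
+r := bufio.NewReader(out)
+l, _, err := r.ReadLine()
+if err != nil {
+_ = cmd.Process.Kill()
+t.Fatal(err)
+}
+return string(l), cmd.Process
+}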
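Review bot: The daemon in startDaemonInDifferentUserNamespace listens on the fixed path `unix:path=/tmp/test.socket`, a predictable name in a shared world-writable directory, so parallel test runs (or whatever another local user left at that path) collide and the socket file outlives the test because the process is only ever killed; a per-test directory avoids both, e.g. `sock := filepath.Join(t.TempDir(), "test.socket")` and building the `<listen>` line with `fmt.Sprintf("<listen>unix:path=%s</listen>", sock)`. The helper also never reaps the daemon: nothing calls `cmd.Wait()` after the `Kill()` in either function, so a zombie survives until the test binary exits, and `ioutil.TempFile` is deprecated in favour of `os.CreateTemp` if the module's Go version permits. Because dbus-daemon and unprivileged user namespaces may be absent on CI hosts, `exec.LookPath("dbus-daemon")` with `t.Skip` would turn an environment gap into a skip instead of a hard failure. The import line reads `"testing"gi` on this page, which would not compile; presumably a rendering artifact, but worth confirming against the actual commit.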
