Hello community, here is the log from the commit of package snapper for openSUSE:Factory checked in at 2014-08-03 15:36:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/snapper (Old) and /work/SRC/openSUSE:Factory/.snapper.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "snapper" Changes: -------- --- /work/SRC/openSUSE:Factory/snapper/snapper.changes 2014-07-28 06:31:08.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.snapper.new/snapper.changes 2014-08-03 15:36:33.000000000 +0200 @@ -1,0 +2,7 @@ +Thu Jul 31 15:38:16 CEST 2014 - aschn...@suse.de + +- also handle primary group of user when checking permissions + (see gh#openSUSE/snapper#100) +- show id of user if username cannot be detected + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ snapper-0.2.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snapper-0.2.3/client/misc.cc new/snapper-0.2.3/client/misc.cc --- old/snapper-0.2.3/client/misc.cc 2014-04-11 12:50:13.000000000 +0200 +++ new/snapper-0.2.3/client/misc.cc 2014-08-01 10:12:17.000000000 +0200 @@ -196,3 +196,16 @@ return configdata; } + + +string +username(uid_t uid) +{ + string username; + gid_t gid; + + if (!get_uid_username_gid(uid, username, gid)) + return sformat("unknown (%d)", uid); + + return username; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snapper-0.2.3/client/misc.h new/snapper-0.2.3/client/misc.h --- old/snapper-0.2.3/client/misc.h 2014-04-11 12:50:13.000000000 +0200 +++ new/snapper-0.2.3/client/misc.h 2014-08-01 10:12:17.000000000 +0200 @@ -47,3 +47,5 @@ map<string, string> read_configdata(const list<string>& l, const map<string, string>& old = map<string, string>()); +string +username(uid_t uid); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snapper-0.2.3/server/Client.cc new/snapper-0.2.3/server/Client.cc --- old/snapper-0.2.3/server/Client.cc 2014-06-23 09:25:37.000000000 +0200 +++ new/snapper-0.2.3/server/Client.cc 2014-08-01 09:54:24.000000000 +0200 
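Review bot: In the new client-side `username()` in client/misc.cc, the fallback `sformat("unknown (%d)", uid)` prints a `uid_t` with a signed conversion. Assuming `sformat` follows printf conventions, an id above INT_MAX would be shown as a negative number, which makes the displayed value useless for tracing who owns a snapshot. I would write `return sformat("unknown (%u)", (unsigned int) uid);` so the id matches what the system reports.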
@@ -382,12 +382,33 @@ const MetaSnapper& meta_snapper) const { unsigned long uid = conn.get_unix_userid(msg); + + // Check if the uid of the dbus-user is root. if (uid == 0) return; - if (find(meta_snapper.uids.begin(), meta_snapper.uids.end(), uid) != meta_snapper.uids.end()) + // Check if the uid of the dbus-user is included in the allowed uids. + if (contains(meta_snapper.uids, uid)) return; + string username; + gid_t gid; + + if (get_uid_username_gid(uid, username, gid)) + { + // Check if the primary gid of the dbus-user is included in the allowed gids. + if (contains(meta_snapper.gids, gid)) + return; + + vector<gid_t> gids = getgrouplist(username.c_str(), gid); + + // Check if any (primary or secondary) gid of the dbus-user is included in the allowed + // gids. + for (vector<gid_t>::const_iterator it = gids.begin(); it != gids.end(); ++it) + if (contains(meta_snapper.gids, *it)) + return; + } + throw Permissions(); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snapper-0.2.3/server/MetaSnapper.cc new/snapper-0.2.3/server/MetaSnapper.cc --- old/snapper-0.2.3/server/MetaSnapper.cc 2014-01-29 16:48:30.000000000 +0100 +++ new/snapper-0.2.3/server/MetaSnapper.cc 2014-08-01 09:54:24.000000000 +0200 
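Review bot: The group branch added to this permission check in server/Client.cc decides access from what the passwd and group databases report for the uid's user name, not from the group credentials of the calling process, and the code does not say so. I would state that above the `get_uid_username_gid` call, for example `// Group membership is looked up by user name at request time; the caller's process groups are not consulted.`, and add `// Unknown uid: no group can match, fall through to the denial below.` so the fail-closed path is clearly intentional. The separate primary-gid test looks redundant if the wrapper's list already contains `gid`, but it does keep the primary group working should the list come back short, so it deserves a comment rather than removal. The function's signature starts above the hunk.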
@@ -147,19 +147,24 @@ } } + sort(uids.begin(), uids.end()); + uids.erase(unique(uids.begin(), uids.end()), uids.end()); + + gids.clear(); + vector<string> groups; if (config_info.getValue(KEY_ALLOW_GROUPS, groups)) { for (vector<string>::const_iterator it = groups.begin(); it != groups.end(); ++it) { - vector<uid_t> tmp; - if (get_group_uids(it->c_str(), tmp)) - uids.insert(uids.end(), tmp.begin(), tmp.end()); + gid_t tmp; + if (get_group_gid(it->c_str(), tmp)) + gids.push_back(tmp); } } - sort(uids.begin(), uids.end()); - uids.erase(unique(uids.begin(), uids.end()), uids.end()); + sort(gids.begin(), gids.end()); + gids.erase(unique(gids.begin(), gids.end()), gids.end()); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snapper-0.2.3/server/MetaSnapper.h new/snapper-0.2.3/server/MetaSnapper.h --- old/snapper-0.2.3/server/MetaSnapper.h 2014-01-29 16:48:30.000000000 +0100 +++ new/snapper-0.2.3/server/MetaSnapper.h 2014-08-01 09:54:24.000000000 +0200 @@ -95,6 +95,7 @@ void setConfigInfo(const map<string, string>& raw); vector<uid_t> uids; + vector<gid_t> gids; Snapper* getSnapper(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snapper-0.2.3/snapper/AppUtil.cc new/snapper-0.2.3/snapper/AppUtil.cc --- old/snapper-0.2.3/snapper/AppUtil.cc 2014-06-04 12:23:25.000000000 +0200 +++ new/snapper-0.2.3/snapper/AppUtil.cc 2014-08-01 10:12:17.000000000 +0200 @@ -262,8 +262,8 @@ } - string - username(uid_t uid) + bool + get_uid_username_gid(uid_t uid, string& username, gid_t& gid) { struct passwd pwd; struct passwd* result; @@ -272,11 +272,14 @@ char buf[bufsize]; if (getpwuid_r(uid, &pwd, buf, bufsize, &result) != 0 || result != &pwd) - return "unknown"; + return false; memset(pwd.pw_passwd, 0, strlen(pwd.pw_passwd)); - return pwd.pw_name; + username = pwd.pw_name; + gid = pwd.pw_gid; + + return true; } 
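Review bot: In the ALLOW_GROUPS loop of server/MetaSnapper.cc, a group name that `get_group_gid` cannot resolve is skipped with nothing recorded at this call site, and the names that do resolve are turned into numeric gids once, when the config is set. Whether `get_group_gid` itself logs the failure is not visible on the new side of this commit, so an administrator may not learn that a misspelled group grants nothing. Because only the number is kept, a group deleted and recreated later, or a gid reused by a different group, would not be noticed until the config is loaded again. I would add a comment such as `// gids are resolved once here; later changes to the group database need a config reload` and log the skipped name. The enclosing function begins above the hunk.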
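Review bot: `char buf[bufsize]` at the top of the second snapper/AppUtil.cc hunk is a variable-length array whose size is computed between the two hunks. If it comes straight from `sysconf()`, as in the removed `get_group_gid` shown further down, a return of -1 would give the array an invalid size before `getpwuid_r` is even called. A guard such as `if (bufsize <= 0) bufsize = 16384;` before the declaration, or a `vector<char>` buffer, avoids that. The new contract also deserves a comment, for example `// On failure returns false and leaves username and gid untouched.`, since both callers in this commit pass an uninitialised `gid_t`.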
@@ -304,7 +307,7 @@ bool - get_group_uids(const char* groupname, vector<uid_t>& uids) + get_group_gid(const char* groupname, gid_t& gid) { struct group grp; struct group* result; @@ -320,39 +323,30 @@ memset(grp.gr_passwd, 0, strlen(grp.gr_passwd)); - uids.clear(); - - for (char** p = grp.gr_mem; *p != NULL; ++p) - { - uid_t uid; - if (get_user_uid(*p, uid)) - uids.push_back(uid); - } + gid = grp.gr_gid; return true; } - bool - get_group_gid(const char* groupname, gid_t& gid) + vector<gid_t> + getgrouplist(const char* username, gid_t gid) { - struct group grp; - struct group* result; - - long bufsize = sysconf(_SC_GETGR_R_SIZE_MAX); - char buf[bufsize]; + int n = 16; + gid_t* buf = (gid_t*) malloc(sizeof(gid_t) * n); - if (getgrnam_r(groupname, &grp, buf, bufsize, &result) != 0 || result != &grp) + if (::getgrouplist(username, gid, buf, &n) == -1) { - y2war("couldn't find groupname '" << groupname << "'"); - return false; + buf = (gid_t*) realloc(buf, sizeof(gid_t) * n); + ::getgrouplist(username, gid, buf, &n); } - memset(grp.gr_passwd, 0, strlen(grp.gr_passwd)); + vector<gid_t> gids(&buf[0], &buf[n]); + sort(gids.begin(), gids.end()); - gid = grp.gr_gid; + free(buf); - return true; + return gids; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/snapper-0.2.3/snapper/AppUtil.h new/snapper-0.2.3/snapper/AppUtil.h --- old/snapper-0.2.3/snapper/AppUtil.h 2014-06-04 12:23:25.000000000 +0200 +++ new/snapper-0.2.3/snapper/AppUtil.h 2014-08-01 10:12:17.000000000 +0200 
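Review bot: The new `getgrouplist` wrapper in snapper/AppUtil.cc ignores the result of its second `::getgrouplist` call and then builds the vector from `&buf[0]` to `&buf[n]`. If the user's group count grows between the two calls, `n` is raised again while `buf` still has the old size, so the constructor reads past the allocation and those stray values end up in the list that the permission check compares against the allowed gids. The `malloc` and `realloc` results are also used unchecked, and `buf` leaks if the vector constructor throws. Letting a `vector<gid_t>` own the buffer and retrying until the call succeeds removes all three problems, and returning an empty list on any other failure keeps the check fail-closed.

```cpp
    vector<gid_t>
    getgrouplist(const char* username, gid_t gid)
    {
        int n = 16;
        vector<gid_t> gids(n);

        // A too-small buffer makes ::getgrouplist() return -1 and store the required
        // count in n, so grow and retry until a call succeeds.
        while (::getgrouplist(username, gid, &gids[0], &n) == -1)
        {
            // Not a size problem: report no groups rather than unverified data.
            if (n <= (int) gids.size())
                return vector<gid_t>();

            gids.resize(n);
        }

        gids.resize(n);
        sort(gids.begin(), gids.end());

        return gids;
    }
```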
@@ -85,11 +85,10 @@ string datetime(time_t time, bool utc, bool classic); time_t scan_datetime(const string& str, bool utc); - string username(uid_t uid); - + bool get_uid_username_gid(uid_t uid, string& username, gid_t& gid); bool get_user_uid(const char* username, uid_t& uid); bool get_group_gid(const char* groupname, gid_t& gid); - bool get_group_uids(const char* groupname, vector<uid_t>& uids); + vector<gid_t> getgrouplist(const char* username, gid_t gid); class StopWatch -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
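Review bot: The declaration `vector<gid_t> getgrouplist(const char* username, gid_t gid);` added to snapper/AppUtil.h reuses the name of the libc function it wraps and has no comment. At a call site a reader cannot tell which of the two is meant, or what is returned when the lookup fails. A distinct name would be clearer, and at minimum I would add `// Wraps ::getgrouplist(): returns the sorted gids of all groups of username, including gid.` above it. `get_uid_username_gid` would benefit from a similar one-line note on what happens to its out-parameters when it returns false.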