Diffstat (limited to 'src')
-rw-r--r--src/conn-tools/s6-ipcserver-access.c7
-rw-r--r--src/libs6/s6_accessrules_keycheck_uidgid.c22
2 files changed, 20 insertions, 9 deletions
diff --git a/src/conn-tools/s6-ipcserver-access.c b/src/conn-tools/s6-ipcserver-access.c
index 21171fd..97f3204 100644
--- a/src/conn-tools/s6-ipcserver-access.c
+++ b/src/conn-tools/s6-ipcserver-access.c
@@ -14,7 +14,7 @@
#include <execline/config.h>
#include <s6/accessrules.h>
-#define USAGE "s6-ipcserver-access [ -v verbosity ] [ -e | -E ] [ -l localname ] [ -I ] [ -i rulesdir | -x rulesfile ] prog..."
+#define USAGE "s6-ipcserver-access [ -v verbosity ] [ -e | -E ] [ -l localname ] [ -i rulesdir | -x rulesfile ] prog..."
static unsigned int verbosity = 1 ;
@@ -118,14 +118,13 @@ int main (int argc, char const *const *argv, char const *const *envp)
uid_t uid = 0 ;
gid_t gid = 0 ;
unsigned int rulestype = 0 ;
- int identity = 0 ;
int doenv = 1 ;
PROG = "s6-ipcserver-access" ;
{
subgetopt_t l = SUBGETOPT_ZERO ;
for (;;)
{
- int opt = subgetopt_r(argc, argv, "v:Eel:Ii:x:", &l) ;
+ int opt = subgetopt_r(argc, argv, "v:Eel:i:x:", &l) ;
if (opt == -1) break ;
switch (opt)
{
@@ -133,7 +132,6 @@ int main (int argc, char const *const *argv, char const *const *envp)
case 'E' : doenv = 0 ; break ;
case 'e' : doenv = 1 ; break ;
case 'l' : localname = l.arg ; break ;
- case 'I' : identity = 1 ; break ;
case 'i' : rules = l.arg ; rulestype = 1 ; break ;
case 'x' : rules = l.arg ; rulestype = 2 ; break ;
default : dieusage() ;
@@ -162,7 +160,6 @@ int main (int argc, char const *const *argv, char const *const *envp)
if (!gid0_scan(x, &gid)) strerr_dieinvalid(100, tmp) ;
}
- if (identity && uid == geteuid() && gid == getegid()) goto accepted ;
if (check(&params, rules, rulestype, uid, gid)) goto accepted ;
if (verbosity >= 2) log_deny(getpid(), uid, gid) ;
diff --git a/src/libs6/s6_accessrules_keycheck_uidgid.c b/src/libs6/s6_accessrules_keycheck_uidgid.c
index 61a6229..573382c 100644
--- a/src/libs6/s6_accessrules_keycheck_uidgid.c
+++ b/src/libs6/s6_accessrules_keycheck_uidgid.c
@@ -1,16 +1,30 @@
/* ISC license. */
+#include <unistd.h>
+
#include <skalibs/uint64.h>
#include <skalibs/types.h>
#include <s6/accessrules.h>
s6_accessrules_result_t s6_accessrules_keycheck_uidgid (void const *key, void *data, s6_accessrules_params_t *params, s6_accessrules_backend_func_t_ref check1)
{
+ uidgid_t const *uidgid = key ;
char fmt[4 + UINT64_FMT] = "uid/" ;
- s6_accessrules_result_t r = (*check1)(fmt, 4 + uid_fmt(fmt+4, ((uidgid_t const *)key)->left), data, params) ;
+ s6_accessrules_result_t r ;
+ if (uidgid->left == geteuid())
+ {
+ r = (*check1)("uid/self", 8, data, params) ;
+ if (r != S6_ACCESSRULES_NOTFOUND) return r ;
+ }
+ r = (*check1)(fmt, 4 + uid_fmt(fmt+4, uidgid->left), data, params) ;
if (r != S6_ACCESSRULES_NOTFOUND) return r ;
+ if (uidgid->right == getegid())
+ {
+ r = (*check1)("gid/self", 8, data, params) ;
+ if (r != S6_ACCESSRULES_NOTFOUND) return r ;
+ }
fmt[0] = 'g' ;
- r = (*check1)(fmt, 4 + gid_fmt(fmt+4, ((uidgid_t const *)key)->right), data, params) ;
- return (r != S6_ACCESSRULES_NOTFOUND) ? r :
- (*check1)("uid/default", 11, data, params) ;
+ r = (*check1)(fmt, 4 + gid_fmt(fmt+4, uidgid->right), data, params) ;
+ if (r != S6_ACCESSRULES_NOTFOUND) return r ;
+ return (*check1)("uid/default", 11, data, params) ;
}
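Review bot: The lookup order the new code establishes — `uid/self`, then `uid/<n>`, then `gid/self`, then `gid/<n>`, then `uid/default` — is not stated anywhere in the function, and rule authors need it: the `uid/self` probe at lines 68-72 runs before the numeric `uid/<n>` probe, so an explicit allow or deny keyed on the server's own numeric uid can never override a `uid/self` entry, and the same holds for `gid/self` over `gid/<n>`. I would put a header comment above the function: `/* Lookup order: uid/self (client uid == geteuid()), uid/<n>, gid/self (client gid == getegid()), gid/<n>, uid/default; the first key whose result is not NOTFOUND decides. */`. That comment should also say that "self" is compared against the effective ids of the calling process at the time of each call, and that `uid/self` matches on uid alone — unlike the removed `-I` shortcut in s6-ipcserver-access.c, which required both uid and gid to match — so a `uid/self` allow now admits a same-uid client whatever its gid, which I take to be intended but is worth making explicit.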