Homed update policy: user changing own settings #31153
I mapped out all the ways
Part of what we discussed with @poettering is changing
So all this said, what is the practical conclusion?
btw, i'd split PRs up a lot more aggressively. If they can stand on their own reasonably I think single-commit PRs are great, too, even. Everything you already got in will make the remainder smaller, and the rebase mess will be reduced.
src/basic/hashmap.c
/* Reuse the array. */
FOREACH_ARRAY(e, entries, n)
        *e = (void*) (*e)->key;
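Review bot: the in-place reuse on the last line stores `(*e)->key` into `entries`, so the array's element type silently changes from entry pointers to key pointers; the `(void*)` cast hides that, and any later reader of `entries` gets keys where it expects entries. Suggest collecting the keys into a separately allocated array and leaving `entries` untouched.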
I think I already reviewed this in another PR: the reuse of the array with a specific but different type is not OK.
This MR is stacked on top of #30840
Is there something specific I'm supposed to do so that you don't accidentally review the same things twice over?
conceptually still looks good to me, added some more review points, but the most important thing is that the list of editable fields should be itself a field on the record, as discussed.
Allows the system administrator to configure what fields the user is allowed to edit about themself, along with hard-coded defaults.
This allows an unprivileged user that is active at the console to change the fields that are in the selfModifiable allowlists (introduced in a previous commit) without authenticating as a system administrator. Administrators can disable this behavior per-user by setting the relevant selfModifiable allowlists, or system-wide by changing the policy of the org.freedesktop.home1.update-home-by-owner Polkit action.
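The decision the commit message describes, as an added illustration in C that is not systemd's code: a record update is only checked against the relaxed owner action when every field that differs between the stored and the submitted record is on the self-modifiable allowlist. The flat key/value record shape, the sample field names and the non-relaxed action name `org.freedesktop.home1.update-home` are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Added illustration, not systemd code: an update relaxes to the owner Polkit
 * action only when every field that differs between the stored and the submitted
 * record is on the self-modifiable allowlist. Record shape and values are constructed. */
typedef struct Field { const char *key; const char *value; } Field;
/* Constructed allowlist, in the `const char *const[]` form proposed in review. */
static const char *const self_modifiable_fields[] = {
        "realName", "emailAddress", "location", "shell", NULL,
};

static bool field_allowed(const char *key, const char *const *allow) {
        for (size_t i = 0; allow[i]; i++)
                if (strcmp(allow[i], key) == 0) return true;
        return false;
}

static const char *lookup(const Field *rec, size_t n, const char *key) {
        for (size_t i = 0; i < n; i++)
                if (strcmp(rec[i].key, key) == 0) return rec[i].value;
        return NULL; /* field absent */
}

/* True only if every added, altered or removed field is allowlisted. */
bool record_change_is_safe(const Field *cur, size_t n_cur, const Field *upd, size_t n_upd,
                           const char *const *allow) {
        for (size_t i = 0; i < n_upd; i++) {                 /* added or altered */
                const char *o = lookup(cur, n_cur, upd[i].key);
                if ((!o || strcmp(o, upd[i].value) != 0) && !field_allowed(upd[i].key, allow))
                        return false;
        }
        for (size_t i = 0; i < n_cur; i++)                   /* removed */
                if (!lookup(upd, n_upd, cur[i].key) && !field_allowed(cur[i].key, allow))
                        return false;
        return true;
}

/* Polkit action the caller is checked against; the non-relaxed action name is assumed. */
const char *choose_polkit_action(bool safe, bool client_is_owner) {
        return safe && client_is_owner ? "org.freedesktop.home1.update-home-by-owner"
                                       : "org.freedesktop.home1.update-home";
}
/* Constructed sample: the owner edits only realName (safe) or also uid (not safe). */
static const Field stored[]   = { {"userName","alice"}, {"uid","1000"}, {"realName","Alice"} };
static const Field edit_ok[]  = { {"userName","alice"}, {"uid","1000"}, {"realName","Alice B."} };
static const Field edit_bad[] = { {"userName","alice"}, {"uid","0"},    {"realName","Alice B."} };
bool example_owner_edit_is_safe(void) { return record_change_is_safe(stored, 3, edit_ok, 3, self_modifiable_fields); }
bool example_uid_edit_is_safe(void)   { return record_change_is_safe(stored, 3, edit_bad, 3, self_modifiable_fields); }
```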
Important: An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.
is allowed to edit.

`selfModifiablePrivileged` → Similar to `selfMoidifiableFields`, but it lists fields in
the `privileged` section that the user is allowed to edit.
why keep this separate from "regular" and "perMachine"? i mean, we'd be really stupid if we'd introduce fields in one section that would exist (or if existence then with different meaning) in the other. Hence I think it should be fine to throw them in the same bin here and keep one list of json fields.
Moidfiable → Modifiable (here and above)
 * user to give themselves some unfair advantage over other users on
 * a given system.
 */
static const char *safe_fields[] = {
static const char *const safe_fields[] = {
}

const char **user_record_self_modifiable_blobs(UserRecord *h) {
        static const char *safe_blobs[] = {
as above
@@ -431,6 +435,10 @@ uint64_t user_record_capability_bounding_set(UserRecord *h);
uint64_t user_record_capability_ambient_set(UserRecord *h);
int user_record_languages(UserRecord *h, char ***ret);

const char **user_record_self_modifiable_fields(UserRecord *h);
const char **user_record_self_modifiable_blobs(UserRecord *h);
const char **user_record_self_modifiable_privileged(UserRecord *h);
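Review bot: if `safe_fields` and `safe_blobs` become `const char *const[]` as suggested above, these three prototypes returning `const char **` no longer match the tables without a cast that drops the constness; suggest changing the return type to `const char *const *` and adjusting the callers accordingly.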
please output them in the calls in user-record-show.c
@@ -423,7 +423,7 @@ int bus_home_update_record(
                Hashmap *blobs,
                uint64_t flags,
                sd_bus_error *error) {
        int r;
        int r, safe;
maybe rename "safe" → "relax_access"?
                log_warning_errno(safe, "Failed to determine if changes to user record are safe, assuming not: %m");
                safe = false;
        } else if (safe) {
                safe = bus_home_client_is_trusted(h, message);
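Review bot: `safe` carries a negative errno on the error path (`log_warning_errno(safe, ...)`) and then a boolean after `safe = false` and `safe = bus_home_client_is_trusted(h, message)`, so one variable holds two different meanings; suggest keeping the errno in `r` and using a separate `bool` (e.g. `relax_access`, as proposed above) for the decision, which also makes the `else if (safe)` branch read as a policy choice rather than an error check.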
this of course is slightly skewed here. Because if the client is root this will cause us to use the org.freedesktop.home1.update-home-by-owner PK action, which is of course strictly speaking weird because root is not really the "owner" of such accounts...
hence, either fix this (i.e. add a "bool strict" param to bus_home_client_is_trusted() or so? or at least add a comment explaining why the sloppiness here doesn't matter too much
looks good, just some minor things
Rework of #30109 to deal with changes in #30840 and discussed changes to behavior
Depends on and includes #30840