277/376: nix-daemon: Get peer credentials on Mac OS X
From: |
Ludovic Courtès |
Subject: |
277/376: nix-daemon: Get peer credentials on Mac OS X |
Date: |
Wed, 28 Jan 2015 22:05:36 +0000 |
civodul pushed a commit to tag 1.8
in repository guix.
commit 526811c87a53009686b35f323b43022d0de50cc2
Author: Eelco Dolstra <address@hidden>
Date: Fri Oct 31 10:08:59 2014 +0100
nix-daemon: Get peer credentials on Mac OS X
This makes allowed-users and trusted-users work on Mac OS X.
---
src/nix-daemon/nix-daemon.cc | 71 ++++++++++++++++++++++++++++++-----------
1 files changed, 52 insertions(+), 19 deletions(-)
diff --git a/src/nix-daemon/nix-daemon.cc b/src/nix-daemon/nix-daemon.cc
index 09064fd..d973e57 100644
--- a/src/nix-daemon/nix-daemon.cc
+++ b/src/nix-daemon/nix-daemon.cc
@@ -22,6 +22,10 @@
#include <pwd.h>
#include <grp.h>
+#if __APPLE__ || __FreeBSD__
+#include <sys/ucred.h>
+#endif
+
using namespace nix;
@@ -649,6 +653,44 @@ bool matchUser(const string & user, const string & group,
const Strings & users)
}
+struct PeerInfo
+{
+ bool pidKnown;
+ pid_t pid;
+ bool uidKnown;
+ uid_t uid;
+ bool gidKnown;
+ gid_t gid;
+};
+
+
+/* Get the identity of the caller, if possible. */
+static PeerInfo getPeerInfo(int remote)
+{
+ PeerInfo peer = { false, 0, false, 0, false, 0 };
+
+#if defined(SO_PEERCRED)
+
+ ucred cred;
+ socklen_t credLen = sizeof(cred);
+ if (getsockopt(remote, SOL_SOCKET, SO_PEERCRED, &cred, &credLen) == -1)
+ throw SysError("getting peer credentials");
+ peer = { true, cred.pid, true, cred.uid, true, cred.gid };
+
+#elif defined(LOCAL_PEERCRED)
+
+ xucred cred;
+ socklen_t credLen = sizeof(cred);
+ if (getsockopt(remote, SOL_LOCAL, LOCAL_PEERCRED, &cred, &credLen) == -1)
+ throw SysError("getting peer credentials");
+ peer = { false, 0, true, cred.cr_uid, false, 0 };
+
+#endif
+
+ return peer;
+}
+
+
#define SD_LISTEN_FDS_START 3
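Review bot: The `LOCAL_PEERCRED` branch of getPeerInfo copies `cred.cr_uid` into `peer` without checking that the kernel filled in the `xucred` layout the code expects. That uid later drives the trusted-users and allowed-users decision, so the branch should fail closed on a mismatch, for example `if (cred.cr_version != XUCRED_VERSION) throw Error("unexpected peer credential version");` placed before the assignment to `peer`. When neither option is defined the function silently returns an all-unknown `PeerInfo`. A comment on the struct such as `/* pid/uid/gid hold 0 when the matching *Known flag is false; callers must test the flag before using the value. */` would make that contract explicit. This branch also reports the gid as unknown, so any group-based matching presumably cannot succeed on these platforms; the comment on getPeerInfo could say so.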
@@ -735,22 +777,13 @@ static void daemonLoop(char * * argv)
closeOnExec(remote);
bool trusted = false;
- pid_t clientPid = -1;
-
-#if defined(SO_PEERCRED)
- /* Get the identity of the caller, if possible. */
- ucred cred;
- socklen_t credLen = sizeof(cred);
- if (getsockopt(remote, SOL_SOCKET, SO_PEERCRED, &cred, &credLen)
== -1)
- throw SysError("getting peer credentials");
+ PeerInfo peer = getPeerInfo(remote);
- clientPid = cred.pid;
+ struct passwd * pw = peer.uidKnown ? getpwuid(peer.uid) : 0;
+ string user = pw ? pw->pw_name : int2String(peer.uid);
- struct passwd * pw = getpwuid(cred.uid);
- string user = pw ? pw->pw_name : int2String(cred.uid);
-
- struct group * gr = getgrgid(cred.gid);
- string group = gr ? gr->gr_name : int2String(cred.gid);
+ struct group * gr = peer.gidKnown ? getgrgid(peer.gid) : 0;
+ string group = gr ? gr->gr_name : int2String(peer.gid);
Strings trustedUsers = settings.get("trusted-users",
Strings({"root"}));
Strings allowedUsers = settings.get("allowed-users",
Strings({"*"}));
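Review bot: When `peer.uidKnown` or `peer.gidKnown` is false, `user` and `group` fall back to `int2String(peer.uid)` and `int2String(peer.gid)`, which is the string "0", and those strings are what `matchUser` receives later in daemonLoop (the allowed-users call is visible in the next hunk). The access decision for an unidentified peer then depends on how the name "0" compares against the configured lists rather than on an explicit policy. An unambiguous placeholder is safer, e.g. `string user = pw ? pw->pw_name : peer.uidKnown ? int2String(peer.uid) : "<unknown>";` and likewise for `group`, or branch on `!peer.uidKnown` before matching and reject unless the list is the wildcard. The commit's own log line already uses "<unknown>" for this case, so the matching path should agree with it. daemonLoop begins and ends outside this hunk, so how `trusted` is computed from these strings cannot be seen here.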
@@ -761,9 +794,9 @@ static void daemonLoop(char * * argv)
if (!trusted && !matchUser(user, group, allowedUsers))
throw Error(format("user ‘%1%’ is not allowed to connect to
the Nix daemon") % user);
- printMsg(lvlInfo, format((string) "accepted connection from pid
%1%, user %2%"
- + (trusted ? " (trusted)" : "")) % clientPid % user);
-#endif
+ printMsg(lvlInfo, format((string) "accepted connection from pid
%1%, user %2%" + (trusted ? " (trusted)" : ""))
+ % (peer.pidKnown ? int2String(peer.pid) : "<unknown>")
+ % (peer.uidKnown ? user : "<unknown>"));
/* Fork a child to handle the connection. */
startProcess([&]() {
@@ -777,8 +810,8 @@ static void daemonLoop(char * * argv)
setSigChldAction(false);
/* For debugging, stuff the pid into argv[1]. */
- if (clientPid != -1 && argv[1]) {
- string processName = int2String(clientPid);
+ if (peer.pidKnown && argv[1]) {
+ string processName = int2String(peer.pid);
strncpy(argv[1], processName.c_str(), strlen(argv[1]));
}