Commit Graph

44 Commits

Author SHA1 Message Date
Philip Withnall
4f7c6e1ec8 gdbusauthmechanismsha1: Don’t create keyring dir when running as setuid
Continue to allow overriding the keyring dir, but don’t automatically
create it when running as root.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Coverity CID: #1432485
2020-11-02 12:23:50 +00:00
Simon McVittie
92183fb703 gdbusauthmechanismsha1: Use the same timeouts as libdbus
For interoperability with libdbus, we want to use compatible timeouts.
In particular, this fixes a spurious failure of the `gdbus-server-auth`
test caused by libdbus and gdbus choosing to expire the key (cookie) at
different times, as diagnosed by Thiago Macieira. Previously, the libdbus
client would decline to use keys older than 7 minutes, but the GDBus
server would not generate a new key until the old key was 10 minutes old.

For completeness, also adjust the other arbitrary timeouts in the
DBUS_COOKIE_SHA1 mechanism to be the same as in libdbus. To make it
easier to align with libdbus, create internal macros with the same names
and values used in dbus-keyring.c.

* maximum time a key can be in the future due to clock skew between
  systems sharing a home directory
  - spec says "a reasonable time in the future"
  - was 1 day
  - now 5 minutes
  - MAX_TIME_TRAVEL_SECONDS

* time to generate a new key if the newest is older
  - spec says "If no recent keys remain, the server may generate a new
    key", but that isn't practical, because in reality we need a grace
    period during which an old key will not be used for new authentication
    attempts but old authentication attempts can continue (in practice both
    libdbus and GDBus implemented this logic)
  - was 10 minutes
  - now 5 minutes
  - NEW_KEY_TIMEOUT_SECONDS

* time to discard old keys
  - spec says "the timeout can be fairly short"
  - was 15 minutes
  - now 7 minutes
  - EXPIRE_KEYS_TIMEOUT_SECONDS

* time allowed for a client using an old key to authenticate, before
  that key gets deleted
  - was at least 5 minutes
  - now at least 2 minutes
  - at least (EXPIRE_KEYS_TIMEOUT_SECONDS - NEW_KEY_TIMEOUT_SECONDS)

Based on a merge request by Philip Withnall.

Fixes: #2164
Thanks: Philip Withnall
Thanks: Thiago Macieira
Signed-off-by: Simon McVittie <smcv@collabora.com>
2020-09-07 11:29:06 +01:00
Philip Withnall
3b6460b94c glib: Use g_file_set_contents_full() throughout GLib and GIO
Where applicable. Where the current use of `g_file_set_contents()` seems
the most appropriate, leave that in place.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1302
2020-07-26 21:37:46 +01:00
Philip Withnall
662771464a gdbusauthmechanismsha1: Reduce syscalls from ensure_keyring_directory()
There’s no need to call `access()` and then `stat()` on the keyring
directory to check that it exists, is a directory, and has the right
permissions. Just call `stat()`.

This eliminates one potential TOCTTOU race in this code.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1954
2020-05-05 16:07:32 +01:00
Philip Withnall
ed81cbc9b5 gdbusauthmechanismsha1: Fix race in keyring_acquire_lock()
There was a time-of-check-to-time-of-use (TOCTTOU) race in the keyring
lock code, where it would check the existence of the lock file using
`access()`, then proceed to call `open(O_CREAT | O_EXCL)` to try and
create the lock file once `access()` showed that it didn’t exist.

The problem is that, because this is happening in a shared directory
(`~/.dbus-keyrings`), another process could quite legitimately create
the lock file in the meantime.

Instead, unconditionally call `open()` and ignore errors from it (which
will be returned if the lock file already exists) until it succeeds (or
the code times out).

This eliminates the TOCTTOU race, and simplifies the timeout behaviour
so there aren’t two loops (check for existence, try to create)
happening. It brings this code in line with what dbus.git does (see
`_dbus_keyring_lock()`).

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Fixes: #1954
2020-05-05 16:07:32 +01:00
Philip Withnall
d6bab03150 gdbusauthmechanismsha1: Fix keyring lock file permissions
Why should it have the sticky bit set? dbus.git sets permissions 0600;
so should GLib.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2020-05-05 16:07:32 +01:00
Philip Withnall
f4dc46db45 gdbusauthmechanismsha1: Fix return type in precondition guards
Signed-off-by: Philip Withnall <withnall@endlessm.com>
2020-05-05 16:07:32 +01:00
Philip Withnall
9df8d76c97 gdbusauthmechanismsha1: Create .dbus-keyrings directory recursively
If the directory is overridden, for example when running tests, the
parent directory of `.dbus-keyrings` (i.e. the fake `$HOME` directory)
might not exist. Create it automatically.

This should realistically not have an effect on non-test code.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1912
2019-10-28 20:17:07 +00:00
Philip Withnall
ef3eec8a28 gdbusauthmechanismsha1: Remove unnecessary g_warning() calls
These can be hit in the tests (if multiple tests run in parallel are
racing for `~/.dbus-keyrings/org_gtk_gdbus_general.lock` for a prolonged
period) and will cause spurious test failures due to the use of
`G_DEBUG=fatal-warnings`.

Instead, allow the error messages to be inspected programmatically.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1912
2019-10-28 20:17:07 +00:00
Philip Withnall
92e059280f glib: Don’t use time(NULL) to get current time
Use either g_get_real_time() or g_date_time_new_now_local(). This means
we don’t need to worry about time_t being 32b in future (the year 2038
problem), and it makes the need for error handling a bit more explicit.
Improve the error handling in several cases.

Based on a patch by Niels De Graef
(https://gitlab.gnome.org/GNOME/glib/merge_requests/142).

Signed-off-by: Philip Withnall <withnall@endlessm.com>

https://gitlab.gnome.org/GNOME/glib/issues/1402
2018-07-09 13:28:02 +02:00
Gaurav
593eeff55e Fix a warning reported by static analyser tool:
Assignment of a signed value which has type 'time_t' to a variable of a bigger integer type 'guint64'
2018-05-31 08:25:31 +00:00
Christoph Reiter
97c28f7fe1 ci: fix warnings and enable --werror for the mingw build
Fix various warnings regarding unused variables, duplicated
branches etc by adjusting the ifdeffery and some missing casts.

gnulib triggers -Wduplicated-branches in one of the copied files,
disable as that just makes updating the code harder.

The warning indicating missing features are made none fatal through
pragmas. They still show but don't abort the build.

https://bugzilla.gnome.org/show_bug.cgi?id=793729
2018-04-25 17:23:50 +02:00
Руслан Ижбулатов
aab83f7475 gdbus: make hexencode() a shared function to avoid duplication
https://bugzilla.gnome.org/show_bug.cgi?id=794170
2018-03-13 12:09:01 +00:00
Руслан Ижбулатов
cc7ab04b33 gdbus: do not initialize gsize variables with -1
Use 0 instead, since gsize is unsigned.

https://bugzilla.gnome.org/show_bug.cgi?id=794170
2018-03-13 12:09:01 +00:00
Руслан Ижбулатов
f7c0ff773e gdbus: actually return string length from hexdecode()
https://bugzilla.gnome.org/show_bug.cgi?id=794170
2018-03-13 12:09:01 +00:00
Philip Withnall
c26aab36db gio: Fix a minor indentation problem
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Reviewed-by: nobody
2017-12-04 10:38:01 +00:00
Philip Withnall
e644bfa37e gio: Add some casts for printf() formatting statbufs on Solaris
Apparently Solaris defines statbuf fields as long when Linux doesn’t, in
some cases. Cast down to the type expected by the printf() format
placeholder.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

https://bugzilla.gnome.org/show_bug.cgi?id=749652
2017-11-28 14:17:09 +00:00
Daniel Macks
b8f9c08a09 Avoid setting unused variables (-Wself-assign)
Setting a variable and then assigning it to itself avoids
-Wunused-but-set-variable but this specific trick is now caught by
-Wself-assign. Instead, actually use the value or don't bother
assigning it at all:

gdbusauthmechanismsha1.c: #ifdef a var decl to match its actual use use
gdbusauthmechanismsha1.c: call g_ascii_strtoll() in void context

https://bugzilla.gnome.org/show_bug.cgi?id=745723
2017-09-11 22:18:42 +01:00
Daniel Macks
190f64a0fb Avoid setting unused variables (-Wself-assign)
Setting a variable and then assigning it to itself avoids
-Wunused-but-set-variable but this specific trick is now caught by
-Wself-assign. Instead, actually use the value or don't bother
assigning it at all:

gdbusauth.c: call g_data_input_stream_read_byte() in void context
gdbusauthmechanismsha1.c: value is actually used
gdbusmessage.c: use consistent preprocessor-token protection
gthreadedresolver.c: skip over bytes in data blob
httpd.c: do something useful with the value

https://bugzilla.gnome.org/show_bug.cgi?id=745723
2017-09-11 22:14:18 +01:00
Philip Withnall
5cddde1fb2 Consistently save errno immediately after the operation setting it
Prevent the situation where errno is set by function A, then function B
is called (which is typically _(), but could be anything else) and it
overwrites errno, then errno is checked by the caller.

errno is a horrific API, and we need to be careful to save its value as
soon as a function call (which might set it) returns. i.e. Follow the
pattern:
  int errsv, ret;
  ret = some_call_which_might_set_errno ();
  errsv = errno;

  if (ret < 0)
    puts (strerror (errsv));

This patch implements that pattern throughout GLib. There might be a few
places in the test code which still use errno directly. They should be
ported as necessary. It doesn’t modify all the call sites like this:
  if (some_call_which_might_set_errno () && errno == ESOMETHING)
since the refactoring involved is probably more harmful than beneficial
there. It does, however, refactor other call sites regardless of whether
they were originally buggy.

https://bugzilla.gnome.org/show_bug.cgi?id=785577
2017-08-03 10:21:13 +01:00
Philip Withnall
18f8b77c04 gio: Use g_strerror() instead of strerror()
This marginally improves thread safety, and marginally improves
consistency.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

https://bugzilla.gnome.org/show_bug.cgi?id=733821
2017-06-21 11:20:29 +01:00
Sébastien Wilmet
3bf4a720c3 gio/: LGPLv2+ -> LGPLv2.1+
Sub-directories inside gio/ already processed in a previous commit:
- fam/
- gdbus-2.0/ (which contains only codegen/)
- gvdb/
- inotify/
- tests/
- win32/
- xdgmime/

Other sub-directories inside gio/:
- completion/: no license headers
- kqueue/: not LGPL, BSD-style license

https://bugzilla.gnome.org/show_bug.cgi?id=776504
2017-05-29 19:53:34 +02:00
Piotr Drąg
10c490cdfe Use Unicode in translatable strings
See https://developer.gnome.org/hig/stable/typography.html

https://bugzilla.gnome.org/show_bug.cgi?id=772221
2016-10-12 21:30:42 +02:00
Daniel Mustieles
078dbda148 Updated FSF's address 2014-01-31 14:31:55 +01:00
Chun-wei Fan
a997cfe90f gio/gdbusauthmechanismsha1.c: Move G_OS_* checks down
The G_OS_* checks are only valid if the GLib headers have been previously
included, so that io.h can be included properly on Windows
2013-11-26 13:16:15 +08:00
Dan Winship
158dde0507 Replace #ifdef HAVE_UNISTD_H checks with #ifdef G_OS_UNIX
In Windows development environments that have it, <unistd.h> is mostly
just a wrapper around several other native headers (in particular,
<io.h>, which contains read(), close(), etc, and <process.h>, which
contains getpid()). But given that some Windows dev environments don't
have <unistd.h>, everything that uses those functions on Windows
already needed to include the correct Windows header as well, and so
there is never any point to including <unistd.h> on Windows.

Also, remove some <unistd.h> includes (and a few others) that were
unnecessary even on unix.

https://bugzilla.gnome.org/show_bug.cgi?id=710519
2013-11-20 09:25:39 -05:00
Emmanuele Bassi
54cc43630d Rename the generated private data getter function
As it turns out, we have examples of internal functions called
type_name_get_private() in the wild (especially among older libraries),
so we need to use a name for the per-instance private data getter
function that hopefully won't conflict with anything.
2013-06-24 15:43:04 +01:00
Emmanuele Bassi
32747def4b gio: Use the new private instance data declaration
Use the newly added macros, and remove the explicit calls to
g_type_class_add_private().

https://bugzilla.gnome.org/show_bug.cgi?id=700035
2013-06-24 14:18:01 +01:00
Dan Winship
4b94c0831e Use 'dumb quotes' rather than `really dumb quotes'
Back in the far-off twentieth century, it was normal on unix
workstations for U+0060 GRAVE ACCENT to be drawn as "‛" and for U+0027
APOSTROPHE to be drawn as "’". This led to the convention of using
them as poor-man's ‛smart quotes’ in ASCII-only text.

However, "'" is now universally drawn as a vertical line, and "`" at a
45-degree angle, making them an `odd couple' when used together.

Unfortunately, there are lots of very old strings in glib, and also
lots of new strings in which people have kept up the old tradition,
perhaps entirely unaware that it used to not look stupid.

Fix this by just using 'dumb quotes' everywhere.

https://bugzilla.gnome.org/show_bug.cgi?id=700746
2013-05-21 11:23:22 -03:00
Henrique Dante de Almeida
c219181cb2 Add G_GNUC_PRINTF on all functions with format strings
This allows compilation with clang without errors, even when
-Wformat-nonliteral is active (as long as there are no real cases of
non literal formatting).

https://bugzilla.gnome.org/show_bug.cgi?id=691608
2013-01-13 12:32:40 -05:00
Federico Mena Quintero
571185f0f6 bgo#640212 - Replace "error stating file" with friendlier messages
Non-technical users won't know that "stating" refers to stat(2), so we
just use "error when getting information" now.

Signed-off-by: Federico Mena Quintero <federico@gnome.org>
2011-09-08 09:11:56 -05:00
Colin Walters
01602e1695 Fix some compiler warnings from gcc 4.6 2011-04-15 15:51:25 -04:00
David Zeuthen
0729260141 Silence a bunch of -Wunused-but-set-variable warnings
Signed-off-by: David Zeuthen <davidz@redhat.com>
2011-04-08 15:44:25 -04:00
Emmanuele Bassi
19972a1b57 build: Quench the compiler's thirst for warnings 2010-09-04 18:24:50 +01:00
Philip Withnall
ea9f5f0251 Change "lock-file" to "lock file" in translatable strings
Helps: bgo#628193
2010-08-29 00:38:06 +01:00
Matthias Clasen
5f1490e94a Fix sparse warnings
These were listed in bug 623955
2010-07-10 17:21:32 -04:00
Ryan Lortie
5b946e0504 gio/: fully remove gioalias hacks 2010-07-07 19:53:22 -04:00
Tor Lillqvist
efb1a054b0 Fix build with the Microsoft compiler
Correct a few gccisms and C99isms. Ensure the Windows-specific gio
source files are listed in the generated gio VS project file.
2010-06-22 12:22:46 +03:00
David Zeuthen
366b3ffcde Bug 619142 – Build fixes
- Fix various #include issues

 - Change #error to #warning for the EXTERNAL authentication mechanism.
   It is not clear if this should work on Win32 at all.

 - Call close() before unlink() for the SHA1 keyring

 - Change #error to #warning so we don't forget to do
   permission checking of the .dbus-keyrings directory

 - Use Win32 SID for the SHA1 auth mech

 - Apparently we can't use word 'interface' as an identifier

 - Implement a _g_dbus_win32_get_user_sid() function. For now it's
   private. Don't know if it should be public somewhere. Maybe in
   a future GCredentials support for Win32? I don't know.

 - GFileDescriptorBased is not available on Win32. So avoid using
   it in GLocalFile stuff. Now, Win32 still uses GLocalFile + friends
   (which works with file descriptors) so expose a private function
   to get the fd for an OutputStream so things still work.

 - Fixup gio.symbols

 - Fixup tests/gdbus-peer.c so it builds

With this, at least things compile and the gdbus-peer.exe test case
passes. Which is a great start. I've tested this by cross-compiling on
a x86_64 Fedora 13 host using mingw32 and running the code on a 32-bit
Windows 7 box.

https://bugzilla.gnome.org/show_bug.cgi?id=619142

Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-05-20 10:53:08 -04:00
Matthias Clasen
1d22b64843 Cleanups
Sort #includes a bit better, and don't include platform-specific
headers in gio.h.
2010-05-14 08:38:07 -04:00
Matthias Clasen
0cf467c2ca Update copyright years to include 2010 2010-05-09 13:14:55 -04:00
David Zeuthen
46ce134d51 GDBus: Add new symbols to gio.symbols 2010-05-06 17:31:51 -04:00
David Zeuthen
fb1b4599a0 GDBus: Fix up i18n 2010-05-06 16:34:23 -04:00
David Zeuthen
d0a14469d0 Initial GDBus code-drop from GDBus-standalone repo
Things compile and the test-suite passes. Still need to hook up
gio.symbols and docs. There are still a bunch of TODOs left in the
sources that needs to be addressed.

Signed-off-by: David Zeuthen <davidz@redhat.com>
2010-05-06 14:21:32 -04:00