I’m working on a DBus service using GDBus, and I need to know the Unix UID of the process calling a method. Is there a direct way of doing this? Or is the only way of doing that getting the sender DBus id (:1.XXX) and calling GetConnectionUnixUser() in the org.freedesktop.DBus well-known name?
You probably want to call g_unix_connection_receive_credentials initially to discard the starting nul byte, and then fall back to g_socket_get_credentials if that does not work.
I am not sure I understand the second question. It is not possible to call GetConnectionUnixUser here, you are doing this to implement that function inside the daemon.
g_unix_connection_receive_credentials() won’t work because I’m publishing an interface in the system bus, so the received credentials would be the ones of the system daemon, not the original sender.
The idea is to allow only one specific user to get access to a method; but since this user can be changed using another DBus method, I can’t use polkit or the DBus configuration files for the service (or, at least, I don’t think that I can, because those files are writable only by root, and, for several reasons, my service must run as another specific user, so it wouldn’t be able to modify the files on-the-fly).
As I said, currently I keep a proxy to org.freedesktop.DBus, and whenever the callback for the method is called, I do a synchronous call to org_freedesktop_dbus_call_get_connection_unix_user_sync() to get the UID and decide whether that user can or can’t execute that action.
Of course, if there is a better and more standard way of doing this…
It would be more standard to use polkit for per user access control decisions like this.
See also GssPeerManager in libgsystemservice, for tracking the lifetime of service peers: GssPeerManager: libgsystemservice Reference Manual
Yes, I know that using polkit should be "the right way"™, but the point is… is it possible to dynamically change the allowed users?
About GssPeerManager, looks good, but it only returns the path to the executable, but not WHO is running it, which is what I need. I think that I’ll send a patch to allow to get more info.
Sorry, I misunderstood. When you say “dbus daemon” I think of that as referring to another implementation of dbus-daemon. What you are working on would just be called a dbus service.
Sorry I’m building a daemon for a dbus service
Without knowing what your full use case is, I can’t say for sure.
One way of doing it with polkit would be to use group membership as the authenticator, rather than matching against a particular user. Another way would be to update the polkit rules at runtime (polkit will notice changes to the set of rules files).
I’ll happily review such a patch for libgsystemservice, thanks
I sent two patches for it.
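The group-membership approach suggested in the thread, sketched as a polkit rule. This is an added example, not code from any participant or from polkit itself; the action id and group name are hypothetical, and the small `polkit` object at the top is a constructed stand-in so the rule can be exercised under Node.js.

```javascript
// Constructed stand-in for the global that polkitd provides to rules files.
// Leave this object out of a real file under /etc/polkit-1/rules.d/.
const polkit = {
  Result: { NO: "no", YES: "yes" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Hypothetical names, not taken from the thread.
const ACTION_ID = "org.example.MyService.restricted-method";
const ALLOWED_GROUP = "myservice-operators";

// The rule itself: decide by group membership instead of by a fixed UID.
polkit.addRule(function (action, subject) {
  if (action.id !== ACTION_ID) {
    return; // not our action: returning nothing lets other rules decide
  }
  return subject.isInGroup(ALLOWED_GROUP)
    ? polkit.Result.YES
    : polkit.Result.NO;
});

// Constructed test subject mirroring the fields the rule uses
// (user name, group list, isInGroup()).
function makeSubject(user, groups) {
  return {
    user: user,
    groups: groups,
    isInGroup(name) { return this.groups.includes(name); },
  };
}

// Minimal evaluator for this example: the first rule that returns a
// definite result wins; null means no rule handled the action.
function evaluate(actionId, subject) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined && result !== null) {
      return result;
    }
  }
  return null;
}
```

With a rule like this, who may call the method is controlled by membership of the group rather than by the contents of the rules file.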