[TOFU]:
Be careful I already deleted the sysconfig and manpage -a stuff.
You will get some conflicts, sorry about that.
But, yes go ahead, speak with Holger, he's also keen on throwing things
out.
Thomas
Stefan Seyfried wrote:
> Hi,
>
> i am on the train and had nothing to do, so here it is:
> rip out the resmgr/group/etc access control.
> This may help getting this going, i'll probably not commit it since it
> is incomplete (e.g. checkPermissions() probably should go away completely).
> But a little bit of the long boring stuff is done ;-)
>
> Thomas, i hope this helps getting rid of the socket stuff.
> If you want me to commit it (hey, it compiles and i can run it! ;-) drop
> me a note and i'll do it.
>
>
> ------------------------------------------------------------------------
>
> diff -rup /tmp/powersave/powersave-0.10.6/config_files/common
> ./config_files/common
> --- /tmp/powersave/powersave-0.10.6/config_files/common 2005-07-22
> 11:46:07.000000000 +0200
> +++ ./config_files/common 2005-08-05 20:33:30.000000000 +0200
> @@ -71,10 +71,12 @@ NOTIFY_METHOD=""
> ## Default: "ac battery button fan processor thermal"
> ## ServiceRestart: powersaved
> #
> -# The powersaved startscript will load all necessary modules for acpi. If
> some of
> +# The acpid startscript will load all necessary modules for acpi. If some of
> # these modules cause trouble, you may remove it from this variable. You may
> # add the modules asus_acpi or toshiba_acpi if your computer is an Asus or a
> # Toshiba. Seperate several modules by space.
> +# If this variable is empty, the default is used. If you want to disable
> +# module loading, enter "NONE".
> #
> ACPI_MODULES=""
>
> @@ -159,16 +161,6 @@ START_ACPID=""
> SECURITY=""
>
> ## Path: System/Powermanagement/Powersave/General
> -## Type: string
> -## Default "powersave"
> -#
> -# If the daemon is started with group security policy (powersave -a param)
> -# you can specify the system group that is allowed to connect to the daemon
> -# by default the resource mangager (resmgr) policy is used and this
> -# variable is ignored
> -PM_GROUP=""
> -
> -## Path: System/Powermanagement/Powersave/General
> ## Type: integer(1:100)
> ## Default "0"
> #
> diff -rup /tmp/powersave/powersave-0.10.6/daemon/clientConnection.cpp
> ./daemon/clientConnection.cpp
> --- /tmp/powersave/powersave-0.10.6/daemon/clientConnection.cpp
> 2005-08-02 18:52:10.000000000 +0200
> +++ ./daemon/clientConnection.cpp 2005-08-05 20:23:26.000000000 +0200
> @@ -24,9 +24,6 @@ clientConnection::clientConnection(PM_ST
>
> // allocate memory for the socketoperations
> sockOp = new (socketOpts);
> -
> - // set the user management in reference to the configuration
> - sockOp->setUserManagement(config->user_management,
> config->current_scheme->PM_GROUP);
> }
>
>
> diff -rup /tmp/powersave/powersave-0.10.6/daemon/config_pm.cpp
> ./daemon/config_pm.cpp
> --- /tmp/powersave/powersave-0.10.6/daemon/config_pm.cpp 2005-08-05
> 10:28:26.000000000 +0200
> +++ ./daemon/config_pm.cpp 2005-08-05 20:34:05.000000000 +0200
> @@ -32,7 +32,6 @@ PS_Config::PS_Config(){
>
> ENABLE_THERMAL_MANAGEMENT = OFF;
>
> - PM_GROUP = "powersave";
> USER_STANDBY_DISABLED = 1;
> USER_SUSPEND2DISK_DISABLED = 0;
> USER_SUSPEND2RAM_DISABLED = 1;
> @@ -180,10 +179,6 @@ void PS_Config::assignConfigEntries(){
> CPU_IDLE_LIMIT = checkValue(CPU_IDLE_LIMIT, "CPU_IDLE_LIMIT", 0, 100);
> POWER_BUTTON_DELAY = checkValue(POWER_BUTTON_DELAY, "POWERBTN_DELAY",
> 0);
>
> - s = data["PM_GROUP"];
> - if (s != "")
> - PM_GROUP = s.c_str();
> -
> FORCE_BATTERY_POLLING = checkYes(FORCE_BATTERY_POLLING,
> "FORCE_BATTERY_POLLING");
> USER_SUSPEND2DISK_DISABLED = checkYes(USER_SUSPEND2DISK_DISABLED,
> "DISABLE_USER_SUSPEND2DISK");
> USER_SUSPEND2RAM_DISABLED = checkYes(USER_SUSPEND2RAM_DISABLED,
> "DISABLE_USER_SUSPEND2RAM");
> diff -rup /tmp/powersave/powersave-0.10.6/daemon/config_pm.h
> ./daemon/config_pm.h
> --- /tmp/powersave/powersave-0.10.6/daemon/config_pm.h 2005-07-08
> 22:11:19.000000000 +0200
> +++ ./daemon/config_pm.h 2005-08-05 20:34:23.000000000 +0200
> @@ -29,8 +29,6 @@ enum CPUFREQ_CONTROL_MODE{CPUFREQ_USERSP
>
> enum THERMAL_MANAGEMENT_DELIGATION { OFF, KERNEL };
>
> -enum ACCESS_MODE { ACCESS_ALL=1, ACCESS_RESMGR, ACCESS_GROUP, ACCESS_ROOT };
> -
> class Event;
> class GeneralConfig;
>
> @@ -78,8 +76,6 @@ class PS_Config{
> * the idle event is thrown */
> int CPU_IDLE_LIMIT;
>
> - string PM_GROUP;
> -
> /** @brief should niced processes count for cpufreq calculatiob, too? */
> int CONSIDER_NICE;
>
> @@ -199,9 +195,6 @@ class GeneralConfig: public PS_Config {
> string config_dir;
> int disable_CPU_freq;
> int no_of_schemes;
> - /** @brief this is given by parameter */
> - static ACCESS_MODE user_management;
> -
>
> GeneralConfig();
> virtual ~GeneralConfig();
> diff -rup /tmp/powersave/powersave-0.10.6/daemon/general_config.cpp
> ./daemon/general_config.cpp
> --- /tmp/powersave/powersave-0.10.6/daemon/general_config.cpp 2005-07-05
> 15:57:23.000000000 +0200
> +++ ./daemon/general_config.cpp 2005-08-05 20:32:28.000000000 +0200
> @@ -4,8 +4,6 @@
> #include <dirent.h>
>
>
> -ACCESS_MODE GeneralConfig::user_management = ACCESS_ROOT;
> -
> void PS_Config::strtointErr(char *str, int line, const char *file){
> pDebug(DBG_ERR, "Could not convert string to int; given string: '%s' in"
> " line %d; config file: %s\n", str, line, file);
> @@ -302,24 +300,10 @@ int GeneralConfig::setActiveSchemeByPowe
>
> ostream& operator<<(ostream& os, const GeneralConfig &gc){
> string ret;
> - string access_m = "";
> int x;
>
> - if (gc.user_management == ACCESS_ROOT)
> - access_m = "root";
> - else if (gc.user_management == ACCESS_GROUP)
> - access_m = "group";
> - else if (gc.user_management == ACCESS_RESMGR)
> - access_m = "managed by resmgr";
> - else if (gc.user_management == ACCESS_ALL)
> - access_m = "all";
> - else
> - access_m = "undefined";
> -
> os << endl << endl
> << "GENERAL CONFIGURATIONS:";
> - os << endl << "Users that are allowed to connect through socket:
> " << access_m;
> - os << (gc.user_management == ACCESS_GROUP ? gc.PM_GROUP : "");
> os << endl << "Force CPU frequency scaling to be disabled: " <<
> (gc.disable_CPU_freq == 1 ? "yes" : "no");
> os << endl << "gc.AC_SCHEME: " << ((gc.AC_scheme == NULL) ? "Not
> available" : gc.AC_scheme->SCHEME_NAME);
> os << endl << "gc.BATTERY_SCHEME: " << ((gc.Battery_scheme ==
> NULL) ? "Not available" : gc.Battery_scheme->SCHEME_NAME);
> diff -rup /tmp/powersave/powersave-0.10.6/daemon/powersaved.cpp
> ./daemon/powersaved.cpp
> --- /tmp/powersave/powersave-0.10.6/daemon/powersaved.cpp 2005-08-05
> 11:50:12.000000000 +0200
> +++ ./daemon/powersaved.cpp 2005-08-05 20:22:36.000000000 +0200
> @@ -126,9 +126,6 @@ int PM_Interface::rereadConfig(){
>
> config->current_scheme->CONSIDER_NICE);
> }
> }
> - /* maybe group that is allowed to access has changed, set it in socket
> class */
> - if (config->user_management == ACCESS_GROUP)
> - server_socket.setUserManagement(config->user_management,
> config->current_scheme->PM_GROUP);
> return ret;
> }
>
> @@ -241,8 +238,6 @@ PM_Interface::PM_Interface(GeneralConfig
> pDebug (DBG_ERR, "Cannot create cpufreq objects");
> }
> }
> -
> - server_socket.setUserManagement(config->user_management,
> config->current_scheme->PM_GROUP);
>
> // allocate memory for event management object
> eM = new EventManagement();
> @@ -1101,7 +1096,7 @@ void get_args(int argc, char** argv, Gen
> {NULL, 0, 0, 0},
> };
> while (1){
> - int i = getopt_long(argc, argv, "v:c:s:a:x:f:ndh", opts,
> &option_index);
> + int i = getopt_long(argc, argv, "v:c:s:x:f:ndh", opts,
> &option_index);
> if (i == -1){
> break;
> }
> diff -rup /tmp/powersave/powersave-0.10.6/daemon/scheme_config.cpp
> ./daemon/scheme_config.cpp
> --- /tmp/powersave/powersave-0.10.6/daemon/scheme_config.cpp 2005-07-08
> 22:11:19.000000000 +0200
> +++ ./daemon/scheme_config.cpp 2005-08-05 20:35:07.000000000 +0200
> @@ -26,7 +26,6 @@ SchemeConfig::SchemeConfig(string file_n
>
> ENABLE_THERMAL_MANAGEMENT = gc.ENABLE_THERMAL_MANAGEMENT;
>
> - PM_GROUP = gc.PM_GROUP;
> USER_STANDBY_DISABLED = gc.USER_STANDBY_DISABLED;
> USER_SUSPEND2DISK_DISABLED = gc.USER_SUSPEND2DISK_DISABLED;
> USER_SUSPEND2RAM_DISABLED = gc.USER_SUSPEND2RAM_DISABLED;
> diff -rup /tmp/powersave/powersave-0.10.6/daemon/server_socket.cpp
> ./daemon/server_socket.cpp
> --- /tmp/powersave/powersave-0.10.6/daemon/server_socket.cpp 2005-06-26
> 12:27:35.000000000 +0200
> +++ ./daemon/server_socket.cpp 2005-08-05 20:29:22.000000000 +0200
> @@ -19,14 +19,12 @@
>
> ServerSocket::ServerSocket(){
>
> - user_management = ACCESS_ROOT;
> accepted_sockfd = -1;
> socket_fd = -1;
> }
>
> ServerSocket::~ServerSocket(){
>
> - user_management = ACCESS_ROOT;
> if (socket_fd != -1)
> closeSocket();
> }
> @@ -88,18 +86,11 @@ int ServerSocket::checkPermission(){
>
> struct sockaddr_un client_address;
> socklen_t client_len;
> - int result, k;
> - group *groupinfo = NULL;
> -
> + int result;
>
> struct ucred cred;
> struct passwd *pwd = NULL;
> socklen_t len = sizeof(cred);
> -#ifdef HAVE_LIBRESMGR
> - char *p;
> - char **sessions = NULL;
> - char **sessions_free = NULL;
> -#endif
>
> client_len = sizeof(client_address);
> // should never hang ...
> @@ -108,80 +99,15 @@ int ServerSocket::checkPermission(){
> pDebug(DBG_DIAG, "Server threw error after accept: %s\n",
> strerror(errno));
> return -1;
> }
> - if ( user_management == ACCESS_ALL ){
> + if ( getsockopt(accepted_sockfd, SOL_SOCKET, SO_PEERCRED, &cred, &len)
> < 0 ){
> + pDebug(DBG_DIAG, "getsockopt failed");
> + return -1;
> }
> - else {
> - if ( getsockopt(accepted_sockfd, SOL_SOCKET, SO_PEERCRED,
> &cred, &len) < 0 ){
> - pDebug(DBG_DIAG, "getsockopt failed");
> - return -1;
> - }
> - if ((pwd = getpwuid(cred.uid)) == NULL || !pwd->pw_name)
> - goto no_rights;
> + if ((pwd = getpwuid(cred.uid)) == NULL || !pwd->pw_name)
> + goto no_rights;
>
> - if ( user_management == ACCESS_RESMGR ){
> -#ifdef HAVE_LIBRESMGR
> - // only need resmgr if no root user tries to connect
> - if ( cred.uid ){
> - sessions = rsm_list_sessions();
> - sessions_free = sessions;
> - if ( !sessions || !*sessions )
> - goto no_rights;
> - int okay = 0;
> - pwd = getpwuid(cred.uid);
> - for ( ; sessions && *sessions; sessions++ ){
> - p = strstr( *sessions, " " );
> - if ( p && *(p+1) && !strcmp( p+1,
> pwd->pw_name ) ){
> - okay = 1;
> - break;
> - }
> - }
> - if (sessions_free){
> - for (k=0; sessions_free[k]; k++)
> - free(sessions_free[k]);
> - free(sessions_free);
> - }
> - if ( !okay ){
> - pDebug(DBG_DIAG, "user %s has no resmgr
> session"
> - " and is not allowed to
> connect.",
> - pwd->pw_name);
> - goto no_rights;
> - }
> - }
> -#else
> - pDebug (DBG_ERR, "Binary has no resmgr support compiled
> in, fall back"
> - "to root user management");
> - user_management = ACCESS_ROOT;
> -#endif
> - }
> - /* is a member of the powersave group connecting ?*/
> - else if ( user_management == ACCESS_GROUP ) {
> - groupinfo = getgrnam(pm_group.c_str());
> - if (cred.uid && (groupinfo == NULL || groupinfo->gr_mem
> == NULL)){
> - pDebug(DBG_DIAG, "Could not find group: %s that
> is "
> - "allowed to use PM. Only root will be
> allowed to connect to daemon."
> - , pm_group.c_str());
> - goto no_rights;
> - }
> - if (cred.uid){
> - for ( k=0; *(groupinfo->gr_mem+k); k++){
> - int m =
> min(strlen(*(groupinfo->gr_mem+k)), strlen(pm_group.c_str()));
> - if (!strncmp(*(groupinfo->gr_mem+k),
> pwd->pw_name, m)){
> - pDebug(DBG_DIAG, "%s is a
> member of group %s - allowed to connect",
> - pwd->pw_name,
> pm_group.c_str());
> - break;
> - }
> - else
> - continue;
> - }
> - if (!*(groupinfo->gr_mem+k))
> - goto no_rights;
> - }
> - }
> - else if ( user_management == ACCESS_ROOT ){
> - if (cred.uid)
> - goto no_rights;
> - }
> - }
> + if (cred.uid)
> + goto no_rights;
> return 1;
>
> no_rights:
> @@ -364,13 +290,6 @@ void ServerSocket::closeSocket(){
> close(socket_fd);
> }
>
> -void ServerSocket::setUserManagement(ACCESS_MODE um, string group){
> -
> - pm_group = group;
> - user_management = um;
> -
> -}
> -
> // reads one 'line' from a filedescriptor and returns it. The 'line' has to
> be
> // terminated with \0
>
> diff -rup /tmp/powersave/powersave-0.10.6/daemon/server_socket.h
> ./daemon/server_socket.h
> --- /tmp/powersave/powersave-0.10.6/daemon/server_socket.h 2004-11-17
> 12:44:28.000000000 +0100
> +++ ./daemon/server_socket.h 2005-08-05 20:24:35.000000000 +0200
> @@ -12,7 +12,6 @@ class ServerSocket {
> private:
> int socket_fd;
> int accepted_sockfd;
> - ACCESS_MODE user_management;
> string pm_group;
>
> public:
> @@ -26,7 +25,6 @@ class ServerSocket {
> int sendIntReply(int reply);
> int sendLongReply(int64_t reply);
> int sendSchemesReply (GeneralConfig *configs);
> - void setUserManagement(ACCESS_MODE um, string pm_group);
> int getAcceptedSockFD();
> //reads one line from a filedescription and returns it. The line has to
> be terminated with \n
> char *readLine(int fd);
> Only in ./docs/autodocs: CVS
> Only in ./docs: CVS
> diff -rup /tmp/powersave/powersave-0.10.6/docs/README.user_management
> ./docs/README.user_management
> --- /tmp/powersave/powersave-0.10.6/docs/README.user_management
> 2005-07-04 18:33:57.000000000 +0200
> +++ ./docs/README.user_management 2005-08-05 20:36:53.000000000 +0200
> @@ -1,35 +1,2 @@
> -There are 4 types the daemon might allow user's to
> -connect to the daemon (e.g. with powersave/kpowersave):
> -
> -
> -ALL:
> -Everybody is allowed to connect to the daemon
> -
> -RESMGR:
> -The daemon asks the resmgr who is allowed to
> -obtain PM related info or control.
> -
> -GROUP:
> -You can specify a system group in common config file
> -and add users to this group that are allowed to
> -communicate with the daemon
> -
> -ROOT:
> -The superuser is always allowed to connect.
> -If the -a parameter is missing at all, when invoking
> -the powersaved, only root is allowed to connect.
> -
> -Also see the manpage of powersaved (param: -a).
> -You can change the security settings in the
> -/etc/sysconfig/powerave/common file by modifing the
> -variable:
> -SECURITY
> -and if you have chosen group you can specify the group
> -that is allowed to connect to the daemon through the
> -variable:
> -PM_GROUP
> -This will tell the init script to always use this settings
> -at boot time.
> -
> -Note that for the resmgr setting support has to be compiled
> -in and the resource manager package needs to be installed.
> +Access control is now handled via DBus, have a look at
> +/etc/dbus-1/system.d/powersave.conf.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> powersave-devel mailing list
> [email protected]
> http://forge.novell.com/mailman/listinfo/powersave-devel
_______________________________________________
powersave-devel mailing list
[email protected]
http://forge.novell.com/mailman/listinfo/powersave-devel
