core: root clients do not need to be an a login session (rh #973068)

NetworkManager.spec

@@ -23,7 +23,7 @@ Name: NetworkManager
 Summary: Network connection manager and user applications
 Epoch: 1
 Version: 0.9.8.2
-Release: 1%{snapshot}%{?dist}
+Release: 2%{snapshot}%{?dist}
 Group: System Environment/Base
 License: GPLv2+
 URL: http://www.gnome.org/projects/NetworkManager/
@@ -31,6 +31,7 @@ URL: http://www.gnome.org/projects/NetworkManager/
 Source: %{name}-%{realversion}%{snapshot}.tar.xz
 Source1: NetworkManager.conf
 Patch1: explain-dns1-dns2.patch
+Patch2: root-session.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -159,6 +160,7 @@ NetworkManager functionality from applications that use glib.
 %setup -q -n NetworkManager-%{realversion}
 
 %patch1 -p1 -b .explain-dns1-dns2
+%patch2 -p1 -b .root-session
 
 %build
 
@@ -361,6 +363,9 @@ exit 0
 %{_datadir}/gtk-doc/html/libnm-util/*
 
 %changelog
+* Fri Jun 14 2013 Dan Winship <danw@redhat.com> - 0.9.8.2-2
+- core: root clients do not need to be an a login session (rh #973068)
+
 * Fri Jun  7 2013 Dan Williams <dcbw@redhat.com> - 0.9.8.2-1
 - Update to 0.9.8.2 release
 - core: fix crash when IPv6 times out on Wi-Fi (rh #970293)

root-session.patch

@@ -0,0 +1,115 @@
+diff --git a/src/nm-manager-auth.c b/src/nm-manager-auth.c
+index d797032..21192bd 100644
+--- a/src/nm-manager-auth.c
++++ b/src/nm-manager-auth.c
+@@ -541,6 +541,10 @@ nm_auth_uid_in_acl (NMConnection *connection,
+ 	g_return_val_if_fail (connection != NULL, FALSE);
+ 	g_return_val_if_fail (smon != NULL, FALSE);
+ 
++	/* Root gets a free pass */
++	if (0 == uid)
++		return TRUE;
++
+ 	s_con = nm_connection_get_setting_connection (connection);
+ 	g_assert (s_con);
+ 
+diff --git a/src/settings/nm-agent-manager.c b/src/settings/nm-agent-manager.c
+index d9199f5..531fabc 100644
+--- a/src/settings/nm-agent-manager.c
++++ b/src/settings/nm-agent-manager.c
+@@ -262,10 +262,11 @@ impl_agent_manager_register (NMAgentManager *self,
+ 		goto done;
+ 	}
+ 
+-	if (!nm_session_monitor_uid_has_session (priv->session_monitor,
+-                                             sender_uid,
+-                                             NULL,
+-                                             &local)) {
++	if (   0 != sender_uid
++	    && !nm_session_monitor_uid_has_session (priv->session_monitor,
++	                                            sender_uid,
++	                                            NULL,
++	                                            &local)) {
+ 		error = g_error_new_literal (NM_AGENT_MANAGER_ERROR,
+ 		                             NM_AGENT_MANAGER_ERROR_SESSION_NOT_FOUND,
+ 		                             local && local->message ? local->message : "Session not found");
+@@ -552,15 +553,12 @@ request_add_agent (Request *req,
+ 	 * or that the permissions is empty (ie, visible by everyone).
+ 	 */
+ 	agent_uid = nm_secret_agent_get_owner_uid (agent);
+-	if (0 != agent_uid) {
+-		if (!nm_auth_uid_in_acl (req->connection, session_monitor, agent_uid, NULL)) {
+-			nm_log_dbg (LOGD_AGENTS, "(%s) agent ignored for secrets request %p/%s (not in ACL)",
+-					    nm_secret_agent_get_description (agent),
+-					    req, req->setting_name);
+-			/* Connection not visible to this agent's user */
+-			return;
+-		}
+-		/* Caller is allowed to manipulate this connection */
++	if (!nm_auth_uid_in_acl (req->connection, session_monitor, agent_uid, NULL)) {
++		nm_log_dbg (LOGD_AGENTS, "(%s) agent ignored for secrets request %p/%s (not in ACL)",
++		            nm_secret_agent_get_description (agent),
++		            req, req->setting_name);
++		/* Connection not visible to this agent's user */
++		return;
+ 	}
+ 
+ 	/* If the request should filter agents by UID, do that now */
+diff --git a/src/settings/nm-settings-connection.c b/src/settings/nm-settings-connection.c
+index d341586..be349a0 100644
+--- a/src/settings/nm-settings-connection.c
++++ b/src/settings/nm-settings-connection.c
+@@ -959,15 +959,13 @@ check_user_in_acl (NMConnection *connection,
+ 	}
+ 
+ 	/* Make sure the UID can view this connection */
+-	if (0 != sender_uid) {
+-		if (!nm_auth_uid_in_acl (connection, session_monitor, sender_uid, &error_desc)) {
+-			g_set_error_literal (error,
+-			                     NM_SETTINGS_ERROR,
+-			                     NM_SETTINGS_ERROR_PERMISSION_DENIED,
+-			                     error_desc);
+-			g_free (error_desc);
+-			return FALSE;
+-		}
++	if (!nm_auth_uid_in_acl (connection, session_monitor, sender_uid, &error_desc)) {
++		g_set_error_literal (error,
++		                     NM_SETTINGS_ERROR,
++		                     NM_SETTINGS_ERROR_PERMISSION_DENIED,
++		                     error_desc);
++		g_free (error_desc);
++		return FALSE;
+ 	}
+ 
+ 	if (out_sender_uid)
+diff --git a/src/settings/nm-settings.c b/src/settings/nm-settings.c
+index 2cfda09..880592e 100644
+--- a/src/settings/nm-settings.c
++++ b/src/settings/nm-settings.c
+@@ -1162,18 +1162,14 @@ nm_settings_add_connection (NMSettings *self,
+ 	/* Ensure the caller's username exists in the connection's permissions,
+ 	 * or that the permissions is empty (ie, visible by everyone).
+ 	 */
+-	if (0 != caller_uid) {
+-		if (!nm_auth_uid_in_acl (connection, priv->session_monitor, caller_uid, &error_desc)) {
+-			error = g_error_new_literal (NM_SETTINGS_ERROR,
+-			                             NM_SETTINGS_ERROR_NOT_PRIVILEGED,
+-			                             error_desc);
+-			g_free (error_desc);
+-			callback (self, NULL, error, context, user_data);
+-			g_error_free (error);
+-			return;
+-		}
+-
+-		/* Caller is allowed to add this connection */
++	if (!nm_auth_uid_in_acl (connection, priv->session_monitor, caller_uid, &error_desc)) {
++		error = g_error_new_literal (NM_SETTINGS_ERROR,
++		                             NM_SETTINGS_ERROR_PERMISSION_DENIED,
++		                             error_desc);
++		g_free (error_desc);
++		callback (self, NULL, error, context, user_data);
++		g_error_free (error);
++		return;
+ 	}
+ 
+ 	/* If the caller is the only user in the connection's permissions, then