Source0: %{name}-%{version}.tar.gz
Source1: security-server.manifest
Source2: libsecurity-server-client.manifest
+Source3: security-server.service
BuildRequires: cmake
BuildRequires: zip
BuildRequires: pkgconfig(dlog)
BuildRequires: pkgconfig(icu-i18n)
BuildRequires: pkgconfig(libsoup-2.4)
BuildRequires: pkgconfig(xmlsec1)
+Requires(preun): systemd
+Requires(post): systemd
+Requires(postun): systemd
%description
Security server and utilities
install -D %{SOURCE1} %{buildroot}%{_datadir}/security-server.manifest
install -D %{SOURCE2} %{buildroot}%{_datadir}/libsecurity-server-client.manifest
-%clean
-rm -rf %{buildroot}
+mkdir -p %{buildroot}%{_libdir}/systemd/system/multi-user.target.wants
+install -m 0644 %{SOURCE3} %{buildroot}%{_libdir}/systemd/system/security-server.service
+ln -s ../security-server.service %{buildroot}%{_libdir}/systemd/system/multi-user.target.wants/security-server.service
+
+%preun
+if [ $1 == 0 ]; then
+ systemctl stop security-server.service
+fi
%post
+systemctl daemon-reload
+if [ $1 == 1 ]; then
+ systemctl restart security-server.service
+fi
mkdir -p /etc/rc.d/rc3.d
mkdir -p /etc/rc.d/rc5.d
ln -s /etc/rc.d/init.d/security-serverd /etc/rc.d/rc3.d/S10security-server
echo "[WRT] wrt-security postinst done ..."
%postun
-rm -f /etc/rc.d/rc3.d/S10security-server
-rm -f /etc/rc.d/rc5.d/S10security-server
+systemctl daemon-reload
%post -n libsecurity-server-client -p /sbin/ldconfig
%files -n security-server
%manifest %{_datadir}/security-server.manifest
%defattr(-,root,root,-)
+%{_libdir}/systemd/system/multi-user.target.wants/security-server.service
+%{_libdir}/systemd/system/security-server.service
/usr/share/security-server/mw-list
%attr(755,root,root) /etc/rc.d/init.d/security-serverd
#/etc/rc.d/rc3.d/S10security-server
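Review bot: In `%post` the restart is gated on `$1 == 1` (first install), so on a package upgrade the running security-server keeps executing the old binary and a fix shipped in the new package does not take effect until something else restarts it; `if [ "$1" -ge 1 ]; then systemctl restart security-server.service; fi` would cover upgrades too. The same scriptlet still creates `/etc/rc.d/rc3.d/S10security-server`, while `%postun` no longer removes it, so the link is left behind after uninstall and `ln -s` fails when it already exists. `[ $1 == 0 ]` relies on a bash extension; `[ "$1" -eq 0 ]` works under any `/bin/sh`. The unit is installed under `%{_libdir}/systemd/system`, which expands to a `lib64` path on 64-bit targets where systemd may not search, so `%{_unitdir}` is the safer location if the build environment defines it.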
#include <sys/types.h>
#include <sys/smack.h>
#include <fcntl.h>
+#include <pwd.h>
#include <sys/un.h>
#include <errno.h>
#include <unistd.h>
}
/* Authenticate the application is middleware daemon
- * The middleware must run as root and the cmd line must be pre listed */
+ * The middleware must run as root (or middleware user) and the cmd line must be
+ * pre listed for authentication to succeed */
int authenticate_client_middleware(int sockfd, int *pid)
{
int retval = SECURITY_SERVER_ERROR_AUTHENTICATION_FAILED;
struct ucred cr;
unsigned int cl = sizeof(cr);
char *cmdline = NULL;
+ struct passwd pw, *ppw;
+ size_t buf_size;
+ char *buf;
+ static uid_t middleware_uid = 0;
*pid = 0;
goto error;
}
- /* All middlewares will run as root */
- if(cr.uid != 0)
+ if (!middleware_uid)
+ {
+ buf_size = sysconf(_SC_GETPW_R_SIZE_MAX);
+ if (buf_size == -1)
+ buf_size = 1024;
+
+ buf = malloc(buf_size);
+
+ /* This test isn't essential, skip it in case of error */
+ if (buf) {
+ if (getpwnam_r(SECURITY_SERVER_MIDDLEWARE_USER, &pw, buf, buf_size, &ppw) == 0 && ppw)
+ middleware_uid = pw.pw_uid;
+
+ free(buf);
+ }
+ }
+
+ /* Middleware services need to run as root or middleware/app user */
+ if(cr.uid != 0 && cr.uid != middleware_uid)
{
retval = SECURITY_SERVER_ERROR_AUTHENTICATION_FAILED;
SEC_SVR_DBG("Non root process has called API: %d", cr.uid);
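Review bot: With `if(cr.uid != 0 && cr.uid != middleware_uid)` every process running as the middleware user now passes the uid gate, so the pre-listed command line named in the function comment becomes the only discriminator, and a command line is a value the calling process sets itself. That comparison is outside the visible lines, but it is worth confirming that it rests on something the client cannot choose (the executable path or the Smack label, for example) before non-root callers are accepted. `middleware_uid` uses 0 both for "not looked up yet" and for root's uid; this fails closed to root-only when `malloc` or `getpwnam_r` fails, but it repeats the lookup on every call and writes a `static` without synchronisation if the function can run on more than one thread. `buf_size` is a `size_t`, so `buf_size == -1` only works through implicit conversion; `long n = sysconf(_SC_GETPW_R_SIZE_MAX); buf_size = n > 0 ? (size_t)n : 1024;` states the intent directly. The function body starts and ends outside the visible lines.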