From: Yunmi Ha
Date: Sun, 3 Jul 2016 23:53:19 +0000 (+0900)
Subject: Add security usertype
X-Git-Tag: accepted/tizen/common/20160704.150018^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=19de5761b401c8f6ea61ed2fb539868890f05a56;p=platform%2Fupstream%2Fgumd.git
Add security usertype
For security-container user, add new usertype. This usertype has indivisual uid range, and can't listup to any normal user.
Change-Id: Ib48aa4715439639bb879732d943f2444fb1362e1
Signed-off-by: Yunmi Ha
---
diff --git a/data/tizen/etc/gumd/gumd-tizen-common.conf b/data/tizen/etc/gumd/gumd-tizen-common.conf
index e7324dc..5cf7d39 100644
--- a/data/tizen/etc/gumd/gumd-tizen-common.conf
+++ b/data/tizen/etc/gumd/gumd-tizen-common.conf
@@ -58,6 +58,7 @@ DEFAULT_ADMIN_GROUPS=audio,video,display
 # Path to user shell executable. Default value is '/bin/bash'
 #SHELL=/bin/bash
+SEC_SHELL=/sbin/nologin
 # Path to skeleton folder. When new users are created, contents of the skel
 # folder is copied to user home directory. Default value is '/etc/skel'
@@ -82,6 +83,14 @@ SYS_UID_MIN=100
 # is: 999
 SYS_UID_MAX=499
+# Minimum value for the automatic uid selection for security user. Default
+# value is: 60001
+SEC_UID_MIN=60001
+
+# Maximum value for the automatic uid selection for security user. Default value
+# is: 60100
+SEC_UID_MAX=60100
+
 # Minimum value for the automatic gid selection. Default value is: 1000
 GID_MIN=5001
diff --git a/include/gum/common/gum-config-general.h b/include/gum/common/gum-config-general.h
index 7a8f3f2..b000f72 100644
--- a/include/gum/common/gum-config-general.h
+++ b/include/gum/common/gum-config-general.h
@@ -146,6 +146,14 @@
 "/SHELL"
 /**
+ * GUM_CONFIG_GENERAL_SEC_SHELL:
+ *
+ * Path to security user shell executable. Default value is '/bin/bash'
+ */
+#define GUM_CONFIG_GENERAL_SEC_SHELL GUM_CONFIG_GENERAL \
+ "/SEC_SHELL"
+
+/**
 * GUM_CONFIG_GENERAL_SKEL_DIR:
 *
 * Path to skeleton folder. When new users are created, contents of the skel
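Review bot: `SEC_SHELL=/sbin/nologin` is added as an active key with no explanatory comment, while every neighbouring key in this file carries one and the SHELL key it sits beside is commented out. A line such as `# Path to security user shell executable. Default value is '/bin/bash'` above it would keep the file's convention and make it visible that the shipped value deliberately differs from the built-in default. Giving the security-container accounts a non-interactive shell is the right direction; the comment is what tells an operator not to revert it.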
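Review bot: The new doc comment for GUM_CONFIG_GENERAL_SEC_SHELL does not say which users the key applies to and states a default of '/bin/bash', whereas gum-config.c in this commit initialises it from GUM_SHELL, i.e. to whatever SHELL defaults to. A comment tied to that source of truth would be ` * Path to the shell executable used for GUM_USERTYPE_SECURITY users. Defaults to the same value as GUM_CONFIG_GENERAL_SHELL.` so the two cannot drift apart.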
@@ -200,6 +208,22 @@
 "/SYS_UID_MAX"
 /**
+ * GUM_CONFIG_GENERAL_SEC_UID_MIN:
+ *
+ * Minimum value for the automatic uid selection. Default value is: 60001
+ */
+#define GUM_CONFIG_GENERAL_SEC_UID_MIN GUM_CONFIG_GENERAL \
+ "/SEC_UID_MIN"
+
+/**
+ * GUM_CONFIG_GENERAL_SEC_UID_MAX:
+ *
+ * Maximum value for the automatic uid selection. Default value is: 60100
+ */
+#define GUM_CONFIG_GENERAL_SEC_UID_MAX GUM_CONFIG_GENERAL \
+ "/SEC_UID_MAX"
+
+/**
 * GUM_CONFIG_GENERAL_GID_MIN:
 *
 * Minimum value for the automatic gid selection. Default value is: 2000
diff --git a/include/gum/common/gum-user-types.h b/include/gum/common/gum-user-types.h
index 1b6bde7..d574c35 100644
--- a/include/gum/common/gum-user-types.h
+++ b/include/gum/common/gum-user-types.h
@@ -68,7 +68,7 @@ G_BEGIN_DECLS
 *
 * Defines total number of types of the users.
 */
-#define GUM_USERTYPE_COUNT 5
+#define GUM_USERTYPE_COUNT 6
 /**
 * GUM_USERTYPE_MAX_VALUE:
@@ -82,7 +82,8 @@ typedef enum {
 GUM_USERTYPE_SYSTEM = 0x01,
 GUM_USERTYPE_ADMIN = 0x02,
 GUM_USERTYPE_GUEST = 0x04,
- GUM_USERTYPE_NORMAL = 0x08
+ GUM_USERTYPE_NORMAL = 0x08,
+ GUM_USERTYPE_SECURITY = 0x10
 } GumUserType;
 const gchar *
diff --git a/src/common/gum-config.c b/src/common/gum-config.c
index c604ffd..7ef69f3 100755
--- a/src/common/gum-config.c
+++ b/src/common/gum-config.c
@@ -113,6 +113,9 @@ G_DEFINE_TYPE (GumConfig, gum_config, G_TYPE_OBJECT);
 #define UID_MAX 60000
 #define SYS_UID_MIN 100
 #define SYS_UID_MAX 999
+#define SEC_UID_MIN 60001
+#define SEC_UID_MAX 60100
+
 #define GID_MIN 1000
 #define GID_MAX 60000
 #define SYS_GID_MIN 100
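Review bot: The comments for GUM_CONFIG_GENERAL_SEC_UID_MIN and GUM_CONFIG_GENERAL_SEC_UID_MAX are copied from the UID_MIN/UID_MAX entries and omit that the range is for security users, which is the only thing that distinguishes these keys; the conf file in the same commit does say "for security user". I would make them ` * Minimum value for the automatic uid selection for GUM_USERTYPE_SECURITY users. Default value is: 60001` and ` * Maximum value for the automatic uid selection for GUM_USERTYPE_SECURITY users. Default value is: 60100`. It is also worth stating that the range must not overlap UID_MIN..UID_MAX or SYS_UID_MIN..SYS_UID_MAX, since the defaults (60001..60100 directly above UID_MAX 60000) only stay disjoint by convention.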
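Review bot: GUM_USERTYPE_COUNT is bumped to 6 and GUM_USERTYPE_SECURITY = 0x10 is appended to the enum in the next hunk, but GUM_USERTYPE_MAX_VALUE, whose doc comment is the last context line here, is not touched by the commit. If that macro is derived from the highest flag or from the mask of all flags, it still stops at 0x08 and the new type would fail whatever range check uses it; please confirm its definition or update it in the same change. The commit message also says security users cannot be listed to normal users, yet nothing in this diff filters listing by type, so either that behaviour comes from an existing type mask or it is still missing.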
@@ -369,6 +372,8 @@ _load_config (
 g_strcmp0 (GUM_CONFIG_GENERAL_UID_MAX, key) == 0 ||
 g_strcmp0 (GUM_CONFIG_GENERAL_SYS_UID_MIN, key) == 0 ||
 g_strcmp0 (GUM_CONFIG_GENERAL_SYS_UID_MAX, key) == 0 ||
+ g_strcmp0 (GUM_CONFIG_GENERAL_SEC_UID_MIN, key) == 0 ||
+ g_strcmp0 (GUM_CONFIG_GENERAL_SEC_UID_MAX, key) == 0 ||
 g_strcmp0 (GUM_CONFIG_GENERAL_GID_MIN, key) == 0 ||
 g_strcmp0 (GUM_CONFIG_GENERAL_GID_MAX, key) == 0 ||
 g_strcmp0 (GUM_CONFIG_GENERAL_SYS_GID_MIN, key) == 0 ||
@@ -639,12 +644,15 @@ _gum_config_initialize (
 }
 gum_config_set_string (self, GUM_CONFIG_GENERAL_SHELL, GUM_SHELL);
+ gum_config_set_string (self, GUM_CONFIG_GENERAL_SEC_SHELL, GUM_SHELL);
 gum_config_set_string (self, GUM_CONFIG_GENERAL_SKEL_DIR, GUM_SKEL_DIR);
 gum_config_set_uint (self, GUM_CONFIG_GENERAL_UID_MIN, UID_MIN);
 gum_config_set_uint (self, GUM_CONFIG_GENERAL_UID_MAX, UID_MAX);
 gum_config_set_uint (self, GUM_CONFIG_GENERAL_SYS_UID_MIN, SYS_UID_MIN);
 gum_config_set_uint (self, GUM_CONFIG_GENERAL_SYS_UID_MAX, SYS_UID_MAX);
+ gum_config_set_uint (self, GUM_CONFIG_GENERAL_SEC_UID_MIN, SEC_UID_MIN);
+ gum_config_set_uint (self, GUM_CONFIG_GENERAL_SEC_UID_MAX, SEC_UID_MAX);
 gum_config_set_uint (self, GUM_CONFIG_GENERAL_GID_MIN, GID_MIN);
 gum_config_set_uint (self, GUM_CONFIG_GENERAL_GID_MAX, GID_MAX);
diff --git a/src/common/gum-user-types.c b/src/common/gum-user-types.c
index b60a064..bd91679 100644
--- a/src/common/gum-user-types.c
+++ b/src/common/gum-user-types.c
@@ -48,7 +48,8 @@ GumUserTypeString user_type_strings[GUM_USERTYPE_COUNT] = {
 {GUM_USERTYPE_SYSTEM, "system"},
 {GUM_USERTYPE_ADMIN, "admin"},
 {GUM_USERTYPE_GUEST, "guest"},
- {GUM_USERTYPE_NORMAL, "normal"}
+ {GUM_USERTYPE_NORMAL, "normal"},
+ {GUM_USERTYPE_SECURITY, "security"}
 };
 gint16
diff --git a/src/daemon/core/gumd-daemon-user.c b/src/daemon/core/gumd-daemon-user.c
index b22b912..6258fcb 100644
--- a/src/daemon/core/gumd-daemon-user.c
+++ b/src/daemon/core/gumd-daemon-user.c
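Review bot: The built-in default for GUM_CONFIG_GENERAL_SEC_SHELL is GUM_SHELL, the same interactive shell normal users get, so any deployment whose configuration lacks the SEC_SHELL key hands security-container accounts a login shell; the gumd-tizen-common.conf shipped in this commit chooses /sbin/nologin, which suggests that is the intended policy. I would give the key its own compile-time default instead of reusing GUM_SHELL, e.g. `gum_config_set_string (self, GUM_CONFIG_GENERAL_SEC_SHELL, GUM_SEC_SHELL);` with GUM_SEC_SHELL (name proposed here) defined next to GUM_SHELL and pointing at the non-interactive shell, and update the header comment to match. _gum_config_initialize continues outside the hunk.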
@@ -785,6 +785,9 @@ _get_default_uid_range (
 if (ut == GUM_USERTYPE_SYSTEM)
 *min = (uid_t) gum_config_get_uint (config,
 GUM_CONFIG_GENERAL_SYS_UID_MIN, GUM_USER_INVALID_UID);
+ else if (ut == GUM_USERTYPE_SECURITY)
+ *min = (uid_t) gum_config_get_uint (config,
+ GUM_CONFIG_GENERAL_SEC_UID_MIN, GUM_USER_INVALID_UID);
 else
 *min = (uid_t) gum_config_get_uint (config,
 GUM_CONFIG_GENERAL_UID_MIN, GUM_USER_INVALID_UID);
@@ -792,6 +795,9 @@ _get_default_uid_range (
 if (ut == GUM_USERTYPE_SYSTEM)
 *max = (uid_t) gum_config_get_uint (config,
 GUM_CONFIG_GENERAL_SYS_UID_MAX, GUM_USER_INVALID_UID);
+ else if (ut == GUM_USERTYPE_SECURITY)
+ *max = (uid_t) gum_config_get_uint (config,
+ GUM_CONFIG_GENERAL_SEC_UID_MAX, GUM_USER_INVALID_UID);
 else
 *max = (uid_t) gum_config_get_uint (config,
 GUM_CONFIG_GENERAL_UID_MAX, GUM_USER_INVALID_UID);
@@ -1683,6 +1689,7 @@ gumd_daemon_user_add (
 uid_t *uid,
 GError **error)
 {
+ GumUserType usertype = GUM_USERTYPE_NONE;
 DBG ("");
 /* reset uid if set
@@ -1701,14 +1708,21 @@ gumd_daemon_user_add (
 *** copy skel files and set permissions
 * unlock db
 */
- if (_get_usertype_from_gecos (self->priv->pw) == GUM_USERTYPE_NONE) {
+ usertype = _get_usertype_from_gecos (self->priv->pw);
+ if (usertype == GUM_USERTYPE_NONE) {
 GUM_RETURN_WITH_ERROR (GUM_ERROR_USER_INVALID_USER_TYPE,
 "Invalid user type", error, FALSE);
 }
 if (!self->priv->pw->pw_shell) {
- _set_shell_property (self, gum_config_get_string (self->priv->config,
+ if (usertype == GUM_USERTYPE_SECURITY) {
+ _set_shell_property (self, gum_config_get_string (self->priv->config,
+ GUM_CONFIG_GENERAL_SEC_SHELL));
+ }
+ else {
+ _set_shell_property (self, gum_config_get_string (self->priv->config,
 GUM_CONFIG_GENERAL_SHELL));
+ }
 }
 if (!gum_lock_pwdf_lock ()) {
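Review bot: The security branch has to be added twice, once for *min here and once for *max in the hunk at -792, because the two if/else-if chains make the same decision independently, so any later type again needs both sites edited in lockstep. Choosing the key pair once and then reading both values keeps the range a single decision and makes it obvious that min and max always come from the same family. Nothing visible in either hunk checks that the resulting *min is not above *max, or that the security range is disjoint from the normal and system ranges, so a mis-edited configuration is accepted silently unless a check outside these hunks catches it. _get_default_uid_range starts and ends outside the hunk, and I am assuming nothing between the two blocks depends on *min being set before *max.
```c
/* … unchanged: argument checks at the top of _get_default_uid_range … */
const gchar *min_key = GUM_CONFIG_GENERAL_UID_MIN;
const gchar *max_key = GUM_CONFIG_GENERAL_UID_MAX;
if (ut == GUM_USERTYPE_SYSTEM) {
    min_key = GUM_CONFIG_GENERAL_SYS_UID_MIN;
    max_key = GUM_CONFIG_GENERAL_SYS_UID_MAX;
} else if (ut == GUM_USERTYPE_SECURITY) {
    min_key = GUM_CONFIG_GENERAL_SEC_UID_MIN;
    max_key = GUM_CONFIG_GENERAL_SEC_UID_MAX;
}
*min = (uid_t) gum_config_get_uint (config, min_key, GUM_USER_INVALID_UID);
*max = (uid_t) gum_config_get_uint (config, max_key, GUM_USER_INVALID_UID);
/* … unchanged: remainder of _get_default_uid_range … */
```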
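Review bot: The SEC_SHELL default is only consulted inside the existing `if (!self->priv->pw->pw_shell)` guard, so a request that already carries a pw_shell for a security-type user keeps that shell and the non-interactive policy expressed by SEC_SHELL is bypassed; if security users must never get an interactive shell, the GUM_USERTYPE_SECURITY case should override a supplied shell or reject the request. The type itself comes from `_get_usertype_from_gecos (self->priv->pw)`, i.e. from request data, so whether a caller may create a security user has to be enforced by the access control that already gates admin and system users, which is not visible here. As a style point, the duplicated `_set_shell_property` call can collapse to `const gchar *shell_key = (usertype == GUM_USERTYPE_SECURITY) ? GUM_CONFIG_GENERAL_SEC_SHELL : GUM_CONFIG_GENERAL_SHELL;` followed by `_set_shell_property (self, gum_config_get_string (self->priv->config, shell_key));`. gumd_daemon_user_add continues outside the hunk.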