Skip to content

auth: Do not send UID with external auth#346

Merged
guelfey merged 1 commit intogodbus:masterfrom
idleroamer:authext
May 22, 2023
Merged

auth: Do not send UID with external auth#346
guelfey merged 1 commit intogodbus:masterfrom
idleroamer:authext

Conversation

@idleroamer
Copy link
Contributor

Due to mismatch between UID in a user-namespace and out-of-band credential acquired by server
on another user-namespace refrain from sending UID with authentication message

#345

@idleroamer idleroamer force-pushed the authext branch 3 times, most recently from ded90ae to a0a35c0 Compare December 4, 2022 19:56
@guelfey
Copy link
Member

guelfey commented Dec 17, 2022

Thanks. I agree that this is probably better as a default behavior, but wouldn't want to break the API for this (although probably there are not many users that use AuthExternal directly). Could you add this as a separate Auth implementation (which is then used in Conn.Auth as the new default first method)?

Copy link
Member

@guelfey guelfey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also please check out the linter error

@idleroamer idleroamer force-pushed the authext branch 4 times, most recently from e026873 to b3bac88 Compare January 2, 2023 19:41
@idleroamer
Copy link
Contributor Author

Somehow I tested with older godbus version, this already fixed in master as part of
#264

nevertheless I added a test-case, can't hurt

@idleroamer idleroamer force-pushed the authext branch 4 times, most recently from 4d45f30 to f95a472 Compare January 2, 2023 19:49
@guelfey
Copy link
Member

guelfey commented Apr 9, 2023

Thanks - could you scope the test to only be compiled on Linux? It doesn't work on FreeBSD for obvious reasons and thus would break the build there

@idleroamer idleroamer force-pushed the authext branch 5 times, most recently from c3e67b9 to b8baec9 Compare May 13, 2023 14:56
@idleroamer
Copy link
Contributor Author

@guelfey Thanks for the review, test is conditionalized

@@ -0,0 +1,96 @@
//go:build !freebsd
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is a using a Linux-only syscall - we also have other non-Linux platforms besides FreeBSD that are supported (e.g. Darwin), please adjust accordingly

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, adjusted accordingly, please recheck.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you can just add linux as a build tag 😄 but I only now just noticed that you already put this in a file with a _linux suffix, which implicitly adds the corresponding build tag, so just removing the comments should be fine

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the input, speaking using sledgehammer to crack a nut :)

@idleroamer idleroamer force-pushed the authext branch 3 times, most recently from 5e9aa2a to 8513e01 Compare May 22, 2023 06:11
Due to mismatch between UID in a user-namespace
and out-of-band credential acquired by server
on another user-namespace refrain from sending UID
with external authentication by default
to keep compatibility still fallback to sending UID
if it fails

godbus#345
@guelfey
Copy link
Member

guelfey commented May 22, 2023

Thanks!

@guelfey guelfey merged commit 7623695 into godbus:master May 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants