Sorry for wrote many topics in small amount of time.
I am searching how policykit expropriate the terminal? When I am trying to write to or read form terminal with running program, my program is blocked. I think that remove some signals may help (TTYOUT/TTYIN), but I am not sure. Also, this solution looks odd.
I also need to ensure no other programs will read from terminal or write to it, when my program is running.
How to achieve this?
Done:
int term = open(term_device_path, O_RDWR);
if (-1 == term) {
perror("Unable to open terminal device");
exit(1);
}
if (-1 == flock(term, LOCK_EX)) {
perror("Unable to lock terminal");
exit(1);
}
signal(SIGTTOU, SIG_IGN);
signal(SIGTTIN, SIG_IGN);
dup2(term, 0);
dup2(term, 1);
dup2(term, 2);
Explain what you do. What is using the terminal, how you start your program etc.
This is how POSIX tty driver behavior is defined.
That is what happens by default, you mentioned it yourself in the previous sentence:
I started my program by fork. It read controlling terminal of process, who send dbus message, using /proc/$pid/state, where pid is the pid of sender.
I need to disable ability of other programs to read/write on this terminal, because some sensitive data could be written to tty.
I set cap_sys_admin=ep by setcap program on my executable.
Currently it nearly works, but after I press enter of forcibly blocked (expropriate) terminal, it exits to login program. Before get lock on this terminal, bash was working on it (and dbus-send).
I change some parts of my child process code and it now looks this:
if (NULL != term_device_path) {
close(0);
close(1);
close(2);
setsid();
int term = open(term_device_path, O_RDWR);
if (-1 == term) {
perror("Unable to open terminal device");
close(hang_pipe[0]);
exit(1);
}
dup2(term, 0);
dup2(term, 1);
dup2(term, 2);
if (-1 == ioctl(term, TIOCSCTTY, 1)) {
perror("Unable to set controlling terminal");
close(hang_pipe[0]);
close(term);
exit(1);
}
puts("OKI");
setenv("XDG_SESSION_TYPE", "tty", 1);
if (-1 == flock(term, LOCK_EX)) {
perror("Unable to lock terminal");
close(hang_pipe[0]);
close(term);
exit(1);
}
signal(SIGTTOU, SIG_IGN);
signal(SIGTTIN, SIG_IGN);
puts("WORKING");
}
execl("/usr/bin/securehome-sessionhelper", "/usr/bin/securehome-sessionhelper", 0);
I use udev to get path of terminal device: https://stackoverflow.com/questions/13982713/how-to-get-a-device-file-name-using-major-and-minor-number .
dev_t term_dev;
pid_t new_process;
term_dev = makedev(major, minor);
struct udev *udev = udev_new();
struct udev_device *device = udev_device_new_from_devnum(udev, 'c', term_dev);
const char *term_device_path = udev_device_get_devnode(device);
Which process does fork?
And now we suddenly have D-Bus …
Sorry, I hope some mindreader here will be able to help. Or explain the whole picture so that others can also understand it.
Reading the title (and the rest of the description), I see a typical case of http://www.catb.org/~esr/faqs/smart-questions.html#goal
The goal is:
I am developing FUSE filesystem, which will prevents to change important files or create new files in important location in user home directory. For example, someone could wrote ~/bin/sudo file and add executable bit. This program would call /bin/sudo with parameters given in command prompt and next for example: sudo rm -rf --no-preserve-root / . It also will protect ~/.profile, autostart, browser extensions directory, etc.
It will wrote everything into directory only it have access and will be mounted into ~/bin (for example). I still does not known, how to protect single files, such like ~/.profile. I thinking around mount --bind. It will mount each protected directory on login. Everything works, but it should also work on other user session (for example: console session) and I do not known if it has data to work in GUI, because it starts before other session programs.
So I decided to prempt console, so only it can read what user decide.
It will work similar to UAC. I decide to simply shown question dialogs instead of use list of allowed/disallowed actions like MAC, because of it is hard to recognize if action was performed by user - some programs have scripting capabilities, etc.
Because FUSE FS can read context and pid, I decide to send it to system dbus daemon, who will ran program asking if this action is allowed. The question will be displayed on:
I though about using policykit, but policykit dialogs probably cannot be simply modified to allow to set additional rights and select it will be remember for session or permanent.
Everything worked, but I realize it does not work, when program works on other session than GUI session. Also, It does still must be ran by hand, so If it will be ran on login, I must also have way to spawn process inside some session. It sill cannot protect single files.
Another use case is (for example) preventing from read browser cookies and other data.
This won’t work. Terminal may be in full screen mode and writing to it will have unpredictable results. You will need to ensure the known state before you can actually ask user anything, but that will screw up terminal for the program that was using it because it will be unaware of the modified screen content.
To do what you want you really need an intermediary agent between terminal and user programs that will accept connections from your FUSE filesystem and interact with the user without disturbing the program(s) running on the same terminal.
UAC overlays the current desktop with SAC desktop. That is not something that is generally possible on a terminal without help of some extra program that keeps track of the current terminal content and can save/restore it.
So I need something like screen? Should I Create master/slave part of pty and ran shell in it?
Additional to look at PolicyKit, I will also take a look at dialog and midnight commander, because these programs seems to store terminal content and restore it.
Yes, that is what I mean.
That is alternate screen. Yes, it is possible to switch between them and pkttyagent also supports it, but there are only two alternate buffers and you have no idea whether they are not already used by the currently running application. Your program can run at any time and terminal can be in any state when it happens.