110 lines
3.4 KiB
Diff
110 lines
3.4 KiB
Diff
diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c
|
|
--- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 2010-01-06 17:57:30.722388282 -0800
|
|
+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c 2010-01-06 18:20:59.713397530 -0800
|
|
@@ -50,6 +50,7 @@
|
|
*/
|
|
|
|
#ifdef XP_UNIX
|
|
+#include <unistd.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/types.h>
|
|
|
|
@@ -108,12 +109,26 @@ getSystemDB(void) {
|
|
return PORT_Strdup(NSS_DEFAULT_SYSTEM);
|
|
}
|
|
|
|
+static PRBool
|
|
+userIsRoot()
|
|
+{
|
|
+ /* this works for linux and all unixes that we know off
|
|
+ though it isn't stated as such in POSIX documentation */
|
|
+ return getuid() == 0;
|
|
+}
|
|
+
|
|
+static PRBool
|
|
+userCanModifySystemDB()
|
|
+{
|
|
+ return (access(NSS_DEFAULT_SYSTEM, W_OK) == 0);
|
|
+}
|
|
+
|
|
#else
|
|
#ifdef XP_WIN
|
|
static char *
|
|
getUserDB(void)
|
|
{
|
|
- /* use the registry to find the user's NSS_DIR. if no entry exists, creaate
|
|
+ /* use the registry to find the user's NSS_DIR. if no entry exists, create
|
|
* one in the users Appdir location */
|
|
return NULL;
|
|
}
|
|
@@ -121,13 +136,28 @@ getUserDB(void)
|
|
static char *
|
|
getSystemDB(void)
|
|
{
|
|
- /* use the registry to find the system's NSS_DIR. if no entry exists, creaate
|
|
+ /* use the registry to find the system's NSS_DIR. if no entry exists, create
|
|
* one based on the windows system data area */
|
|
return NULL;
|
|
}
|
|
|
|
+static PRBool
|
|
+userIsRoot()
|
|
+{
|
|
+ /* use the registry to find if the user is the system administrator. */
|
|
+ return PR_FALSE;
|
|
+}
|
|
+
|
|
+static PRBool
|
|
+userCanModifySystemDB()
|
|
+{
|
|
+ /* use the registry to find if the user has administrative privilege
|
|
+ * to modify the system's nss database. */
|
|
+ return PR_FALSE;
|
|
+}
|
|
+
|
|
#else
|
|
-#error "Need to write getUserDB and get SystemDB functions"
|
|
+#error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions"
|
|
#endif
|
|
#endif
|
|
|
|
@@ -225,7 +255,8 @@ get_list(char *filename, char *stripped_
|
|
if (userdb && !strcmp(filename, userdb))
|
|
filename = NULL;
|
|
|
|
- if (userdb != NULL) {
|
|
+ /* Don't open root's user DB */
|
|
+ if (userdb != NULL && !userIsRoot()) {
|
|
/* return a list of databases to open. First the user Database */
|
|
module_list[next++] = PR_smprintf(
|
|
"library= "
|
|
@@ -245,7 +276,8 @@ get_list(char *filename, char *stripped_
|
|
userdb, stripped_parameters);
|
|
}
|
|
|
|
- if (filename && 0 /* This doesn't actually work. If we register
|
|
+ if (filename && !userIsRoot() && 0
|
|
+ /* This doesn't actually work. If we register
|
|
both this and the sysdb (in either order)
|
|
then only one of them actually shows up */) {
|
|
module_list[next++] = PR_smprintf(
|
|
@@ -255,13 +287,14 @@ get_list(char *filename, char *stripped_
|
|
"NSS=\"%sflags=internal\"",filename, filename, nssflags);
|
|
}
|
|
|
|
- /* now the system database (always read only) */
|
|
+ /* now the system database (always read only unless it's root) */
|
|
if (sysdb) {
|
|
- module_list[next++] = PR_smprintf(
|
|
+ const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
|
|
+ module_list[next++] = PR_smprintf(
|
|
"library= "
|
|
"module=\"NSS system database\" "
|
|
- "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" "
|
|
- "NSS=\"%sflags=internal,critical\"",sysdb, nssflags);
|
|
+ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
|
|
+ "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
|
|
}
|
|
|
|
/* that was the last module */
|