@@ -77,7 +77,7 @@ impl HelperSocketClient { |
| 77 | 77 | cookie: &str, |
| 78 | 78 | prompts: &mut P, |
| 79 | 79 | ) -> Result<HelperOutcome> { |
| 80 | | - let username_label = sanitize_control_line(username); |
| 80 | + let username_line = sanitize_control_line(username); |
| 81 | 81 | let cookie_line = sanitize_control_line(cookie); |
| 82 | 82 | let mut stream = UnixStream::connect(&self.socket_path).with_context(|| { |
| 83 | 83 | format!( |
@@ -87,17 +87,17 @@ impl HelperSocketClient { |
| 87 | 87 | })?; |
| 88 | 88 | let cookie_preview: String = cookie_line.chars().take(16).collect(); |
| 89 | 89 | tracing::debug!( |
| 90 | | - username = %username_label, |
| 90 | + username = %username_line, |
| 91 | 91 | cookie_len = cookie_line.len(), |
| 92 | 92 | cookie_preview = %cookie_preview, |
| 93 | 93 | socket = %self.socket_path.display(), |
| 94 | | - protocol = "socket-activated-cookie-only", |
| 94 | + protocol = "socket-activated-username-cookie", |
| 95 | 95 | "Connected to polkit helper socket" |
| 96 | 96 | ); |
| 97 | | - if username_label.len() != username.len() || cookie_line.len() != cookie.len() { |
| 97 | + if username_line.len() != username.len() || cookie_line.len() != cookie.len() { |
| 98 | 98 | tracing::debug!( |
| 99 | 99 | original_username_len = username.len(), |
| 100 | | - normalized_username_len = username_label.len(), |
| 100 | + normalized_username_len = username_line.len(), |
| 101 | 101 | original_cookie_len = cookie.len(), |
| 102 | 102 | normalized_cookie_len = cookie_line.len(), |
| 103 | 103 | "Normalized helper auth control lines before send" |
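Review bot: The length comparison at `if username_line.len() != username.len() || cookie_line.len() != cookie.len()` only emits a debug event and the call carries on, which mattered less while the username was a log label but now decides which identity the helper is asked to authenticate. A username that `sanitize_control_line` had to alter should fail the request rather than be sent in modified form; assuming the `Result` here is anyhow's, as the `.context(...)` calls suggest, `if username_line != username { anyhow::bail!("username contains control characters"); }` would do it. Comparing the strings rather than their lengths also covers a sanitizer that substitutes characters instead of dropping them, which cannot be ruled out from this hunk because `sanitize_control_line` is defined elsewhere. The `if` body and the rest of the function continue outside the hunk.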
@@ -108,8 +108,9 @@ impl HelperSocketClient { |
| 108 | 108 | .context("failed to clone helper socket stream")?; |
| 109 | 109 | let mut reader = BufReader::new(read_stream); |
| 110 | 110 | |
| 111 | | - // socket-activated polkit helper resolves identity from peer credentials. |
| 112 | | - // It expects only the cookie line from the agent protocol stream. |
| 111 | + // polkit 127 socket-activated helper reads two control lines: |
| 112 | + // username first, then cookie. |
| 113 | + write_line(&mut stream, &username_line).context("failed to send helper username")?; |
| 113 | 114 | write_line(&mut stream, &cookie_line).context("failed to send helper cookie")?; |
| 114 | 115 | |
| 115 | 116 | loop { |
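Review bot: The username line is now written unconditionally ahead of the cookie, so a helper that still behaves as the removed comment described (identity from peer credentials, cookie as the only line) would presumably take the username for the cookie. Nothing visible in the hunk checks which protocol the helper speaks, so the new comment should at least state the constraint where the lines are written, e.g. `// Requires the polkit 127 two-line protocol; a cookie-only helper would take the username for the cookie.` An empty `username_line` would also go out as a blank first line; a guard such as `if username_line.is_empty() { anyhow::bail!("empty username"); }` before the first `write_line` would make that failure explicit, assuming anyhow is the error crate in use. The function starts and ends outside the hunk.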
@@ -397,6 +398,8 @@ mod tests { |
| 397 | 398 | let read_stream = stream.try_clone().expect("clone"); |
| 398 | 399 | let mut reader = BufReader::new(read_stream); |
| 399 | 400 | |
| 401 | + let mut username = String::new(); |
| 402 | + reader.read_line(&mut username).expect("read username"); |
| 400 | 403 | let mut cookie = String::new(); |
| 401 | 404 | reader.read_line(&mut cookie).expect("read cookie"); |
| 402 | 405 | |
@@ -410,6 +413,7 @@ mod tests { |
| 410 | 413 | |
| 411 | 414 | { |
| 412 | 415 | let mut lines = transcript_for_thread.lock().expect("lock transcript"); |
| 416 | + lines.push(username.trim().to_string()); |
| 413 | 417 | lines.push(cookie.trim().to_string()); |
| 414 | 418 | lines.push(secret.trim().to_string()); |
| 415 | 419 | } |
@@ -433,7 +437,7 @@ mod tests { |
| 433 | 437 | server.join().expect("server join"); |
| 434 | 438 | |
| 435 | 439 | let lines = transcript.lock().expect("lock transcript"); |
| 436 | | - assert_eq!(lines.as_slice(), ["cookie-123", "correct horse"]); |
| 440 | + assert_eq!(lines.as_slice(), ["alice", "cookie-123", "correct horse"]); |
| 437 | 441 | |
| 438 | 442 | let _ = std::fs::remove_file(&socket_path); |
| 439 | 443 | } |
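Review bot: The updated assertion only covers a clean username (`"alice"`), so nothing pins what reaches the helper when the username carries a line break, which is presumably the case `sanitize_control_line` handles now that the value is written to a line-delimited stream. A companion test that passes a username with an embedded `\n` and asserts the transcript still holds exactly three entries would guard against a regression that lets one field spill into the next control line. The test function begins outside the hunk, so where the username is supplied is not visible here.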
@@ -448,6 +452,8 @@ mod tests { |
| 448 | 452 | let read_stream = stream.try_clone().expect("clone"); |
| 449 | 453 | let mut reader = BufReader::new(read_stream); |
| 450 | 454 | |
| 455 | + let mut username = String::new(); |
| 456 | + reader.read_line(&mut username).expect("read username"); |
| 451 | 457 | let mut cookie = String::new(); |
| 452 | 458 | reader.read_line(&mut cookie).expect("read cookie"); |
| 453 | 459 | |