From: Felix Fietkau Date: Tue, 14 Oct 2025 10:01:31 +0000 (+0000) Subject: ubusd: acl: compare uid/gid instead of user/group strings X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=d95837b1b1432475ecaa78383b9357b260cbb863;p=project%2Fubus.git ubusd: acl: compare uid/gid instead of user/group strings Faster comparison, and preparation for checking multiple groups. Signed-off-by: Felix Fietkau
---
diff --git a/ubusd.h b/ubusd.h
index 1913c66..05af434 100644
--- a/ubusd.h
+++ b/ubusd.h
@@ -52,8 +52,8 @@ struct ubus_client {
 struct uloop_fd sock;
 struct blob_buf b;
- uid_t uid;
- gid_t gid;
+ int uid;
+ int gid;
 char *user;
 char *group;
diff --git a/ubusd_acl.c b/ubusd_acl.c
index 352c581..b975580 100644
--- a/ubusd_acl.c
+++ b/ubusd_acl.c
@@ -46,6 +46,8 @@ struct ubusd_acl_obj {
 const char *user;
 const char *group;
+ int uid;
+ int gid;
 struct blob_attr *methods;
 struct blob_attr *tags;
@@ -61,6 +63,8 @@ struct ubusd_acl_file {
 const char *user;
 const char *group;
+ int uid;
+ int gid;
 struct blob_attr *blob;
 struct list_head acl;
@@ -77,10 +81,10 @@ static struct ubus_object *acl_obj;
 static int
 ubusd_acl_match_cred(struct ubus_client *cl, struct ubusd_acl_obj *obj)
 {
- if (obj->user && !strcmp(cl->user, obj->user))
+ if (obj->uid != -1 && cl->uid == obj->uid)
 return 0;
- if (obj->group && !strcmp(cl->group, obj->group))
+ if (obj->gid != -1 && cl->gid == obj->gid)
 return 0;
 return -1;
@@ -256,6 +260,8 @@ ubusd_acl_alloc_obj(struct ubusd_acl_file *file, const char *obj)
 o->partial = partial;
 o->user = file->user;
 o->group = file->group;
+ o->uid = file->uid;
+ o->gid = file->gid;
 o->avl.key = memcpy(k, obj, len);
 list_add(&o->list, &file->acl);
@@ -282,7 +288,7 @@ ubusd_acl_add_access(struct ubusd_acl_file *file, struct blob_attr *obj)
 o->tags = tb[ACL_ACCESS_TAGS];
 o->priv = tb[ACL_ACCESS_PRIV];
- if (file->user || file->group)
+ if (file->uid > 0 || file->gid > 0)
 file->ok = 1;
 }
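Review bot: Changing `cl->uid`/`cl->gid` from `uid_t`/`gid_t` to plain `int` narrows an unsigned 32-bit id on glibc/musl, so any id at or above 2^31 becomes negative and `(uid_t)-1` collapses onto the -1 "unset" sentinel that ubusd_acl.c now relies on; the same `uid_t` to `int` store happens for `pwd->pw_uid` in ubusd_acl_file_add, where a negative value would also fail the new `file->uid > 0` test and silently disable that ACL file. Peer credentials on an OpenWrt box are normally small, so this is an edge case rather than an exploitable hole, but the sentinel convention is now part of the header's contract and should be written down: `int uid; /* -1 = unset; fits the sentinel used by ubusd_acl.c */` and likewise for `gid`. The code that fills these fields from the socket credentials is not in this diff, and struct ubus_client continues outside the hunk.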
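Review bot: `if (obj->uid != -1 && cl->uid == obj->uid)` treats 0 as a legitimate uid, but ubusd_acl_file_add in this same commit stores 0 when getpwnam()/getgrnam() cannot resolve the configured name, so an entry for a misspelled or absent user would match a uid-0 client here instead of matching nobody. Whether that matters depends on ubusd_acl_add_access never setting `file->ok` for such files and on unset files being discarded, which is not visible in this hunk; the matcher itself would be safer if unresolved entries stayed at -1 so this check rejects them unconditionally. A one-line comment on the sentinel would help the next reader: `/* uid/gid of -1 means the ACL file named no (or an unresolvable) user/group */`.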
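Review bot: `if (file->uid > 0 || file->gid > 0)` is a behaviour change the commit message does not mention: the old `file->user || file->group` accepted any ACL file that named a user or group, while the new test also rejects a file whose user or group resolves to id 0, so an ACL file for `root` is now silently never marked ok. The `> 0` is only there because ubusd_acl_file_add writes 0 for an unresolvable name, which conflates "unknown user" with "root"; if root is exempt from ACL checks elsewhere in ubusd this is harmless, but that cannot be confirmed from the diff. Keeping -1 for unresolved names and testing `if (file->uid >= 0 || file->gid >= 0)` would preserve the old acceptance of root while still dropping files with bogus names. ubusd_acl_add_access begins outside the hunk.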
@@ -348,12 +354,30 @@ ubusd_acl_file_add(struct ubusd_acl_file *file)
 blobmsg_parse(acl_policy, __ACL_MAX, tb, blob_data(file->blob), blob_len(file->blob));
- if (tb[ACL_USER])
+ file->uid = -1;
+ file->gid = -1;
+
+ if (tb[ACL_USER]) {
+ struct passwd *pwd;
+
 file->user = blobmsg_get_string(tb[ACL_USER]);
- else if (tb[ACL_GROUP])
+ pwd = getpwnam(file->user);
+ if (pwd)
+ file->uid = pwd->pw_uid;
+ else
+ file->uid = 0;
+ } else if (tb[ACL_GROUP]) {
+ struct group *grp;
+
 file->group = blobmsg_get_string(tb[ACL_GROUP]);
- else
+ grp = getgrnam(file->group);
+ if (grp)
+ file->gid = grp->gr_gid;
+ else
+ file->gid = 0;
+ } else {
 return;
+ }
 if (tb[ACL_ACCESS])
 blobmsg_for_each_attr(cur, tb[ACL_ACCESS], rem)
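Review bot: The `else file->uid = 0;` and `else file->gid = 0;` branches turn a failed getpwnam()/getgrnam() into the real id of root, and they do so silently, without distinguishing "name not found" from a lookup error (errno) and without any diagnostic, so a typo in an ACL file's `user` or `group` field is invisible at runtime and the resulting entry only stays inert because of the `> 0` special case in ubusd_acl_add_access. Dropping both `else` branches so the field keeps the -1 set at the top of the hunk makes unresolved entries unmatchable in ubusd_acl_match_cred by construction, and a warning through whatever logging ubusd uses (the diff shows none) would surface the misconfiguration. Note also that getpwnam()/getgrnam() need `<pwd.h>`/`<grp.h>`, which this diff does not add, so they must already be included in ubusd_acl.c. ubusd_acl_file_add begins and ends outside the hunk.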