diff options
| author | Aleksander Morgado <aleksander@lanedo.com> | 2013-08-30 11:57:12 +0200 |
|---|---|---|
| committer | Aleksander Morgado <aleksander@lanedo.com> | 2013-09-05 15:39:01 +0200 |
| commit | eee734faba3808615a85c13bc9d5104bf958efa3 (patch) | |
| tree | cbaf497b72388eaa73cc6a53b1f06c4be3dd167f | |
| parent | 5093553f1dbe2b5aaed915a480ead27e8075ec58 (diff) | |
| download | libqmi-eee734faba3808615a85c13bc9d5104bf958efa3.tar.gz | |
libqmi-glib,qmi-proxy: only allow clients running as root
Check the uid of the remote user; and only allow connections if the user is
root. Also, make sure that only the root user can actually create the qmi-proxy
daemon.
Looking at the user id to see whether it will have privileges to open the
/dev/cdc-wdm port port is probably not the best option; but the cleanest and
easiest way for now, given that the qmi-proxy is launched on-demand and not
always running.
| -rw-r--r-- | src/libqmi-glib/qmi-proxy.c | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/src/libqmi-glib/qmi-proxy.c b/src/libqmi-glib/qmi-proxy.c index 933dca0c..f9567463 100644 --- a/src/libqmi-glib/qmi-proxy.c +++ b/src/libqmi-glib/qmi-proxy.c @@ -603,9 +603,32 @@ incoming_cb (GSocketService *service, QmiProxy *self) { Client *client; + GCredentials *credentials; + GError *error = NULL; + uid_t uid; g_debug ("client connection open..."); + credentials = g_socket_get_credentials (g_socket_connection_get_socket (connection), &error); + if (!credentials) { + g_warning ("Client not allowed: Error getting socket credentials: %s", error->message); + g_error_free (error); + return; + } + + uid = g_credentials_get_unix_user (credentials, &error); + g_object_unref (credentials); + if (error) { + g_warning ("Client not allowed: Error getting unix user id: %s", error->message); + g_error_free (error); + return; + } + + if (uid != 0) { + g_warning ("Client not allowed: Not enough privileges"); + return; + } + /* Create client */ client = g_slice_new0 (Client); client->proxy = self; @@ -681,6 +704,15 @@ qmi_proxy_new (GError **error) { QmiProxy *self; + /* Only root can run the qmi-proxy */ + if (getuid () != 0) { + g_set_error (error, + QMI_CORE_ERROR, + QMI_CORE_ERROR_FAILED, + "Not enough privileges"); + return NULL; + } + self = g_object_new (QMI_TYPE_PROXY, NULL); if (!setup_socket_service (self, error)) g_clear_object (&self); |