Avoiding getpwnam() by default

Aleksander Morgado aleksander at aleksander.es
Tue Dec 30 04:53:22 PST 2014


On Tue, Dec 30, 2014 at 10:08 AM, Aleksander Morgado
<aleksander at aleksander.es> wrote:
> The recently introduced check for MBIM username ends up using
> getpwnam() by default always (same in libqmi). This method triggers a
> read in the /etc/passwd file, which gets detected by SELinux enabled
> systems:
>
> SELinux is preventing /usr/bin/bash from read access on the file /etc/passwd.
>
> *****  Plugin catchall (100. confidence) suggests   **************************
>
> If you believe that bash should be allowed read access on the passwd file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep mbim-proxy /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> What do you think of updating the logic in the __mbim_user_allowed()
> method to not call getpwnam() if the user didn't use the
> --enable-mbim-username option?
>
> Instead of defining MBIM_USERNAME to "root" when the
> --enable-mbim-username isn't used, I would leave it undefined
> completely, so that we can do #ifndef MBIM_USERNAME in the code, and
> just check for uid==0 in that case.
>
> Most distributions will not use the new option, so we shouldn't add
> unnecessary stuff like the getpwnam() call.


Roshan, this is what I mean:

http://cgit.freedesktop.org/libmbim/libmbim/commit/?h=aleksander/avoid-getpwnam&id=f69e6b96d7bb687f2b9d6ff939cef730ec7cfd9c

If --enable-mbim-username is not used we just don't install the udev
rules and the proxy will only check for UID == 0 to allow the incoming
connections.

-- 
Aleksander
https://aleksander.es
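
The check proposed in this message, sketched in plain C as an added example; it is not the code from the linked libmbim commit. The helper name `peer_uid_allowed` is hypothetical, `getpwnam_r()` is swapped in for `getpwnam()`, and always allowing root in the configured build is an assumption.

```c
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* MBIM_USERNAME is assumed to be defined by the build only when
 * --enable-mbim-username is used (e.g. -DMBIM_USERNAME='"mbim"').
 * In a default build it stays undefined. */

/* Hypothetical helper: may a peer with this UID talk to the proxy? */
bool peer_uid_allowed(uid_t uid)
{
    /* Assumption: root is accepted in both build variants,
     * and never needs a passwd lookup. */
    if (uid == 0)
        return true;

#ifndef MBIM_USERNAME
    /* Default build: no name lookup at all, so the process never
     * opens /etc/passwd and SELinux has nothing to deny. */
    return false;
#else
    /* Configured build: resolve the configured account name to a UID.
     * getpwnam_r() is the reentrant variant of getpwnam(). */
    struct passwd pwd;
    struct passwd *result = NULL;
    char buf[4096];

    int err = getpwnam_r(MBIM_USERNAME, &pwd, buf, sizeof buf, &result);
    if (err != 0 || result == NULL) {
        /* Lookup failed or account missing: fail closed. */
        return false;
    }
    return uid == result->pw_uid;
#endif
}

int main(void)
{
    uid_t me = getuid();
    printf("uid %lu allowed: %s\n", (unsigned long)me,
           peer_uid_allowed(me) ? "yes" : "no");
    return 0;
}
```

Built without `-DMBIM_USERNAME`, the binary contains no passwd lookup, so only the configured build needs an SELinux policy that permits reading `/etc/passwd`.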


More information about the libmbim-devel mailing list