Avoiding getpwnam() by default

Roshan Pius rpius at google.com
Wed Jan 7 09:10:55 PST 2015


Hi Aleksander,

Sorry for the late response. Was on vacation for a couple of weeks. The
changes look good to me.

Regards,
Roshan Pius


On Tue Dec 30 2014 at 4:53:22 AM Aleksander Morgado <aleksander at aleksander.es> wrote:

> On Tue, Dec 30, 2014 at 10:08 AM, Aleksander Morgado
> <aleksander at aleksander.es> wrote:
> > The recently introduced check for MBIM username ends up using
> > getpwnam() by default always (same in libqmi). This method triggers a
> > read in the /etc/passwd file, which gets detected by SELinux enabled
> > systems:
> >
> > SELinux is preventing /usr/bin/bash from read access on the file /etc/passwd.
> >
> > *****  Plugin catchall (100. confidence) suggests  **************************
> >
> > If you believe that bash should be allowed read access on the passwd file by default.
> > Then you should report this as a bug.
> > You can generate a local policy module to allow this access.
> > Do
> > allow this access for now by executing:
> > # grep mbim-proxy /var/log/audit/audit.log | audit2allow -M mypol
> > # semodule -i mypol.pp
> >
> > What do you think of updating the logic in the __mbim_user_allowed()
> > method to not call getpwnam() if the user didn't use the
> > --enable-mbim-username option?
> >
> > Instead of defining MBIM_USERNAME to "root" when the
> > --enable-mbim-username isn't used, I would leave it undefined
> > completely, so that we can do #ifndef MBIM_USERNAME in the code, and
> > just check for uid==0 in that case.
> >
> > Most distributions will not use the new option, so we shouldn't add
> > unnecessary stuff like the getpwnam() call.
>
>
> Roshan, this is what I mean:
>
> http://cgit.freedesktop.org/libmbim/libmbim/commit/?h=aleksander/avoid-getpwnam&id=f69e6b96d7bb687f2b9d6ff939cef730ec7cfd9c
>
> If --enable-mbim-username is not used we just don't install the udev
> rules and the proxy will only check for UID == 0 to allow the incoming
> connections.
>
> --
> Aleksander
> https://aleksander.es
>
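The shape of the check discussed in the quoted thread, written out as an added C example (this is illustrative code, not libmbim's own `__mbim_user_allowed()`): when `MBIM_USERNAME` is left undefined by configure, the proxy compares the peer's UID against 0 and never touches the passwd database; only when a username was configured does it resolve that name with `getpwnam()`. The function names `user_allowed_default()` and `user_allowed_named()`, and the choice to always accept UID 0 even in the named variant, are assumptions made for this example.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Example only. In the real build MBIM_USERNAME would be defined by
 * configure when --enable-mbim-username=<name> is given; leaving it
 * undefined selects the getpwnam()-free path below.
 */
/* #define MBIM_USERNAME "mbim" */

/* Default path: no MBIM_USERNAME configured, so only root may connect.
 * This never reads /etc/passwd, which is what avoids the SELinux denial
 * quoted in the thread. */
static int user_allowed_default(uid_t uid)
{
    return uid == 0;
}

/* Configured-username path: root is accepted outright (assumption for this
 * example); any other peer must match the UID of the configured user, which
 * requires a passwd lookup via getpwnam(). */
static int user_allowed_named(uid_t uid, const char *username)
{
    if (uid == 0)
        return 1;
    if (username == NULL || username[0] == '\0')
        return 0;

    struct passwd *pw = getpwnam(username); /* reads the passwd database */
    if (pw == NULL)
        return 0;
    return pw->pw_uid == uid;
}

/* Compile-time selection mirroring the #ifndef MBIM_USERNAME idea. */
static int user_allowed(uid_t uid)
{
#ifdef MBIM_USERNAME
    return user_allowed_named(uid, MBIM_USERNAME);
#else
    return user_allowed_default(uid);
#endif
}

int main(void)
{
    /* Constructed sample peer UIDs: root and an ordinary user. */
    uid_t peers[] = { 0, 1000 };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("uid %u -> %s\n", (unsigned)peers[i],
               user_allowed(peers[i]) ? "allowed" : "rejected");
    return 0;
}
```

With `MBIM_USERNAME` undefined, the only syscall-visible behaviour is the UID comparison, so a confined proxy process has no reason to open `/etc/passwd`; defining it brings `getpwnam()` back and with it the need for a matching policy on SELinux systems.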

