Avoiding getpwnam() by default

Aleksander Morgado aleksander at aleksander.es
Fri Jan 9 04:08:37 PST 2015


On Wed, Jan 7, 2015 at 6:10 PM, Roshan Pius <rpius at google.com> wrote:
> Hi Aleksander,
>
> Sorry for the late response. Was on vacation for a couple of weeks. The
> changes look good to me.
>
> Regards,
> Roshan Pius
>
>
> On Tue Dec 30 2014 at 4:53:22 AM Aleksander Morgado
> <aleksander at aleksander.es> wrote:
>>
>> On Tue, Dec 30, 2014 at 10:08 AM, Aleksander Morgado
>> <aleksander at aleksander.es> wrote:
>> > The recently introduced check for MBIM username ends up using
>> > getpwnam() by default always (same in libqmi). This method triggers a
>> > read in the /etc/passwd file, which gets detected by SELinux enabled
>> > systems:
>> >
>> > SELinux is preventing /usr/bin/bash from read access on the file /etc/passwd.
>> >
>> > *****  Plugin catchall (100. confidence) suggests   **************************
>> >
>> > If you believe that bash should be allowed read access on the passwd file by default.
>> > Then you should report this as a bug.
>> > You can generate a local policy module to allow this access.
>> > Do
>> > allow this access for now by executing:
>> > # grep mbim-proxy /var/log/audit/audit.log | audit2allow -M mypol
>> > # semodule -i mypol.pp
>> >
>> > What do you think of updating the logic in the __mbim_user_allowed()
>> > method to not call getpwnam() if the user didn't use the
>> > --enable-mbim-username option?
>> >
>> > Instead of defining MBIM_USERNAME to "root" when the
>> > --enable-mbim-username isn't used, I would leave it undefined
>> > completely, so that we can do #ifndef MBIM_USERNAME in the code, and
>> > just check for uid==0 in that case.
>> >
>> > Most distributions will not use the new option, so we shouldn't add
>> > unnecessary stuff like the getpwnam() call.
>>
>>
>> Roshan, this is what I mean:
>>
>>
>> http://cgit.freedesktop.org/libmbim/libmbim/commit/?h=aleksander/avoid-getpwnam&id=f69e6b96d7bb687f2b9d6ff939cef730ec7cfd9c
>>
>> If --enable-mbim-username is not used we just don't install the udev
>> rules and the proxy will only check for UID == 0 to allow the incoming
>> connections.
>>

Pushed as 5ad9573a05 and removed that branch.

Cheers,

-- 
Aleksander
https://aleksander.es
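
The compile-time split discussed in this thread, as an added example that is not part of the original message or the libmbim source: with MBIM_USERNAME undefined the check is a plain UID comparison and never touches the passwd database. The names proxy_user_allowed and uid_matches_username are hypothetical, getpwnam_r() is used in place of getpwnam(), and accepting only the configured user when MBIM_USERNAME is defined is an assumption.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Slow path: resolve a user name to a UID. The lookup goes through NSS and
 * normally reads /etc/passwd, which is the access SELinux reported above. */
bool uid_matches_username(uid_t uid, const char *username)
{
    struct passwd pwd, *result = NULL;
    char buf[16384];

    /* Fail closed: a lookup error or an unknown user means "not allowed". */
    if (getpwnam_r(username, &pwd, buf, sizeof(buf), &result) != 0 ||
        result == NULL)
        return false;
    return uid == result->pw_uid;
}

/* Hypothetical name: decides whether a peer with this UID may connect. */
bool proxy_user_allowed(uid_t uid)
{
#ifdef MBIM_USERNAME
    /* Built with --enable-mbim-username: compare against the configured
     * user (assumption: only that user is accepted). */
    return uid_matches_username(uid, MBIM_USERNAME);
#else
    /* Default build: no name lookup at all, only root is accepted. */
    return uid == 0;
#endif
}

int main(void)
{
    uid_t me = getuid();

    printf("uid %ld allowed: %s\n", (long)me,
           proxy_user_allowed(me) ? "yes" : "no");
    printf("uid 0 allowed: %s\n", proxy_user_allowed(0) ? "yes" : "no");
    return 0;
}
```

Running the default build under strace should show no open of /etc/passwd from this check; compiling with -DMBIM_USERNAME='"someuser"' brings the lookup back.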


More information about the libmbim-devel mailing list