qmi-proxy running as non-root user
Prathmesh Prabhu Chromium
pprabhu at chromium.org
Mon Sep 29 14:49:47 PDT 2014
On Wed, Sep 24, 2014 at 12:36 AM, Aleksander Morgado <aleksander at aleksander.es> wrote:
> On Wed, Sep 24, 2014 at 12:37 AM, Prathmesh Prabhu Chromium
> <pprabhu at chromium.org> wrote:
> > (All discussion here applies equally to mbim-proxy and qmi-proxy)
> >
> > Reviving this thread since ChromeOS needs to relax the root requirement in
> > order to use mbim-proxy.
> >
> > I discussed this somewhat widely here, and it seems that the simplest
> > linux-footed solution is to use user/group membership.
> > So, instead of forcing clients that connect with the proxy to be root, we
> > can force them to have the same group id.
> >
> > This keeps the current behavior (when mbim-proxy is indeed launched as root)
> > unchanged (uid(proxy) == gid(proxy) == uid(client) == gid(client) == 0)
> > It introduces no new security vulnerabilities. If mbim-proxy is launched
> > with insufficient rights to access the modem device, any attempt to open the
> > device will simply fail.
> >
> > Those systems that want to sandbox the modemmanager/proxy process better can
> > then do so using groups.
> >
> > I'll submit a patch separately for mbim-proxy for this approach.
> >
> > What do you think?
>
> Problem here is that there will only be one qmi-proxy process in the
> system. If a user without enough privileges to open a QMI port
> launches the proxy, we will end up with a proxy process which cannot
> do anything. The root user check is not only to ensure that
> unprivileged users don't make use of the QMI ports; it's also to
> ensure that the process launching the proxy will be able to open and
> use the QMI ports.
>
> Maybe, a special new 'modem' unix group would be a good idea; i.e. so
> that the QMI/MBIM ports get rwx for that group, and so that we can
> directly pass a --with-group=modem configure switch when compiling
> libmbim/libqmi? That would limit all QMI/MBIM access to users
> belonging to that group.
>
I agree that it is a problem if mbim-proxy is launched with not enough
privileges. But this is a problem that should be solved by the system
packagers, not the proxy.
I think the ideal solution lies in the 'modem' unix group you talked
about. The distro packagers can create the 'modem' unix group, and make
sure that all required kernel devices have rwx for this group. The same
packagers then also make sure that the proxy is executable only by the
'modem' group.
This provides the required access control and also guarantees capabilities
needed by the proxy.
mbim-proxy documentation can recommend this approach, but it is up to the
distro to choose its own access control policy.
What do you think?
>
>
> --
> Aleksander
> https://aleksander.es
>
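The group-based check the thread proposes, written out as an added example (not libqmi's or libmbim's own code): the proxy reads the connecting client's credentials from its Unix-domain socket with SO_PEERCRED (Linux-specific) and accepts the client if it is root, as today, or if its gid matches the group the proxy itself was started under. The group name "modem" and the exact policy shape are assumptions taken from the discussion, not from any shipped implementation.

```c
/* Added example: group-based peer authorization for a local proxy socket.
 * Assumes Linux (struct ucred / SO_PEERCRED); not libqmi's own code. */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <stdio.h>

/* Policy from the thread: root keeps working as before, otherwise the client
 * must share the proxy's group (e.g. an assumed "modem" group). */
int peer_policy_allows(uid_t uid, gid_t gid, gid_t proxy_gid)
{
    if (uid == 0)
        return 1;
    return gid == proxy_gid;
}

/* Resolve the gid the proxy enforces: the named group if it exists, else the
 * proxy's own effective gid (what it was launched under). */
gid_t proxy_group_id(const char *group_name)
{
    struct group *gr = getgrnam(group_name);   /* NULL if group is absent */
    return gr ? gr->gr_gid : getegid();
}

/* Read the peer's credentials off a connected AF_UNIX socket and apply the
 * policy. Returns 1 = allowed, 0 = refused, -1 = getsockopt error (errno set). */
int peer_allowed(int fd, gid_t proxy_gid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    return peer_policy_allows(cred.uid, cred.gid, proxy_gid);
}

/* Self-check: both ends of a socketpair belong to this process, so the peer's
 * gid is our own effective gid and the check must pass (returns 1). */
int self_check(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int r = peer_allowed(sv[0], getegid());
    close(sv[0]);
    close(sv[1]);
    return r;
}

int main(void)
{
    printf("self check: %d\n", self_check());
    return 0;
}
```

A client in a different group is refused even if its uid matches some other account, which is the access-control boundary the packagers then control by group membership and by the rw permissions on the modem device nodes.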