<div dir="ltr"><p dir="ltr"><br>><br>
> Letting the clients check whether they are allowed to open the port<br>
> before trying to use the proxy is not a good idea; you would be<br>
> relying on well-behaved clients, but that is not secure. One issue<br>
> currently is that the proxy is launched by the first process that<br>
> wants to use the port, and therefore inherits all its<br>
> uid/pid/environment. Limiting the usage to the root user was just a<br>
> quick way to make it safe, but if we can really do a proper<br>
> per-file-access-control that is secure, I'm all for it. Although not<br>
> sure exactly how that would be.<br>
></p>
<p dir="ltr">I was not suggesting that the client should perform the check. The qmi-proxy should probably check if a client can access the device in incoming_cb, but that seems tricky as you said (unless it uses a helper to impersonate the client credential and perform the file permissions check). That's why I'm looking for a compilation option to disable the check in qmi-proxy and have a sandbox to constrain the ModemManagr/qmi-proxy process.</p>
</div>