Avoiding getpwnam() by default
aleksander at aleksander.es
Fri Jan 9 04:08:37 PST 2015
On Wed, Jan 7, 2015 at 6:10 PM, Roshan Pius <rpius at google.com> wrote:
> Hi Aleksander,
> Sorry for the late response. Was on vacation for a couple of weeks. The
> changes look good to me.
> Roshan Pius
> On Tue Dec 30 2014 at 4:53:22 AM Aleksander Morgado
> <aleksander at aleksander.es> wrote:
>> On Tue, Dec 30, 2014 at 10:08 AM, Aleksander Morgado
>> <aleksander at aleksander.es> wrote:
>> > The recently introduced check for MBIM username ends up using
>> > getpwnam() by default always (same in libqmi). This method triggers a
>> > read in the /etc/passwd file, which gets detected by SELinux enabled
>> > systems:
>> > SELinux is preventing /usr/bin/bash from read access on the file /etc/passwd.
>> > ***** Plugin catchall (100. confidence) suggests **************************
>> > If you believe that bash should be allowed read access on the passwd file by default.
>> > Then you should report this as a bug.
>> > You can generate a local policy module to allow this access.
>> > Do allow this access for now by executing:
>> > # grep mbim-proxy /var/log/audit/audit.log | audit2allow -M mypol
>> > # semodule -i mypol.pp
>> > What do you think of updating the logic in the __mbim_user_allowed()
>> > method to not call getpwnam() if the user didn't use the
>> > --enable-mbim-username option?
>> > Instead of defining MBIM_USERNAME to "root" when the
>> > --enable-mbim-username isn't used, I would leave it undefined
>> > completely, so that we can do #ifndef MBIM_USERNAME in the code, and
>> > just check for uid==0 in that case.
>> > Most distributions will not use the new option, so we shouldn't add
>> > unnecessary stuff like the getpwnam() call.
>> Roshan, this is what I mean:
>> If --enable-mbim-username is not used we just don't install the udev
>> rules and the proxy will only check for UID == 0 to allow the incoming
Pushed as 5ad9573a05 and removed that branch.
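As an added illustration (not libmbim's own code), a C sketch of the arrangement proposed in the thread: the proxy's allow check only falls back to getpwnam() when the build was configured with a user name. It assumes that configure defines MBIM_USERNAME only when --enable-mbim-username is given, and the function names are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical reconstruction of the __mbim_user_allowed() logic discussed
 * above. MBIM_USERNAME is assumed to be defined by configure only when
 * --enable-mbim-username=<user> was used; default builds leave it undefined. */

#ifdef MBIM_USERNAME
/* Optional path: resolve the configured name with getpwnam(), which reads
 * /etc/passwd (the access SELinux flagged). Compiled only into builds that
 * asked for it. */
static int user_matches_name(uid_t uid, const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        fprintf(stderr, "cannot resolve configured user '%s'\n", name);
        return 0; /* unresolvable name: deny rather than fail open */
    }
    return pw->pw_uid == uid;
}
#endif

/* Returns 1 if a client running with the given uid may use the proxy. */
static int mbim_user_allowed(uid_t uid)
{
    /* root is always allowed, and no lookup is needed to decide that */
    if (uid == 0)
        return 1;
#ifndef MBIM_USERNAME
    /* Default build: no configured user, so nobody else is allowed and
     * getpwnam() is never called, hence no /etc/passwd read to trip SELinux. */
    return 0;
#else
    return user_matches_name(uid, MBIM_USERNAME);
#endif
}

int main(void)
{
    /* Sample check against the calling process; constructed usage only. */
    printf("uid %u allowed: %d\n", (unsigned)getuid(), mbim_user_allowed(getuid()));
    return 0;
}
```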