qmi-proxy running as non-root user

Aleksander Morgado aleksander at aleksander.es
Mon Jan 13 13:06:30 PST 2014


>
> qmi-proxy is currently expected to run as root. IIUC, that's enforced by
> incoming_cb and qmi_proxy_new in qmi-proxy.c. I guess it's a security
> measure to prevent any arbitrary client application to access the QMI port
> via qmi-proxy, unless it has root privilege.
>
> The implication of this approach is that both qmi-proxy and ModemManager
> need to run as root, which may not be ideal in some scenarios. For example,
> I'm trying to run ModemManager in a sandboxed environment (i.e. non-root,
> with limited access to only tty/usb devices, e.g. /dev/cdc-wdm0, associated
> with modems).
>
> I'm wondering if libqmi can provide a build time option to disable the root
> privilege check in qmi-proxy. Alternatively, qmi-proxy can simply rely on
> the file permissions to control the access to /dev/cdc-wdm*, and accept a
> client process that can access /dev/cdc-wdm*. The rationale is that if a
> client process can access /dev/cdc-wdm*, it can just bypass qmi-proxy.
>
> What do you think?
>

Letting the clients check whether they are allowed to open the port
before trying to use the proxy is not a good idea; you would be
relying on well-behaved clients, but that is not secure. One issue
currently is that the proxy is launched by the first process that
wants to use the port, and therefore inherits all its
uid/pid/environment. Limiting the usage to the root user was just a
quick way to make it safe, but if we can really do a proper
per-file-access-control that is secure, I'm all for it. Although not
sure exactly how that would be.

-- 
Aleksander
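
One way to do the per-file access control discussed in the thread, as an added illustration that is not libqmi or qmi-proxy code: the proxy asks the kernel for the connecting peer's credentials with SO_PEERCRED on the unix socket (so nothing is trusted from the client itself) and evaluates the device node's owner/group/mode bits against them. The device path /dev/cdc-wdm0 comes from the thread; the function names are assumptions, and supplementary groups are deliberately left out of the check.

```c
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Would a peer with these credentials get read+write on a file with this
 * owner/group/mode? Owner/group/other check plus the uid 0 override; the
 * peer's supplementary groups are not consulted (illustrative, not libqmi). */
int creds_may_rw(uid_t uid, gid_t gid, uid_t f_uid, gid_t f_gid, mode_t mode)
{
    if (uid == 0)
        return 1;
    if (uid == f_uid)
        return (mode & S_IRUSR) && (mode & S_IWUSR);
    if (gid == f_gid)
        return (mode & S_IRGRP) && (mode & S_IWGRP);
    return (mode & S_IROTH) && (mode & S_IWOTH);
}

/* Fetch the peer's uid/gid as recorded by the kernel at connect time. */
int get_peer_creds(int fd, uid_t *uid, gid_t *gid)
{
    struct ucred cr;
    socklen_t len = sizeof(cr);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0)
        return -1;
    *uid = cr.uid;
    *gid = cr.gid;
    return 0;
}

/* Decide whether the client on `fd` may use the proxy for device `path`. */
int peer_may_use_device(int fd, const char *path)
{
    struct stat st;
    uid_t uid; gid_t gid;
    if (get_peer_creds(fd, &uid, &gid) < 0 || stat(path, &st) < 0)
        return 0;   /* fail closed on any error */
    return creds_may_rw(uid, gid, st.st_uid, st.st_gid, st.st_mode);
}

/* Self-check: a socketpair's peer is this process, so creds must match ours. */
int peer_creds_match_self(void)
{
    int sv[2]; uid_t uid; gid_t gid; int ok;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    ok = get_peer_creds(sv[0], &uid, &gid) == 0 && uid == getuid() && gid == getgid();
    close(sv[0]); close(sv[1]);
    return ok;
}
```

Because the decision is made by the proxy on its own socket, a misbehaving client cannot influence it; the same check can be applied per device in the "open port" request rather than once per connection.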

