qmi-proxy running as non-root user

Ben Chan benchan at chromium.org
Mon Jan 13 22:16:23 PST 2014


On Mon, Jan 13, 2014 at 1:35 PM, Ben Chan <benchan at chromium.org> wrote:
>
>>
>> Letting the clients check whether they are allowed to open the port
>> before trying to use the proxy is not a good idea; you would be
>> relying on well-behaved clients, but that is not secure. One issue
>> currently is that the proxy is launched by the first process that
>> wants to use the port, and therefore inherits all its
>> uid/pid/environment. Limiting the usage to the root user was just a
>> quick way to make it safe, but if we can really do a proper
>> per-file-access-control that is secure, I'm all for it. Although not
>> sure exactly how that would be.
>>
>
> I was not suggesting that the client should perform the check. The qmi-proxy
> should probably check if a client can access the device in incoming_cb, but
> that seems tricky as you said (unless it uses a helper to impersonate the
> client credential and perform the file permissions check). That's why I'm
> looking for a compilation option to disable the check in qmi-proxy and have
> a sandbox to constrain the ModemManager/qmi-proxy process.

If qmi-proxy is granted the CAP_SETUID capability, it could seteuid()
and then check if the client process can access the device file.

If we need finer control over permissions, would it make sense to have
qmi-proxy running as a DBus service, such that access control can be
specified in the DBus configuration file? I'm not sure if the DBus
overheads (e.g. latency) would be too much.

Perhaps a simpler (near-term) solution is to accept a client process that
runs as the same user as the qmi-proxy?
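One way to carry out the seteuid()-based check proposed above, as an added example that is not part of this thread or of libqmi/qmi-proxy: read the client's uid/gid from the Unix socket with SO_PEERCRED, switch the proxy's effective ids to the client's, and test the device node with faccessat(AT_EACCESS). It assumes Linux and that the proxy holds CAP_SETUID/CAP_SETGID (or is root); the socket descriptor and device path are the caller's, and `get_peer_creds`/`peer_may_open` are hypothetical names.

```c
#define _GNU_SOURCE            /* struct ucred, SO_PEERCRED */
#include <errno.h>
#include <fcntl.h>             /* AT_FDCWD, AT_EACCESS */
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Kernel-supplied identity of the process at the other end of a Unix socket. */
int get_peer_creds(int sock, struct ucred *out)
{
    socklen_t len = sizeof(*out);
    return getsockopt(sock, SOL_SOCKET, SO_PEERCRED, out, &len);
}

/* Return 1 if a client running as (uid, gid) may open `path` read/write,
 * 0 if not (or the path does not exist), -1 if the proxy could not assume
 * the client's identity (e.g. it lacks CAP_SETUID/CAP_SETGID). */
int peer_may_open(uid_t uid, gid_t gid, const char *path)
{
    uid_t my_uid = geteuid();
    gid_t my_gid = getegid();
    int allowed, saved_errno;

    /* Assume the client's identity, gid first: once the euid is unprivileged
     * the process may no longer be allowed to change its egid. */
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        saved_errno = errno;
        (void)setegid(my_gid);
        errno = saved_errno;
        return -1;
    }

    /* access(2) tests the *real* ids; AT_EACCESS makes faccessat use the
     * effective ones just switched to. Caveat: the client's supplementary
     * groups are not reported by SO_PEERCRED and are not applied here. */
    allowed = faccessat(AT_FDCWD, path, R_OK | W_OK, AT_EACCESS) == 0;
    saved_errno = errno;

    /* Restore the proxy's identity, uid first so we regain the right to
     * change the gid; failing to get back is unrecoverable, so abort. */
    if (seteuid(my_uid) != 0 || setegid(my_gid) != 0)
        abort();
    errno = saved_errno;
    return allowed;
}

int main(void)
{
    /* Constructed demonstration: query on behalf of the calling process. */
    printf("/dev/null: %d\n", peer_may_open(getuid(), getgid(), "/dev/null"));
    return 0;
}
```

In the proxy, `get_peer_creds` would be called on the accepted socket (e.g. in incoming_cb) and the resulting `ucred.uid`/`ucred.gid` passed to `peer_may_open` with the device node the client asked for.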
