[PATCH] libqmi-glib,proxy: add a configure flag to set the user ID of QMI proxy
Aleksander Morgado
aleksander at aleksander.es
Tue Nov 18 08:05:39 PST 2014
On 07/11/14 20:29, Roshan Pius wrote:
> Currently, the QMI proxy process assumes that it is run as root user and
> that all incoming client connection users are also root.
> However, it's not always preferable to run the QMI proxy as root for
> security reasons. On some platforms, the QMI proxy could be constrained
> to run as a less-privileged user and specially granted the permission to
> access the QMI device. So, adding a compile time flag in libqmi to check
> for the specified user, rather than assume it to be the root user. If the flag
> is not sent, it'll revert to the existing behaviour of checking for
> user=root(i.e UID=0)
>
Pushed to git master now, thanks.
> ---
> configure.ac | 11 +++++++++++
> src/libqmi-glib/qmi-proxy.c | 38 ++++++++++++++++++++++++++++++++------
> 2 files changed, 43 insertions(+), 6 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 3a63843..8c73ca7 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -79,6 +79,17 @@ AC_SUBST(GLIB_MKENUMS)
> dnl Documentation
> GTK_DOC_CHECK(1.0)
>
> +# QMI proxy UID
> +AC_ARG_ENABLE(qmi-proxy-username,
> + AS_HELP_STRING([--enable-qmi-proxy-username=<username>], [where qmi proxy username is]),
> + qmi_proxy_username=$enableval,
> + qmi_proxy_username="")
> +if ! test x"$qmi_proxy_username" = x""; then
> + AC_DEFINE_UNQUOTED(QMI_PROXY_USERNAME, $qmi_proxy_username, [Define the QMI Proxy username])
> +else
> + AC_DEFINE(QMI_PROXY_USERNAME, "root", [Define the QMI Proxy username])
> +fi
> +
> dnl Man page
> AC_PATH_PROG(HELP2MAN, help2man, false)
> AM_CONDITIONAL(BUILDOPT_MAN, test x$HELP2MAN != xfalse)
> diff --git a/src/libqmi-glib/qmi-proxy.c b/src/libqmi-glib/qmi-proxy.c
> index 16e003e..c69a3e8 100644
> --- a/src/libqmi-glib/qmi-proxy.c
> +++ b/src/libqmi-glib/qmi-proxy.c
> @@ -24,12 +24,15 @@
> #include <string.h>
> #include <ctype.h>
> #include <sys/file.h>
> +#include <sys/types.h>
> #include <errno.h>
> +#include <pwd.h>
>
> #include <glib.h>
> #include <glib/gstdio.h>
> #include <gio/gunixsocketaddress.h>
>
> +#include "config.h"
> #include "qmi-enum-types.h"
> #include "qmi-error-types.h"
> #include "qmi-device.h"
> @@ -610,6 +613,7 @@ incoming_cb (GSocketService *service,
> Client *client;
> GCredentials *credentials;
> GError *error = NULL;
> + struct passwd *expected_usr = NULL;
> uid_t uid;
>
> g_debug ("client connection open...");
> @@ -629,8 +633,17 @@ incoming_cb (GSocketService *service,
> return;
> }
>
> - if (uid != 0) {
> - g_warning ("Client not allowed: Not enough privileges");
> + expected_usr = getpwnam (QMI_PROXY_USERNAME);
> + if (!expected_usr) {
> + g_warning ("Unknown user configured: %s", QMI_PROXY_USERNAME);
> + /* Falling back to check for root user if the configured user is unknown */
> + if (uid != 0) {
> + g_warning ("Client not allowed: Not enough privileges");
> + return;
> + }
> + }
> + else if (uid != expected_usr->pw_uid) {
> + g_warning ("Client not allowed: Not the expected user: %s", QMI_PROXY_USERNAME);
> return;
> }
>
> @@ -708,13 +721,26 @@ QmiProxy *
> qmi_proxy_new (GError **error)
> {
> QmiProxy *self;
> -
> - /* Only root can run the qmi-proxy */
> - if (getuid () != 0) {
> + struct passwd *expected_usr = NULL;
> +
> + /* Only the specified user can run the mbim-proxy */
> + expected_usr = getpwnam (QMI_PROXY_USERNAME);
> + if (!expected_usr) {
> + g_warning ("Unknown user configured: %s", QMI_PROXY_USERNAME);
> + /* Falling back to check for root user if the configured user is unknown */
> + if (getuid () != 0) {
> + g_set_error (error,
> + QMI_CORE_ERROR,
> + QMI_CORE_ERROR_FAILED,
> + "Not enough privileges");
> + return NULL;
> + }
> + }
> + else if (getuid () != expected_usr->pw_uid) {
> g_set_error (error,
> QMI_CORE_ERROR,
> QMI_CORE_ERROR_FAILED,
> - "Not enough privileges");
> + "Not started with the expected user: %s", QMI_PROXY_USERNAME);
> return NULL;
> }
>
>
--
Aleksander
https://aleksander.es
More information about the libqmi-devel
mailing list