qmi-proxy running as non-root user
Aleksander Morgado
aleksander at aleksander.es
Wed Oct 1 06:31:31 PDT 2014
On Mon, Sep 29, 2014 at 11:49 PM, Prathmesh Prabhu Chromium
<pprabhu at chromium.org> wrote:
>> > (All discussion here applies equally to mbim-proxy and qmi-proxy)
>> >
>> > Reviving this thread since ChromeOS needs to relax the root requirement
>> > in order to use mbim-proxy.
>> >
>> > I discussed this somewhat widely here, and it seems that the simplest
>> > linux-footed solution is to use user/group membership.
>> > So, instead of forcing clients that connect with the proxy to be root,
>> > we can force them to have the same group id.
>> >
>> > This keeps the current behavior (when mbim-proxy is indeed launched as
>> > root) unchanged (uid(proxy) == gid(proxy) == uid(client) == gid(client) == 0)
>> > It introduces no new security vulnerabilities. If mbim-proxy is launched
>> > with insufficient rights to access the modem device, any attempt to open
>> > the device will simply fail.
>> >
>> > Those systems that want to sandbox the modemmanager/proxy process better
>> > can then do so using groups.
>> >
>> > I'll submit a patch separately for mbim-proxy for this approach.
>> >
>> > What do you think?
>>
>> Problem here is that there will only be one qmi-proxy process in the
>> system. If a user without enough privileges to open a QMI port
>> launches the proxy, we will end up with a proxy process which cannot
>> do anything. The root user check is not only to ensure that
>> unprivileged users don't make use of the QMI ports; it's also to
>> ensure that the process launching the proxy will be able to open and
>> use the QMI ports.
>>
>> Maybe, a special new 'modem' unix group would be a good idea; i.e. so
>> that the QMI/MBIM ports get rwx for that group, and so that we can
>> directly pass a --with-group=modem configure switch when compiling
>> libmbim/libqmi? That would limit all QMI/MBIM access to users
>> belonging to that group.
>
> I agree that it is a problem if mbim-proxy is launched with not enough
> privileges. But this is a problem that should be solved by the system
> packagers, not the proxy.
>
> I think the ideal solution lies in the 'modem' unix group you talked about.
> The distro packagers can create the 'modem' unix group, and make sure that
> all required kernel devices have rwx for this group. The same packagers then
> also make sure that the proxy is executable only by the 'modem' group.
> This provides the required access control and also guarantees capabilities
> needed by the proxy.
>
> mbim-proxy documentation can recommend this approach, but it is up to the
> distro to choose its own access control policy.
>
> What do you think?
To make it clear, "All required kernel devices" here would mean "All
/dev/cdc-wdm ports created by the cdc-wdm driver when used as a
subdriver of either qmi-wwan or cdc-mbim".
I have no idea how to configure those to be owned by a specific
user... Is that also done via udev rules? i.e. could we have ourselves
in libqmi/libmbim a udev rule that does the port ownership update as
soon as it's exposed?
--
Aleksander
https://aleksander.es