qmi-proxy running as non-root user
Aleksander Morgado
aleksander at aleksander.es
Wed Sep 24 00:36:28 PDT 2014
On Wed, Sep 24, 2014 at 12:37 AM, Prathmesh Prabhu Chromium
<pprabhu at chromium.org> wrote:
> (All discussion here applies equally to mbim-proxy and qmi-proxy)
>
> Reviving this thread since ChromeOS needs to relax the root requirement in
> order to use mbim-proxy.
>
> I discussed this somewhat widely here, and it seems that the simplest
> linux-footed solution is to use user/group membership.
> So, instead of forcing clients that connect with the proxy to be root, we
> can force them to have the same group id.
>
> This keeps the current behavior (when mbim-proxy is indeed launched as root)
> unchanged (uid(proxy) == gid(proxy) == uid(client) == gid(client) == 0).
> It introduces no new security vulnerabilities. If mbim-proxy is launched
> with insufficient rights to access the modem device, any attempt to open the
> device will simply fail.
>
> Those systems that want to sandbox the modemmanager/proxy process better can
> then do so using groups.
>
> I'll submit a patch separately for mbim-proxy for this approach.
>
> What do you think?

Problem here is that there will only be one qmi-proxy process in the
system. If a user without enough privileges to open a QMI port
launches the proxy, we will end up with a proxy process which cannot
do anything. The root user check is not only to ensure that
unprivileged users don't make use of the QMI ports; it's also to
ensure that the process launching the proxy will be able to open and
use the QMI ports.

Maybe, a special new 'modem' unix group would be a good idea; i.e. so
that the QMI/MBIM ports get rwx for that group, and so that we can
directly pass a --with-group=modem configure switch when compiling
libmbim/libqmi? That would limit all QMI/MBIM access to users
belonging to that group.
--
Aleksander
https://aleksander.es