qmi-proxy running as non-root user
Prathmesh Prabhu Chromium
pprabhu at chromium.org
Mon Sep 29 14:50:25 PDT 2014
On Mon, Sep 29, 2014 at 2:49 PM, Prathmesh Prabhu Chromium <pprabhu at chromium.org> wrote:
>
>
> On Wed, Sep 24, 2014 at 12:36 AM, Aleksander Morgado <aleksander at aleksander.es> wrote:
>
>> On Wed, Sep 24, 2014 at 12:37 AM, Prathmesh Prabhu Chromium <pprabhu at chromium.org> wrote:
>> > (All discussion here applies equally to mbim-proxy and qmi-proxy)
>> >
>> > Reviving this thread since ChromeOS needs to relax the root requirement in
>> > order to use mbim-proxy.
>> >
>> > I discussed this somewhat widely here, and it seems that the simplest
>> > linux-footed solution is to use user/group membership.
>> > So, instead of forcing clients that connect with the proxy to be root, we
>> > can force them to have the same group id.
>> >
>> > This keeps the current behavior (when mbim-proxy is indeed launched as root)
>> > unchanged (uid(proxy) == gid(proxy) == uid(client) == gid(client) == 0).
>> > It introduces no new security vulnerabilities. If mbim-proxy is launched
>> > with insufficient rights to access the modem device, any attempt to open the
>> > device will simply fail.
>> >
>> > Those systems that want to sandbox the modemmanager/proxy process better can
>> > then do so using groups.
>> >
>> > I'll submit a patch separately for mbim-proxy for this approach.
>> >
>> > What do you think?
>>
>> Problem here is that there will only be one qmi-proxy process in the
>> system. If a user without enough privileges to open a QMI port
>> launches the proxy, we will end up with a proxy process which cannot
>> do anything. The root user check is not only to ensure that
>> unprivileged users don't make use of the QMI ports; it's also to
>> ensure that the process launching the proxy will be able to open and
>> use the QMI ports.
>>
>> Maybe, a special new 'modem' unix group would be a good idea; i.e. so
>> that the QMI/MBIM ports get rwx for that group, and so that we can
>> directly pass a --with-group=modem configure switch when compiling
>> libmbim/libqmi? That would limit all QMI/MBIM access to users
>> belonging to that group.
>>
>
> I agree that it is a problem if mbim-proxy is launched with not enough
> privileges. But this is a problem that should be solved by the system
> packagers, not the proxy.
>
> I think the ideal solution lies in the 'modem' unix group you talked
> about. The distro packagers can create the 'modem' unix group, and make
> sure that all required kernel devices have rwx for this group. The same
> packagers then also make sure that the proxy is executable only by the
> 'modem' group.
> This provides the required access control and also guarantees capabilities
> needed by the proxy.
>
> mbim-proxy documentation can recommend this approach, but it is up to the
> distro to choose its own access control policy.
>
> What do you think?
>
Once again: I mean mbim-proxy/qmi-proxy.
>
>>
>> --
>> Aleksander
>> https://aleksander.es
>>
>
>
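The two mechanisms argued over in this thread, a proxy that admits a client only when the client's gid matches the proxy's own gid, and a packaging arrangement where the modem device nodes are group-owned by a dedicated group with group read/write bits, can be sketched in a few lines of C. The block below is an added example written for this archive page; it is not libqmi/libmbim code, the function names (`client_gid_allowed`, `peer_allowed`, `device_usable_by_group`, `demo`, `demo_device`) are hypothetical, and it assumes Linux because it relies on `SO_PEERCRED` to learn the connecting process's credentials from the kernel rather than trusting anything the client sends.

```c
/* Added example (not libqmi/libmbim code): gid-based admission for a
 * Unix-socket proxy plus a check that the modem device node is usable by
 * a dedicated group. Linux only: SO_PEERCRED / struct ucred. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Policy from the thread: a client may talk to the proxy when its primary
 * gid equals the gid the proxy runs with. If the proxy is launched as root
 * (gid 0) this collapses to the old behaviour, since only gid-0 clients
 * match; if it runs under a 'modem' group, only members connecting with
 * that primary gid match. */
int client_gid_allowed(gid_t client_gid, gid_t proxy_gid)
{
    return client_gid == proxy_gid;
}

/* Ask the kernel who is on the other end of a connected AF_UNIX socket.
 * The kernel fills in the peer's pid/uid/gid; the client cannot forge them.
 * Returns 1 if the peer is admitted, 0 if denied, -1 on error. */
int peer_allowed(int sockfd)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    return client_gid_allowed(cred.gid, getegid());
}

/* Packaging-side check: the device node must be owned by `group` and carry
 * group read+write bits. The thread says "rwx for that group"; execute has
 * no meaning on a character device, so only r and w are required here.
 * Returns 1 if usable, 0 if not, -1 if the node cannot be stat()ed. */
int device_usable_by_group(const char *path, gid_t group)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    if (st.st_gid != group)
        return 0;
    return (st.st_mode & (S_IRGRP | S_IWGRP)) == (S_IRGRP | S_IWGRP);
}

/* Self-contained demo: a socketpair stands in for the proxy<->client link.
 * Both ends belong to this process, so the peer gid equals our own egid
 * and the connection is admitted (returns 1). */
int demo(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int ok = peer_allowed(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return ok;
}

/* Self-contained demo of the device check: a constructed temporary file
 * (standing in for /dev/cdc-wdm*) owned by our egid with the given mode.
 * 0660 -> 1 (usable), 0600 -> 0 (group bits missing). */
int demo_device(mode_t mode)
{
    char path[] = "/tmp/modem-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int r = -1;
    if (fchown(fd, (uid_t)-1, getegid()) == 0 && fchmod(fd, mode) == 0)
        r = device_usable_by_group(path, getegid());
    close(fd);
    unlink(path);
    return r;
}

int main(void)
{
    printf("peer check on socketpair: %d (1 = allowed)\n", demo());
    printf("device node 0660: %d, 0600: %d (1 = usable by group)\n",
           demo_device(0660), demo_device(0600));
    return 0;
}
```

Note that comparing only the primary gid is exactly as strict as the thread proposes: a root client (uid 0, gid 0) connecting to a proxy that runs under a non-root 'modem' group is denied, which is why Aleksander's point about who launches the proxy matters. Widening admission to supplementary group membership would need a different check (for example resolving the peer's uid to its group list); that is a policy decision the thread leaves to the distribution.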