[PATCH] libmbim-glib, proxy: add a configure flag to set the UID of MBIM proxy

Wed Nov 5 10:01:58 PST 2014

Currently, the MBIM proxy process assumes that it is run as root UID and
that all incoming client connection UIDs are also root.
However, it's not always preferable to run the MBIM proxy as root for
security reasons. On some platforms, the MBIM proxy could be constrained
to run as a less-privileged user and specially granted the permission to
access the MBIM device. So, adding a compile time flag in libmbim to check
for the specified UID, rather than assume it to be the root UID. If the flag is
not sent, it'll revert to the existing behaviour of checking for UID=0(i.e root)

---
 configure.ac                  | 11 +++++++++++
 src/libmbim-glib/mbim-proxy.c | 11 ++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index 27f82c9..132a0d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -96,6 +96,17 @@ AC_SUBST(GLIB_MKENUMS)
 dnl Documentation
 GTK_DOC_CHECK(1.0)
 
+# MBIM proxy UID
+AC_ARG_ENABLE(mbim-proxy-uid,
+              AS_HELP_STRING([--enable-mbim-proxy-uid=UID], [where mbim proxy uid is]),
+              mbim_proxy_uid=$enableval,
+              mbim_proxy_uid="")
+if ! test x"$mbim_proxy_uid" = x""; then
+  AC_DEFINE_UNQUOTED(MBIM_PROXY_UID, $mbim_proxy_uid, [Define the MBIM Proxy UID])
+else
+  AC_DEFINE(MBIM_PROXY_UID, 0, [Define the MBIM Proxy UID])
+fi
+
 dnl Man page
 AC_PATH_PROG(HELP2MAN, help2man, false)
 AM_CONDITIONAL(BUILDOPT_MAN, test x$HELP2MAN != xfalse)
diff --git a/src/libmbim-glib/mbim-proxy.c b/src/libmbim-glib/mbim-proxy.c
index 7677cc6..0cdb05b 100644
--- a/src/libmbim-glib/mbim-proxy.c
+++ b/src/libmbim-glib/mbim-proxy.c
@@ -31,6 +31,7 @@
 #include <glib/gstdio.h>
 #include <gio/gunixsocketaddress.h>
 
+#include "config.h"
 #include "mbim-device.h"
 #include "mbim-utils.h"
 #include "mbim-proxy.h"
@@ -1060,8 +1061,8 @@ incoming_cb (GSocketService *service,
         return;
     }
 
-    if (uid != 0) {
-        g_warning ("Client not allowed: Not enough privileges");
+    if (uid != MBIM_PROXY_UID) {
+        g_warning ("Client not allowed: Not the expected UID: %u", MBIM_PROXY_UID);
         return;
     }
 
@@ -1214,12 +1215,12 @@ mbim_proxy_new (GError **error)
 {
     MbimProxy *self;
 
-    /* Only root can run the mbim-proxy */
-    if (getuid () != 0) {
+    /* Only the specified UID can run the mbim-proxy */
+    if (getuid () != MBIM_PROXY_UID) {
         g_set_error (error,
                      MBIM_CORE_ERROR,
                      MBIM_CORE_ERROR_FAILED,
-                     "Not enough privileges");
+                     "Not started with the expected UID: %u", MBIM_PROXY_UID);
         return NULL;
     }
 
-- 
2.1.0.rc2.206.gedb03e5

