[PATCH] libmbim-glib, proxy: add a configure flag to set the UID of MBIM proxy
Prathmesh Prabhu Chromium
pprabhu at chromium.org
Wed Nov 5 10:15:21 PST 2014
Augh! I want a gmail plugin that'll tell me when I try sending to the
mm-devel list from the wrong email... :(
On Wed, Nov 5, 2014 at 10:11 AM, Prathmesh Prabhu <pprabhu at google.com>
wrote:
> +aleksander, +dcbw
>
> This is in response to
> http://lists.freedesktop.org/archives/libqmi-devel/2014-October/000956.html
>
> On Wed, Nov 5, 2014 at 10:01 AM, Roshan Pius <rpius at chromium.org> wrote:
>
>> Currently, the MBIM proxy process assumes that it is run as root UID and
>> that all incoming client connection UIDs are also root.
>> However, it's not always preferable to run the MBIM proxy as root for
>> security reasons. On some platforms, the MBIM proxy could be constrained
>> to run as a less-privileged user and specially granted the permission to
>> access the MBIM device. So, adding a compile time flag in libmbim to check
>> for the specified UID, rather than assume it to be the root UID. If the
>> flag is
>> not sent, it'll revert to the existing behaviour of checking for
>> UID=0(i.e root)
>>
>> ---
>> configure.ac | 11 +++++++++++
>> src/libmbim-glib/mbim-proxy.c | 11 ++++++-----
>> 2 files changed, 17 insertions(+), 5 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index 27f82c9..132a0d7 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -96,6 +96,17 @@ AC_SUBST(GLIB_MKENUMS)
>> dnl Documentation
>> GTK_DOC_CHECK(1.0)
>>
>> +# MBIM proxy UID
>> +AC_ARG_ENABLE(mbim-proxy-uid,
>> + AS_HELP_STRING([--enable-mbim-proxy-uid=UID], [where mbim
>> proxy uid is]),
>> + mbim_proxy_uid=$enableval,
>> + mbim_proxy_uid="")
>> +if ! test x"$mbim_proxy_uid" = x""; then
>> + AC_DEFINE_UNQUOTED(MBIM_PROXY_UID, $mbim_proxy_uid, [Define the MBIM
>> Proxy UID])
>> +else
>> + AC_DEFINE(MBIM_PROXY_UID, 0, [Define the MBIM Proxy UID])
>> +fi
>> +
>> dnl Man page
>> AC_PATH_PROG(HELP2MAN, help2man, false)
>> AM_CONDITIONAL(BUILDOPT_MAN, test x$HELP2MAN != xfalse)
>> diff --git a/src/libmbim-glib/mbim-proxy.c b/src/libmbim-glib/mbim-proxy.c
>> index 7677cc6..0cdb05b 100644
>> --- a/src/libmbim-glib/mbim-proxy.c
>> +++ b/src/libmbim-glib/mbim-proxy.c
>> @@ -31,6 +31,7 @@
>> #include <glib/gstdio.h>
>> #include <gio/gunixsocketaddress.h>
>>
>> +#include "config.h"
>> #include "mbim-device.h"
>> #include "mbim-utils.h"
>> #include "mbim-proxy.h"
>> @@ -1060,8 +1061,8 @@ incoming_cb (GSocketService *service,
>> return;
>> }
>>
>> - if (uid != 0) {
>> - g_warning ("Client not allowed: Not enough privileges");
>> + if (uid != MBIM_PROXY_UID) {
>> + g_warning ("Client not allowed: Not the expected UID: %u",
>> MBIM_PROXY_UID);
>> return;
>> }
>>
>> @@ -1214,12 +1215,12 @@ mbim_proxy_new (GError **error)
>> {
>> MbimProxy *self;
>>
>> - /* Only root can run the mbim-proxy */
>> - if (getuid () != 0) {
>> + /* Only the specified UID can run the mbim-proxy */
>> + if (getuid () != MBIM_PROXY_UID) {
>> g_set_error (error,
>> MBIM_CORE_ERROR,
>> MBIM_CORE_ERROR_FAILED,
>> - "Not enough privileges");
>> + "Not started with the expected UID: %u",
>> MBIM_PROXY_UID);
>> return NULL;
>> }
>>
>> --
>> 2.1.0.rc2.206.gedb03e5
>>
>> _______________________________________________
>> ModemManager-devel mailing list
>> ModemManager-devel at lists.freedesktop.org
>> http://lists.freedesktop.org/mailman/listinfo/modemmanager-devel
>>
>
>
>
> --
> Regards,
> Prathmesh
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/modemmanager-devel/attachments/20141105/047b6ca0/attachment-0001.html>
More information about the ModemManager-devel
mailing list