authorRoshan Pius <rpius@chromium.org>2014-11-07 11:29:05 -0800
committerAleksander Morgado <aleksander@aleksander.es>2014-11-18 17:03:01 +0100
commitc474d34db0dd409818b008798df35a212447d0b9 (patch)
tree7fe6e0db43d41b102f35d2ef37faa5148160b1eb /src
parentaafe3e64abe92fc558044418e75d5f9f9d261118 (diff)
libqmi-glib,proxy: add a configure flag to set the user ID of QMI proxy
Currently, the QMI proxy process assumes that it is run as the root user and that all incoming client connections also come from root. However, for security reasons it's not always preferable to run the QMI proxy as root. On some platforms, the QMI proxy could be constrained to run as a less-privileged user that is specially granted permission to access the QMI device. So, add a compile-time flag in libqmi to check for the specified user, rather than assuming it to be the root user. If the flag is not set, it reverts to the existing behaviour of checking for user=root (i.e. UID=0).
Diffstat (limited to 'src')
-rw-r--r--src/libqmi-glib/qmi-proxy.c38
1 files changed, 32 insertions, 6 deletions
diff --git a/src/libqmi-glib/qmi-proxy.c b/src/libqmi-glib/qmi-proxy.c
index 33916fb..d446e8f 100644
--- a/src/libqmi-glib/qmi-proxy.c
+++ b/src/libqmi-glib/qmi-proxy.c
@@ -24,12 +24,15 @@
#include <string.h>
#include <ctype.h>
#include <sys/file.h>
+#include <sys/types.h>
#include <errno.h>
+#include <pwd.h>
#include <glib.h>
#include <glib/gstdio.h>
#include <gio/gunixsocketaddress.h>
+#include "config.h"
#include "qmi-enum-types.h"
#include "qmi-error-types.h"
#include "qmi-device.h"
@@ -625,6 +628,7 @@ incoming_cb (GSocketService *service,
Client *client;
GCredentials *credentials;
GError *error = NULL;
+ struct passwd *expected_usr = NULL;
uid_t uid;
g_debug ("client connection open...");
@@ -644,8 +648,17 @@ incoming_cb (GSocketService *service,
return;
}
- if (uid != 0) {
- g_warning ("Client not allowed: Not enough privileges");
+ expected_usr = getpwnam (QMI_PROXY_USERNAME);
+ if (!expected_usr) {
+ g_warning ("Unknown user configured: %s", QMI_PROXY_USERNAME);
+ /* Falling back to check for root user if the configured user is unknown */
+ if (uid != 0) {
+ g_warning ("Client not allowed: Not enough privileges");
+ return;
+ }
+ }
+ else if (uid != expected_usr->pw_uid) {
+ g_warning ("Client not allowed: Not the expected user: %s", QMI_PROXY_USERNAME);
return;
}
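Review bot: The `!expected_usr` branch in incoming_cb treats every NULL from `getpwnam (QMI_PROXY_USERNAME)` as "user unknown" and then accepts UID 0 instead of the configured user. getpwnam() can also return NULL on a lookup error with errno set, so a transient passwd/NSS failure changes which client UID is authorised for that connection. The lookup is repeated on every incoming connection, and the same logic is duplicated in the qmi_proxy_new hunk. A single helper that separates "no such user" from "lookup failed", and refuses in the latter case, would keep both checks identical; resolving the UID once at startup would further remove the dependency on the passwd database at connect time. incoming_cb starts and continues outside this hunk.

```c
/* Returns TRUE when uid is the one allowed to run and to use the proxy. */
static gboolean
uid_is_allowed (uid_t uid)
{
    struct passwd *expected_usr;

    errno = 0;
    expected_usr = getpwnam (QMI_PROXY_USERNAME);
    if (expected_usr)
        return uid == expected_usr->pw_uid;

    if (errno != 0) {
        /* Lookup failed: refuse rather than switch to a different UID */
        g_warning ("Couldn't look up user %s: %s",
                   QMI_PROXY_USERNAME, g_strerror (errno));
        return FALSE;
    }

    g_warning ("Unknown user configured: %s", QMI_PROXY_USERNAME);
    /* Falling back to check for root user if the configured user is unknown */
    return uid == 0;
}

/* … unchanged: credentials lookup in incoming_cb … */
    if (!uid_is_allowed (uid)) {
        g_warning ("Client not allowed: Not the expected user: %s", QMI_PROXY_USERNAME);
        return;
    }
```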
@@ -731,13 +744,26 @@ QmiProxy *
qmi_proxy_new (GError **error)
{
QmiProxy *self;
-
- /* Only root can run the qmi-proxy */
- if (getuid () != 0) {
+ struct passwd *expected_usr = NULL;
+
+ /* Only the specified user can run the mbim-proxy */
+ expected_usr = getpwnam (QMI_PROXY_USERNAME);
+ if (!expected_usr) {
+ g_warning ("Unknown user configured: %s", QMI_PROXY_USERNAME);
+ /* Falling back to check for root user if the configured user is unknown */
+ if (getuid () != 0) {
+ g_set_error (error,
+ QMI_CORE_ERROR,
+ QMI_CORE_ERROR_FAILED,
+ "Not enough privileges");
+ return NULL;
+ }
+ }
+ else if (getuid () != expected_usr->pw_uid) {
g_set_error (error,
QMI_CORE_ERROR,
QMI_CORE_ERROR_FAILED,
- "Not enough privileges");
+ "Not started with the expected user: %s", QMI_PROXY_USERNAME);
return NULL;
}
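Review bot: The new comment at the top of qmi_proxy_new says "Only the specified user can run the mbim-proxy", but this file is the QMI proxy, so it looks copied from the MBIM counterpart; it should read `/* Only the configured user (QMI_PROXY_USERNAME) can run the qmi-proxy */`. The same comment could also state that an unresolvable user name falls back to requiring root, since that policy is otherwise visible only through the runtime warning. The body of qmi_proxy_new continues outside this hunk.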