|
 |
0a7476 |
From 0abfa9e0b0b396420a165ac90e69952b23b5ca3e Mon Sep 17 00:00:00 2001
|
|
|
0a7476 |
Message-Id: <0abfa9e0b0b396420a165ac90e69952b23b5ca3e@dist-git>
|
|
|
f3a72a |
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
|
|
f3a72a |
Date: Wed, 15 May 2019 21:40:56 +0100
|
|
|
f3a72a |
Subject: [PATCH] admin: reject clients unless their UID matches the current
|
|
|
f3a72a |
UID
|
|
|
f3a72a |
MIME-Version: 1.0
|
|
|
f3a72a |
Content-Type: text/plain; charset=UTF-8
|
|
|
f3a72a |
Content-Transfer-Encoding: 8bit
|
|
|
f3a72a |
|
|
|
f3a72a |
The admin protocol RPC messages are only intended for use by the user
|
|
|
f3a72a |
running the daemon. As such they should not be allowed for any client
|
|
|
f3a72a |
UID that does not match the server UID.
|
|
|
f3a72a |
|
|
|
f3a72a |
Fixes CVE-2019-10132
|
|
|
f3a72a |
|
|
|
f3a72a |
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
|
|
f3a72a |
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
|
0a7476 |
(cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7)
|
|
|
f3a72a |
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
|
|
|
f3a72a |
Message-Id: <20190515204058.28077-2-berrange@redhat.com>
|
|
|
f3a72a |
---
|
|
|
f3a72a |
src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++
|
|
|
f3a72a |
1 file changed, 22 insertions(+)
|
|
|
f3a72a |
|
|
|
f3a72a |
diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c
|
|
|
f3a72a |
index b78ff902c0..9f25813ae3 100644
|
|
|
f3a72a |
--- a/src/admin/admin_server_dispatch.c
|
|
|
f3a72a |
+++ b/src/admin/admin_server_dispatch.c
|
|
|
f3a72a |
@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
|
|
|
f3a72a |
void *opaque)
|
|
|
f3a72a |
{
|
|
|
f3a72a |
struct daemonAdmClientPrivate *priv;
|
|
|
f3a72a |
+ uid_t clientuid;
|
|
|
f3a72a |
+ gid_t clientgid;
|
|
|
f3a72a |
+ pid_t clientpid;
|
|
|
f3a72a |
+ unsigned long long timestamp;
|
|
|
f3a72a |
+
|
|
|
f3a72a |
+ if (virNetServerClientGetUNIXIdentity(client,
|
|
|
f3a72a |
+ &clientuid,
|
|
|
f3a72a |
+ &clientgid,
|
|
|
f3a72a |
+ &clientpid,
|
|
|
f3a72a |
+ ×tamp) < 0)
|
|
|
f3a72a |
+ return NULL;
|
|
|
f3a72a |
+
|
|
|
f3a72a |
+ VIR_DEBUG("New client pid %lld uid %lld",
|
|
|
f3a72a |
+ (long long)clientpid,
|
|
|
f3a72a |
+ (long long)clientuid);
|
|
|
f3a72a |
+
|
|
|
f3a72a |
+ if (geteuid() != clientuid) {
|
|
|
f3a72a |
+ virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
|
|
|
f3a72a |
+ (long long)clientpid,
|
|
|
f3a72a |
+ (long long)clientuid);
|
|
|
f3a72a |
+ return NULL;
|
|
|
f3a72a |
+ }
|
|
|
f3a72a |
|
|
|
f3a72a |
if (VIR_ALLOC(priv) < 0)
|
|
|
f3a72a |
return NULL;
|
|
|
f3a72a |
--
|
|
|
f3a72a |
2.21.0
|
|
|
f3a72a |
|