render / rpms / libvirt

Forked from rpms/libvirt 11 months ago
Clone
f3a72a
From dba153a54183187d16cb983d269516930c555ad8 Mon Sep 17 00:00:00 2001
f3a72a
Message-Id: <dba153a54183187d16cb983d269516930c555ad8@dist-git>
f3a72a
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
f3a72a
Date: Wed, 15 May 2019 21:40:56 +0100
f3a72a
Subject: [PATCH] admin: reject clients unless their UID matches the current
f3a72a
 UID
f3a72a
MIME-Version: 1.0
f3a72a
Content-Type: text/plain; charset=UTF-8
f3a72a
Content-Transfer-Encoding: 8bit
f3a72a
f3a72a
The admin protocol RPC messages are only intended for use by the user
f3a72a
running the daemon. As such they should not be allowed for any client
f3a72a
UID that does not match the server UID.
f3a72a
f3a72a
Fixes CVE-2019-10132
f3a72a
f3a72a
Reviewed-by: Ján Tomko <jtomko@redhat.com>
f3a72a
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
f3a72a
(cherry picked from a private commit)
f3a72a
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
f3a72a
Message-Id: <20190515204058.28077-2-berrange@redhat.com>
f3a72a
---
f3a72a
 src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++
f3a72a
 1 file changed, 22 insertions(+)
f3a72a
f3a72a
diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c
f3a72a
index b78ff902c0..9f25813ae3 100644
f3a72a
--- a/src/admin/admin_server_dispatch.c
f3a72a
+++ b/src/admin/admin_server_dispatch.c
f3a72a
@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
f3a72a
                    void *opaque)
f3a72a
 {
f3a72a
     struct daemonAdmClientPrivate *priv;
f3a72a
+    uid_t clientuid;
f3a72a
+    gid_t clientgid;
f3a72a
+    pid_t clientpid;
f3a72a
+    unsigned long long timestamp;
f3a72a
+
f3a72a
+    if (virNetServerClientGetUNIXIdentity(client,
f3a72a
+                                          &clientuid,
f3a72a
+                                          &clientgid,
f3a72a
+                                          &clientpid,
f3a72a
+                                          &timestamp) < 0)
f3a72a
+        return NULL;
f3a72a
+
f3a72a
+    VIR_DEBUG("New client pid %lld uid %lld",
f3a72a
+              (long long)clientpid,
f3a72a
+              (long long)clientuid);
f3a72a
+
f3a72a
+    if (geteuid() != clientuid) {
f3a72a
+        virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
f3a72a
+                                 (long long)clientpid,
f3a72a
+                                 (long long)clientuid);
f3a72a
+        return NULL;
f3a72a
+    }
f3a72a
 
f3a72a
     if (VIR_ALLOC(priv) < 0)
f3a72a
         return NULL;
f3a72a
-- 
f3a72a
2.21.0
f3a72a