Blob Blame History Raw
From 5ed86f689f011c36e8008c30dc3dfe89bfbf280a Mon Sep 17 00:00:00 2001
Message-Id: <5ed86f689f011c36e8008c30dc3dfe89bfbf280a@dist-git>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 15 May 2019 21:40:56 +0100
Subject: [PATCH] admin: reject clients unless their UID matches the current
 UID
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The admin protocol RPC messages are only intended for use by the user
running the daemon. As such they should not be allowed for any client
UID that does not match the server UID.

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from a private commit)
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Message-Id: <20190515204058.28077-2-berrange@redhat.com>
---
 src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c
index b78ff902c0..9f25813ae3 100644
--- a/src/admin/admin_server_dispatch.c
+++ b/src/admin/admin_server_dispatch.c
@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
                    void *opaque)
 {
     struct daemonAdmClientPrivate *priv;
+    uid_t clientuid;
+    gid_t clientgid;
+    pid_t clientpid;
+    unsigned long long timestamp;
+
+    if (virNetServerClientGetUNIXIdentity(client,
+                                          &clientuid,
+                                          &clientgid,
+                                          &clientpid,
+                                          &timestamp) < 0)
+        return NULL;
+
+    VIR_DEBUG("New client pid %lld uid %lld",
+              (long long)clientpid,
+              (long long)clientuid);
+
+    if (geteuid() != clientuid) {
+        virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
+                                 (long long)clientpid,
+                                 (long long)clientuid);
+        return NULL;
+    }
 
     if (VIR_ALLOC(priv) < 0)
         return NULL;
-- 
2.21.0