From 0abfa9e0b0b396420a165ac90e69952b23b5ca3e Mon Sep 17 00:00:00 2001 Message-Id: <0abfa9e0b0b396420a165ac90e69952b23b5ca3e@dist-git> From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Wed, 15 May 2019 21:40:56 +0100 Subject: [PATCH] admin: reject clients unless their UID matches the current UID MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The admin protocol RPC messages are only intended for use by the user running the daemon. As such they should not be allowed for any client UID that does not match the server UID. Fixes CVE-2019-10132 Reviewed-by: Ján Tomko Signed-off-by: Daniel P. Berrangé (cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7) Reviewed-by: Jiri Denemark Message-Id: <20190515204058.28077-2-berrange@redhat.com> --- src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c index b78ff902c0..9f25813ae3 100644 --- a/src/admin/admin_server_dispatch.c +++ b/src/admin/admin_server_dispatch.c @@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED, void *opaque) { struct daemonAdmClientPrivate *priv; + uid_t clientuid; + gid_t clientgid; + pid_t clientpid; + unsigned long long timestamp; + + if (virNetServerClientGetUNIXIdentity(client, + &clientuid, + &clientgid, + &clientpid, + ×tamp) < 0) + return NULL; + + VIR_DEBUG("New client pid %lld uid %lld", + (long long)clientpid, + (long long)clientuid); + + if (geteuid() != clientuid) { + virReportRestrictedError(_("Disallowing client %lld with uid %lld"), + (long long)clientpid, + (long long)clientuid); + return NULL; + } if (VIR_ALLOC(priv) < 0) return NULL; -- 2.21.0