[PATCH] udevd - client access authorization

[PATCH] udevd - client access authorization

[Kay Sievers]

[-- Attachment #1: Type: text/plain, Size: 439 bytes --]

Here is the badly needed client authorization for udevd.
Since we switched to abstract namespace sockets, we are unable to
control the access of the socket by file permissions.

So here we send a ancillary credential message with every datagram,
to be able to verify the uid of the sender. The sender can't fake the
credentials, cause the kernel doesn't allow it for non root users.

udevd is still working with klibc here :)

thanks,
Kay

[-- Attachment #2: 04-credentials.patch --]
[-- Type: text/plain, Size: 3299 bytes --]

diff -Nru a/udevd.c b/udevd.c
--- a/udevd.c	Wed Feb 11 03:45:28 2004
+++ b/udevd.c	Wed Feb 11 03:45:28 2004
@@ -216,6 +216,11 @@
 {
 	struct hotplug_msg *msg;
 	int retval;
+	struct msghdr smsg;
+	struct cmsghdr *cmsg;
+	struct iovec iov;
+	struct ucred *cred;
+	char cred_msg[CMSG_SPACE(sizeof(struct ucred))];
 
 	msg = msg_create();
 	if (msg == NULL) {
@@ -223,13 +228,30 @@
 		return;
 	}
 
-	retval = recv(sock, msg, sizeof(struct hotplug_msg), 0);
+	iov.iov_base = msg;
+	iov.iov_len = sizeof(struct hotplug_msg);
+
+	memset(&smsg, 0x00, sizeof(struct msghdr));
+	smsg.msg_iov = &iov;
+	smsg.msg_iovlen = 1;
+	smsg.msg_control = cred_msg;
+	smsg.msg_controllen = sizeof(cred_msg);
+
+	retval = recvmsg(sock, &smsg, 0);
 	if (retval <  0) {
 		if (errno != EINTR)
 			dbg("unable to receive message");
 		return;
 	}
-	
+	cmsg = CMSG_FIRSTHDR(&smsg);
+	cred = (struct ucred *) CMSG_DATA(cmsg);
+
+	if (cred->uid != 0) {
+		dbg("sender uid=%i, message ignored", cred->uid);
+		free(msg);
+		return;
+	}
+
 	if (strncmp(msg->magic, UDEV_MAGIC, sizeof(UDEV_MAGIC)) != 0 ) {
 		dbg("message magic '%s' doesn't match, ignore it", msg->magic);
 		free(msg);
@@ -283,6 +305,7 @@
 	struct sockaddr_un saddr;
 	socklen_t addrlen;
 	int retval;
+	const int on = 1;
 	struct sigaction act;
 
 	init_logging("udevd");
@@ -317,6 +340,9 @@
 		dbg("bind failed\n");
 		goto exit;
 	}
+
+	/* enable receiving of the sender credentials */
+	setsockopt(ssock, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on));
 
 	while (1) {
 		handle_msg(ssock);
diff -Nru a/udevsend.c b/udevsend.c
--- a/udevsend.c	Wed Feb 11 03:45:28 2004
+++ b/udevsend.c	Wed Feb 11 03:45:28 2004
@@ -114,7 +114,7 @@
 
 int main(int argc, char* argv[])
 {
-	struct hotplug_msg message;
+	struct hotplug_msg msg;
 	char *action;
 	char *devpath;
 	char *subsystem;
@@ -128,6 +128,13 @@
 	struct sockaddr_un saddr;
 	socklen_t addrlen;
 	int started_daemon = 0;
+	struct iovec iov;
+	struct msghdr smsg;
+	char cred_msg[CMSG_SPACE(sizeof(struct ucred))];
+	struct cmsghdr *cmsg;
+	struct ucred *cred;
+	
+
 
 #ifdef DEBUG
 	init_logging("udevsend");
@@ -169,12 +176,34 @@
 	strcpy(&saddr.sun_path[1], UDEVD_SOCK_PATH);
 	addrlen = offsetof(struct sockaddr_un, sun_path) + strlen(saddr.sun_path+1) + 1;
 
-	size = build_hotplugmsg(&message, action, devpath, subsystem, seq);
-	
+	size = build_hotplugmsg(&msg, action, devpath, subsystem, seq);
+
+	/* prepare message with credentials to authenticate ourself */
+	iov.iov_base = &msg;
+	iov.iov_len = size;
+
+	smsg.msg_name = &saddr;
+	smsg.msg_namelen = addrlen;
+	smsg.msg_iov = &iov;
+	smsg.msg_iovlen = 1;
+	smsg.msg_control = cred_msg;
+	smsg.msg_controllen = CMSG_LEN(sizeof(struct ucred));;
+	smsg.msg_flags = 0;
+
+	cmsg = CMSG_FIRSTHDR(&smsg);
+	cmsg->cmsg_level = SOL_SOCKET;
+	cmsg->cmsg_type = SCM_CREDENTIALS;
+	cmsg->cmsg_len = sizeof(cred_msg);
+	cred = (struct ucred *) CMSG_DATA(cmsg);
+	cred->uid = getuid();
+	cred->gid = getgid();
+	cred->pid = getpid();
+	cred->pid = getpid();
+
 	/* If we can't send, try to start daemon and resend message */
 	loop = UDEVSEND_CONNECT_RETRY;
 	while (loop--) {
-		retval = sendto(sock, &message, size, 0, (struct sockaddr *)&saddr, addrlen);
+		retval = sendmsg(sock, &smsg, 0);
 		if (retval != -1) {
 			retval = 0;
 			goto close_and_exit;

Re: [PATCH] udevd - client access authorization

[Greg KH]

On Wed, Feb 11, 2004 at 04:04:04AM +0100, Kay Sievers wrote:
> Here is the badly needed client authorization for udevd.
> Since we switched to abstract namespace sockets, we are unable to
> control the access of the socket by file permissions.
> 
> So here we send a ancillary credential message with every datagram,
> to be able to verify the uid of the sender. The sender can't fake the
> credentials, cause the kernel doesn't allow it for non root users.

Thanks a lot for fixing this up.  I wouldn't want any user to be able to
add or remove devices from /dev by just talking through a socket.

Applied.

greg k-h


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id\x1356&alloc_id438&op=click
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel

Re: [PATCH] udevd - client access authorization

[Kay Sievers]

[-- Attachment #1: Type: text/plain, Size: 992 bytes --]

On Wed, Feb 11, 2004 at 02:34:32PM -0800, Greg KH wrote:
> On Wed, Feb 11, 2004 at 04:04:04AM +0100, Kay Sievers wrote:
> > Here is the badly needed client authorization for udevd.
> > Since we switched to abstract namespace sockets, we are unable to
> > control the access of the socket by file permissions.
> > 
> > So here we send a ancillary credential message with every datagram,
> > to be able to verify the uid of the sender. The sender can't fake the
> > credentials, cause the kernel doesn't allow it for non root users.
> 
> Thanks a lot for fixing this up.  I wouldn't want any user to be able to
> add or remove devices from /dev by just talking through a socket.

Here is a small improvement. We check for the type of message we receive
and udevsend seems not to need all the credential setup stuff, the
kernel will fill it for us.

udevd now refuses to start as non root, cause it doesn't make any sense.

Are we changing the mode_t in udev.h to unsigned int now?

thanks,
Kay

[-- Attachment #2: 01-better-credentials.patch --]
[-- Type: text/plain, Size: 2856 bytes --]

diff -Nru a/udevd.c b/udevd.c
--- a/udevd.c	Thu Feb 12 00:58:08 2004
+++ b/udevd.c	Thu Feb 12 00:58:08 2004
@@ -252,16 +252,19 @@
 	cmsg = CMSG_FIRSTHDR(&smsg);
 	cred = (struct ucred *) CMSG_DATA(cmsg);
 
+	if (cmsg == NULL || cmsg->cmsg_type != SCM_CREDENTIALS) {
+		dbg("no sender credentials received, message ignored");
+		goto skip;
+	}
+
 	if (cred->uid != 0) {
 		dbg("sender uid=%i, message ignored", cred->uid);
-		free(msg);
-		return;
+		goto skip;
 	}
 
 	if (strncmp(msg->magic, UDEV_MAGIC, sizeof(UDEV_MAGIC)) != 0 ) {
 		dbg("message magic '%s' doesn't match, ignore it", msg->magic);
-		free(msg);
-		return;
+		goto skip;
 	}
 
 	/* if no seqnum is given, we move straight to exec queue */
@@ -271,6 +274,11 @@
 	} else {
 		msg_queue_insert(msg);
 	}
+	return;
+
+skip:
+	free(msg);
+	return;
 }
 
 static void sig_handler(int signum)
@@ -316,6 +324,11 @@
 
 	init_logging("udevd");
 
+	if (getuid() != 0) {
+		dbg("need to be root, exit");
+		exit(1);
+	}
+
 	/* set signal handler */
 	act.sa_handler = sig_handler;
 	sigemptyset (&act.sa_mask);
@@ -336,14 +349,14 @@
 
 	ssock = socket(AF_LOCAL, SOCK_DGRAM, 0);
 	if (ssock == -1) {
-		dbg("error getting socket");
+		dbg("error getting socket, exit");
 		exit(1);
 	}
 
 	/* the bind takes care of ensuring only one copy running */
 	retval = bind(ssock, (struct sockaddr *) &saddr, addrlen);
 	if (retval < 0) {
-		dbg("bind failed\n");
+		dbg("bind failed, exit");
 		goto exit;
 	}
 
diff -Nru a/udevsend.c b/udevsend.c
--- a/udevsend.c	Thu Feb 12 00:58:08 2004
+++ b/udevsend.c	Thu Feb 12 00:58:08 2004
@@ -133,13 +133,6 @@
 	struct sockaddr_un saddr;
 	socklen_t addrlen;
 	int started_daemon = 0;
-	struct iovec iov;
-	struct msghdr smsg;
-	char cred_msg[CMSG_SPACE(sizeof(struct ucred))];
-	struct cmsghdr *cmsg;
-	struct ucred *cred;
-	
-
 
 #ifdef DEBUG
 	init_logging("udevsend");
@@ -183,32 +176,10 @@
 
 	size = build_hotplugmsg(&msg, action, devpath, subsystem, seq);
 
-	/* prepare message with credentials to authenticate ourself */
-	iov.iov_base = &msg;
-	iov.iov_len = size;
-
-	smsg.msg_name = &saddr;
-	smsg.msg_namelen = addrlen;
-	smsg.msg_iov = &iov;
-	smsg.msg_iovlen = 1;
-	smsg.msg_control = cred_msg;
-	smsg.msg_controllen = CMSG_LEN(sizeof(struct ucred));;
-	smsg.msg_flags = 0;
-
-	cmsg = CMSG_FIRSTHDR(&smsg);
-	cmsg->cmsg_level = SOL_SOCKET;
-	cmsg->cmsg_type = SCM_CREDENTIALS;
-	cmsg->cmsg_len = sizeof(cred_msg);
-	cred = (struct ucred *) CMSG_DATA(cmsg);
-	cred->uid = getuid();
-	cred->gid = getgid();
-	cred->pid = getpid();
-	cred->pid = getpid();
-
 	/* If we can't send, try to start daemon and resend message */
 	loop = UDEVSEND_CONNECT_RETRY;
 	while (loop--) {
-		retval = sendmsg(sock, &smsg, 0);
+		retval = sendto(sock, &msg, size, 0, (struct sockaddr *)&saddr, addrlen);
 		if (retval != -1) {
 			retval = 0;
 			goto close_and_exit;

Re: [PATCH] udevd - client access authorization

[Greg KH]

On Thu, Feb 12, 2004 at 01:14:31AM +0100, Kay Sievers wrote:
> On Wed, Feb 11, 2004 at 02:34:32PM -0800, Greg KH wrote:
> > On Wed, Feb 11, 2004 at 04:04:04AM +0100, Kay Sievers wrote:
> > > Here is the badly needed client authorization for udevd.
> > > Since we switched to abstract namespace sockets, we are unable to
> > > control the access of the socket by file permissions.
> > > 
> > > So here we send a ancillary credential message with every datagram,
> > > to be able to verify the uid of the sender. The sender can't fake the
> > > credentials, cause the kernel doesn't allow it for non root users.
> > 
> > Thanks a lot for fixing this up.  I wouldn't want any user to be able to
> > add or remove devices from /dev by just talking through a socket.
> 
> Here is a small improvement. We check for the type of message we receive
> and udevsend seems not to need all the credential setup stuff, the
> kernel will fill it for us.
> 
> udevd now refuses to start as non root, cause it doesn't make any sense.

Applied, thanks.

> Are we changing the mode_t in udev.h to unsigned int now?

I just did that in the tree.

thanks,

greg k-h


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id\x1356&alloc_id438&op=click
_______________________________________________
Linux-hotplug-devel mailing list  http://linux-hotplug.sourceforge.net
Linux-hotplug-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel