admin: reject clients unless their UID matches the current UID

The admin protocol RPC messages are only intended for use by the user running the daemon. As such they should not be allowed for any client UID that does not match the server UID. Fixes CVE-2019-10132 Reviewed-by: N Ján Tomko <jtomko@redhat.com> Signed-off-by: N Daniel P. Berrangé <berrange@redhat.com>

admin: reject clients unless their UID matches the current UID
The admin protocol RPC messages are only intended for use by the user running the daemon. As such they should not be allowed for any client UID that does not match the server UID. Fixes CVE-2019-10132 Reviewed-by: N Ján Tomko <jtomko@redhat.com> Signed-off-by: N Daniel P. Berrangé <berrange@redhat.com>
96f41cd7 · Daniel P. Berrangé · 43808f3e · 96f41cd7
隐藏空白更改
内联并排

Showing with 22 addition and 0 deletion

src/admin/admin_server_dispatch.c src/admin/admin_server_dispatch.c +22 -0

未找到文件。
--- a/src/admin/admin_server_dispatch.c
+++ b/src/admin/admin_server_dispatch.c
@@ -64,6 +64,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
                   void *opaque)
 {
    struct daemonAdmClientPrivate *priv;
+    uid_t clientuid;
+    gid_t clientgid;
+    pid_t clientpid;
+    unsigned long long timestamp;
+
+    if (virNetServerClientGetUNIXIdentity(client,
+                                          &clientuid,
+                                          &clientgid,
+                                          &clientpid,
+                                          &timestamp) < 0)
+        return NULL;
+
+    VIR_DEBUG("New client pid %lld uid %lld",
+              (long long)clientpid,
+              (long long)clientuid);
+
+    if (geteuid() != clientuid) {
+        virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
+                                 (long long)clientpid,
+                                 (long long)clientuid);
+        return NULL;
+    }

    if (VIR_ALLOC(priv) < 0)
        return NULL;