From 59961b895415031a1360b6304f982531fd761080 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Thu, 11 Apr 2019 10:51:59 +0200
Subject: [PATCH] src/server/command_socket.rs: check control socket permissions

---
 src/server/command_socket.rs | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/server/command_socket.rs b/src/server/command_socket.rs
index 57a54a3a..2f1af86d 100644
--- a/src/server/command_socket.rs
+++ b/src/server/command_socket.rs
@@ -11,6 +11,8 @@ use std::io::Write;
 use std::path::PathBuf;
 use serde_json::Value;
 use std::sync::Arc;
+use std::os::unix::io::AsRawFd;
+use nix::sys::socket;
 /// Listens on a Unix Socket to handle simple command asynchronously
 pub fn create_control_socket(path: P, f: F) -> Result, Error>
@@ -26,6 +28,21 @@ pub fn create_control_socket(path: P, f: F) -> Result {
+ let mygid = unsafe { libc::getgid() };
+ if !(cred.uid() == 0 || cred.gid() == mygid) {
+ bail!("no permissions for {:?}", cred);
+ }
+ }
+ Err(err) => bail!("no permissions - unable to read peer credential - {}", err),
+ }
+ Ok(conn)
+ })
 .map_err(move |err| {
 eprintln!("failed to accept on control socket {:?}: {}", path2, err);
 })
 .for_each(move |conn| {
 let f1 = f.clone();
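Review bot: Rejecting a peer with `bail!` inside the new `and_then` closure turns an authorization failure into a stream error: it passes through `.map_err` (which only logs it) into `.for_each`, and the combinator style here suggests futures 0.1, whose `for_each` resolves the whole listener future to the first stream error — so one connection from a process that is neither root nor in the daemon's group would end accepting for every later client, a local denial of service by anyone who can reach the socket path. Make rejection a non-error instead: return `Ok(Some(conn))` / `Ok(None)` from the closure, log the rejected credentials, and add `.filter_map(|c| c)` before `.map_err`, as in the rewrite below. Two smaller points: `unsafe { libc::getgid() }` can be the safe `nix::unistd::getgid().as_raw()` since `nix` is already imported, and the check compares the peer's primary gid from SO_PEERCRED (supplementary groups are not carried) against the daemon's real gid, which is presumably intended but deserves a comment such as `// allow root, or any process whose primary group matches ours`. The `getsockopt` call and the start of the closure are not legible in this hunk as rendered, and `create_control_socket` begins above the hunk and continues below it.
```rust
.and_then(|conn| {
    let cred = match socket::getsockopt(conn.as_raw_fd(), socket::sockopt::PeerCredentials) {
        Ok(cred) => cred,
        Err(err) => {
            eprintln!("unable to read control socket peer credential: {}", err);
            return Ok(None);
        }
    };
    // allow root, or any process whose primary group matches ours
    let mygid = nix::unistd::getgid().as_raw();
    if cred.uid() == 0 || cred.gid() == mygid {
        Ok(Some(conn))
    } else {
        // Drop the unauthorized peer but keep accepting; a bail!() here would end the stream.
        eprintln!("rejecting control socket connection from {:?}", cred);
        Ok(None)
    }
})
.filter_map(|conn| conn)
// … unchanged: .map_err(...) / .for_each(...) …
```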