admin: reject clients unless their UID matches the current UID

The admin protocol RPC messages are only intended for use by the user
running the daemon. As such they should not be allowed for any client
UID that does not match the server UID.

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 96f41cd765)
This commit is contained in:
Daniel P. Berrangé 2019-04-30 17:26:13 +01:00
parent 7966be03bd
commit de48bfbe09

View File

@ -64,6 +64,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
void *opaque) void *opaque)
{ {
struct daemonAdmClientPrivate *priv; struct daemonAdmClientPrivate *priv;
uid_t clientuid;
gid_t clientgid;
pid_t clientpid;
unsigned long long timestamp;
if (virNetServerClientGetUNIXIdentity(client,
&clientuid,
&clientgid,
&clientpid,
&timestamp) < 0)
return NULL;
VIR_DEBUG("New client pid %lld uid %lld",
(long long)clientpid,
(long long)clientuid);
if (geteuid() != clientuid) {
virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
(long long)clientpid,
(long long)clientuid);
return NULL;
}
if (VIR_ALLOC(priv) < 0) if (VIR_ALLOC(priv) < 0)
return NULL; return NULL;