targetcli as_root check is not sufficient #163
Comments
|
targetclid is not required to be running. |
|
And the permissions on sysfs should require root, anyway. No? |
|
And how is this different from targetcli script (dameon=false) itself? |
|
Whilst targetclid is not required to be running, the systemd unit and socket unit mean that as soon as any client tries to connect to the daemon socket it will be spawned. The daemon is then running as root and so has full permissions to modify sysfs etc - so any commands sent to it will be executed as root - even if the cient does not have root privileges. Hence the daemon should check the UID of the client to know if it has authority to perform the action before doing it on it's behalf (otherwise this is a classic confused deputy problem) - failing this, at least addresing issue #162 would ensure non-root privileged clients cannot connect to the daemon and so this would then not be necessary to validate the permissions of the client. |
|
ack. |
If a command is to be disabled for non-root users, having targetcli check this via
getuid()is not sufficient, since a local user could just make a copy of the targetcli python script and edit it to remove this check - insteadtargetclidshould check the client's credentials viaSCM_CREDENTIALSand do permissions checks itself against the client and return appropriate errors.The text was updated successfully, but these errors were encountered: