authorJan Cybulski <j.cybulski@samsung.com>2014-07-18 10:56:11 +0200
committerJan Cybulski <j.cybulski@samsung.com>2014-07-21 10:51:27 +0200
commitf0da65c408fa2c8a776d91733fde94f10c63147f (patch)
tree43c258c724ced4f403d0d1b344a3decfc96f27ce /src
parent536102ce612c9d61053e1dca4e87f04d30e00c28 (diff)
Register only directories inside user's HOME
Change-Id: I546ba542dea481db2efebb24bbe03e5cd87d7220 Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Diffstat (limited to 'src')
-rw-r--r--src/server/service/installer.cpp38
1 files changed, 34 insertions, 4 deletions
diff --git a/src/server/service/installer.cpp b/src/server/service/installer.cpp
index 6451dc8e..286fce69 100644
--- a/src/server/service/installer.cpp
+++ b/src/server/service/installer.cpp
@@ -29,6 +29,9 @@
#include <privilege-control.h>
#include <sys/types.h>
#include <sys/socket.h>
+#include <pwd.h>
+#include <limits.h>
+#include <cstring>
#include "installer.h"
#include "protocols.h"
@@ -177,12 +180,39 @@ bool InstallerService::processOne(const ConnectionID &conn, MessageBuffer &buffe
static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid)
{
- for (const auto &appPath : req.appPaths) {
- app_install_path_type pathType = static_cast<app_install_path_type>(appPath.second);
- if (pathType == SECURITY_MANAGER_PATH_PUBLIC && uid != 0) {
- LogDebug("Only root can register SECURITY_MANAGER_PATH_PUBLIC path");
+ struct passwd *pwd;
+ char buffer[PATH_MAX];
+ do {
+ errno = 0;
+ pwd = getpwuid(uid);
+ if (!pwd && errno != EINTR) {
+ LogError("getpwuid failed with '" << uid << "' as paramter: " << strerror(errno));
return false;
}
+ } while (!pwd);
+
+ for (const auto &appPath : req.appPaths) {
+
+ if (uid != 0) {
+ char *real_path = realpath(appPath.first.c_str(), buffer);
+ if (!real_path) {
+ LogError("realpath failed with '" << appPath.first.c_str()
+ << "' as paramter: " << strerror(errno));
+ return false;
+ }
+ LogDebug("Requested path is '" << appPath.first.c_str()
+ << "'. User's HOME is '" << pwd->pw_dir << "'");
+ if (strncmp(pwd->pw_dir, real_path, strlen(pwd->pw_dir))!=0) {
+ LogWarning("User's apps may have registered folders only in user's home dir");
+ return false;
+ }
+
+ app_install_path_type pathType = static_cast<app_install_path_type>(appPath.second);
+ if (pathType == SECURITY_MANAGER_PATH_PUBLIC) {
+ LogWarning("Only root can register SECURITY_MANAGER_PATH_PUBLIC path");
+ return false;
+ }
+ }
}
return true;
}
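Review bot: The `strncmp(pwd->pw_dir, real_path, strlen(pwd->pw_dir))` test in the loop is a bare string-prefix match, so a HOME of `/home/alice` also accepts a sibling directory such as `/home/alice2/data`, and an empty or `/` `pw_dir` accepts every path. It also compares the canonical `real_path` with a non-canonical `pw_dir`, so a HOME that is a symlink or carries a trailing slash will be wrongly rejected or mis-matched. Canonicalise HOME once with `realpath` and require the match to end at a `/` or at the end of the string, as in the excerpt below. The check validates the resolved path while the request keeps the original string; if the registration code outside this hunk uses `appPath.first` again, the path can change between check and use, so consider carrying the resolved path forward. `getpwuid` returns static storage, so `getpwuid_r` would be the safer call if this service can handle requests on more than one thread (not visible here).

```cpp
    // … unchanged: getpwuid retry loop …

    // Canonicalise HOME once so it is compared in the same form as real_path.
    char home[PATH_MAX] = "";
    if (uid != 0 && !realpath(pwd->pw_dir, home)) {
        LogError("realpath failed for user's HOME: " << strerror(errno));
        return false;
    }
    const size_t homeLen = strlen(home);

    for (const auto &appPath : req.appPaths) {
        if (uid != 0) {
            // … unchanged: realpath(appPath.first) into buffer, debug log …

            // Accept HOME itself or a path below it; reject "/" as HOME (fail closed).
            const bool insideHome = homeLen > 1
                && strncmp(home, real_path, homeLen) == 0
                && (real_path[homeLen] == '/' || real_path[homeLen] == '\0');
            if (!insideHome) {
                LogWarning("User's apps may have registered folders only in user's home dir");
                return false;
            }

            // … unchanged: SECURITY_MANAGER_PATH_PUBLIC check …
```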