rdpgw/CHANGELOG.md
bolkedebruin de31bfe8a0 Restrict the rdpgw-auth socket to its own UID by default (#190)
The auth daemon's gRPC socket was world-writable and accepted any
local UID that could connect to it. On a multi-tenant host any user
on the box could speak the gRPC API and run an arbitrary username/
password through PAM -- effectively an unauthenticated PAM oracle.

Create the socket with mode 0660 (Umask(0117)) and gate Accept on
SO_PEERCRED: only the daemon's own UID is allowed by default, plus
any operator-supplied --allow-uid / --allow-gid. Privilege-separated
deployments (rdpgw and rdpgw-auth as different users) need to list
the gateway's UID, or share a group; the existing path otherwise
would have been permissive.

The peer-credentials check is Linux-only; the non-Linux build keeps
the listener as-is and logs a warning, since rdpgw-auth itself
requires libpam and is effectively Linux-only in practice.
2026-04-30 18:59:48 +02:00


Changelog

All user-visible changes to rdpgw will be documented in this file.

The format is based on Keep a Changelog, and the project adheres to Semantic Versioning.

[Unreleased]

Changed

  • rdpgw-auth now creates its socket with mode 0660 and accepts only connections whose peer UID is on an allow-list (default: the daemon's own UID). Operators running rdpgw and rdpgw-auth as different users must list the gateway's UID via --allow-uid or share a group via --allow-gid. See UPGRADING.md.
  • X-Forwarded-For is now honored only when the request arrives from a Server.TrustedProxies CIDR. The default Server.TrustedProxies is empty, so by default the request's RemoteAddr (host portion) is the source of AttrClientIp. See UPGRADING.md if your deployment relies on a fronting proxy stamping XFF.
  • server.hostselection: any now refuses destinations that resolve to loopback, RFC1918, link-local, IPv6 ULA, unspecified, or multicast addresses, and only forwards to ports in Server.AllowedDestinationPorts (default [3389]). Operators that need the old behavior can opt back in with Server.AllowPrivateDestinations: true and an extended port list. See UPGRADING.md for migration notes. The other host-selection modes (roundrobin, signed, unsigned) already used the operator-curated Server.Hosts list and are unaffected.

Added

  • rdpgw-auth --allow-uid and --allow-gid flags (repeatable).
  • Server.TrustedProxies ([]string, CIDR, default empty).
  • Server.AllowedDestinationPorts ([]int, default [3389]).
  • Server.AllowPrivateDestinations (bool, default false).