sendnrw/rdpgw
2
0
Fork 0
mirror of https://github.com/bolkedebruin/rdpgw.git synced 2026-05-15 12:50:02 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
de31bfe8a06daf524d949f177325e763e4abfda4
rdpgw/CHANGELOG.md
bolkedebruin de31bfe8a0 Restrict the rdpgw-auth socket to its own UID by default (#190) 
The auth daemon's gRPC socket was world-writable and accepted any
local UID that could connect to it. On a multi-tenant host any user
on the box could speak the gRPC API and run an arbitrary username/
password through PAM -- effectively an unauthenticated PAM oracle.

Create the socket with mode 0660 (Umask(0117)) and gate Accept on
SO_PEERCRED: only the daemon's own UID is allowed by default, plus
any operator-supplied --allow-uid / --allow-gid. Privilege-separated
deployments (rdpgw and rdpgw-auth as different users) need to list
the gateway's UID, or share a group; the existing path otherwise
would have been permissive.

The peer-credentials check is Linux-only; the non-Linux build keeps
the listener as-is and logs a warning, since rdpgw-auth itself
requires libpam and is effectively Linux-only in practice.
2026-04-30 18:59:48 +02:00

37 lines
1.7 KiB
Markdown
Raw Blame History

# Changelog
All user-visible changes to rdpgw will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and the project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]
### Changed
- `rdpgw-auth` now creates its socket with mode `0660` and accepts only
connections whose peer UID is on an allow-list (default: the daemon's
own UID). Operators running rdpgw and rdpgw-auth as different users
must list the gateway's UID via `--allow-uid` or share a group via
`--allow-gid`. See [UPGRADING.md](UPGRADING.md).
- `X-Forwarded-For` is now honored only when the request arrives from
a `Server.TrustedProxies` CIDR. The default `Server.TrustedProxies`
is empty, so by default the request's `RemoteAddr` (host portion) is
the source of `AttrClientIp`. See [UPGRADING.md](UPGRADING.md) if
your deployment relies on a fronting proxy stamping XFF.
- `server.hostselection: any` now refuses destinations that resolve to
loopback, RFC1918, link-local, IPv6 ULA, unspecified, or multicast
addresses, and only forwards to ports in `Server.AllowedDestinationPorts`
(default `[3389]`). Operators that need the old behavior can opt back in
with `Server.AllowPrivateDestinations: true` and an extended port list.
See [UPGRADING.md](UPGRADING.md) for migration notes. The other
host-selection modes (`roundrobin`, `signed`, `unsigned`) already used
the operator-curated `Server.Hosts` list and are unaffected.
### Added
- `rdpgw-auth --allow-uid` and `--allow-gid` flags (repeatable).
- `Server.TrustedProxies` (`[]string`, CIDR, default empty).
- `Server.AllowedDestinationPorts` (`[]int`, default `[3389]`).
- `Server.AllowPrivateDestinations` (`bool`, default `false`).
Reference in New Issue View Git Blame Copy Permalink