mirror of
https://github.com/bolkedebruin/rdpgw.git
synced 2026-05-12 19:30:04 +00:00
de31bfe8a0
The auth daemon's gRPC socket was world-writable and accepted any local UID that could connect to it. On a multi-tenant host any user on the box could speak the gRPC API and run an arbitrary username/ password through PAM -- effectively an unauthenticated PAM oracle. Create the socket with mode 0660 (Umask(0117)) and gate Accept on SO_PEERCRED: only the daemon's own UID is allowed by default, plus any operator-supplied --allow-uid / --allow-gid. Privilege-separated deployments (rdpgw and rdpgw-auth as different users) need to list the gateway's UID, or share a group; the existing path otherwise would have been permissive. The peer-credentials check is Linux-only; the non-Linux build keeps the listener as-is and logs a warning, since rdpgw-auth itself requires libpam and is effectively Linux-only in practice.
104 lines
2.3 KiB
Go
104 lines
2.3 KiB
Go
//go:build linux
|
|
|
|
package main
|
|
|
|
import (
|
|
"net"
|
|
"os"
|
|
"path/filepath"
|
|
"syscall"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func startGatedListener(t *testing.T, allowUIDs, allowGIDs []int) (string, <-chan struct{}) {
|
|
t.Helper()
|
|
dir := t.TempDir()
|
|
addr := filepath.Join(dir, "auth.sock")
|
|
|
|
old := syscall.Umask(0117)
|
|
raw, err := net.Listen("unix", addr)
|
|
syscall.Umask(old)
|
|
if err != nil {
|
|
t.Fatalf("listen: %v", err)
|
|
}
|
|
t.Cleanup(func() { raw.Close() })
|
|
|
|
accepted := make(chan struct{}, 1)
|
|
gated := newGatedListener(raw, allowUIDs, allowGIDs)
|
|
go func() {
|
|
for {
|
|
conn, err := gated.Accept()
|
|
if err != nil {
|
|
return
|
|
}
|
|
accepted <- struct{}{}
|
|
conn.Close()
|
|
}
|
|
}()
|
|
return addr, accepted
|
|
}
|
|
|
|
func TestGatedListenerAcceptsCurrentUID(t *testing.T) {
|
|
addr, accepted := startGatedListener(t, []int{os.Getuid()}, nil)
|
|
|
|
conn, err := net.DialTimeout("unix", addr, 1*time.Second)
|
|
if err != nil {
|
|
t.Fatalf("dial: %v", err)
|
|
}
|
|
defer conn.Close()
|
|
|
|
select {
|
|
case <-accepted:
|
|
case <-time.After(500 * time.Millisecond):
|
|
t.Fatalf("listener did not accept connection from current UID %d", os.Getuid())
|
|
}
|
|
}
|
|
|
|
func TestGatedListenerRejectsForeignUID(t *testing.T) {
|
|
// Allow a UID we are not running as.
|
|
addr, accepted := startGatedListener(t, []int{os.Getuid() + 1}, nil)
|
|
|
|
conn, err := net.DialTimeout("unix", addr, 1*time.Second)
|
|
if err != nil {
|
|
t.Fatalf("dial: %v", err)
|
|
}
|
|
defer conn.Close()
|
|
|
|
if err := conn.SetReadDeadline(time.Now().Add(500 * time.Millisecond)); err != nil {
|
|
t.Fatalf("set read deadline: %v", err)
|
|
}
|
|
buf := make([]byte, 1)
|
|
if _, err := conn.Read(buf); err == nil {
|
|
t.Fatal("expected EOF / closed conn after gate rejection, got data")
|
|
}
|
|
|
|
select {
|
|
case <-accepted:
|
|
t.Fatal("Accept handed a connection from a UID outside the allow-list to the application")
|
|
case <-time.After(200 * time.Millisecond):
|
|
}
|
|
}
|
|
|
|
func TestSocketModeUmask0117(t *testing.T) {
|
|
dir := t.TempDir()
|
|
addr := filepath.Join(dir, "auth.sock")
|
|
|
|
old := syscall.Umask(0117)
|
|
l, err := net.Listen("unix", addr)
|
|
syscall.Umask(old)
|
|
if err != nil {
|
|
t.Fatalf("listen: %v", err)
|
|
}
|
|
defer l.Close()
|
|
|
|
st, err := os.Stat(addr)
|
|
if err != nil {
|
|
t.Fatalf("stat socket: %v", err)
|
|
}
|
|
mode := st.Mode().Perm()
|
|
if mode&0007 != 0 {
|
|
t.Errorf("socket mode = %#o, expected no permissions for `other`", mode)
|
|
}
|
|
}
|