Files
rdpgw/cmd/auth/peercred_other.go
bolkedebruin de31bfe8a0 Restrict the rdpgw-auth socket to its own UID by default (#190)
The auth daemon's gRPC socket was world-writable and accepted any
local UID that could connect to it. On a multi-tenant host any user
on the box could speak the gRPC API and run an arbitrary username/
password through PAM -- effectively an unauthenticated PAM oracle.

Create the socket with mode 0660 (Umask(0117)) and gate Accept on
SO_PEERCRED: only the daemon's own UID is allowed by default, plus
any operator-supplied --allow-uid / --allow-gid. Privilege-separated
deployments (rdpgw and rdpgw-auth as different users) need to list
the gateway's UID, or share a group; the existing path otherwise
would have been permissive.

The peer-credentials check is Linux-only; the non-Linux build keeps
the listener as-is and logs a warning, since rdpgw-auth itself
requires libpam and is effectively Linux-only in practice.
2026-04-30 18:59:48 +02:00

17 lines
486 B
Go

//go:build !linux

package main

import (
	"log"
	"net"
)

// On non-Linux platforms SO_PEERCRED isn't portable, so we don't gate by
// peer credentials. rdpgw-auth itself depends on PAM and is effectively
// Linux-only; this file just keeps the build green if anyone tries.
func newGatedListener(l net.Listener, _, _ []int) net.Listener {
	log.Printf("rdpgw-auth: peer-credential gating is not implemented on this platform; relying on socket file mode for access control")
	return l
}