authorSamuel Mendoza-Jonas <sam@mendozajonas.com>2018-06-19 16:50:28 +1000
committerSamuel Mendoza-Jonas <sam@mendozajonas.com>2018-12-03 14:39:57 +1100
commit336f4eb17fb50526ea9fda82262356581e1b9ae0 (patch)
tree0a0b0fc427646d6ccd39f9baf209e62bfd40eb23 /discover/user-event.c
parentde6f6c4bff7d42f63e2bbd01d2bab65ae9635877 (diff)
discover/discover-server: Restrict clients based on uid
If crypt support is enabled, restrict what actions clients can perform by default. Initial authorisation is set at connection time: clients running as root are unrestricted; anything else runs as restricted until it authenticates to pb-discover. Unprivileged clients may only perform the following actions: - Boot the default boot option. - Cancel the autoboot timeout. - Make an authentication request. If a group named "petitgroup" exists, the socket permissions are also modified so that only clients running as root or in that group may connect to the socket. The user-event socket is only usable by root, since the two main use cases are utilities called by pb-discover and a user in the shell, who will need to su to root anyway. Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Diffstat (limited to 'discover/user-event.c')
-rw-r--r--discover/user-event.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/discover/user-event.c b/discover/user-event.c
index 734f77b..d3d4a5e 100644
--- a/discover/user-event.c
+++ b/discover/user-event.c
@@ -24,6 +24,7 @@
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
+#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
@@ -507,7 +508,7 @@ static int user_event_boot(struct user_event *uev, struct event *event)
cmd->boot_args = talloc_strdup(cmd, event_get_param(event, "args"));
}
- device_handler_boot(handler, cmd);
+ device_handler_boot(handler, false, cmd);
talloc_free(cmd);
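Review bot: The bare `false` inserted as the new second argument of `device_handler_boot()` gives a reader of this call site no indication of what it controls, and the parameter's name is not visible in the hunk; presumably it carries the caller's authorisation state described in the commit message, but that is an inference. A short argument comment would make the intent auditable at the call site, for example `device_handler_boot(handler, false /* TODO: name the new flag */, cmd);`, replacing the placeholder with the parameter's actual name from the prototype. user_event_boot() begins and ends outside this hunk.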
@@ -749,6 +750,10 @@ struct user_event *user_event_init(struct device_handler *handler,
strerror(errno));
}
+ /* Don't allow events from non-priviledged users */
+ chown(PBOOT_USER_EVENT_SOCKET, 0, 0);
+ chmod(PBOOT_USER_EVENT_SOCKET, 0660);
+
waiter_register_io(waitset, uev->socket, WAIT_IN,
user_event_process, uev);
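Review bot: The return values of `chown()` and `chmod()` on the two added lines are discarded, so if either fails the socket keeps whatever mode `bind()` created it with and the restriction the new comment promises is silently not applied, with no log entry to show it. Since the `bind()` error path just above this hunk already reports through `strerror(errno)`, the same treatment fits here: `if (chown(PBOOT_USER_EVENT_SOCKET, 0, 0) || chmod(PBOOT_USER_EVENT_SOCKET, 0660))` followed by a log line carrying `strerror(errno)`, and a decision on whether a failure should abort initialisation rather than continue with an open socket. There is also a short window between `bind()` (outside the hunk) and `chmod()` during which the node exists with the default mode; setting a restrictive umask around the `bind()` call, or creating the socket in a directory that is itself root-only, would close it if that matters for this deployment. The comment's spelling should be `/* Don't allow events from non-privileged users */`. user_event_init() starts and ends outside this hunk.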