
Check owner and permissions based on DBus sender

Guido Berhörster requested to merge personal/gber/service-rewrite into main

When installing a click package via DBus, the package file is passed as-is as an argument to click, which is running as root. This allows arbitrary users to install click package files which they would otherwise not be able to access.

Address this by temporarily dropping privileges to the user and groups of the sender in order to open the package file. After restoring root privileges, pass the pseudo file /proc/<pid>/fd/<fd> corresponding to the open fd to the click command. This pseudo file refers to the inode of the file referred to by the fd. Since the parent keeps the fd open for the lifetime of the click command, my understanding is that the inode cannot be reused. This avoids TOCTTOU issues, since click will open the file again and pass the package to external commands.

This addresses #10 (closed).

Edited by Guido Berhörster
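As an added illustration of the approach described in the merge request (example code written for this page, not code from the click service or from the MR author), the following sketches the two halves: opening the package with the sender's credentials, and handing click the `/proc/<pid>/fd/<fd>` magic link. It assumes the sender's uid has already been obtained from the DBus credentials lookup, and it assumes `click install <path>` as the command line; both are assumptions, not something the MR states. `pin_and_reopen` is a constructed self-test, runnable without root, that shows the property the MR relies on: the magic link keeps resolving to the original inode even after the path is removed.

```python
import os
import pwd
import subprocess
import tempfile


def proc_fd_path(fd, pid=None):
    """Path of the magic link that refers to the inode behind `fd`."""
    return f"/proc/{os.getpid() if pid is None else pid}/fd/{fd}"


def open_as_sender(path, uid, gid, groups):
    """Open `path` with the sender's uid, gid and supplementary groups, then
    restore root. Must be called as root; returns the open fd.

    Order matters: drop groups first and the uid last, because once the
    effective uid is non-zero the process loses CAP_SETGID and could no
    longer call setgroups(). Restoring goes the other way round. Keeping
    root as the *saved* uid/gid is what lets the process switch back.
    """
    saved_uid, saved_gid = os.geteuid(), os.getegid()
    saved_groups = os.getgroups()
    os.setgroups(groups)
    os.setresgid(gid, gid, saved_gid)
    os.setresuid(uid, uid, saved_uid)
    try:
        # The kernel checks this open against the sender's credentials.
        # O_CLOEXEC is fine: click reopens the path, it does not inherit the fd.
        return os.open(path, os.O_RDONLY | os.O_CLOEXEC)
    finally:
        os.setresuid(saved_uid, saved_uid, saved_uid)
        os.setresgid(saved_gid, saved_gid, saved_gid)
        os.setgroups(saved_groups)


def install_for_sender(uid, path, click_argv=("click", "install")):
    """Install `path` on behalf of the DBus sender identified by `uid`.
    `click_argv` is an assumed command line, not the service's real one."""
    pw = pwd.getpwuid(uid)
    groups = os.getgrouplist(pw.pw_name, pw.pw_gid)
    fd = open_as_sender(path, pw.pw_uid, pw.pw_gid, groups)
    try:
        # The fd stays open until click has exited, so the inode cannot be
        # recycled underneath click or the external tools it spawns.
        return subprocess.run([*click_argv, proc_fd_path(fd)]).returncode
    finally:
        os.close(fd)


def pin_and_reopen(data):
    """Constructed self-test (no root needed): write `data` to a temporary
    file, hold an fd on it, remove the original path as a hostile sender
    might after the check, then reopen through /proc/<pid>/fd/<fd> the way
    click would. Returns (same_inode, bytes_read_via_magic_link)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        name = tmp.name
    fd = os.open(name, os.O_RDONLY | os.O_CLOEXEC)
    try:
        os.unlink(name)  # the original path is gone; the inode is not
        with open(proc_fd_path(fd), "rb") as reopened:
            same = os.fstat(fd).st_ino == os.fstat(reopened.fileno()).st_ino
            return same, reopened.read()
    finally:
        os.close(fd)


if __name__ == "__main__":
    print(pin_and_reopen(b"constructed click package bytes"))
```

Two points a reviewer would check against this shape: the `/proc/<pid>/fd/` directory of the root-owned service is only traversable by root, which click is, so the indirection works for this caller but would not for an unprivileged one; and the credential restore must bring the effective uid back to 0 before touching groups, otherwise the `setgroups()` call fails with EPERM and the service is left with the wrong supplementary groups.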
