On Fri, Sep 10, 2021 at 01:41:14PM +0200, mwilck@xxxxxxxx wrote:
> From: Martin Wilck <mwilck@xxxxxxxx>
>
> Rather than using a separate poor-man's parser for checking root
> commands, use the real parser. It will return "LIST" as first verb
> for the read-only commands that non-root users may execute.
> Reviewed-by: Benjamin Marzinski <bmarzins@xxxxxxxxxx>
> Signed-off-by: Martin Wilck <mwilck@xxxxxxxx>
> ---
> multipathd/uxlsnr.c | 27 +++++++++++++++++----------
> 1 file changed, 17 insertions(+), 10 deletions(-)
>
> diff --git a/multipathd/uxlsnr.c b/multipathd/uxlsnr.c
> index cfff0ae..ff9604f 100644
> --- a/multipathd/uxlsnr.c
> +++ b/multipathd/uxlsnr.c
> @@ -362,16 +362,15 @@ static int uxsock_trigger(struct client *c, void *trigger_data)
>
> vecs = (struct vectors *)trigger_data;
>
> -
> - if (!c->is_root &&
> - (strncmp(c->cmd, "list", strlen("list")) != 0) &&
> - (strncmp(c->cmd, "show", strlen("show")) != 0)) {
> - append_strbuf_str(&c->reply, "permission deny: need to be root");
> - return r;
> - }
> -
> r = parse_cmd(c);
>
> + if (r == 0 && c->cmdvec && VECTOR_SIZE(c->cmdvec) > 0) {
> + struct key *kw = VECTOR_SLOT(c->cmdvec, 0);
> +
> + if (!c->is_root && kw->code != LIST)
> + r = EPERM;
> + }
> +
> if (r == 0 && c->handler)
> r = execute_handler(c, vecs, uxsock_timeout / 1000);
>
> @@ -381,10 +380,18 @@ static int uxsock_trigger(struct client *c, void *trigger_data)
> }
>
> if (r > 0) {
> - if (r == ETIMEDOUT)
> + switch(r) {
> + case ETIMEDOUT:
> append_strbuf_str(&c->reply, "timeout\n");
> - else
> + break;
> + case EPERM:
> + append_strbuf_str(&c->reply,
> + "permission deny: need to be root\n");
> + break;
> + default:
> append_strbuf_str(&c->reply, "fail\n");
> + break;
> + }
> }
> else if (!r && get_strbuf_len(&c->reply) == 0) {
> append_strbuf_str(&c->reply, "ok\n");
> --
> 2.33.0
-- dm-devel mailing list dm-devel@xxxxxxxxxx https://listman.redhat.com/mailman/listinfo/dm-devel
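Review bot: The permission check added after `r = parse_cmd(c);` fails open, because it only runs when `c->cmdvec` is non-NULL and non-empty; a non-root client whose parse returns 0 with no keyword vector skips it and goes straight to `if (r == 0 && c->handler)`. Whether that state can occur depends on parse_cmd(), which is not visible here, so a deny-by-default form is safer: test `!c->is_root` first and refuse unless a first keyword exists and its code is LIST. The decision also rests on slot 0 alone while `c->handler` is presumably resolved from the whole vector, so a comment should state the invariant that every handler reachable behind a leading LIST verb is read-only. The body of uxsock_trigger starts and ends outside the hunk.

```c
r = parse_cmd(c);

/* Deny by default: a non-root client needs a first keyword, and it must be LIST. */
if (r == 0 && !c->is_root) {
	struct key *kw = NULL;

	if (c->cmdvec && VECTOR_SIZE(c->cmdvec) > 0)
		kw = VECTOR_SLOT(c->cmdvec, 0);
	if (!kw || kw->code != LIST)
		r = EPERM;
}

/* … unchanged: handler execution … */
```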
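Review bot: The `case EPERM:` branch answers the client but records nothing on the daemon side, so refused requests from non-root users leave no trace for anyone reviewing multipathd's logs. One log line next to the reply, for example `condlog(2, "refused command from non-root client");`, would give an audit trail; the message should be fixed text and not echo the client's command string unescaped. As a style point, `switch(r)` would read `switch (r)` to match the spacing of the `if (...)` statements around it. The body of uxsock_trigger starts and ends outside the hunk.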