arno/gns3-server
1
0
Fork 0
mirror of https://github.com/GNS3/gns3-server synced 2024-12-26 00:38:10 +00:00
Code Issues Releases Wiki Activity

Throw an error if ubridge as incorrect permissions. Fixes #312.

Browse Source
This commit is contained in:
grossmj 2015-09-14 15:05:25 -06:00
parent a9ac0d3380
commit 59f5de5de2
2 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
gns3server/modules/base_manager.py
View File

@ -311,7 +311,7 @@ class BaseManager:
return vm return vm
@staticmethod @staticmethod
def _has_privileged_access(executable): def has_privileged_access(executable):
""" """
Check if an executable can access Ethernet and TAP devices in Check if an executable can access Ethernet and TAP devices in
RAW mode. RAW mode.
@ -328,18 +328,19 @@ class BaseManager:
if os.geteuid() == 0: if os.geteuid() == 0:
# we are root, so we should have privileged access. # we are root, so we should have privileged access.
return True return True
if os.stat(executable).st_mode & stat.S_ISUID or os.stat(executable).st_mode & stat.S_ISGID:
if os.stat(executable).st_uid == 0 and (os.stat(executable).st_mode & stat.S_ISUID or os.stat(executable).st_mode & stat.S_ISGID):
# the executable has set UID bit. # the executable has set UID bit.
return True return True
# test if the executable has the CAP_NET_RAW capability (Linux only) # test if the executable has the CAP_NET_RAW capability (Linux only)
if sys.platform.startswith("linux") and "security.capability" in os.listxattr(executable):
try: try:
if sys.platform.startswith("linux") and "security.capability" in os.listxattr(executable):
caps = os.getxattr(executable, "security.capability") caps = os.getxattr(executable, "security.capability")
# test the 2nd byte and check if the 13th bit (CAP_NET_RAW) is set # test the 2nd byte and check if the 13th bit (CAP_NET_RAW) is set
if struct.unpack("<IIIII", caps)[1] & 1 << 13: if struct.unpack("<IIIII", caps)[1] & 1 << 13:
return True return True
except Exception as e: except OSError as e:
log.error("could not determine if CAP_NET_RAW capability is set for {}: {}".format(executable, e)) log.error("could not determine if CAP_NET_RAW capability is set for {}: {}".format(executable, e))
return False return False
@ -374,7 +375,7 @@ class BaseManager:
if not is_interface_up(tap_device): if not is_interface_up(tap_device):
raise aiohttp.web.HTTPConflict(text="TAP interface {} does not exist or is down".format(tap_device)) raise aiohttp.web.HTTPConflict(text="TAP interface {} does not exist or is down".format(tap_device))
# FIXME: check for permissions on tap device # FIXME: check for permissions on tap device
# if not self._has_privileged_access(executable): # if not self.has_privileged_access(executable):
# raise aiohttp.web.HTTPForbidden(text="{} has no privileged access to {}.".format(executable, tap_device)) # raise aiohttp.web.HTTPForbidden(text="{} has no privileged access to {}.".format(executable, tap_device))
nio = NIOTAP(tap_device) nio = NIOTAP(tap_device)
elif nio_settings["type"] == "nio_generic_ethernet": elif nio_settings["type"] == "nio_generic_ethernet":

3
gns3server/modules/base_vm.py
View File

@ -287,6 +287,9 @@ class BaseVM:
Starts uBridge (handles connections to and from this VMware VM). Starts uBridge (handles connections to and from this VMware VM).
""" """
if not self._manager.has_privileged_access(self.ubridge_path):
raise VMError("uBridge requires root access or capability to interact with network adapters")
server_config = self._manager.config.get_section_config("Server") server_config = self._manager.config.get_section_config("Server")
server_host = server_config.get("host") server_host = server_config.get("host")
self._ubridge_hypervisor = Hypervisor(self._project, self.ubridge_path, self.working_dir, server_host) self._ubridge_hypervisor = Hypervisor(self._project, self.ubridge_path, self.working_dir, server_host)