mirror of
https://github.com/GNS3/gns3-server
synced 2025-01-13 09:30:54 +00:00
Throw an error if ubridge has incorrect permissions. Fixes #312.
parent
a9ac0d3380
commit
59f5de5de2
@ -311,7 +311,7 @@ class BaseManager:
|
|||||||
return vm
|
return vm
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def _has_privileged_access(executable):
|
def has_privileged_access(executable):
|
||||||
"""
|
"""
|
||||||
Check if an executable can access Ethernet and TAP devices in
|
Check if an executable can access Ethernet and TAP devices in
|
||||||
RAW mode.
|
RAW mode.
|
||||||
@ -328,19 +328,20 @@ class BaseManager:
|
|||||||
if os.geteuid() == 0:
|
if os.geteuid() == 0:
|
||||||
# we are root, so we should have privileged access.
|
# we are root, so we should have privileged access.
|
||||||
return True
|
return True
|
||||||
if os.stat(executable).st_mode & stat.S_ISUID or os.stat(executable).st_mode & stat.S_ISGID:
|
|
||||||
|
if os.stat(executable).st_uid == 0 and (os.stat(executable).st_mode & stat.S_ISUID or os.stat(executable).st_mode & stat.S_ISGID):
|
||||||
# the executable has set UID bit.
|
# the executable has set UID bit.
|
||||||
return True
|
return True
|
||||||
|
|
||||||
# test if the executable has the CAP_NET_RAW capability (Linux only)
|
# test if the executable has the CAP_NET_RAW capability (Linux only)
|
||||||
if sys.platform.startswith("linux") and "security.capability" in os.listxattr(executable):
|
try:
|
||||||
try:
|
if sys.platform.startswith("linux") and "security.capability" in os.listxattr(executable):
|
||||||
caps = os.getxattr(executable, "security.capability")
|
caps = os.getxattr(executable, "security.capability")
|
||||||
# test the 2nd byte and check if the 13th bit (CAP_NET_RAW) is set
|
# test the 2nd byte and check if the 13th bit (CAP_NET_RAW) is set
|
||||||
if struct.unpack("<IIIII", caps)[1] & 1 << 13:
|
if struct.unpack("<IIIII", caps)[1] & 1 << 13:
|
||||||
return True
|
return True
|
||||||
except Exception as e:
|
except OSError as e:
|
||||||
log.error("could not determine if CAP_NET_RAW capability is set for {}: {}".format(executable, e))
|
log.error("could not determine if CAP_NET_RAW capability is set for {}: {}".format(executable, e))
|
||||||
|
|
||||||
return False
|
return False
|
||||||
|
|
||||||
@ -374,7 +375,7 @@ class BaseManager:
|
|||||||
if not is_interface_up(tap_device):
|
if not is_interface_up(tap_device):
|
||||||
raise aiohttp.web.HTTPConflict(text="TAP interface {} does not exist or is down".format(tap_device))
|
raise aiohttp.web.HTTPConflict(text="TAP interface {} does not exist or is down".format(tap_device))
|
||||||
# FIXME: check for permissions on tap device
|
# FIXME: check for permissions on tap device
|
||||||
# if not self._has_privileged_access(executable):
|
# if not self.has_privileged_access(executable):
|
||||||
# raise aiohttp.web.HTTPForbidden(text="{} has no privileged access to {}.".format(executable, tap_device))
|
# raise aiohttp.web.HTTPForbidden(text="{} has no privileged access to {}.".format(executable, tap_device))
|
||||||
nio = NIOTAP(tap_device)
|
nio = NIOTAP(tap_device)
|
||||||
elif nio_settings["type"] == "nio_generic_ethernet":
|
elif nio_settings["type"] == "nio_generic_ethernet":
|
||||||
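Review bot: In the second BaseManager hunk, narrowing the handler to `except OSError` leaves `struct.unpack("<IIIII", caps)` unguarded: that format needs exactly 20 bytes, while the `security.capability` xattr is 12 bytes for revision 1 and 24 bytes for revision 3 file capabilities, so `struct.error` now escapes where the old `except Exception` logged it and fell through to `return False`. I would catch both with `except (OSError, struct.error) as e:`. In the same hunk the three `os.stat(executable)` calls sit outside the `try`, so a missing or unreadable path raises instead of returning False, and the `S_ISGID` arm is accepted on `st_uid == 0` although a set-GID bit confers the file's group rather than its owner; consider a single `st = os.stat(executable)` inside the `try` followed by `if st.st_uid == 0 and st.st_mode & stat.S_ISUID:`. The start of `has_privileged_access` lies between the two hunks and is not shown.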
|
@ -287,6 +287,9 @@ class BaseVM:
|
|||||||
Starts uBridge (handles connections to and from this VMware VM).
|
Starts uBridge (handles connections to and from this VMware VM).
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
if not self._manager.has_privileged_access(self.ubridge_path):
|
||||||
|
raise VMError("uBridge requires root access or capability to interact with network adapters")
|
||||||
|
|
||||||
server_config = self._manager.config.get_section_config("Server")
|
server_config = self._manager.config.get_section_config("Server")
|
||||||
server_host = server_config.get("host")
|
server_host = server_config.get("host")
|
||||||
self._ubridge_hypervisor = Hypervisor(self._project, self.ubridge_path, self.working_dir, server_host)
|
self._ubridge_hypervisor = Hypervisor(self._project, self.ubridge_path, self.working_dir, server_host)
|
||||||
|
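Review bot: The new guard at the top of the uBridge start method calls `has_privileged_access()` unconditionally, while the BaseManager hunk shows that helper relying on `os.geteuid()`, set-UID bits and the Linux-only `security.capability` xattr. `os.geteuid` does not exist on Windows, so unless a platform check sits in the lines not shown, starting uBridge there would fail with AttributeError rather than VMError; the check looks like it should be skipped on that platform, e.g. `if not sys.platform.startswith("win") and not self._manager.has_privileged_access(self.ubridge_path):` (assuming `sys` is imported in this file). The error would also be easier to act on if it named the binary: `raise VMError("uBridge at {} requires root access or capability to interact with network adapters".format(self.ubridge_path))`. The method's signature and the rest of its body are outside the hunk.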