#include <privilege-control.h>
#include <sys/types.h>
#include <sys/socket.h>
+#include <pwd.h>
+#include <limits.h>
+#include <cstring>
#include "installer.h"
#include "protocols.h"
static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid)
{
- for (const auto &appPath : req.appPaths) {
- app_install_path_type pathType = static_cast<app_install_path_type>(appPath.second);
- if (pathType == SECURITY_MANAGER_PATH_PUBLIC && uid != 0) {
- LogDebug("Only root can register SECURITY_MANAGER_PATH_PUBLIC path");
+ struct passwd *pwd;
+ char buffer[PATH_MAX];
+ do {
+ errno = 0;
+ pwd = getpwuid(uid);
+ if (!pwd && errno != EINTR) {
+ LogError("getpwuid failed with '" << uid << "' as paramter: " << strerror(errno));
return false;
}
+ } while (!pwd);
+
+ for (const auto &appPath : req.appPaths) {
+
+ if (uid != 0) {
+ char *real_path = realpath(appPath.first.c_str(), buffer);
+ if (!real_path) {
+ LogError("realpath failed with '" << appPath.first.c_str()
+ << "' as paramter: " << strerror(errno));
+ return false;
+ }
+ LogDebug("Requested path is '" << appPath.first.c_str()
+ << "'. User's HOME is '" << pwd->pw_dir << "'");
+ if (strncmp(pwd->pw_dir, real_path, strlen(pwd->pw_dir))!=0) {
+ LogWarning("User's apps may have registered folders only in user's home dir");
+ return false;
+ }
+
+ app_install_path_type pathType = static_cast<app_install_path_type>(appPath.second);
+ if (pathType == SECURITY_MANAGER_PATH_PUBLIC) {
+ LogWarning("Only root can register SECURITY_MANAGER_PATH_PUBLIC path");
+ return false;
+ }
+ }
}
return true;
}
projects / platform / core / security / security-manager.git / commitdiff