Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change socket location and add checks #33

Merged
merged 1 commit into from
Jul 1, 2020
Merged

Change socket location and add checks #33

merged 1 commit into from
Jul 1, 2020

Conversation

hug-dev
Copy link
Member

@hug-dev hug-dev commented Jun 29, 2020

Adds a check for the directory containing the socket. It must be owned
by the parsec user and parsec-clients group and be 750. This check is
disabled for testing.

Signed-off-by: Hugues de Valon [email protected]

@hug-dev hug-dev marked this pull request as draft June 29, 2020 15:35
@hug-dev hug-dev mentioned this pull request Jun 29, 2020
Merged
@hug-dev hug-dev requested a review from ionut-arm June 29, 2020 15:37
@hug-dev hug-dev self-assigned this Jun 29, 2020
ionut-arm
ionut-arm approved these changes Jun 29, 2020
View reviewed changes
Copy link
Member

@ionut-arm ionut-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will be a lot more secure for clients!! Thanks 🎉

src/core/ipc_handler/unix_socket.rs
/// Checks if the socket is inside a folder with correct owners and permissions to make sure it
/// is from the Parsec service.
#[cfg(not(testing))]
fn secure_parsec_socket_folder(&self) -> Result<()> {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think it's worth making this check conditional (as in, not only on testing, but also on another feature) in case an admin can't/doesn't want to follow these directives 100%?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, you are probably right, admins could use a client that does not use this security feature. Will add another feature.

ionut-arm
ionut-arm reviewed Jun 30, 2020
View reviewed changes
Cargo.toml Outdated

[dev-dependencies]
mockstream = "0.0.3"

[features]
testing = ["parsec-interface/testing"]
testing = ["parsec-interface/testing", "no-security-check"]
no-security-check = []
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the name is a bit extreme, maybe something like no-fs-permission-check - a bit lengthy but closer in meaning. Also, I guess it should be documented somewhere (both in Readme and in docs.rs?)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Modified the name and added it to the README.

ionut-arm
ionut-arm approved these changes Jun 30, 2020
View reviewed changes
Copy link
Member

@ionut-arm ionut-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👌

@hug-dev hug-dev marked this pull request as ready for review July 1, 2020 11:14
@hug-dev
Change socket location and add checks
c967ad4 
Adds a check for the directory containing the socket. It must be owned
by the parsec user and parsec-clients group and be 750. This check is
disabled for testing.

Signed-off-by: Hugues de Valon <[email protected]>
@hug-dev hug-dev merged commit 5240723 into parallaxsecond:master Jul 1, 2020
@hug-dev hug-dev deleted the socket-location branch July 1, 2020 11:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ionut-arm ionut-arm ionut-arm approved these changes

Assignees

@hug-dev hug-dev

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hug-dev @ionut-arm