LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

cgi-io: use different acl scopes for path and command permissions 

Use the `cgi-io` scope to check for permission to execute the requested
command (`upload`, `backup`) and the `file` scope to check path
permissions.

The reasoning of this change is that `cgi-io` is usually used in
conjunction with `rpcd-mod-file` to transfer large file data out
of band and `rpcd-mod-file` already uses the `file` scope to manage
file path access permissions. After this change, both `rpc-mod-file`
and `cgi-io` can share the same path acl rules.

Write access to a path can be granted by using an ubus call in the
following form:

    ubus call session grant '{
        "ubus_rpc_session": "...",
        "scope": "file",
        "objects": [
            [ "/var/lib/uploads/*", "write" ]
        ]
    }'

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
lilik-openwrt-22.03
Jo-Philipp Wich 5 years ago
committed by John Crispin
parent
a1057cea1f
commit
c8a86c8c8e
2 changed files with 7 additions and 7 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +2
    -2
      net/cgi-io/Makefile
  2. +5
    -5
      net/cgi-io/src/main.c

+ 2
- 2
net/cgi-io/Makefile View File

@ -8,7 +8,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=cgi-io
PKG_RELEASE:=8
PKG_RELEASE:=9
PKG_LICENSE:=GPL-2.0-or-later
@ -37,7 +37,7 @@ endef
define Package/cgi-io/install
$(INSTALL_DIR) $(1)/usr/libexec $(1)/www/cgi-bin/
$(INSTALL_BIN) $(PKG_BUILD_DIR)/cgi-io $(1)/usr/libexec
$(LN) ../../usr/libexec/cgi-io $(1)/www/cgi-bin/cgi-upload
$(LN) ../../usr/libexec/cgi-io $(1)/www/cgi-bin/cgi-upload
$(LN) ../../usr/libexec/cgi-io $(1)/www/cgi-bin/cgi-backup
endef


+ 5
- 5
net/cgi-io/src/main.c View File

@ -89,7 +89,7 @@ session_access_cb(struct ubus_request *req, int type, struct blob_attr *msg)
}
static bool
session_access(const char *sid, const char *obj, const char *func)
session_access(const char *sid, const char *scope, const char *obj, const char *func)
{
uint32_t id;
bool allow = false;
@ -103,7 +103,7 @@ session_access(const char *sid, const char *obj, const char *func)
blob_buf_init(&req, 0);
blobmsg_add_string(&req, "ubus_rpc_session", sid);
blobmsg_add_string(&req, "scope", "cgi-io");
blobmsg_add_string(&req, "scope", scope);
blobmsg_add_string(&req, "object", obj);
blobmsg_add_string(&req, "function", func);
@ -475,7 +475,7 @@ data_begin_cb(multipart_parser *p)
if (!st.filename)
return response(false, "File data without name");
if (!session_access(st.sessionid, st.filename, "write"))
if (!session_access(st.sessionid, "file", st.filename, "write"))
return response(false, "Access to path denied by ACL");
st.tempfd = mkstemp(tmpname);
@ -530,7 +530,7 @@ data_end_cb(multipart_parser *p)
{
if (st.parttype == PART_SESSIONID)
{
if (!session_access(st.sessionid, "upload", "write"))
if (!session_access(st.sessionid, "cgi-io", "upload", "write"))
{
errno = EPERM;
return response(false, "Upload permission denied");
@ -658,7 +658,7 @@ main_backup(int argc, char **argv)
char hostname[64] = { 0 };
char *fields[] = { "sessionid", NULL };
if (!postdecode(fields, 1) || !session_access(fields[1], "backup", "read"))
if (!postdecode(fields, 1) || !session_access(fields[1], "cgi-io", "backup", "read"))
return failure(0, "Backup permission denied");
if (pipe(fds))


Write Preview
Loading…
Cancel
Save