cgi-io: use different acl scopes for path and command permissions
Use the `cgi-io` scope to check for permission to execute the requested command (`upload`, `backup`) and the `file` scope to check path permissions.

The reasoning behind this change is that `cgi-io` is usually used in conjunction with `rpcd-mod-file` to transfer large file data out of band, and `rpcd-mod-file` already uses the `file` scope to manage file path access permissions. After this change, both `rpcd-mod-file` and `cgi-io` can share the same path acl rules.

Write access to a path can be granted by using a ubus call in the following form:

ubus call session grant '{ "ubus_rpc_session": "...", "scope": "file", "objects": [ [ "/var/lib/uploads/*", "write" ] ] }'

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
parent
a1057cea1f
commit
c8a86c8c8e
2 changed files with 7 additions and 7 deletions
|
@ -8,7 +8,7 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=cgi-io
|
||||
PKG_RELEASE:=8
|
||||
PKG_RELEASE:=9
|
||||
|
||||
PKG_LICENSE:=GPL-2.0-or-later
|
||||
|
||||
|
@ -37,7 +37,7 @@ endef
|
|||
define Package/cgi-io/install
|
||||
$(INSTALL_DIR) $(1)/usr/libexec $(1)/www/cgi-bin/
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/cgi-io $(1)/usr/libexec
|
||||
$(LN) ../../usr/libexec/cgi-io $(1)/www/cgi-bin/cgi-upload
|
||||
$(LN) ../../usr/libexec/cgi-io $(1)/www/cgi-bin/cgi-upload
|
||||
$(LN) ../../usr/libexec/cgi-io $(1)/www/cgi-bin/cgi-backup
|
||||
endef
|
||||
|
||||
|
|
|
@ -89,7 +89,7 @@ session_access_cb(struct ubus_request *req, int type, struct blob_attr *msg)
|
|||
}
|
||||
|
||||
static bool
|
||||
session_access(const char *sid, const char *obj, const char *func)
|
||||
session_access(const char *sid, const char *scope, const char *obj, const char *func)
|
||||
{
|
||||
uint32_t id;
|
||||
bool allow = false;
|
||||
|
@ -103,7 +103,7 @@ session_access(const char *sid, const char *obj, const char *func)
|
|||
|
||||
blob_buf_init(&req, 0);
|
||||
blobmsg_add_string(&req, "ubus_rpc_session", sid);
|
||||
blobmsg_add_string(&req, "scope", "cgi-io");
|
||||
blobmsg_add_string(&req, "scope", scope);
|
||||
blobmsg_add_string(&req, "object", obj);
|
||||
blobmsg_add_string(&req, "function", func);
|
||||
|
||||
|
@ -475,7 +475,7 @@ data_begin_cb(multipart_parser *p)
|
|||
if (!st.filename)
|
||||
return response(false, "File data without name");
|
||||
|
||||
if (!session_access(st.sessionid, st.filename, "write"))
|
||||
if (!session_access(st.sessionid, "file", st.filename, "write"))
|
||||
return response(false, "Access to path denied by ACL");
|
||||
|
||||
st.tempfd = mkstemp(tmpname);
|
||||
|
@ -530,7 +530,7 @@ data_end_cb(multipart_parser *p)
|
|||
{
|
||||
if (st.parttype == PART_SESSIONID)
|
||||
{
|
||||
if (!session_access(st.sessionid, "upload", "write"))
|
||||
if (!session_access(st.sessionid, "cgi-io", "upload", "write"))
|
||||
{
|
||||
errno = EPERM;
|
||||
return response(false, "Upload permission denied");
|
||||
|
@ -658,7 +658,7 @@ main_backup(int argc, char **argv)
|
|||
char hostname[64] = { 0 };
|
||||
char *fields[] = { "sessionid", NULL };
|
||||
|
||||
if (!postdecode(fields, 1) || !session_access(fields[1], "backup", "read"))
|
||||
if (!postdecode(fields, 1) || !session_access(fields[1], "cgi-io", "backup", "read"))
|
||||
return failure(0, "Backup permission denied");
|
||||
|
||||
if (pipe(fds))
|
||||
|
|
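Review bot: In the data_begin_cb hunk the `file`-scope check receives `st.filename` exactly as the client supplied it, and nothing visible there normalizes the path before `session_access(st.sessionid, "file", st.filename, "write")`. If the ACL is matched as a glob, as the `/var/lib/uploads/*` example in the commit message suggests, a name containing `..` segments or one that resolves through a symlink may satisfy the pattern while the write lands outside the granted directory. Because this grant is now shared with rpcd-mod-file, any existing `file` write rule also governs uploads, so I would canonicalize the name first (for example `realpath()` on the parent directory plus the basename) and pass the resolved path both to the ACL check and to the later open. A comment such as `/* ACL is checked on the canonical path, never on the client-supplied string */` above the call would record the intent. The body of data_begin_cb continues outside the hunk, so this may already be handled there; worth confirming.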