cmdmon: allow unauthenticated commands from Unix domain socket

Allow all commands received from the Unix domain command socket (which
is accessible only by the root and chrony user/group), even when they
are not authenticated with the command key.
Miroslav Lichvar 2015-08-19 18:33:18 +02:00
parent fbe65f2c71
commit 0887824324


@ -1808,7 +1808,13 @@ read_from_cmd_socket(void *anything)
/* This should be already handled */ /* This should be already handled */
assert(0); assert(0);
} else { } else {
/* Check level of authority required to issue the command */ /* Check level of authority required to issue the command. All commands
from the Unix domain socket (which is accessible only by the root and
chrony user/group) are allowed. */
if (where_from.sa.sa_family == AF_UNIX) {
assert(sock_fd == sock_fdu);
allowed = 1;
} else {
switch (permissions[rx_command]) { switch (permissions[rx_command]) {
case PERMIT_AUTH: case PERMIT_AUTH:
if (authenticated) { if (authenticated) {
@ -1831,6 +1837,7 @@ read_from_cmd_socket(void *anything)
assert(0); assert(0);
allowed = 0; allowed = 0;
} }
}
if (allowed) { if (allowed) {
switch(rx_command) { switch(rx_command) {
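Review bot: The bypass at `if (where_from.sa.sa_family == AF_UNIX)` decides authorization from the address family reported for the sender, and its only tie to the receiving socket is `assert(sock_fd == sock_fdu)`, which is compiled out when NDEBUG is defined. Keying the branch on the descriptor itself, `if (sock_fd == sock_fdu) {`, would bind the decision to the socket whose filesystem permissions the new comment relies on. How where_from is filled in is outside the hunk, so it is worth confirming that it is initialised before the receive call, since a datagram from an unbound Unix socket may leave the address unset. The body of read_from_cmd_socket starts and ends outside the hunk.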