From f29e6dcc140b1577880261016225edee041f5168 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gustavo=20I=C3=B1iguez=20Goia?= Date: Wed, 8 Nov 2023 00:48:44 +0100 Subject: [PATCH] ui: restrict unix socket to the current user By default, restrict reading from the unix socket to the user who launched the GUI. --- ui/bin/opensnitch-ui | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/ui/bin/opensnitch-ui b/ui/bin/opensnitch-ui index 0ae98b1af7..34de4912e7 100755 --- a/ui/bin/opensnitch-ui +++ b/ui/bin/opensnitch-ui @@ -58,6 +58,14 @@ def on_exit(): pass sys.exit(0) +def restrict_socket_perms(socket): + """Restrict socket reading to the current user""" + try: + if socket.startswith("unix://") and os.path.exists(socket[7:]): + os.chmod(socket[7:], 0o640) + except Exception as e: + print("Unable to change unix socket permissions:", socket, e) + def supported_qt_version(major, medium, minor): q = QtCore.QT_VERSION_STR.split(".") return int(q[0]) >= major and int(q[1]) >= medium and int(q[2]) >= minor @@ -176,7 +184,7 @@ Examples: parts = args.socket.split("@") args.socket = "unix-abstract:{0}".format(parts[1]) - print("Using server address:", args.socket) + print("Using server address:", args.socket, "auth type:", auth_type) if auth_type == auth.Simple or auth_type == "": server.add_insecure_port(args.socket) @@ -201,6 +209,9 @@ Examples: # print "OpenSnitch UI service running on %s ..." % socket server.start() + + restrict_socket_perms(args.socket) + app.exec_() except KeyboardInterrupt: