From 5100ff45fa51aa8e85a896dda3b9b458dc931b43 Mon Sep 17 00:00:00 2001 From: bugclerk <40872210+bugclerk@users.noreply.github.com> Date: Thu, 25 Jul 2024 06:24:28 -0700 Subject: [PATCH] Remove check for whether localhost connection is root (#14082) We don't use this functionality internally and it's a potential security liability if someone decides to set up their own internal proxy to middlewared socket that's running as root. (cherry picked from commit 0673f0de2b7c17e00181a84fb9343cfed3696b59) Co-authored-by: Andrew Walker --- src/middlewared/middlewared/auth.py | 4 --- src/middlewared/middlewared/plugins/auth.py | 27 +++---------------- src/middlewared/middlewared/utils/nginx.py | 9 ------- .../middlewared/utils/privilege.py | 8 ++---- tests/api2/test_ip_auth.py | 24 ----------------- tests/api2/test_localhost_ws_auth.py | 11 ++++++++ 6 files changed, 16 insertions(+), 67 deletions(-) delete mode 100644 tests/api2/test_ip_auth.py create mode 100644 tests/api2/test_localhost_ws_auth.py diff --git a/src/middlewared/middlewared/auth.py b/src/middlewared/middlewared/auth.py index 5100b020389c4..7dc92f4398144 100644 --- a/src/middlewared/middlewared/auth.py +++ b/src/middlewared/middlewared/auth.py @@ -59,10 +59,6 @@ class UnixSocketSessionManagerCredentials(UserSessionManagerCredentials): pass -class RootTcpSocketSessionManagerCredentials(UserSessionManagerCredentials): - pass - - class LoginPasswordSessionManagerCredentials(UserSessionManagerCredentials): pass diff --git a/src/middlewared/middlewared/plugins/auth.py b/src/middlewared/middlewared/plugins/auth.py index 9202be3433466..09a956dcf0e77 100644 --- a/src/middlewared/middlewared/plugins/auth.py +++ b/src/middlewared/middlewared/plugins/auth.py @@ -8,9 +8,8 @@ import psutil from middlewared.auth import (SessionManagerCredentials, UserSessionManagerCredentials, - UnixSocketSessionManagerCredentials, RootTcpSocketSessionManagerCredentials, - LoginPasswordSessionManagerCredentials, ApiKeySessionManagerCredentials, - TrueNasNodeSessionManagerCredentials) + UnixSocketSessionManagerCredentials, LoginPasswordSessionManagerCredentials, + ApiKeySessionManagerCredentials, TrueNasNodeSessionManagerCredentials) from middlewared.schema import accepts, Any, Bool, Datetime, Dict, Int, List, Password, Patch, Ref, returns, Str from middlewared.service import ( Service, filterable, filterable_returns, filter_list, no_auth_required, no_authz_required, @@ -18,7 +17,6 @@ ) from middlewared.service_exception import MatchNotFound import middlewared.sqlalchemy as sa -from middlewared.utils.nginx import get_peer_process from middlewared.utils.origin import UnixSocketOrigin, TCPIPOrigin from middlewared.utils.crypto import generate_token @@ -210,10 +208,7 @@ def is_internal_session(session): if isinstance(session.app.origin, UnixSocketOrigin) and session.app.origin.uid == 0: return True - if isinstance(session.app.authenticated_credentials, ( - RootTcpSocketSessionManagerCredentials, - TrueNasNodeSessionManagerCredentials, - )): + if isinstance(session.app.authenticated_credentials, TrueNasNodeSessionManagerCredentials): return True return False @@ -673,22 +668,6 @@ async def check_permission(middleware, app): await AuthService.session_manager.login(app, UnixSocketSessionManagerCredentials(user)) return - if isinstance(origin, TCPIPOrigin): - if not (origin.addr.startswith('127.') or origin.addr == '::1'): - return - - # This is an expensive operation, but it is only performed for localhost TCP connections which are rare - if process := await middleware.run_in_thread(get_peer_process, origin.addr, origin.port): - try: - euid = (await middleware.run_in_thread(process.uids)).effective - except psutil.NoSuchProcess: - pass - else: - if euid == 0: - user = await middleware.call('auth.authenticate_root') - await AuthService.session_manager.login(app, RootTcpSocketSessionManagerCredentials(user)) - return - def setup(middleware): middleware.event_register('auth.sessions', 'Notification of new and removed sessions.') diff --git a/src/middlewared/middlewared/utils/nginx.py b/src/middlewared/middlewared/utils/nginx.py index 7c81036e89fa1..a4223cd919ec9 100644 --- a/src/middlewared/middlewared/utils/nginx.py +++ b/src/middlewared/middlewared/utils/nginx.py @@ -3,15 +3,6 @@ from psutil._common import addr -def get_peer_process(remote_addr, remote_port): - for connection in psutil.net_connections(kind='tcp'): - if connection.laddr == addr(remote_addr, remote_port): - try: - return psutil.Process(connection.pid) - except psutil.ProcessNotFound: - return None - - def get_remote_addr_port(request): try: remote_addr, remote_port = request.transport.get_extra_info("peername") diff --git a/src/middlewared/middlewared/utils/privilege.py b/src/middlewared/middlewared/utils/privilege.py index f350af98005ea..b5fd8c315f64b 100644 --- a/src/middlewared/middlewared/utils/privilege.py +++ b/src/middlewared/middlewared/utils/privilege.py @@ -1,6 +1,5 @@ import enum -from middlewared.auth import (RootTcpSocketSessionManagerCredentials, - TrueNasNodeSessionManagerCredentials) +from middlewared.auth import TrueNasNodeSessionManagerCredentials from middlewared.role import ROLES @@ -29,10 +28,7 @@ def credential_has_full_admin(credential: object) -> bool: if credential.is_user_session and 'FULL_ADMIN' in credential.user['privilege']['roles']: return True - if isinstance(credential, ( - RootTcpSocketSessionManagerCredentials, - TrueNasNodeSessionManagerCredentials - )): + if isinstance(credential, TrueNasNodeSessionManagerCredentials): return True if credential.allowlist is None: diff --git a/tests/api2/test_ip_auth.py b/tests/api2/test_ip_auth.py deleted file mode 100644 index a249f634aec74..0000000000000 --- a/tests/api2/test_ip_auth.py +++ /dev/null @@ -1,24 +0,0 @@ -import json -import shlex - -import pytest - -from middlewared.test.integration.assets.account import user -from middlewared.test.integration.utils import ssh - - -@pytest.mark.parametrize("url", ["127.0.0.1", "127.0.0.1:6000"]) -@pytest.mark.parametrize("root", [True, False]) -def test_tcp_connection_from_localhost(url, root): - cmd = f"midclt -u ws://{url}/websocket call auth.sessions '[[\"current\", \"=\", true]]' '{{\"get\": true}}'" - if root: - assert json.loads(ssh(cmd))["credentials"] == "ROOT_TCP_SOCKET" - else: - with user({ - "username": "unprivileged", - "full_name": "Unprivileged User", - "group_create": True, - "password": "test1234", - }): - result = ssh(f"sudo -u unprivileged {cmd}", check=False, complete_response=True) - assert "Not authenticated" in result["stderr"] diff --git a/tests/api2/test_localhost_ws_auth.py b/tests/api2/test_localhost_ws_auth.py new file mode 100644 index 0000000000000..36cb392fef9a9 --- /dev/null +++ b/tests/api2/test_localhost_ws_auth.py @@ -0,0 +1,11 @@ +from middlewared.test.integration.utils import ssh + + +def test__authentication_required_localhost(): + cmd = 'midclt -u ws://localhost/websocket call user.query' + resp = ssh(cmd, check=False, complete_response=True) + + assert not resp['result'] + + assert 'Not authenticated' in resp['stderr'] +