cgi-io: use different acl scopes for path and command permissions

Use the `cgi-io` scope to check for permission to execute the requested
command (`upload`, `backup`) and the `file` scope to check path
permissions.

The reasoning of this change is that `cgi-io` is usually used in
conjunction with `rpcd-mod-file` to transfer large file data out
of band and `rpcd-mod-file` already uses the `file` scope to manage
file path access permissions. After this change, both `rpc-mod-file`
and `cgi-io` can share the same path acl rules.

Write access to a path can be granted by using an ubus call in the
following form:

    ubus call session grant '{
        "ubus_rpc_session": "...",
        "scope": "file",
        "objects": [
            [ "/var/lib/uploads/*", "write" ]
        ]
    }'

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/net/cgi-io/Makefile b/net/cgi-io/Makefile
index 4c47257879e788a0646f2cbd52ebbd0485d49485..4b2d664af9638f08d35a274741923f0904f4a3fc 100644 (file)
--- a/net/cgi-io/Makefile
+++ b/net/cgi-io/Makefile
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=cgi-io
-PKG_RELEASE:=8
+PKG_RELEASE:=9
 
 PKG_LICENSE:=GPL-2.0-or-later
 
@@ -37,7 +37,7 @@ endef
 define Package/cgi-io/install
        $(INSTALL_DIR) $(1)/usr/libexec $(1)/www/cgi-bin/
        $(INSTALL_BIN) $(PKG_BUILD_DIR)/cgi-io $(1)/usr/libexec
-       $(LN) ../../usr/libexec/cgi-io $(1)/www/cgi-bin/cgi-upload 
+       $(LN) ../../usr/libexec/cgi-io $(1)/www/cgi-bin/cgi-upload
        $(LN) ../../usr/libexec/cgi-io $(1)/www/cgi-bin/cgi-backup
 endef
 

diff --git a/net/cgi-io/src/main.c b/net/cgi-io/src/main.c
index a6ded065f426d81362c953cf893319edf9368b17..44a520576028ef722829681528de17017474539a 100644 (file)
--- a/net/cgi-io/src/main.c
+++ b/net/cgi-io/src/main.c
@@ -89,7 +89,7 @@ session_access_cb(struct ubus_request *req, int type, struct blob_attr *msg)
 }
 
 static bool
-session_access(const char *sid, const char *obj, const char *func)
+session_access(const char *sid, const char *scope, const char *obj, const char *func)
 {
        uint32_t id;
        bool allow = false;
@@ -103,7 +103,7 @@ session_access(const char *sid, const char *obj, const char *func)
 
        blob_buf_init(&req, 0);
        blobmsg_add_string(&req, "ubus_rpc_session", sid);
-       blobmsg_add_string(&req, "scope", "cgi-io");
+       blobmsg_add_string(&req, "scope", scope);
        blobmsg_add_string(&req, "object", obj);
        blobmsg_add_string(&req, "function", func);
 
@@ -475,7 +475,7 @@ data_begin_cb(multipart_parser *p)
                if (!st.filename)
                        return response(false, "File data without name");
 
-               if (!session_access(st.sessionid, st.filename, "write"))
+               if (!session_access(st.sessionid, "file", st.filename, "write"))
                        return response(false, "Access to path denied by ACL");
 
                st.tempfd = mkstemp(tmpname);
@@ -530,7 +530,7 @@ data_end_cb(multipart_parser *p)
 {
        if (st.parttype == PART_SESSIONID)
        {
-               if (!session_access(st.sessionid, "upload", "write"))
+               if (!session_access(st.sessionid, "cgi-io", "upload", "write"))
                {
                        errno = EPERM;
                        return response(false, "Upload permission denied");
@@ -658,7 +658,7 @@ main_backup(int argc, char **argv)
        char hostname[64] = { 0 };
        char *fields[] = { "sessionid", NULL };
 
-       if (!postdecode(fields, 1) || !session_access(fields[1], "backup", "read"))
+       if (!postdecode(fields, 1) || !session_access(fields[1], "cgi-io", "backup", "read"))
                return failure(0, "Backup permission denied");
 
        if (pipe(fds))