
Commit b56fae0

committed
add permission check for custom x11 template and print warning
1 parent 758ab7c commit b56fae0


1 file changed

+39
-5
lines changed

1 file changed

+39
-5
lines changed

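--- a/internal/xorg/conf.go
+++ b/internal/xorg/conf.go
@@ -7,6 +7,7 @@ import (
 "fmt"
 "io"
 "os"
+"syscall"
 "text/template"
 
 "github.com/hertg/egpu-switcher/internal/logger"
@@ -63,10 +64,21 @@ func RenderConf(id string, driver string, busid string, modesetting bool, verbos
 Modesetting: modesetting,
 }
 
+customTemplatePermissionCheck()
+
+confTemplate, isCustom := templateString(verbose)
+t := template.Must(template.New("conf").Parse(confTemplate))
 buf := bytes.NewBuffer(nil)
+err := t.Execute(buf, c)
+if err != nil {
+return "", isCustom, err
+}
 
-var confTemplate string
+return buf.String(), isCustom, nil
+}
 
+func templateString(verbose bool) (string, bool) {
+var confTemplate string
 templateFile, err := os.OpenFile(templatePath, os.O_RDONLY, 0644)
 isCustom := false
 if err != nil {
@@ -88,12 +100,34 @@ func RenderConf(id string, driver string, busid string, modesetting bool, verbos
 confTemplate = buf.String()
 isCustom = true
 }
+return confTemplate, isCustom
+}
 
-t := template.Must(template.New("conf").Parse(confTemplate))
-err = t.Execute(buf, c)
+func customTemplatePermissionCheck() {
+logWarn := false
+info, err := os.Stat(templatePath)
 if err != nil {
-return "", isCustom, err
+logger.Error("%s", err)
+return
 }
+if stat, ok := info.Sys().(*syscall.Stat_t); ok {
+if stat.Uid != 0 {
+logger.Warn("the custom x11 config template is not owned by root user")
+logWarn = true
+}
+if stat.Gid != 0 {
+logger.Warn("the custom x11 config template is not owned by root group")
+logWarn = true
+}
 
-return buf.String(), isCustom, nil
+otherPerm := info.Mode().Perm() & 0x007
+if otherPerm&0x2 != 0 {
+logger.Warn("the custom x11 config template is writable by other")
+logWarn = true
+}
+}
+if logWarn {
+logger.Warn("ensure that the custom x11 config template at '%s' is not writable by unauthorized users."+
+"this could pose a security risk. file should be owned by root:root and have a file permission of 644", templatePath)
+}
 }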
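Review bot: `customTemplatePermissionCheck()` stats `templatePath` on every `RenderConf` call, so a system with no custom template reports the expected not-found case through `logger.Error`; an early `if os.IsNotExist(err) { return }` before the error log would keep that path quiet. The check is also made by path, separately from the `os.OpenFile` in `templateString`, so the file inspected is not guaranteed to be the file that is read. Calling `templateFile.Stat()` on the opened handle and passing that `FileInfo` into the check would tie the two together (the middle of `templateString` lies outside the hunk, so the exact placement needs confirming). The mode test looks only at the other-write bit, so a group-writable template passes; `info.Mode().Perm()&0022 != 0` would cover both, which matters because a non-root group currently triggers only the ownership warning. Since the template is rendered regardless of the outcome, a doc comment such as `// customTemplatePermissionCheck only logs warnings; it never blocks rendering.` would make the advisory nature explicit.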
