authorAndrej Mihajlov <and@mullvad.net>2018-02-08 18:03:04 +0100
committerAndrej Mihajlov <and@mullvad.net>2018-02-13 11:06:15 +0100
commit339fe63ad8e0bed7d31b5d872756ef229d280a12 (patch)
tree33c1361d77c2bc06ff2ae491326488152a53f31d /app/lib
parent545c0dddaa2a16e1bcdc050be4c5217d3a629ac5 (diff)
Add RPC address file check for windows
Diffstat (limited to 'app/lib')
-rw-r--r--app/lib/rpc-file-security.js32
1 files changed, 32 insertions, 0 deletions
diff --git a/app/lib/rpc-file-security.js b/app/lib/rpc-file-security.js
new file mode 100644
index 0000000000..da777d9b78
--- /dev/null
+++ b/app/lib/rpc-file-security.js
@@ -0,0 +1,32 @@
+// @flow
+
+import fs from 'fs';
+
+export function canTrustRpcAddressFile(path: string): boolean {
+ const platform = process.platform;
+ switch(platform) {
+ case 'win32':
+ return isOwnedByLocalSystem(path);
+ case 'darwin':
+ case 'linux':
+ return isOwnedAndOnlyWritableByRoot(path);
+ default:
+ throw new Error(`Unknown platform: ${platform}`);
+ }
+}
+
+function isOwnedAndOnlyWritableByRoot(path: string): boolean {
+ const stat = fs.statSync(path);
+ const isOwnedByRoot = stat.uid === 0;
+ const isOnlyWritableByOwner = (stat.mode & parseInt('022', 8)) === 0;
+
+ return isOwnedByRoot && isOnlyWritableByOwner;
+}
+
+function isOwnedByLocalSystem(path: string): boolean {
+ const winsec = require('windows-security');
+ const ownerSid = winsec.getFileOwnerSid(path, null);
+ const isWellKnownSid = winsec.isWellKnownSid(ownerSid, winsec.WellKnownSid.LocalSystemSid);
+
+ return isWellKnownSid;
+}
\ No newline at end of file
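Review bot: On win32 `canTrustRpcAddressFile` trusts the file on ownership alone: `isOwnedByLocalSystem` compares the owner SID with `LocalSystemSid` but never inspects the file's DACL, so a SYSTEM-owned file whose ACL grants write access to other accounts would still pass, whereas the darwin/linux branch also rejects group/other write bits. Both branches check by path (`fs.statSync(path)`, `getFileOwnerSid(path, null)`), and `statSync` follows symlinks, so the verdict only holds if the caller reads the very same object. The caller is not visible in this hunk; if it reopens the path later, a writable parent directory would allow the file to be swapped between check and read. On the Unix side, opening the file once and running `fs.fstatSync(fd)` on that descriptor before reading from it would bind the check to the data actually read. A header comment on the export stating the contract would also help, e.g. `// true only if owned by root (and not group/other-writable) or by LocalSystem; throws if the file cannot be stat'ed or the platform is unknown`.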