| author | Andrej Mihajlov <and@mullvad.net> | 2018-02-13 11:19:56 +0100 |
|---|---|---|
| committer | Andrej Mihajlov <and@mullvad.net> | 2018-02-13 11:19:56 +0100 |
| commit | 4cc0b2c8cf0003f0af91d1417e210e03eac32b2b (patch) | |
| tree | 088e135a9d3a5626f470286cca7776311c8369d3 /app/lib | |
| parent | f9d375bcb3403bc81cec7ebbcb7fd2943b5c2ac5 (diff) | |
| parent | d33fabdc783d5a997395a4f02bf96fce1affaf98 (diff) | |
| download | mullvadvpn-4cc0b2c8cf0003f0af91d1417e210e03eac32b2b.tar.xz mullvadvpn-4cc0b2c8cf0003f0af91d1417e210e03eac32b2b.zip | |
Merge branch 'rpc-file-win-security'
Diffstat (limited to 'app/lib')
| -rw-r--r-- | app/lib/rpc-file-security.js | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/app/lib/rpc-file-security.js b/app/lib/rpc-file-security.js
new file mode 100644
index 0000000000..da777d9b78
--- /dev/null
+++ b/app/lib/rpc-file-security.js
@@ -0,0 +1,32 @@
+// @flow
+
+import fs from 'fs';
+
+export function canTrustRpcAddressFile(path: string): boolean {
+ const platform = process.platform;
+ switch(platform) {
+ case 'win32':
+ return isOwnedByLocalSystem(path);
+ case 'darwin':
+ case 'linux':
+ return isOwnedAndOnlyWritableByRoot(path);
+ default:
+ throw new Error(`Unknown platform: ${platform}`);
+ }
+}
+
+function isOwnedAndOnlyWritableByRoot(path: string): boolean {
+ const stat = fs.statSync(path);
+ const isOwnedByRoot = stat.uid === 0;
+ const isOnlyWritableByOwner = (stat.mode & parseInt('022', 8)) === 0;
+
+ return isOwnedByRoot && isOnlyWritableByOwner;
+}
+
+function isOwnedByLocalSystem(path: string): boolean {
+ const winsec = require('windows-security');
+ const ownerSid = winsec.getFileOwnerSid(path, null);
+ const isWellKnownSid = winsec.isWellKnownSid(ownerSid, winsec.WellKnownSid.LocalSystemSid);
+
+ return isWellKnownSid;
+}
\ No newline at end of file |
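Review bot: `isOwnedByLocalSystem` trusts the file on ownership alone, whereas `isOwnedAndOnlyWritableByRoot` also requires that group and others cannot write. A file owned by LocalSystem can still carry a DACL that grants write access to ordinary users, so the Windows branch should either inspect the ACL as well or state the limitation, e.g. `// NOTE: only the owner SID is verified; the file's DACL is not inspected`. Both helpers check by path, so the verdict only holds for whatever is at that path at that moment. The caller is not visible here, but if it reads the path afterwards, opening the file once and checking `fs.fstatSync(fd)` on that descriptor before reading from it would close the gap between check and use on the Unix side. `fs.statSync` also throws when the file is missing, which the `boolean` return type does not convey, so a short doc comment on `canTrustRpcAddressFile` noting that it can throw would help callers.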
