Explicitly check and forbid knocking on the control port

The resource configuration is incorrect. Check for this scenario to avoid accidental modification of the firewall rules and to give the user an error message.
mbuesch · Sep 21, 2024 · b15c62a · b15c62a
1 parent 5d0d582
commit b15c62a
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/letmeind/src/protocol.rs b/letmeind/src/protocol.rs
@@ -102,13 +102,23 @@ impl<'a, C: ConnectionOps> Protocol<'a, C> {
 
         // Check if the authenticating user is allowed to access this resource.
         match resource {
-            Resource::Port { .. } => {
+            Resource::Port { port, users: _ } => {
+                // Check the mapped user on the resource.
                 if !resource.contains_user(user_id) {
                     let _ = self.send_go_away().await;
                     return Err(err!(
                         "Resource {resource_id} not allowed for user {user_id}"
                     ));
                 }
+                // The control port is never allowed.
+                let control_port = self.conf.port();
+                if *port == control_port {
+                    let _ = self.send_go_away().await;
+                    return Err(err!(
+                        "Incorrect configuration: The resource {resource_id} uses the \
+                         letmein control port {control_port}. That is not allowed."
+                    ));
+                }
             }
         }
 

diff --git a/letmeinfwd/src/server.rs b/letmeinfwd/src/server.rs
@@ -108,6 +108,14 @@ impl FirewallConnection {
                     return Err(err!("The port {port} is not configured in letmeind.conf."));
                 }
 
+                // Don't allow letmein to manage its own control port.
+                if port == conf.port() {
+                    // Whoops, letmeind should never send us a request for the
+                    // control port. Did some other process write to the unix socket?
+                    self.send_msg(&FirewallMessage::new_nack()).await?;
+                    return Err(err!("The knocked port {port} is the letmein control port."));
+                }
+
                 // Open the firewall.
                 let ok = {
                     let mut fw = fw.lock().await;