diff --git a/letmeind/src/protocol.rs b/letmeind/src/protocol.rs
index 7b0b9d5..41d526e 100644
--- a/letmeind/src/protocol.rs
+++ b/letmeind/src/protocol.rs
@@ -102,13 +102,23 @@ impl<'a, C: ConnectionOps> Protocol<'a, C> {

 // Check if the authenticating user is allowed to access this resource.
 match resource {
- Resource::Port { .. } => {
+ Resource::Port { port, users: _ } => {
+ // Check the mapped user on the resource.
 if !resource.contains_user(user_id) {
 let _ = self.send_go_away().await;
 return Err(err!(
 "Resource {resource_id} not allowed for user {user_id}"
 ));
 }
+ // The control port is never allowed.
+ let control_port = self.conf.port();
+ if *port == control_port {
+ let _ = self.send_go_away().await;
+ return Err(err!(
+ "Incorrect configuration: The resource {resource_id} uses the \
+ letmein control port {control_port}. That is not allowed."
+ ));
+ }
 }
 }

diff --git a/letmeinfwd/src/server.rs b/letmeinfwd/src/server.rs
index 3f27a16..a5ff486 100644
--- a/letmeinfwd/src/server.rs
+++ b/letmeinfwd/src/server.rs
@@ -108,6 +108,14 @@ impl FirewallConnection {
 return Err(err!("The port {port} is not configured in letmeind.conf."));
 }

+ // Don't allow letmein to manage its own control port.
+ if port == conf.port() {
+ // Whoops, letmeind should never send us a request for the
+ // control port. Did some other process write to the unix socket?
+ self.send_msg(&FirewallMessage::new_nack()).await?;
+ return Err(err!("The knocked port {port} is the letmein control port."));
+ }
+
 // Open the firewall.
 let ok = {
 let mut fw = fw.lock().await;
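Review bot: The control-port check in the `Resource::Port` arm only fires when a client knocks on the misconfigured resource, so the condition its own message calls "Incorrect configuration" stays latent until then and is re-reported on every such request. Config loading is not visible in this diff; if it does not already reject a resource whose port equals `conf.port()`, the same comparison belongs there so the problem surfaces at startup. The runtime check is still worth keeping as a second layer, and the comment could say that, e.g. `// Defense in depth: a resource on the control port is a configuration error; reject it here even if config validation missed it.` The enclosing function starts and ends outside the hunk.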
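Review bot: The `?` on `self.send_msg(&FirewallMessage::new_nack()).await?` in the new control-port branch lets a failed send replace the error that matters. If the peer has already closed the socket, the function returns the send error and "The knocked port {port} is the letmein control port." is never reported. The branch's own comment treats this request as a sign of an unexpected writer on the unix socket, which is the event an operator needs in the log. Ignoring the send result, as the letmeind hunk does for `send_go_away()`, keeps the diagnostic: `let _ = self.send_msg(&FirewallMessage::new_nack()).await;`. The not-configured branch above is only partly visible, so whether it follows the same pattern cannot be told from this hunk, and the enclosing function continues outside it.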