From b15c62a678d6129dda4814e99af690f1664296a1 Mon Sep 17 00:00:00 2001
From: Michael Buesch <m@bues.ch>
Date: Sat, 21 Sep 2024 19:12:17 +0200
Subject: [PATCH] Explicitly check and forbid knocking on the control port

The resource configuration is incorrect.
Check for this scenario to avoid accidental modification of the firewall rules
and to give the user an error message.
---
 letmeind/src/protocol.rs | 12 +++++++++++-
 letmeinfwd/src/server.rs |  8 ++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/letmeind/src/protocol.rs b/letmeind/src/protocol.rs
index 7b0b9d5..41d526e 100644
--- a/letmeind/src/protocol.rs
+++ b/letmeind/src/protocol.rs
@@ -102,13 +102,23 @@ impl<'a, C: ConnectionOps> Protocol<'a, C> {
 
         // Check if the authenticating user is allowed to access this resource.
         match resource {
-            Resource::Port { .. } => {
+            Resource::Port { port, users: _ } => {
+                // Check the mapped user on the resource.
                 if !resource.contains_user(user_id) {
                     let _ = self.send_go_away().await;
                     return Err(err!(
                         "Resource {resource_id} not allowed for user {user_id}"
                     ));
                 }
+                // The control port is never allowed.
+                let control_port = self.conf.port();
+                if *port == control_port {
+                    let _ = self.send_go_away().await;
+                    return Err(err!(
+                        "Incorrect configuration: The resource {resource_id} uses the \
+                         letmein control port {control_port}. That is not allowed."
+                    ));
+                }
             }
         }
 
diff --git a/letmeinfwd/src/server.rs b/letmeinfwd/src/server.rs
index 3f27a16..a5ff486 100644
--- a/letmeinfwd/src/server.rs
+++ b/letmeinfwd/src/server.rs
@@ -108,6 +108,14 @@ impl FirewallConnection {
                     return Err(err!("The port {port} is not configured in letmeind.conf."));
                 }
 
+                // Don't allow letmein to manage its own control port.
+                if port == conf.port() {
+                    // Whoops, letmeind should never send us a request for the
+                    // control port. Did some other process write to the unix socket?
+                    self.send_msg(&FirewallMessage::new_nack()).await?;
+                    return Err(err!("The knocked port {port} is the letmein control port."));
+                }
+
                 // Open the firewall.
                 let ok = {
                     let mut fw = fw.lock().await;