Details about security of communication between Eddie UI and the Elevated process

Eddie main application (UI or CLI, generally called Main in this document) runs as normal user.
However, it needs to perform some privileged operations (like activating the network lock or changing routing table).
For this reason, another process (called Elevated in this document) needs to be run with elevated privileges as helper.
Elevated process performs only known action with restriction on parameters (there isn't any arbitrary shell command that can be called, for example).

This document lists the chosen restrictions to avoid abuses of Elevated process.

Elevated process can be launched in two modes:

  • spot: When UI or CLI starts, it launches the elevated process (an elevation prompt will show up), establish a connection and close it at the end.
  • service: Installed and active as a service (Windows service, or Linux systemd, or macOS launchd)
Elevated listens to a TCP socket (localhost only) for communication with main application.
Elevated is written in C++11

All supported OS

  • Elevated accepts only one connection at a time. If it finds an already established connection (typical at startup in 'spot' mode), it doesn't accept any other connection (and never will in 'spot' mode, because it's closed at the end of the first connection).
  • At connection, Main application sends a random session token that is used for any next communication/packet in the same connection.
  • In spot mode, Elevated accepts connection on a random port chosen by Main.
    In service mode, the port is fixed, 9349 (but can be changed with cmdline arguments, service-port for Elevated, elevated.service.port for Main)
  • In spot mode, Elevated accepts connection only if coming from the parent process that launches it.
  • In service mode, when Elevated is installed (as root), it computes a series of executable (Elevated and Main) and library integrity check through hashes. Main must pass the same integrity check when connecting. If it fails, the fallback spot mode is triggered.

Windows & macOS

  • Elevated checks if the main application digital signature matches the digital signature of the elevated itself.
    This is a redundant check.
    The check occurs ONLY if Elevated itself is digitally signed, so it occurs with the official binary packages from web sites, and not if the programs are compiled manually without signature.