/mandos/release : revision 237.22.1

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2012-06-06 19:08:17 UTC
mto: (237.7.144 trunk)
mto: This revision was merged to the branch mainline in revision 302.
Revision ID: teddy@recompile.se-20120606190817-c2x5o98vzn07xufd

* plugins.d/mandos-client.c: Refactoring.
  (uid, gid): New global variables.
  (raise_privileges, raise_privileges_permanently, lower_privileges,
  bring_up_interface): New functions.
  (main): Changed to use new functions.

files modified:
plugins.d/mandos-client.c

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

135

static const char sys_class_net[] = "/sys/class/net";

136

char *connect_to = NULL;

137

const char *hookdir = HOOKDIR;

138

uid_t uid = 65534;

139

gid_t gid = 65534;

138

140

139

141

/* Doubly linked list that need to be circularly linked when used */

140

142

typedef struct server{

1390

1392

}

1391

1393

}

1392

1394

1395

/* Set effective uid to 0, return errno */

1396

int raise_privileges(void){

1397

int old_errno = errno;

1398

int ret_errno = 0;

1399

errno = 0;

1400

if(seteuid(0) == -1){

1401

perror_plus("seteuid");

1402

}

1403

ret_errno = errno;

1404

errno = old_errno;

1405

return ret_errno;

1406

}

1407

1408

/* Set effective and real user ID to 0. Return errno. */

1409

int raise_privileges_permanently(void){

1410

int old_errno = errno;

1411

int ret_errno = raise_privileges();

1412

if(ret_errno != 0){

1413

errno = old_errno;

1414

return ret_errno;

1415

}

1416

errno = 0;

1417

if(setuid(0) == -1){

1418

perror_plus("seteuid");

1419

}

1420

ret_errno = errno;

1421

errno = old_errno;

1422

return ret_errno;

1423

}

1424

1425

/* Set effective user ID to unprivileged saved user ID */

1426

int lower_privileges(void){

1427

int old_errno = errno;

1428

int ret_errno = 0;

1429

errno = 0;

1430

if(seteuid(uid) == -1){

1431

perror_plus("seteuid");

1432

}

1433

ret_errno = errno;

1434

errno = old_errno;

1435

return ret_errno;

1436

}

1437

1393

1438

bool run_network_hooks(const char *mode, const char *interface,

1394

1439

const float delay){

1395

1440

struct dirent **direntries;

1417

1462

if(hook_pid == 0){

1418

1463

/* Child */

1419

1464

/* Raise privileges */

1420

errno = 0;

1421

ret = seteuid(0);

1422

if(ret == -1){

1423

perror_plus("seteuid");

1424

}

1425

/* Raise privileges even more */

1426

errno = 0;

1427

ret = setuid(0);

1428

if(ret == -1){

1429

perror_plus("setuid");

1430

}

1465

raise_privileges_permanently();

1431

1466

/* Set group */

1432

1467

errno = 0;

1433

1468

ret = setgid(0);

1526

1561

return true;

1527

1562

}

1528

1563

1564

int bring_up_interface(const char * const interface, const float delay){

1565

int sd = -1;

1566

int ret;

1567

struct ifreq network;

1568

AvahiIfIndex if_index = (AvahiIfIndex)if_nametoindex(interface);

1569

if(if_index == 0){

1570

fprintf_plus(stderr, "No such interface: \"%s\"\n", interface);

1571

return EX_UNAVAILABLE;

1572

}

1573

1574

if(quit_now){

1575

return EINTR;

1576

}

1577

1578

/* Re-raise priviliges */

1579

raise_privileges();

1580

1581

#ifdef __linux__

1582

/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO

1583

messages about the network interface to mess up the prompt */

1584

ret = klogctl(8, NULL, 5);

1585

bool restore_loglevel = true;

1586

if(ret == -1){

1587

restore_loglevel = false;

1588

perror_plus("klogctl");

1589

}

1590

#endif /* __linux__ */

1591

1592

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

1593

if(sd < 0){

1594

perror_plus("socket");

1595

#ifdef __linux__

1596

if(restore_loglevel){

1597

ret = klogctl(7, NULL, 0);

1598

if(ret == -1){

1599

perror_plus("klogctl");

1600

}

1601

}

1602

#endif /* __linux__ */

1603

/* Lower privileges */

1604

lower_privileges();

1605

return EX_OSERR;

1606

;

1607

}

1608

strcpy(network.ifr_name, interface);

1609

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1610

if(ret == -1){

1611

perror_plus("ioctl SIOCGIFFLAGS");

1612

#ifdef __linux__

1613

if(restore_loglevel){

1614

ret = klogctl(7, NULL, 0);

1615

if(ret == -1){

1616

perror_plus("klogctl");

1617

}

1618

}

1619

#endif /* __linux__ */

1620

/* Lower privileges */

1621

lower_privileges();

1622

return EX_OSERR;

1623

}

1624

if((network.ifr_flags & IFF_UP) == 0){

1625

network.ifr_flags |= IFF_UP;

1626

ret = ioctl(sd, SIOCSIFFLAGS, &network);

1627

if(ret == -1){

1628

perror_plus("ioctl SIOCSIFFLAGS +IFF_UP");

1629

#ifdef __linux__

1630

if(restore_loglevel){

1631

ret = klogctl(7, NULL, 0);

1632

if(ret == -1){

1633

perror_plus("klogctl");

1634

}

1635

}

1636

#endif /* __linux__ */

1637

/* Lower privileges */

1638

lower_privileges();

1639

return EX_OSERR;

1640

}

1641

}

1642

/* Sleep checking until interface is running.

1643

Check every 0.25s, up to total time of delay */

1644

for(int i=0; i < delay * 4; i++){

1645

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1646

if(ret == -1){

1647

perror_plus("ioctl SIOCGIFFLAGS");

1648

} else if(network.ifr_flags & IFF_RUNNING){

1649

break;

1650

}

1651

struct timespec sleeptime = { .tv_nsec = 250000000 };

1652

ret = nanosleep(&sleeptime, NULL);

1653

if(ret == -1 and errno != EINTR){

1654

perror_plus("nanosleep");

1655

}

1656

}

1657

/* Close the socket */

1658

ret = (int)TEMP_FAILURE_RETRY(close(sd));

1659

if(ret == -1){

1660

perror_plus("close");

1661

}

1662

#ifdef __linux__

1663

if(restore_loglevel){

1664

/* Restores kernel loglevel to default */

1665

ret = klogctl(7, NULL, 0);

1666

if(ret == -1){

1667

perror_plus("klogctl");

1668

}

1669

}

1670

#endif /* __linux__ */

1671

/* Lower privileges */

1672

lower_privileges();

1673

return errno;

1674

}

1675

1529

1676

int main(int argc, char *argv[]){

1530

1677

AvahiSServiceBrowser *sb = NULL;

1531

1678

int error;

1537

1684

struct ifreq network;

1538

1685

int sd = -1;

1539

1686

bool take_down_interface = false;

1540

uid_t uid;

1541

gid_t gid;

1542

1687

char tempdir[] = "/tmp/mandosXXXXXX";

1543

1688

bool tempdir_created = false;

1544

1689

AvahiIfIndex if_index = AVAHI_IF_UNSPEC;

1724

1869

<http://bugs.debian.org/633582> */

1725

1870

1726

1871

/* Re-raise priviliges */

1727

errno = 0;

1728

ret = seteuid(0);

1729

if(ret == -1){

1730

perror_plus("seteuid");

1731

} else {

1872

if(raise_privileges() == 0){

1732

1873

struct stat st;

1733

1874

1734

1875

if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){

1899

2040

}

1900

2041

1901

2042

/* If the interface is down, bring it up */

1902

if(strcmp(interface, "none") != 0){

1903

if_index = (AvahiIfIndex) if_nametoindex(interface);

1904

if(if_index == 0){

1905

fprintf_plus(stderr, "No such interface: \"%s\"\n", interface);

1906

exitcode = EX_UNAVAILABLE;

1907

goto end;

1908

}

1909

1910

if(quit_now){

1911

goto end;

1912

}

1913

1914

/* Re-raise priviliges */

1915

errno = 0;

1916

ret = seteuid(0);

1917

if(ret == -1){

1918

perror_plus("seteuid");

1919

}

1920

1921

#ifdef __linux__

1922

/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO

1923

messages about the network interface to mess up the prompt */

1924

ret = klogctl(8, NULL, 5);

1925

bool restore_loglevel = true;

1926

if(ret == -1){

1927

restore_loglevel = false;

1928

perror_plus("klogctl");

1929

}

1930

#endif /* __linux__ */

1931

1932

sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

1933

if(sd < 0){

1934

perror_plus("socket");

1935

exitcode = EX_OSERR;

1936

#ifdef __linux__

1937

if(restore_loglevel){

1938

ret = klogctl(7, NULL, 0);

1939

if(ret == -1){

1940

perror_plus("klogctl");

1941

}

1942

}

1943

#endif /* __linux__ */

1944

/* Lower privileges */

1945

errno = 0;

1946

ret = seteuid(uid);

1947

if(ret == -1){

1948

perror_plus("seteuid");

1949

}

1950

goto end;

1951

}

1952

strcpy(network.ifr_name, interface);

1953

ret = ioctl(sd, SIOCGIFFLAGS, &network);

1954

if(ret == -1){

1955

perror_plus("ioctl SIOCGIFFLAGS");

1956

#ifdef __linux__

1957

if(restore_loglevel){

1958

ret = klogctl(7, NULL, 0);

1959

if(ret == -1){

1960

perror_plus("klogctl");

1961

}

1962

}

1963

#endif /* __linux__ */

1964

exitcode = EX_OSERR;

1965

/* Lower privileges */

1966

errno = 0;

1967

ret = seteuid(uid);

1968

if(ret == -1){

1969

perror_plus("seteuid");

1970

}

1971

goto end;

1972

}

1973

if((network.ifr_flags & IFF_UP) == 0){

1974

network.ifr_flags |= IFF_UP;

1975

take_down_interface = true;

1976

ret = ioctl(sd, SIOCSIFFLAGS, &network);

1977

if(ret == -1){

1978

take_down_interface = false;

1979

perror_plus("ioctl SIOCSIFFLAGS +IFF_UP");

1980

exitcode = EX_OSERR;

1981

#ifdef __linux__

1982

if(restore_loglevel){

1983

ret = klogctl(7, NULL, 0);

1984

if(ret == -1){

1985

perror_plus("klogctl");

1986

}

1987

}

1988

#endif /* __linux__ */

1989

/* Lower privileges */

1990

errno = 0;

1991

ret = seteuid(uid);

1992

if(ret == -1){

1993

perror_plus("seteuid");

1994

}

1995

goto end;

1996

}

1997

}

1998

/* Sleep checking until interface is running.

1999

Check every 0.25s, up to total time of delay */

2000

for(int i=0; i < delay * 4; i++){

2001

ret = ioctl(sd, SIOCGIFFLAGS, &network);

2002

if(ret == -1){

2003

perror_plus("ioctl SIOCGIFFLAGS");

2004

} else if(network.ifr_flags & IFF_RUNNING){

2005

break;

2006

}

2007

struct timespec sleeptime = { .tv_nsec = 250000000 };

2008

ret = nanosleep(&sleeptime, NULL);

2009

if(ret == -1 and errno != EINTR){

2010

perror_plus("nanosleep");

2011

}

2012

}

2013

if(not take_down_interface){

2014

/* We won't need the socket anymore */

2015

ret = (int)TEMP_FAILURE_RETRY(close(sd));

2016

if(ret == -1){

2017

perror_plus("close");

2018

}

2019

}

2020

#ifdef __linux__

2021

if(restore_loglevel){

2022

/* Restores kernel loglevel to default */

2023

ret = klogctl(7, NULL, 0);

2024

if(ret == -1){

2025

perror_plus("klogctl");

2026

}

2027

}

2028

#endif /* __linux__ */

2029

/* Lower privileges */

2030

errno = 0;

2031

/* Lower privileges */

2032

ret = seteuid(uid);

2033

if(ret == -1){

2034

perror_plus("seteuid");

2043

if((interface[0] != '\0') and (strcmp(interface, "none") != 0)){

2044

ret = bring_up_interface(interface, delay);

2045

if(ret){

2046

errno = ret;

2047

perror_plus("Failed to bring up interface");

2035

2048

}

2036

2049

}

2037

2050

2078

2091

/* Connect directly, do not use Zeroconf */

2079

2092

/* (Mainly meant for debugging) */

2080

2093

char *address = strrchr(connect_to, ':');

2094

2081

2095

if(address == NULL){

2082

2096

fprintf_plus(stderr, "No colon in address\n");

2083

2097

exitcode = EX_USAGE;

2246

2260

2247

2261

/* Re-raise priviliges */

2248

2262

{

2249

errno = 0;

2250

ret = seteuid(0);

2251

if(ret == -1){

2252

perror_plus("seteuid");

2253

}

2263

raise_privileges();

2254

2264

2255

2265

/* Take down the network interface */

2256

2266

if(take_down_interface and geteuid() == 0){

Older »