To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 368
- compare with another revision
- download diff
- download tarball
- view history from revision 368
- Committer: Teddy Hogeborn
- Date: 2009-09-10 17:21:36 UTC
- Revision ID: teddy@fukt.bsnet.se-20090910172136-plhvv6jjz8bjrhz4
* plugins.d/mandos-client.c (init_gnutls_session): Retry interrupted
GnuTLS functions.
(main): Drop privileges early, and raise them only where needed and
lower them whenever possible.
GnuTLS functions.
(main): Drop privileges early, and raise them only where needed and
lower them whenever possible.
- files modified:
- plugins.d/mandos-client.c
added
removed
plugins.d/mandos-client.c
474
474
static int init_gnutls_session(gnutls_session_t *session){
475
475
int ret;
476
476
/* GnuTLS session creation */
477
ret = gnutls_init(session, GNUTLS_SERVER);
477
do {
478
ret = gnutls_init(session, GNUTLS_SERVER);
479
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
478
480
if(ret != GNUTLS_E_SUCCESS){
479
481
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
480
482
safer_gnutls_strerror(ret));
482
484
483
485
{
484
486
const char *err;
485
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
487
do {
488
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
489
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
486
490
if(ret != GNUTLS_E_SUCCESS){
487
491
fprintf(stderr, "Syntax error at: %s\n", err);
488
492
fprintf(stderr, "GnuTLS error: %s\n",
492
496
}
493
497
}
494
498
495
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
496
mc.cred);
499
do {
500
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
501
mc.cred);
502
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
497
503
if(ret != GNUTLS_E_SUCCESS){
498
504
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
499
505
safer_gnutls_strerror(ret));
502
508
}
503
509
504
510
/* ignore client certificate if any. */
505
gnutls_certificate_server_set_request(*session,
506
GNUTLS_CERT_IGNORE);
511
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
507
512
508
513
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
509
514
998
1003
struct sigaction old_sigterm_action;
999
1004
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
1000
1005
1006
uid = getuid();
1007
gid = getgid();
1008
1009
/* Lower any group privileges we might have, just to be safe */
1010
errno = 0;
1011
ret = setgid(gid);
1012
if(ret == -1){
1013
perror("setgid");
1014
}
1015
1016
/* Lower user privileges (temporarily) */
1017
errno = 0;
1018
ret = seteuid(uid);
1019
if(ret == -1){
1020
perror("seteuid");
1021
}
1022
1023
if(quit_now){
1024
goto end;
1025
}
1026
1001
1027
{
1002
1028
struct argp_option options[] = {
1003
1029
{ .name = "debug", .key = 128,
1187
1213
goto end;
1188
1214
}
1189
1215
1216
/* Re-raise priviliges */
1217
errno = 0;
1218
ret = seteuid(0);
1219
if(ret == -1){
1220
perror("seteuid");
1221
}
1222
1190
1223
#ifdef __linux__
1191
1224
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1192
1225
messages to mess up the prompt */
1210
1243
}
1211
1244
}
1212
1245
#endif /* __linux__ */
1246
/* Lower privileges */
1247
errno = 0;
1248
ret = seteuid(uid);
1249
if(ret == -1){
1250
perror("seteuid");
1251
}
1213
1252
goto end;
1214
1253
}
1215
1254
strcpy(network.ifr_name, interface);
1225
1264
}
1226
1265
#endif /* __linux__ */
1227
1266
exitcode = EXIT_FAILURE;
1267
/* Lower privileges */
1268
errno = 0;
1269
ret = seteuid(uid);
1270
if(ret == -1){
1271
perror("seteuid");
1272
}
1228
1273
goto end;
1229
1274
}
1230
1275
if((network.ifr_flags & IFF_UP) == 0){
1243
1288
}
1244
1289
}
1245
1290
#endif /* __linux__ */
1291
/* Lower privileges */
1292
errno = 0;
1293
ret = seteuid(uid);
1294
if(ret == -1){
1295
perror("seteuid");
1296
}
1246
1297
goto end;
1247
1298
}
1248
1299
}
1276
1327
}
1277
1328
}
1278
1329
#endif /* __linux__ */
1279
}
1280
1281
if(quit_now){
1282
goto end;
1283
}
1284
1285
uid = getuid();
1286
gid = getgid();
1287
1288
/* Drop any group privileges we might have, just to be safe */
1289
errno = 0;
1290
ret = setgid(gid);
1291
if(ret == -1){
1292
perror("setgid");
1293
}
1294
1295
/* Drop user privileges */
1296
errno = 0;
1297
/* Will we need privileges later? */
1298
if(take_down_interface){
1299
/* Drop user privileges temporarily */
1300
ret = seteuid(uid);
1301
if(ret == -1){
1302
perror("seteuid");
1303
}
1304
} else {
1305
/* Drop user privileges permanently */
1306
ret = setuid(uid);
1307
if(ret == -1){
1308
perror("setuid");
1330
/* Lower privileges */
1331
errno = 0;
1332
if(take_down_interface){
1333
/* Lower privileges */
1334
ret = seteuid(uid);
1335
if(ret == -1){
1336
perror("seteuid");
1337
}
1338
} else {
1339
/* Lower privileges permanently */
1340
ret = setuid(uid);
1341
if(ret == -1){
1342
perror("setuid");
1343
}
1309
1344
}
1310
1345
}
1311
1346
1507
1542
if(ret == -1){
1508
1543
perror("close");
1509
1544
}
1510
/* Lower privileges, permanently this time */
1545
/* Lower privileges permanently */
1511
1546
errno = 0;
1512
1547
ret = setuid(uid);
1513
1548
if(ret == -1){
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0