To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 594.1.2
- compare with another revision
- download diff
- download tarball
- view history from revision 594.1.2
- Committer: Teddy Hogeborn
- Date: 2012-06-07 21:00:57 UTC
- mto: This revision was merged to the branch mainline in revision 596.
- Revision ID: teddy@recompile.se-20120607210057-9k4mou58uht7sj2m
* plugins.d/mandos-client.c (bring_up_interface): Bug fix: Return
errno code. Don't
modify errno.
errno code. Don't
modify errno.
- files added:
- debian/mandos-client.examples
- files modified:
- .bzrignore
added
removed
plugins.d/mandos-client.c
41
41
42
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
43
stdout, ferror(), remove() */
44
#include <stdint.h> /* uint16_t, uint32_t */
44
#include <stdint.h> /* uint16_t, uint32_t, intptr_t */
45
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
47
strtof(), abort() */
135
135
static const char sys_class_net[] = "/sys/class/net";
136
136
char *connect_to = NULL;
137
137
const char *hookdir = HOOKDIR;
138
uid_t uid = 65534;
139
gid_t gid = 65534;
138
140
139
141
/* Doubly linked list that need to be circularly linked when used */
140
142
typedef struct server{
821
823
goto mandos_end;
822
824
}
823
825
824
/* Spurious warning from -Wint-to-pointer-cast */
825
gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t) tcp_sd);
826
/* This casting via intptr_t is to eliminate warning about casting
827
an int to a pointer type. This is exactly how the GnuTLS Guile
828
function "set-session-transport-fd!" does it. */
829
gnutls_transport_set_ptr(session,
830
(gnutls_transport_ptr_t)(intptr_t)tcp_sd);
826
831
827
832
if(quit_now){
828
833
errno = EINTR;
1387
1392
}
1388
1393
}
1389
1394
1395
/* Set effective uid to 0, return errno */
1396
int raise_privileges(void){
1397
int old_errno = errno;
1398
int ret_errno = 0;
1399
errno = 0;
1400
if(seteuid(0) == -1){
1401
perror_plus("seteuid");
1402
}
1403
ret_errno = errno;
1404
errno = old_errno;
1405
return ret_errno;
1406
}
1407
1408
/* Set effective and real user ID to 0. Return errno. */
1409
int raise_privileges_permanently(void){
1410
int old_errno = errno;
1411
int ret_errno = raise_privileges();
1412
if(ret_errno != 0){
1413
errno = old_errno;
1414
return ret_errno;
1415
}
1416
errno = 0;
1417
if(setuid(0) == -1){
1418
perror_plus("seteuid");
1419
}
1420
ret_errno = errno;
1421
errno = old_errno;
1422
return ret_errno;
1423
}
1424
1425
/* Set effective user ID to unprivileged saved user ID */
1426
int lower_privileges(void){
1427
int old_errno = errno;
1428
int ret_errno = 0;
1429
errno = 0;
1430
if(seteuid(uid) == -1){
1431
perror_plus("seteuid");
1432
}
1433
ret_errno = errno;
1434
errno = old_errno;
1435
return ret_errno;
1436
}
1437
1390
1438
bool run_network_hooks(const char *mode, const char *interface,
1391
1439
const float delay){
1392
1440
struct dirent **direntries;
1414
1462
if(hook_pid == 0){
1415
1463
/* Child */
1416
1464
/* Raise privileges */
1417
errno = 0;
1418
ret = seteuid(0);
1419
if(ret == -1){
1420
perror_plus("seteuid");
1421
}
1422
/* Raise privileges even more */
1423
errno = 0;
1424
ret = setuid(0);
1425
if(ret == -1){
1426
perror_plus("setuid");
1427
}
1465
raise_privileges_permanently();
1428
1466
/* Set group */
1429
1467
errno = 0;
1430
1468
ret = setgid(0);
1523
1561
return true;
1524
1562
}
1525
1563
1564
int bring_up_interface(const char * const interface, const float delay){
1565
int sd = -1;
1566
int old_errno = errno;
1567
int ret_errno = 0;
1568
int ret;
1569
struct ifreq network;
1570
AvahiIfIndex if_index = (AvahiIfIndex)if_nametoindex(interface);
1571
if(if_index == 0){
1572
fprintf_plus(stderr, "No such interface: \"%s\"\n", interface);
1573
errno = old_errno;
1574
return ENXIO;
1575
}
1576
1577
if(quit_now){
1578
errno = old_errno;
1579
return EINTR;
1580
}
1581
1582
/* Re-raise priviliges */
1583
raise_privileges();
1584
1585
#ifdef __linux__
1586
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1587
messages about the network interface to mess up the prompt */
1588
ret = klogctl(8, NULL, 5);
1589
bool restore_loglevel = true;
1590
if(ret == -1){
1591
restore_loglevel = false;
1592
perror_plus("klogctl");
1593
}
1594
#endif /* __linux__ */
1595
1596
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1597
if(sd < 0){
1598
ret_errno = errno;
1599
perror_plus("socket");
1600
#ifdef __linux__
1601
if(restore_loglevel){
1602
ret = klogctl(7, NULL, 0);
1603
if(ret == -1){
1604
perror_plus("klogctl");
1605
}
1606
}
1607
#endif /* __linux__ */
1608
/* Lower privileges */
1609
lower_privileges();
1610
errno = old_errno;
1611
return ret_errno;
1612
}
1613
strcpy(network.ifr_name, interface);
1614
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1615
if(ret == -1){
1616
ret_errno = errno;
1617
perror_plus("ioctl SIOCGIFFLAGS");
1618
#ifdef __linux__
1619
if(restore_loglevel){
1620
ret = klogctl(7, NULL, 0);
1621
if(ret == -1){
1622
perror_plus("klogctl");
1623
}
1624
}
1625
#endif /* __linux__ */
1626
/* Lower privileges */
1627
lower_privileges();
1628
errno = old_errno;
1629
return ret_errno;
1630
}
1631
if((network.ifr_flags & IFF_UP) == 0){
1632
network.ifr_flags |= IFF_UP;
1633
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1634
if(ret == -1){
1635
ret_errno = errno;
1636
perror_plus("ioctl SIOCSIFFLAGS +IFF_UP");
1637
#ifdef __linux__
1638
if(restore_loglevel){
1639
ret = klogctl(7, NULL, 0);
1640
if(ret == -1){
1641
perror_plus("klogctl");
1642
}
1643
}
1644
#endif /* __linux__ */
1645
/* Lower privileges */
1646
lower_privileges();
1647
errno = old_errno;
1648
return ret_errno;
1649
}
1650
}
1651
/* Sleep checking until interface is running.
1652
Check every 0.25s, up to total time of delay */
1653
for(int i=0; i < delay * 4; i++){
1654
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1655
if(ret == -1){
1656
perror_plus("ioctl SIOCGIFFLAGS");
1657
} else if(network.ifr_flags & IFF_RUNNING){
1658
break;
1659
}
1660
struct timespec sleeptime = { .tv_nsec = 250000000 };
1661
ret = nanosleep(&sleeptime, NULL);
1662
if(ret == -1 and errno != EINTR){
1663
perror_plus("nanosleep");
1664
}
1665
}
1666
/* Close the socket */
1667
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1668
if(ret == -1){
1669
perror_plus("close");
1670
}
1671
#ifdef __linux__
1672
if(restore_loglevel){
1673
/* Restores kernel loglevel to default */
1674
ret = klogctl(7, NULL, 0);
1675
if(ret == -1){
1676
perror_plus("klogctl");
1677
}
1678
}
1679
#endif /* __linux__ */
1680
/* Lower privileges */
1681
lower_privileges();
1682
errno = old_errno;
1683
return 0;
1684
}
1685
1526
1686
int main(int argc, char *argv[]){
1527
1687
AvahiSServiceBrowser *sb = NULL;
1528
1688
int error;
1534
1694
struct ifreq network;
1535
1695
int sd = -1;
1536
1696
bool take_down_interface = false;
1537
uid_t uid;
1538
gid_t gid;
1539
1697
char tempdir[] = "/tmp/mandosXXXXXX";
1540
1698
bool tempdir_created = false;
1541
1699
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
1721
1879
<http://bugs.debian.org/633582> */
1722
1880
1723
1881
/* Re-raise priviliges */
1724
errno = 0;
1725
ret = seteuid(0);
1726
if(ret == -1){
1727
perror_plus("seteuid");
1728
} else {
1882
if(raise_privileges() == 0){
1729
1883
struct stat st;
1730
1884
1731
1885
if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
1896
2050
}
1897
2051
1898
2052
/* If the interface is down, bring it up */
1899
if(strcmp(interface, "none") != 0){
1900
if_index = (AvahiIfIndex) if_nametoindex(interface);
1901
if(if_index == 0){
1902
fprintf_plus(stderr, "No such interface: \"%s\"\n", interface);
1903
exitcode = EX_UNAVAILABLE;
1904
goto end;
1905
}
1906
1907
if(quit_now){
1908
goto end;
1909
}
1910
1911
/* Re-raise priviliges */
1912
errno = 0;
1913
ret = seteuid(0);
1914
if(ret == -1){
1915
perror_plus("seteuid");
1916
}
1917
1918
#ifdef __linux__
1919
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1920
messages about the network interface to mess up the prompt */
1921
ret = klogctl(8, NULL, 5);
1922
bool restore_loglevel = true;
1923
if(ret == -1){
1924
restore_loglevel = false;
1925
perror_plus("klogctl");
1926
}
1927
#endif /* __linux__ */
1928
1929
sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1930
if(sd < 0){
1931
perror_plus("socket");
1932
exitcode = EX_OSERR;
1933
#ifdef __linux__
1934
if(restore_loglevel){
1935
ret = klogctl(7, NULL, 0);
1936
if(ret == -1){
1937
perror_plus("klogctl");
1938
}
1939
}
1940
#endif /* __linux__ */
1941
/* Lower privileges */
1942
errno = 0;
1943
ret = seteuid(uid);
1944
if(ret == -1){
1945
perror_plus("seteuid");
1946
}
1947
goto end;
1948
}
1949
strcpy(network.ifr_name, interface);
1950
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1951
if(ret == -1){
1952
perror_plus("ioctl SIOCGIFFLAGS");
1953
#ifdef __linux__
1954
if(restore_loglevel){
1955
ret = klogctl(7, NULL, 0);
1956
if(ret == -1){
1957
perror_plus("klogctl");
1958
}
1959
}
1960
#endif /* __linux__ */
1961
exitcode = EX_OSERR;
1962
/* Lower privileges */
1963
errno = 0;
1964
ret = seteuid(uid);
1965
if(ret == -1){
1966
perror_plus("seteuid");
1967
}
1968
goto end;
1969
}
1970
if((network.ifr_flags & IFF_UP) == 0){
1971
network.ifr_flags |= IFF_UP;
1972
take_down_interface = true;
1973
ret = ioctl(sd, SIOCSIFFLAGS, &network);
1974
if(ret == -1){
1975
take_down_interface = false;
1976
perror_plus("ioctl SIOCSIFFLAGS +IFF_UP");
1977
exitcode = EX_OSERR;
1978
#ifdef __linux__
1979
if(restore_loglevel){
1980
ret = klogctl(7, NULL, 0);
1981
if(ret == -1){
1982
perror_plus("klogctl");
1983
}
1984
}
1985
#endif /* __linux__ */
1986
/* Lower privileges */
1987
errno = 0;
1988
ret = seteuid(uid);
1989
if(ret == -1){
1990
perror_plus("seteuid");
1991
}
1992
goto end;
1993
}
1994
}
1995
/* Sleep checking until interface is running.
1996
Check every 0.25s, up to total time of delay */
1997
for(int i=0; i < delay * 4; i++){
1998
ret = ioctl(sd, SIOCGIFFLAGS, &network);
1999
if(ret == -1){
2000
perror_plus("ioctl SIOCGIFFLAGS");
2001
} else if(network.ifr_flags & IFF_RUNNING){
2002
break;
2003
}
2004
struct timespec sleeptime = { .tv_nsec = 250000000 };
2005
ret = nanosleep(&sleeptime, NULL);
2006
if(ret == -1 and errno != EINTR){
2007
perror_plus("nanosleep");
2008
}
2009
}
2010
if(not take_down_interface){
2011
/* We won't need the socket anymore */
2012
ret = (int)TEMP_FAILURE_RETRY(close(sd));
2013
if(ret == -1){
2014
perror_plus("close");
2015
}
2016
}
2017
#ifdef __linux__
2018
if(restore_loglevel){
2019
/* Restores kernel loglevel to default */
2020
ret = klogctl(7, NULL, 0);
2021
if(ret == -1){
2022
perror_plus("klogctl");
2023
}
2024
}
2025
#endif /* __linux__ */
2026
/* Lower privileges */
2027
errno = 0;
2028
/* Lower privileges */
2029
ret = seteuid(uid);
2030
if(ret == -1){
2031
perror_plus("seteuid");
2053
if((interface[0] != '\0') and (strcmp(interface, "none") != 0)){
2054
ret = bring_up_interface(interface, delay);
2055
if(ret != 0){
2056
errno = ret;
2057
perror_plus("Failed to bring up interface");
2032
2058
}
2033
2059
}
2034
2060
2075
2101
/* Connect directly, do not use Zeroconf */
2076
2102
/* (Mainly meant for debugging) */
2077
2103
char *address = strrchr(connect_to, ':');
2104
2078
2105
if(address == NULL){
2079
2106
fprintf_plus(stderr, "No colon in address\n");
2080
2107
exitcode = EX_USAGE;
2243
2270
2244
2271
/* Re-raise priviliges */
2245
2272
{
2246
errno = 0;
2247
ret = seteuid(0);
2248
if(ret == -1){
2249
perror_plus("seteuid");
2250
}
2273
raise_privileges();
2251
2274
2252
2275
/* Take down the network interface */
2253
2276
if(take_down_interface and geteuid() == 0){
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0