/*
This file is part of GNUnet.
- (C) 2010, 2011, 2012 Christian Grothoff
+ Copyright (C) 2010, 2011, 2012 Christian Grothoff
- GNUnet is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published
- by the Free Software Foundation; either version 3, or (at your
- option) any later version.
+ GNUnet is free software: you can redistribute it and/or modify it
+ under the terms of the GNU Affero General Public License as published
+ by the Free Software Foundation, either version 3 of the License,
+ or (at your option) any later version.
GNUnet is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with GNUnet; see the file COPYING. If not, write to the
- Free Software Foundation, Inc., 59 Temple Place - Suite 330,
- Boston, MA 02111-1307, USA.
+ Affero General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/**
* @brief helper to install firewall rules to hijack all DNS traffic
* and send it to our virtual interface (except for DNS traffic
* that originates on the specified port). We then
- * allow interacting with our virtual interface via stdin/stdout.
+ * allow interacting with our virtual interface via stdin/stdout.
* @author Philipp Tölke
* @author Christian Grothoff
*
* Naturally, neither of these problems can be helped as this is the
* fundamental purpose of the binary. Certifying that this code is
* "safe" thus only means that it doesn't allow anything else (such
- * as local priv. escalation, etc.).
+ * as local priv. escalation, etc.).
*
* The following list of people have reviewed this code and considered
* it safe (within specifications) since the last modification (if you
* reviewed it, please have your name added to the list):
*
- * - Christian Grothoff
+ * - Christian Grothoff
*/
#include "platform.h"
/**
* Need 'struct GNUNET_MessageHeader'.
*/
+#include "gnunet_crypto_lib.h"
#include "gnunet_common.h"
/**
#include "gnunet_protocols.h"
/**
- * Maximum size of a GNUnet message (GNUNET_SERVER_MAX_MESSAGE_SIZE)
+ * Maximum size of a GNUnet message (GNUNET_MAX_MESSAGE_SIZE)
*/
#define MAX_SIZE 65536
*/
static const char *sbin_iptables;
+/**
+ * Name and full path of IPTABLES binary.
+ */
+static const char *sbin_ip6tables;
+
/**
* Name and full path of sysctl binary
*/
if (fd == target_fd)
return;
if (-1 == dup2 (fd, target_fd))
- {
+ {
(void) close (fd);
abort ();
}
/**
* Run the given command and wait for it to complete.
- *
+ *
* @param file name of the binary to run
* @param cmd command line arguments (as given to 'execv')
* @return 0 on success, 1 on any error
*/
static int
-fork_and_exec (const char *file,
+fork_and_exec (const char *file,
char *const cmd[])
{
int status;
pid = fork ();
if (-1 == pid)
{
- fprintf (stderr,
- "fork failed: %s\n",
+ fprintf (stderr,
+ "fork failed: %s\n",
strerror (errno));
return 1;
}
/* we are the child process */
/* close stdin/stdout to not cause interference
with the helper's main protocol! */
- (void) close (0);
+ (void) close (0);
open_dev_null (0, O_RDONLY);
- (void) close (1);
+ (void) close (1);
open_dev_null (1, O_WRONLY);
(void) execv (file, cmd);
/* can only get here on error */
- fprintf (stderr,
- "exec `%s' failed: %s\n",
+ fprintf (stderr,
+ "exec `%s' failed: %s\n",
file,
strerror (errno));
_exit (1);
}
/* keep running waitpid as long as the only error we get is 'EINTR' */
while ( (-1 == (ret = waitpid (pid, &status, 0))) &&
- (errno == EINTR) );
+ (errno == EINTR) );
if (-1 == ret)
{
- fprintf (stderr,
- "waitpid failed: %s\n",
+ fprintf (stderr,
+ "waitpid failed: %s\n",
strerror (errno));
return 1;
}
/**
- * Creates a tun-interface called dev;
+ * Creates a tun-interface called @a dev;
*
* @param dev is asumed to point to a char[IFNAMSIZ]
* if *dev == '\\0', uses the name supplied by the kernel;
/**
- * @brief Sets the IPv6-Address given in address on the interface dev
+ * @brief Sets the IPv6-Address given in @a address on the interface @a dev
*
* @param dev the interface to configure
* @param address the IPv6-Address
sa6.sin6_family = AF_INET6;
if (1 != inet_pton (AF_INET6, address, sa6.sin6_addr.s6_addr))
{
- fprintf (stderr, "Failed to parse address `%s': %s\n", address,
+ fprintf (stderr,
+ "Failed to parse IPv6 address `%s': %s\n",
+ address,
strerror (errno));
exit (1);
}
if (-1 == (fd = socket (PF_INET6, SOCK_DGRAM, 0)))
{
- fprintf (stderr, "Error creating socket: %s\n", strerror (errno));
- exit (1);
+ fprintf (stderr,
+ "Error creating IPv6 socket: %s (ignored)\n",
+ strerror (errno));
+ /* ignore error, maybe only IPv4 works on this system! */
+ return;
}
memset (&ifr, 0, sizeof (struct ifreq));
/**
- * @brief Sets the IPv4-Address given in address on the interface dev
+ * @brief Sets the IPv4-Address given in @a address on the interface @a dev
*
* @param dev the interface to configure
* @param address the IPv4-Address
*/
if (1 != inet_pton (AF_INET, address, &addr->sin_addr.s_addr))
{
- fprintf (stderr, "Failed to parse address `%s': %s\n", address,
+ fprintf (stderr,
+ "Failed to parse IPv4 address `%s': %s\n",
+ address,
strerror (errno));
exit (1);
}
if (-1 == (fd = socket (PF_INET, SOCK_DGRAM, 0)))
{
- fprintf (stderr, "Error creating socket: %s\n", strerror (errno));
+ fprintf (stderr,
+ "Error creating IPv4 socket: %s\n",
+ strerror (errno));
exit (1);
}
return;
}
buftun_size -= written;
- buftun_read += written;
+ buftun_read += written;
}
if (FD_ISSET (0, &fds_r))
* 3: IPv6 netmask length in bits ("64")
* 4: IPv4 address for the tunnel ("1.2.3.4")
* 5: IPv4 netmask ("255.255.0.0")
+ * 6: skip sysctl, routing and iptables setup ("0")
* @return 0 on success, otherwise code indicating type of error:
* 1 wrong number of arguments
* 2 invalid arguments (i.e. port number / prefix length wrong)
char mygid[32];
int fd_tun;
uid_t uid;
+ int nortsetup = 0;
- if (6 != argc)
+ if (7 != argc)
{
fprintf (stderr, "Fatal: must supply 6 arguments!\n");
return 1;
return 254;
}
#else
- if (0 != seteuid (0))
+ if (0 != seteuid (0))
{
fprintf (stderr, "Failed to seteuid back to root: %s\n", strerror (errno));
return 254;
}
#endif
+ if (0 == strncmp (argv[6], "1", 2))
+ nortsetup = 1;
- /* verify that the binaries were care about are executable */
- if (0 == access ("/sbin/iptables", X_OK))
- sbin_iptables = "/sbin/iptables";
- else if (0 == access ("/usr/sbin/iptables", X_OK))
- sbin_iptables = "/usr/sbin/iptables";
- else
- {
- fprintf (stderr,
- "Fatal: executable iptables not found in approved directories: %s\n",
- strerror (errno));
- return 3;
- }
- if (0 == access ("/sbin/ip", X_OK))
- sbin_ip = "/sbin/ip";
- else if (0 == access ("/usr/sbin/ip", X_OK))
- sbin_ip = "/usr/sbin/ip";
- else
- {
- fprintf (stderr,
- "Fatal: executable ip not found in approved directories: %s\n",
- strerror (errno));
- return 4;
- }
- if (0 == access ("/sbin/sysctl", X_OK))
- sbin_sysctl = "/sbin/sysctl";
- else if (0 == access ("/usr/sbin/sysctl", X_OK))
- sbin_sysctl = "/usr/sbin/sysctl";
- else
+ if (0 == nortsetup)
{
- fprintf (stderr,
- "Fatal: executable sysctl not found in approved directories: %s\n",
- strerror (errno));
- return 5;
+ /* verify that the binaries we care about are executable */
+ if (0 == access ("/sbin/iptables", X_OK))
+ sbin_iptables = "/sbin/iptables";
+ else if (0 == access ("/usr/sbin/iptables", X_OK))
+ sbin_iptables = "/usr/sbin/iptables";
+ else
+ {
+ fprintf (stderr,
+ "Fatal: executable iptables not found in approved directories: %s\n",
+ strerror (errno));
+ return 3;
+ }
+ if (0 == access ("/sbin/ip6tables", X_OK))
+ sbin_ip6tables = "/sbin/ip6tables";
+ else if (0 == access ("/usr/sbin/ip6tables", X_OK))
+ sbin_ip6tables = "/usr/sbin/ip6tables";
+ else
+ {
+ fprintf (stderr,
+ "Fatal: executable ip6tables not found in approved directories: %s\n",
+ strerror (errno));
+ return 3;
+ }
+ if (0 == access ("/sbin/ip", X_OK))
+ sbin_ip = "/sbin/ip";
+ else if (0 == access ("/usr/sbin/ip", X_OK))
+ sbin_ip = "/usr/sbin/ip";
+ else if (0 == access ("/bin/ip", X_OK)) /* gentoo has it there */
+ sbin_ip = "/bin/ip";
+ else
+ {
+ fprintf (stderr,
+ "Fatal: executable ip not found in approved directories: %s\n",
+ strerror (errno));
+ return 4;
+ }
+ if (0 == access ("/sbin/sysctl", X_OK))
+ sbin_sysctl = "/sbin/sysctl";
+ else if (0 == access ("/usr/sbin/sysctl", X_OK))
+ sbin_sysctl = "/usr/sbin/sysctl";
+ else
+ {
+ fprintf (stderr,
+ "Fatal: executable sysctl not found in approved directories: %s\n",
+ strerror (errno));
+ return 5;
+ }
}
/* setup 'mygid' string */
/* setup pipe to shutdown nicely on SIGINT */
if (0 != pipe (cpipe))
{
- fprintf (stderr,
+ fprintf (stderr,
"Fatal: could not setup control pipe: %s\n",
strerror (errno));
return 6;
}
}
if ( (SIG_ERR == signal (SIGTERM, &signal_handler)) ||
+#if (SIGTERM != GNUNET_TERM_SIG)
+ (SIG_ERR == signal (GNUNET_TERM_SIG, &signal_handler)) ||
+#endif
(SIG_ERR == signal (SIGINT, &signal_handler)) ||
- (SIG_ERR == signal (SIGHUP, &signal_handler)) )
- {
- fprintf (stderr,
+ (SIG_ERR == signal (SIGHUP, &signal_handler)) )
+ {
+ fprintf (stderr,
"Fatal: could not initialize signal handler: %s\n",
strerror (errno));
(void) close (cpipe[0]);
(void) close (cpipe[1]);
- return 7;
+ return 7;
}
dev[IFNAMSIZ - 1] = '\0';
/* Disable rp filtering */
+ if (0 == nortsetup)
{
char *const sysctl_args[] = {"sysctl", "-w",
"net.ipv4.conf.all.rp_filter=0", NULL};
return 5;
}
}
-
-
+
+
/* now open virtual interface (first part that requires root) */
if (-1 == (fd_tun = init_tun (dev)))
{
fprintf (stderr, "Fatal: could not initialize tun-interface\n");
(void) signal (SIGTERM, SIG_IGN);
+#if (SIGTERM != GNUNET_TERM_SIG)
+ (void) signal (GNUNET_TERM_SIG, SIG_IGN);
+#endif
(void) signal (SIGINT, SIG_IGN);
(void) signal (SIGHUP, SIG_IGN);
(void) close (cpipe[0]);
{
fprintf (stderr, "Fatal: prefix_len out of range\n");
(void) signal (SIGTERM, SIG_IGN);
+#if (SIGTERM != GNUNET_TERM_SIG)
+ (void) signal (GNUNET_TERM_SIG, SIG_IGN);
+#endif
(void) signal (SIGINT, SIG_IGN);
(void) signal (SIGHUP, SIG_IGN);
(void) close (cpipe[0]);
set_address4 (dev, address, mask);
}
-
+
/* update routing tables -- next part why we need SUID! */
/* Forward everything from our EGID (which should only be held
by the 'gnunet-service-dns') and with destination
to port 53 on UDP, without hijacking */
- r = 8; /* failed to fully setup routing table */
- {
- char *const mangle_args[] =
- {
- "iptables", "-m", "owner", "-t", "mangle", "-I", "OUTPUT", "1", "-p",
- "udp", "--gid-owner", mygid, "--dport", DNS_PORT, "-j",
- "ACCEPT", NULL
- };
- if (0 != fork_and_exec (sbin_iptables, mangle_args))
- goto cleanup_rest;
- }
- /* Mark all of the other DNS traffic using our mark DNS_MARK */
- {
- char *const mark_args[] =
- {
- "iptables", "-t", "mangle", "-I", "OUTPUT", "2", "-p",
- "udp", "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK,
- NULL
- };
- if (0 != fork_and_exec (sbin_iptables, mark_args))
- goto cleanup_mangle_1;
- }
- /* Forward all marked DNS traffic to our DNS_TABLE */
+ if (0 == nortsetup)
{
- char *const forward_args[] =
- {
- "ip", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
- };
- if (0 != fork_and_exec (sbin_ip, forward_args))
- goto cleanup_mark_2;
- }
- /* Finally, add rule in our forwarding table to pass to our virtual interface */
- {
- char *const route_args[] =
- {
- "ip", "route", "add", "default", "dev", dev,
- "table", DNS_TABLE, NULL
- };
- if (0 != fork_and_exec (sbin_ip, route_args))
- goto cleanup_forward_3;
+ r = 8; /* failed to fully setup routing table */
+ {
+ char *const mangle_args[] =
+ {
+ "iptables", "-m", "owner", "-t", "mangle", "-I", "OUTPUT", "1", "-p",
+ "udp", "--gid-owner", mygid, "--dport", DNS_PORT, "-j",
+ "ACCEPT", NULL
+ };
+ if (0 != fork_and_exec (sbin_iptables, mangle_args))
+ goto cleanup_rest;
+ }
+ {
+ char *const mangle_args[] =
+ {
+ "ip6tables", "-m", "owner", "-t", "mangle", "-I", "OUTPUT", "1", "-p",
+ "udp", "--gid-owner", mygid, "--dport", DNS_PORT, "-j",
+ "ACCEPT", NULL
+ };
+ if (0 != fork_and_exec (sbin_ip6tables, mangle_args))
+ goto cleanup_mangle_1b;
+ }
+ /* Mark all of the other DNS traffic using our mark DNS_MARK,
+ unless it is on a link-local IPv6 address, which we cannot support. */
+ {
+ char *const mark_args[] =
+ {
+ "iptables", "-t", "mangle", "-I", "OUTPUT", "2", "-p",
+ "udp", "--dport", DNS_PORT,
+ "-j", "MARK", "--set-mark", DNS_MARK,
+ NULL
+ };
+ if (0 != fork_and_exec (sbin_iptables, mark_args))
+ goto cleanup_mangle_1;
+ }
+ {
+ char *const mark_args[] =
+ {
+ "ip6tables", "-t", "mangle", "-I", "OUTPUT", "2", "-p",
+ "udp", "--dport", DNS_PORT,
+ "!", "-s", "fe80::/10", /* this line excludes link-local traffic */
+ "-j", "MARK", "--set-mark", DNS_MARK,
+ NULL
+ };
+ if (0 != fork_and_exec (sbin_ip6tables, mark_args))
+ goto cleanup_mark_2b;
+ }
+ /* Forward all marked DNS traffic to our DNS_TABLE */
+ {
+ char *const forward_args[] =
+ {
+ "ip", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
+ };
+ if (0 != fork_and_exec (sbin_ip, forward_args))
+ goto cleanup_mark_2;
+ }
+ {
+ char *const forward_args[] =
+ {
+ "ip", "-6", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
+ };
+ if (0 != fork_and_exec (sbin_ip, forward_args))
+ goto cleanup_forward_3b;
+ }
+ /* Finally, add rule in our forwarding table to pass to our virtual interface */
+ {
+ char *const route_args[] =
+ {
+ "ip", "route", "add", "default", "dev", dev,
+ "table", DNS_TABLE, NULL
+ };
+ if (0 != fork_and_exec (sbin_ip, route_args))
+ goto cleanup_forward_3;
+ }
+ {
+ char *const route_args[] =
+ {
+ "ip", "-6", "route", "add", "default", "dev", dev,
+ "table", DNS_TABLE, NULL
+ };
+ if (0 != fork_and_exec (sbin_ip, route_args))
+ goto cleanup_route_4b;
+ }
}
/* drop privs *except* for the saved UID; this is not perfect, but better
}
#else
/* Note: no 'setuid' here as we must keep our saved UID as root */
- if (0 != seteuid (uid))
+ if (0 != seteuid (uid))
{
fprintf (stderr, "Failed to seteuid: %s\n", strerror (errno));
r = 24;
r = 0; /* did fully setup routing table (if nothing else happens, we were successful!) */
/* now forward until we hit a problem */
- run (fd_tun);
-
+ run (fd_tun);
+
/* now need to regain privs so we can remove the firewall rules we added! */
#ifdef HAVE_SETRESUID
if (0 != setresuid (uid, 0, 0))
goto cleanup_route_4;
}
#else
- if (0 != seteuid (0))
+ if (0 != seteuid (0))
{
fprintf (stderr, "Failed to seteuid back to root: %s\n", strerror (errno));
r = 40;
goto cleanup_route_4;
}
#endif
-
+
/* update routing tables again -- this is why we could not fully drop privs */
/* now undo updating of routing tables; normal exit or clean-up-on-error case */
cleanup_route_4:
+ if (0 == nortsetup)
+ {
+ char *const route_clean_args[] =
+ {
+ "ip", "-6", "route", "del", "default", "dev", dev,
+ "table", DNS_TABLE, NULL
+ };
+ if (0 != fork_and_exec (sbin_ip, route_clean_args))
+ r += 1;
+ }
+ cleanup_route_4b:
+ if (0 == nortsetup)
{
- char *const route_clean_args[] =
+ char *const route_clean_args[] =
{
"ip", "route", "del", "default", "dev", dev,
"table", DNS_TABLE, NULL
r += 1;
}
cleanup_forward_3:
+ if (0 == nortsetup)
+ {
+ char *const forward_clean_args[] =
+ {
+ "ip", "-6", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
+ };
+ if (0 != fork_and_exec (sbin_ip, forward_clean_args))
+ r += 2;
+ }
+ cleanup_forward_3b:
+ if (0 == nortsetup)
{
char *const forward_clean_args[] =
{
"ip", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
};
if (0 != fork_and_exec (sbin_ip, forward_clean_args))
- r += 2;
+ r += 2;
}
cleanup_mark_2:
+ if (0 == nortsetup)
+ {
+ char *const mark_clean_args[] =
+ {
+ "ip6tables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+ "--dport", DNS_PORT,
+ "!", "-s", "fe80::/10", /* this line excludes link-local traffic */
+ "-j", "MARK", "--set-mark", DNS_MARK, NULL
+ };
+ if (0 != fork_and_exec (sbin_ip6tables, mark_clean_args))
+ r += 4;
+ }
+ cleanup_mark_2b:
+ if (0 == nortsetup)
{
char *const mark_clean_args[] =
{
};
if (0 != fork_and_exec (sbin_iptables, mark_clean_args))
r += 4;
- }
+ }
cleanup_mangle_1:
+ if (0 == nortsetup)
+ {
+ char *const mangle_clean_args[] =
+ {
+ "ip6tables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+ "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT",
+ NULL
+ };
+ if (0 != fork_and_exec (sbin_ip6tables, mangle_clean_args))
+ r += 8;
+ }
+ cleanup_mangle_1b:
+ if (0 == nortsetup)
{
char *const mangle_clean_args[] =
{
(void) close (fd_tun);
/* remove signal handler so we can close the pipes */
(void) signal (SIGTERM, SIG_IGN);
+#if (SIGTERM != GNUNET_TERM_SIG)
+ (void) signal (GNUNET_TERM_SIG, SIG_IGN);
+#endif
(void) signal (SIGINT, SIG_IGN);
(void) signal (SIGHUP, SIG_IGN);
(void) close (cpipe[0]);
projects / oweals / gnunet.git / blobdiff