* administrators must take care to not cause conflicts with these
* values (it was deemed safest to hardcode them as passing these
* values as arguments might permit messing with arbitrary firewall
- * rules, which would be dangerous).
+ * rules, which would be dangerous). Traffic coming from the same
+ * group ID as the effective group ID that this process is running
+ * as is not intercepted.
*
* The code first sets up the virtual interface, then begins to
* redirect the DNS traffic to it, and then on errors or SIGTERM shuts
*/
static const char *sbin_iptables;
+/**
+ * Name and full path of sysctl binary
+ */
+static const char *sbin_sysctl;
+
/**
* Name and full path of IPTABLES binary.
*/
}
+/**
+ * Open '/dev/null' and make the result the given
+ * file descriptor.
+ *
+ * @param target_fd desired FD to point to /dev/null
+ * @param flags open flags (O_RDONLY, O_WRONLY)
+ */
+static void
+open_dev_null (int target_fd,
+ int flags)
+{
+ int fd;
+
+ fd = open ("/dev/null", flags);
+ if (-1 == fd)
+ abort ();
+ if (fd == target_fd)
+ return;
+ if (-1 == dup2 (fd, target_fd))
+ {
+ (void) close (fd);
+ abort ();
+ }
+ (void) close (fd);
+}
+
+
/**
* Run the given command and wait for it to complete.
*
if (0 == pid)
{
/* we are the child process */
+ /* close stdin/stdout to not cause interference
+ with the helper's main protocol! */
+ (void) close (0);
+ open_dev_null (0, O_RDONLY);
+ (void) close (1);
+ open_dev_null (1, O_WRONLY);
(void) execv (file, cmd);
/* can only get here on error */
fprintf (stderr,
if (fd >= FD_SETSIZE)
{
fprintf (stderr, "File descriptor to large: %d", fd);
+ (void) close (fd);
return -1;
}
* We are supposed to read and the buffer is not empty
* -> select on write to stdout
*/
- if (0 != buftun_size)
+ if (0 < buftun_size)
FD_SET (1, &fds_w);
/*
{
if ( (errno == EINTR) ||
(errno == EAGAIN) )
- continue;
+ {
+ buftun_size = 0;
+ continue;
+ }
fprintf (stderr, "read-error: %s\n", strerror (errno));
return;
}
bufin_size = read (0, bufin + bufin_rpos, MAX_SIZE - bufin_rpos);
if (-1 == bufin_size)
{
+ bufin_read = NULL;
if ( (errno == EINTR) ||
(errno == EAGAIN) )
continue;
}
if (0 == bufin_size)
{
+ bufin_read = NULL;
fprintf (stderr, "EOF on stdin\n");
return;
}
* 3: IPv6 netmask length in bits ("64")
* 4: IPv4 address for the tunnel ("1.2.3.4")
* 5: IPv4 netmask ("255.255.0.0")
- * 6: PORT to not hijack ("55533")
* @return 0 on success, otherwise code indicating type of error:
* 1 wrong number of arguments
* 2 invalid arguments (i.e. port number / prefix length wrong)
* 25-39 failed to drop privs and then failed to undo some changes to routing table
* 40 failed to regain privs
* 41-55 failed to regain prisv and then failed to undo some changes to routing table
+ * 254 insufficient priviledges
* 255 failed to handle kill signal properly
*/
int
main (int argc, char *const*argv)
{
- unsigned int port;
- char localport[6];
int r;
char dev[IFNAMSIZ];
+ char mygid[32];
int fd_tun;
+ uid_t uid;
- if (7 != argc)
+ if (6 != argc)
{
fprintf (stderr, "Fatal: must supply 6 arguments!\n");
return 1;
}
+ /* assert privs so we can modify the firewall rules! */
+ uid = getuid ();
+#ifdef HAVE_SETRESUID
+ if (0 != setresuid (uid, 0, 0))
+ {
+ fprintf (stderr, "Failed to setresuid to root: %s\n", strerror (errno));
+ return 254;
+ }
+#else
+ if (0 != seteuid (0))
+ {
+ fprintf (stderr, "Failed to seteuid back to root: %s\n", strerror (errno));
+ return 254;
+ }
+#endif
+
/* verify that the binaries were care about are executable */
if (0 == access ("/sbin/iptables", X_OK))
sbin_iptables = "/sbin/iptables";
strerror (errno));
return 4;
}
-
- /* validate port number */
- port = atoi (argv[6]);
- if ( (port == 0) || (port >= 65536) )
+ if (0 == access ("/sbin/sysctl", X_OK))
+ sbin_sysctl = "/sbin/sysctl";
+ else if (0 == access ("/usr/sbin/sysctl", X_OK))
+ sbin_sysctl = "/usr/sbin/sysctl";
+ else
{
- fprintf (stderr,
- "Port `%u' is invalid\n",
- port);
- return 2;
+ fprintf (stderr,
+ "Fatal: executable sysctl not found in approved directories: %s\n",
+ strerror (errno));
+ return 5;
}
- /* print port number to string for command-line use*/
- (void) snprintf (localport,
- sizeof (localport),
- "%u",
- port);
+
+ /* setup 'mygid' string */
+ snprintf (mygid, sizeof (mygid), "%d", (int) getegid());
/* do not die on SIGPIPE */
if (SIG_ERR == signal (SIGPIPE, SIG_IGN))
strncpy (dev, argv[1], IFNAMSIZ);
dev[IFNAMSIZ - 1] = '\0';
+ /* Disable rp filtering */
+ {
+ char *const sysctl_args[] = {"sysctl", "-w",
+ "net.ipv4.conf.all.rp_filter=0", NULL};
+ char *const sysctl_args2[] = {"sysctl", "-w",
+ "net.ipv4.conf.default.rp_filter=0", NULL};
+ if ((0 != fork_and_exec (sbin_sysctl, sysctl_args)) ||
+ (0 != fork_and_exec (sbin_sysctl, sysctl_args2)))
+ {
+ fprintf (stderr,
+ "Failed to disable rp filtering.\n");
+ return 5;
+ }
+ }
+
+
/* now open virtual interface (first part that requires root) */
if (-1 == (fd_tun = init_tun (dev)))
{
set_address4 (dev, address, mask);
}
+
/* update routing tables -- next part why we need SUID! */
- /* Forward everything from the given local port (with destination
- to port 53, and only for UDP) without hijacking */
+ /* Forward everything from our EGID (which should only be held
+ by the 'gnunet-service-dns') and with destination
+ to port 53 on UDP, without hijacking */
r = 8; /* failed to fully setup routing table */
{
char *const mangle_args[] =
{
- "iptables", "-t", "mangle", "-I", "OUTPUT", "1", "-p",
- "udp", "--sport", localport, "--dport", DNS_PORT, "-j",
+ "iptables", "-m", "owner", "-t", "mangle", "-I", "OUTPUT", "1", "-p",
+ "udp", "--gid-owner", mygid, "--dport", DNS_PORT, "-j",
"ACCEPT", NULL
};
if (0 != fork_and_exec (sbin_iptables, mangle_args))
/* drop privs *except* for the saved UID; this is not perfect, but better
than doing nothing */
- uid_t uid = getuid ();
#ifdef HAVE_SETRESUID
if (0 != setresuid (uid, uid, 0))
{
{
char *const mangle_clean_args[] =
{
- "iptables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
- "--sport", localport, "--dport", DNS_PORT, "-j", "ACCEPT",
+ "iptables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+ "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT",
NULL
};
if (0 != fork_and_exec (sbin_iptables, mangle_clean_args))
projects / oweals / gnunet.git / blobdiff