X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=src%2Futil%2Fservice.c;h=0594149d96e79798697daecf13daaabf57fece8f;hb=48718834d4fb6c411ff5b00b86662a3dee3ac6cc;hp=b45a736ae596769ede63d7a27c078df55b5725f5;hpb=fd9eec78a3c275401d4b661a49cd90b972c9f58d;p=oweals%2Fgnunet.git
diff --git a/src/util/service.c b/src/util/service.c
index b45a736ae..0594149d9 100644
--- a/src/util/service.c
+++ b/src/util/service.c
@@ -429,11 +429,6 @@ struct GNUNET_SERVICE_Context */ struct GNUNET_SERVER_Handle *server; - /** - * Scheduler for the server. - */ - struct GNUNET_SCHEDULER_Handle *sched; - /** * NULL-terminated array of addresses to bind to, NULL if we got pre-bound * listen sockets.
@@ -498,11 +493,6 @@ struct GNUNET_SERVICE_Context */ struct GNUNET_TIME_Relative timeout; - /** - * Maximum buffer size for the server. - */ - size_t maxbuf; - /** * Overall success/failure of the service start. */
@@ -521,6 +511,18 @@ struct GNUNET_SERVICE_Context */ int require_found; + /** + * Do we require a matching UID for UNIX domain socket + * connections? + */ + int match_uid; + + /** + * Do we require a matching GID for UNIX domain socket + * connections? + */ + int match_gid; + /** * Our options. */
@@ -589,9 +591,18 @@ static const struct GNUNET_SERVER_MessageHandler defhandlers[] = { /** * Check if access to the service is allowed from the given address. + * + * @param cls closure + * @param uc credentials, if available, otherwise NULL + * @param addr address + * @param addrlen length of address + * @return GNUNET_YES to allow, GNUNET_NO to deny, GNUNET_SYSERR + * for unknown address family (will be denied). */ static int -check_access (void *cls, const struct sockaddr *addr, socklen_t addrlen) +check_access (void *cls, + const struct GNUNET_CONNECTION_Credentials *uc, + const struct sockaddr *addr, socklen_t addrlen) { struct GNUNET_SERVICE_Context *sctx = cls; const struct sockaddr_in *i4;
@@ -619,8 +630,23 @@ check_access (void *cls, const struct sockaddr *addr, socklen_t addrlen) (!check_ipv6_listed (sctx->v6_denied, &i6->sin6_addr))); break; case AF_UNIX: - /* FIXME: support checking UID/GID in the future... */ ret = GNUNET_OK; /* always OK for now */ + if ( (sctx->match_uid == GNUNET_YES) || + (sctx->match_gid == GNUNET_YES) ) + ret = GNUNET_NO; + if ( (uc != NULL) && + ( (sctx->match_uid != GNUNET_YES) || + (uc->uid == geteuid()) || + (uc->uid == getuid()) ) && + ( (sctx->match_gid != GNUNET_YES) || + (uc->gid == getegid()) || + (uc->gid == getgid())) ) + ret = GNUNET_YES; + else + GNUNET_log (GNUNET_ERROR_TYPE_WARNING, + _("Access denied to UID %d / GID %d\n"), + (uc == NULL) ? -1 : uc->uid, + (uc == NULL) ? -1 : uc->gid); break; default: GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
@@ -870,13 +896,23 @@ GNUNET_SERVICE_get_server_addresses (const char *serviceName, if (GNUNET_CONFIGURATION_have_value (cfg, serviceName, "UNIXPATH")) { - GNUNET_break (GNUNET_OK == + GNUNET_assert (GNUNET_OK == GNUNET_CONFIGURATION_get_value_string (cfg, serviceName, "UNIXPATH", &unixpath)); /* probe UNIX support */ + struct sockaddr_un s_un; + if (strlen(unixpath) >= sizeof(s_un.sun_path)) + { + GNUNET_log (GNUNET_ERROR_TYPE_WARNING, + _("UNIXPATH `%s' too long, maximum length is %llu\n"),unixpath, sizeof(s_un.sun_path)); + GNUNET_free_non_null (hostname); + GNUNET_free (unixpath); + return GNUNET_SYSERR; + } + desc = GNUNET_NETWORK_socket_create (AF_UNIX, SOCK_STREAM, 0); if (NULL == desc) {
@@ -895,6 +931,11 @@ GNUNET_SERVICE_get_server_addresses (const char *serviceName, GNUNET_free (unixpath); unixpath = NULL; } + else + { + GNUNET_break (GNUNET_OK == GNUNET_NETWORK_socket_close (desc)); + desc = NULL; + } } else unixpath = NULL;
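Review bot: In the `AF_UNIX` case of `check_access` the `else` branch writes "Access denied" even when access is granted: with neither `match_uid` nor `match_gid` set and `uc == NULL`, `ret` keeps the `GNUNET_OK` assigned on the unchanged first line, yet the warning is still logged. That makes the log unreliable as a record of the new UID/GID check, and the `/* always OK for now */` comment on that context line is now stale. Moving the credential test and the warning inside the first condition keeps decision and log in step: `if ( (sctx->match_uid == GNUNET_YES) || (sctx->match_gid == GNUNET_YES) ) { ret = GNUNET_NO; /* credential test and warning go here */ }`. The `%d` conversions also receive `uc->uid` / `uc->gid`, whose types are not visible here and are presumably unsigned. The function starts and ends outside the hunk.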
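Review bot: The new "UNIXPATH too long" warning in `GNUNET_SERVICE_get_server_addresses` passes `sizeof(s_un.sun_path)`, a `size_t`, to a `%llu` conversion, which is undefined wherever `size_t` is not `unsigned long long` (typically 32-bit targets). Cast the argument: `unixpath, (unsigned long long) sizeof (s_un.sun_path));`. A one-line comment on the test, such as `/* >= leaves room for the terminating NUL in sun_path */`, would document why the bound is not `>`. The enclosing function continues outside the hunk.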
@@ -908,11 +949,20 @@ GNUNET_SERVICE_get_server_addresses (const char *serviceName, GNUNET_log (GNUNET_ERROR_TYPE_ERROR, _("Have neither PORT nor UNIXPATH for service `%s', but one is required\n"), serviceName); - if (desc != NULL) - GNUNET_break (GNUNET_OK == GNUNET_NETWORK_socket_close (desc)); GNUNET_free_non_null(hostname); return GNUNET_SYSERR; } + if (port == 0) + { + saddrs = GNUNET_malloc (2 * sizeof(struct sockaddr*)); + saddrlens = GNUNET_malloc (2 * sizeof (socklen_t)); + add_unixpath (saddrs, saddrlens, unixpath); + GNUNET_free_non_null (unixpath); + GNUNET_free_non_null(hostname); + *addrs = saddrs; + *addr_lens = saddrlens; + return 1; + } if (hostname != NULL) {
@@ -933,8 +983,6 @@ GNUNET_SERVICE_get_server_addresses (const char *serviceName, hostname, gai_strerror (ret)); GNUNET_free (hostname); GNUNET_free (unixpath); - if (desc != NULL) - GNUNET_break (GNUNET_OK == GNUNET_NETWORK_socket_close (desc)); return GNUNET_SYSERR; } next = res;
@@ -1061,21 +1109,18 @@ GNUNET_SERVICE_get_server_addresses (const char *serviceName, GNUNET_free_non_null (unixpath); *addrs = saddrs; *addr_lens = saddrlens; - if (desc != NULL) - GNUNET_break (GNUNET_OK == GNUNET_NETWORK_socket_close (desc)); return resi; } /** - * Setup addr, addrlen, maxbuf, idle_timeout + * Setup addr, addrlen, idle_timeout * based on configuration! * * Configuration may specify: * - PORT (where to bind to for TCP) * - UNIXPATH (where to bind to for UNIX domain sockets) * - TIMEOUT (after how many ms does an inactive service timeout); - * - MAXBUF (maximum incoming message size supported) * - DISABLEV6 (disable support for IPv6, otherwise we use dual-stack) * - BINDTO (hostname or IP address to bind to, otherwise we take everything) * - ACCEPT_FROM (only allow connections from specified IPv4 subnets)
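Review bot: The new `port == 0` branch hands `unixpath` to `add_unixpath` on the assumption that it is non-NULL, which holds only if the preceding "Have neither PORT nor UNIXPATH" check rejects that combination; its condition is outside the hunk, and the `GNUNET_free_non_null (unixpath)` two lines later suggests NULL was thought possible. Stating the invariant with `GNUNET_assert (NULL != unixpath);` before the allocations would stop a later edit from passing NULL into the address setup. The two-element arrays also appear to rely on the allocator zero-filling for the terminating entry; a comment such as `/* one UNIX address plus NULL terminator */` would say so.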
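Review bot: The option list in the `setup_service` comment loses MAXBUF but does not gain the two options this commit starts reading, `UNIX_MATCH_UID` and `UNIX_MATCH_GID`. They decide who may connect over the UNIX domain socket, so they belong in the list next to ACCEPT_FROM / REJECT_FROM, for example ` * - UNIX_MATCH_UID (only accept UNIX domain socket clients whose UID matches ours)` and the equivalent line for the GID. The list continues outside the hunk.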
@@ -1088,14 +1133,15 @@ GNUNET_SERVICE_get_server_addresses (const char *serviceName, static int setup_service (struct GNUNET_SERVICE_Context *sctx) { - unsigned long long maxbuf; struct GNUNET_TIME_Relative idleout; int tolerant; +#ifndef MINGW const char *lpid; unsigned int pid; const char *nfds; unsigned int cnt; int flags; +#endif if (GNUNET_CONFIGURATION_have_value (sctx->cfg, sctx->serviceName, "TIMEOUT"))
@@ -1115,23 +1161,6 @@ setup_service (struct GNUNET_SERVICE_Context *sctx) } else sctx->timeout = GNUNET_TIME_UNIT_FOREVER_REL; - if (GNUNET_CONFIGURATION_have_value (sctx->cfg, - sctx->serviceName, "MAXBUF")) - { - if (GNUNET_OK != - GNUNET_CONFIGURATION_get_value_number (sctx->cfg, - sctx->serviceName, - "MAXBUF", &maxbuf)) - { - GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - _("Specified value for `%s' of service `%s' is invalid\n"), - "MAXBUF", - sctx->serviceName); - return GNUNET_SYSERR; - } - } - else - maxbuf = GNUNET_SERVER_MAX_MESSAGE_SIZE; if (GNUNET_CONFIGURATION_have_value (sctx->cfg, sctx->serviceName, "TOLERANT"))
@@ -1154,11 +1183,13 @@ setup_service (struct GNUNET_SERVICE_Context *sctx) #ifndef MINGW errno = 0; if ( (NULL != (lpid = getenv ("LISTEN_PID"))) && - (1 == sscanf ("%u", lpid, &pid)) && + (1 == sscanf (lpid, "%u", &pid)) && (getpid () == (pid_t) pid) && (NULL != (nfds = getenv ("LISTEN_FDS"))) && - (1 == sscanf ("%u", nfds, &cnt)) && - (cnt > 0) ) + (1 == sscanf (nfds, "%u", &cnt)) && + (cnt > 0) && + (cnt < FD_SETSIZE) && + (cnt + 4 < FD_SETSIZE) ) { sctx->lsocks = GNUNET_malloc (sizeof(struct GNUNET_NETWORK_Handle*) * (cnt+1)); while (0 < cnt--)
@@ -1173,7 +1204,7 @@ setup_service (struct GNUNET_SERVICE_Context *sctx) (unsigned int) 3 +cnt); cnt++; while (sctx->lsocks[cnt] != NULL) - GNUNET_NETWORK_socket_close (sctx->lsocks[cnt++]); + GNUNET_break (0 == GNUNET_NETWORK_socket_close (sctx->lsocks[cnt++])); GNUNET_free (sctx->lsocks); sctx->lsocks = NULL; break;
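Review bot: The two `FD_SETSIZE` tests on `cnt` in `setup_service` only work as a pair, which is not obvious to a reader: `cnt + 4` is unsigned and can wrap for a very large `LISTEN_FDS`, and it is the preceding `cnt < FD_SETSIZE` that catches that case. A single test without the addition states the bound directly: `(cnt < FD_SETSIZE - 4) )`. Separately, `sscanf` with `%u` accepts trailing characters and a leading minus sign, so values such as `3x` still parse; `strtoul` with an end-pointer check would be stricter if `LISTEN_PID` / `LISTEN_FDS` are meant to be validated. The body of the `if` continues outside the hunk.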
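Review bot: The cleanup loop in `setup_service` now checks `0 == GNUNET_NETWORK_socket_close (...)`, while the other close calls visible in this commit (for example the probe socket in `GNUNET_SERVICE_get_server_addresses`) check `GNUNET_OK ==`. Unless `GNUNET_OK` is 0, the two conventions cannot both be right, and this `GNUNET_break` would either fire on every successful close or never report a failed one. Use the form used elsewhere: `GNUNET_break (GNUNET_OK == GNUNET_NETWORK_socket_close (sctx->lsocks[cnt++]));`. The surrounding loop starts outside the hunk.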
@@ -1192,16 +1223,12 @@ setup_service (struct GNUNET_SERVICE_Context *sctx) &sctx->addrlens)) ) return GNUNET_SYSERR; sctx->require_found = tolerant ? GNUNET_NO : GNUNET_YES; - sctx->maxbuf = (size_t) maxbuf; - if (sctx->maxbuf != maxbuf) - { - GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - _ - ("Value in configuration for `%s' and service `%s' too large!\n"), - "MAXBUF", sctx->serviceName); - return GNUNET_SYSERR; - } - + sctx->match_uid = GNUNET_CONFIGURATION_get_value_yesno (sctx->cfg, + sctx->serviceName, + "UNIX_MATCH_UID"); + sctx->match_gid = GNUNET_CONFIGURATION_get_value_yesno (sctx->cfg, + sctx->serviceName, + "UNIX_MATCH_GID"); process_acl4 (&sctx->v4_denied, sctx, "REJECT_FROM"); process_acl4 (&sctx->v4_allowed, sctx, "ACCEPT_FROM"); process_acl6 (&sctx->v6_denied, sctx, "REJECT_FROM6");
@@ -1309,21 +1336,16 @@ service_task (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc) struct GNUNET_SERVICE_Context *sctx = cls; unsigned int i; - sctx->sched = tc->sched; if (sctx->lsocks != NULL) - sctx->server = GNUNET_SERVER_create_with_sockets (tc->sched, - &check_access, + sctx->server = GNUNET_SERVER_create_with_sockets (&check_access, sctx, sctx->lsocks, - sctx->maxbuf, sctx->timeout, sctx->require_found); else - sctx->server = GNUNET_SERVER_create (tc->sched, - &check_access, + sctx->server = GNUNET_SERVER_create (&check_access, sctx, sctx->addrs, sctx->addrlens, - sctx->maxbuf, sctx->timeout, sctx->require_found); if (sctx->server == NULL) {
@@ -1346,8 +1368,7 @@ service_task (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc) { /* install a task that will kill the server process if the scheduler ever gets a shutdown signal */ - GNUNET_SCHEDULER_add_delayed (tc->sched, - GNUNET_TIME_UNIT_FOREVER_REL, + GNUNET_SCHEDULER_add_delayed (GNUNET_TIME_UNIT_FOREVER_REL, &shutdown_task, sctx->server); } sctx->my_handlers = GNUNET_malloc (sizeof (defhandlers));
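Review bot: A mistyped `UNIX_MATCH_UID` or `UNIX_MATCH_GID` value silently turns the check off in `setup_service`: the result of `GNUNET_CONFIGURATION_get_value_yesno` is stored unchecked, and `check_access` enforces matching only when the field equals `GNUNET_YES`. As far as I know that call returns `GNUNET_SYSERR` both for a missing option and for a value that is not a valid yes/no, so an operator who asked for the restriction gets an unrestricted socket with no diagnostic. The removed MAXBUF block on this page shows the pattern the file already uses for invalid values; the same handling fits here, applied only when the option is present. The function starts and ends outside the hunk.

```c
  sctx->match_uid = GNUNET_CONFIGURATION_get_value_yesno (sctx->cfg,
                                                          sctx->serviceName,
                                                          "UNIX_MATCH_UID");
  if ( (GNUNET_SYSERR == sctx->match_uid) &&
       (GNUNET_CONFIGURATION_have_value (sctx->cfg,
                                         sctx->serviceName,
                                         "UNIX_MATCH_UID")) )
    {
      /* option is present but not a valid yes/no: refuse to start
         rather than run without the requested check */
      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
                  _("Specified value for `%s' of service `%s' is invalid\n"),
                  "UNIX_MATCH_UID",
                  sctx->serviceName);
      return GNUNET_SYSERR;
    }
  /* … same validation for UNIX_MATCH_GID … */
```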
@@ -1375,7 +1396,7 @@ service_task (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc) i++; } } - sctx->task (sctx->task_cls, tc->sched, sctx->server, sctx->cfg); + sctx->task (sctx->task_cls, sctx->server, sctx->cfg); }
@@ -1439,10 +1460,12 @@ detach_terminal (struct GNUNET_SERVICE_Context *sctx) return GNUNET_SYSERR; /* set stdin/stdout to /dev/null */ if ((dup2 (nullfd, 0) < 0) || (dup2 (nullfd, 1) < 0)) - { + { GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR, "dup2"); + (void) CLOSE (nullfd); return GNUNET_SYSERR; } + (void) CLOSE (nullfd); /* Detach from controlling terminal */ pid = setsid (); if (pid == -1)
@@ -1568,8 +1591,8 @@ GNUNET_SERVICE_run (int argc, sctx.ready_confirm_fd = -1; sctx.ret = GNUNET_OK; sctx.timeout = GNUNET_TIME_UNIT_FOREVER_REL; - sctx.maxbuf = GNUNET_SERVER_MAX_MESSAGE_SIZE; sctx.task = task; + sctx.task_cls = task_cls; sctx.serviceName = serviceName; sctx.cfg = cfg = GNUNET_CONFIGURATION_create (); /* setup subsystems */
@@ -1631,13 +1654,11 @@ shutdown: * initialized system. * * @param serviceName our service name - * @param sched scheduler to use * @param cfg configuration to use * @return NULL on error, service handle */ struct GNUNET_SERVICE_Context * GNUNET_SERVICE_start (const char *serviceName, - struct GNUNET_SCHEDULER_Handle *sched, const struct GNUNET_CONFIGURATION_Handle *cfg) { int i;
@@ -1647,10 +1668,8 @@ GNUNET_SERVICE_start (const char *serviceName, sctx->ready_confirm_fd = -1; /* no daemonizing */ sctx->ret = GNUNET_OK; sctx->timeout = GNUNET_TIME_UNIT_FOREVER_REL; - sctx->maxbuf = GNUNET_SERVER_MAX_MESSAGE_SIZE; sctx->serviceName = serviceName; sctx->cfg = cfg; - sctx->sched = sched; /* setup subsystems */ if (GNUNET_OK != setup_service (sctx))
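Review bot: The unconditional `(void) CLOSE (nullfd);` added after the `dup2` calls in `detach_terminal` closes a descriptor that was just installed if `nullfd` itself is 0 or 1. That happens when the process starts with stdin or stdout already closed; the call that opens `nullfd` is outside the hunk, so this is inferred. The daemon would then run with that standard descriptor closed, and the next descriptor it opens would take its place and receive anything written to stdout. Guard both added calls: `if (nullfd > 1) (void) CLOSE (nullfd);`.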
@@ -1659,19 +1678,15 @@ GNUNET_SERVICE_start (const char *serviceName, return NULL; } if (sctx->lsocks != NULL) - sctx->server = GNUNET_SERVER_create_with_sockets (sched, - &check_access, + sctx->server = GNUNET_SERVER_create_with_sockets (&check_access, sctx, sctx->lsocks, - sctx->maxbuf, sctx->timeout, sctx->require_found); else - sctx->server = GNUNET_SERVER_create (sched, - &check_access, + sctx->server = GNUNET_SERVER_create (&check_access, sctx, sctx->addrs, sctx->addrlens, - sctx->maxbuf, sctx->timeout, sctx->require_found);