X-Git-Url: https://git.librecmc.org/?p=oweals%2Ftinc.git;a=blobdiff_plain;f=src%2Ftincd.c;h=b0e95beff502b7677d5825dbf77730a3a31bcd37;hp=c82872b35ac87de9b8d357441554d5542b9e1aac;hb=54cb6b1aecb06a1ca44a7a60c74dd0d65b0043dd;hpb=de78d79db84c486afcc353884ec1770866beb653 diff --git a/src/tincd.c b/src/tincd.c index c82872b..b0e95be 100644 --- a/src/tincd.c +++ b/src/tincd.c @@ -1,7 +1,7 @@ /* tincd.c -- the main file for tincd Copyright (C) 1998-2005 Ivo Timmermans - 2000-2006 Guus Sliepen + 2000-2009 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -37,7 +37,13 @@ #include #include -#include +#include LZO1X_H + +#ifndef HAVE_MINGW +#include +#include +#include +#endif #include #include "pidfile.h" @@ -73,6 +79,12 @@ bool bypass_security = false; /* If nonzero, disable swapping for this process. */ bool do_mlock = false; +/* If nonzero, chroot to netdir after startup. */ +static bool do_chroot = false; + +/* If !NULL, do setuid to given user after startup */ +static const char *switchuser = NULL; + /* If nonzero, write log entries to a separate file. */ bool use_logfile = false; @@ -94,6 +106,8 @@ static struct option const long_options[] = { {"debug", optional_argument, NULL, 'd'}, {"bypass-security", no_argument, NULL, 3}, {"mlock", no_argument, NULL, 'L'}, + {"chroot", no_argument, NULL, 'R'}, + {"user", required_argument, NULL, 'U'}, {"logfile", optional_argument, NULL, 4}, {"pidfile", required_argument, NULL, 5}, {NULL, 0, NULL, 0} @@ -119,6 +133,8 @@ static void usage(bool status) " -L, --mlock Lock tinc into main memory.\n" " --logfile[=FILENAME] Write log entries to a logfile.\n" " --pidfile=FILENAME Write PID to FILENAME.\n" + " -R, --chroot chroot to NET dir at startup.\n" + " -U, --user=USER setuid to given USER at startup.\n" " --help Display this help and exit.\n" " --version Output version information and exit.\n\n")); printf(_("Report bugs to tinc@tinc-vpn.org.\n")); @@ -130,7 +146,7 @@ static bool parse_options(int argc, char **argv) int r; int option_index = 0; - while((r = getopt_long(argc, argv, "c:DLd::k::n:K::", long_options, &option_index)) != EOF) { + while((r = getopt_long(argc, argv, "c:DLd::k::n:K::RU:", long_options, &option_index)) != EOF) { switch (r) { case 0: /* long option */ break; @@ -144,8 +160,14 @@ static bool parse_options(int argc, char **argv) break; case 'L': /* no detach */ +#ifndef HAVE_MLOCKALL + /* logger(LOG_ERR, _("%s not supported on this platform"), "mlockall()"); */ + logger(LOG_ERR, _("mlockall() not supported on this platform!")); + return false; +#else do_mlock = true; break; +#endif case 'd': /* inc debug level */ if(optarg) @@ -210,6 +232,14 @@ static bool parse_options(int argc, char **argv) generate_keys = 1024; break; + case 'R': /* chroot to NETNAME dir */ + do_chroot = true; + break; + + case 'U': /* setuid to USER */ + switchuser = optarg; + break; + case 1: /* show help */ show_help = true; break; @@ -292,6 +322,13 @@ static bool keygen(int bits) char *name = NULL; char *filename; + get_config_string(lookup_config(config_tree, "Name"), &name); + + if(name && !check_id(name)) { + fprintf(stderr, _("Invalid name for myself!\n")); + return false; + } + fprintf(stderr, _("Generating %d bits keys:\n"), bits); rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL); @@ -302,41 +339,41 @@ static bool keygen(int bits) fprintf(stderr, _("Done.\n")); asprintf(&filename, "%s/rsa_key.priv", confbase); - f = ask_and_open(filename, _("private RSA key"), "a"); + f = ask_and_open(filename, _("private RSA key")); if(!f) return false; + + if(disable_old_keys(f)) + fprintf(stderr, _("Warning: old key(s) found and disabled.\n")); #ifdef HAVE_FCHMOD /* Make it unreadable for others. */ fchmod(fileno(f), 0600); #endif - if(ftell(f)) - fprintf(stderr, _("Appending key to existing contents.\nMake sure only one key is stored in the file.\n")); - PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL); fclose(f); free(filename); - get_config_string(lookup_config(config_tree, "Name"), &name); - if(name) asprintf(&filename, "%s/hosts/%s", confbase, name); else asprintf(&filename, "%s/rsa_key.pub", confbase); - f = ask_and_open(filename, _("public RSA key"), "a"); + f = ask_and_open(filename, _("public RSA key")); if(!f) return false; - if(ftell(f)) - fprintf(stderr, _("Appending key to existing contents.\nMake sure only one key is stored in the file.\n")); + if(disable_old_keys(f)) + fprintf(stderr, _("Warning: old key(s) found and disabled.\n")); PEM_write_RSAPublicKey(f, rsa_key); fclose(f); free(filename); + if(name) + free(name); return true; } @@ -392,6 +429,62 @@ static void make_names(void) } } +static void free_names() { + if (identname) free(identname); + if (netname) free(netname); + if (pidfilename) free(pidfilename); + if (logfilename) free(logfilename); + if (confbase) free(confbase); +} + +static bool drop_privs() { +#ifdef HAVE_MINGW + if (switchuser) { + logger(LOG_ERR, _("%s not supported on this platform"), "-U"); + return false; + } + if (do_chroot) { + logger(LOG_ERR, _("%s not supported on this platform"), "-R"); + return false; + } +#else + uid_t uid = 0; + if (switchuser) { + struct passwd *pw = getpwnam(switchuser); + if (!pw) { + logger(LOG_ERR, _("unknown user `%s'"), switchuser); + return false; + } + uid = pw->pw_uid; + if (initgroups(switchuser, pw->pw_gid) != 0 || + setgid(pw->pw_gid) != 0) { + logger(LOG_ERR, _("System call `%s' failed: %s"), + "initgroups", strerror(errno)); + return false; + } + endgrent(); + endpwent(); + } + if (do_chroot) { + tzset(); /* for proper timestamps in logs */ + if (chroot(confbase) != 0 || chdir("/") != 0) { + logger(LOG_ERR, _("System call `%s' failed: %s"), + "chroot", strerror(errno)); + return false; + } + free(confbase); + confbase = xstrdup(""); + } + if (switchuser) + if (setuid(uid) != 0) { + logger(LOG_ERR, _("System call `%s' failed: %s"), + "setuid", strerror(errno)); + return false; + } +#endif + return true; +} + int main(int argc, char **argv) { program_name = argv[0]; @@ -408,7 +501,7 @@ int main(int argc, char **argv) if(show_version) { printf(_("%s version %s (built %s %s, protocol %d)\n"), PACKAGE, VERSION, __DATE__, __TIME__, PROT_CURRENT); - printf(_("Copyright (C) 1998-2006 Ivo Timmermans, Guus Sliepen and others.\n" + printf(_("Copyright (C) 1998-2009 Ivo Timmermans, Guus Sliepen and others.\n" "See the AUTHORS file for a complete list.\n\n" "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n" "and you are welcome to redistribute it under certain conditions;\n" @@ -427,20 +520,6 @@ int main(int argc, char **argv) openlogger("tinc", use_logfile?LOGMODE_FILE:LOGMODE_STDERR); - /* Lock all pages into memory if requested */ - - if(do_mlock) -#ifdef HAVE_MLOCKALL - if(mlockall(MCL_CURRENT | MCL_FUTURE)) { - logger(LOG_ERR, _("System call `%s' failed: %s"), "mlockall", - strerror(errno)); -#else - { - logger(LOG_ERR, _("mlockall() not supported on this platform!")); -#endif - return -1; - } - g_argv = argv; init_configuration(&config_tree); @@ -485,24 +564,42 @@ int main2(int argc, char **argv) if(!detach()) return 1; - + +#ifdef HAVE_MLOCKALL + /* Lock all pages into memory if requested. + * This has to be done after daemon()/fork() so it works for child. + * No need to do that in parent as it's very short-lived. */ + if(do_mlock && mlockall(MCL_CURRENT | MCL_FUTURE) != 0) { + logger(LOG_ERR, _("System call `%s' failed: %s"), "mlockall", + strerror(errno)); + return 1; + } +#endif /* Setup sockets and open device. */ - if(!setup_network_connections()) + if(!setup_network()) goto end; + /* drop privileges */ + if (!drop_privs()) + goto end; + + /* Initiate all outgoing connections. */ + + try_outgoing_connections(); + /* Start main loop. It only exits when tinc is killed. */ status = main_loop(); /* Shutdown properly. */ - close_network_connections(); - ifdebug(CONNECTIONS) dump_device_stats(); + close_network_connections(); + end: logger(LOG_NOTICE, _("Terminating")); @@ -511,6 +608,13 @@ end: #endif EVP_cleanup(); - + ENGINE_cleanup(); + CRYPTO_cleanup_all_ex_data(); + ERR_remove_state(0); + ERR_free_strings(); + + exit_configuration(&config_tree); + free_names(); + return status; }