diff options
| author | Christian Grothoff <christian@grothoff.org> | 2013-10-09 20:03:31 +0000 |
|---|---|---|
| committer | Christian Grothoff <christian@grothoff.org> | 2013-10-09 20:03:31 +0000 |
| commit | bc28ff95e287a6794890c75348075fa9bd7af2f7 (patch) | |
| tree | 8311c91cfa435c7f0ecef9f27a277edc7ad99b96 /src/arm | |
| parent | 7e332f5e005af87032decb86ac0a4bfbcc915cdc (diff) | |
| download | gnunet-bc28ff95e287a6794890c75348075fa9bd7af2f7.tar.gz gnunet-bc28ff95e287a6794890c75348075fa9bd7af2f7.zip | |
changing UNIX domain socket access control to file permissions checks, instead of UDS credentials (#2887)
Diffstat (limited to 'src/arm')
| -rw-r--r-- | src/arm/gnunet-service-arm.c | 97 |
1 files changed, 57 insertions, 40 deletions
diff --git a/src/arm/gnunet-service-arm.c b/src/arm/gnunet-service-arm.c index 942534b08..7c759d0ac 100644 --- a/src/arm/gnunet-service-arm.c +++ b/src/arm/gnunet-service-arm.c | |||
| @@ -582,34 +582,36 @@ create_listen_socket (struct sockaddr *sa, socklen_t addr_len, | |||
| 582 | static int on = 1; | 582 | static int on = 1; |
| 583 | struct GNUNET_NETWORK_Handle *sock; | 583 | struct GNUNET_NETWORK_Handle *sock; |
| 584 | struct ServiceListeningInfo *sli; | 584 | struct ServiceListeningInfo *sli; |
| 585 | int match_uid; | ||
| 586 | int match_gid; | ||
| 585 | 587 | ||
| 586 | switch (sa->sa_family) | 588 | switch (sa->sa_family) |
| 587 | { | 589 | { |
| 588 | case AF_INET: | 590 | case AF_INET: |
| 589 | sock = GNUNET_NETWORK_socket_create (PF_INET, SOCK_STREAM, 0); | 591 | sock = GNUNET_NETWORK_socket_create (PF_INET, SOCK_STREAM, 0); |
| 590 | break; | 592 | break; |
| 591 | case AF_INET6: | 593 | case AF_INET6: |
| 592 | sock = GNUNET_NETWORK_socket_create (PF_INET6, SOCK_STREAM, 0); | 594 | sock = GNUNET_NETWORK_socket_create (PF_INET6, SOCK_STREAM, 0); |
| 593 | break; | 595 | break; |
| 594 | case AF_UNIX: | 596 | case AF_UNIX: |
| 595 | if (strcmp (GNUNET_a2s (sa, addr_len), "@") == 0) /* Do not bind to blank UNIX path! */ | 597 | if (strcmp (GNUNET_a2s (sa, addr_len), "@") == 0) /* Do not bind to blank UNIX path! */ |
| 596 | return; | ||
| 597 | sock = GNUNET_NETWORK_socket_create (PF_UNIX, SOCK_STREAM, 0); | ||
| 598 | break; | ||
| 599 | default: | ||
| 600 | GNUNET_break (0); | ||
| 601 | sock = NULL; | ||
| 602 | errno = EAFNOSUPPORT; | ||
| 603 | break; | ||
| 604 | } | ||
| 605 | if (NULL == sock) | ||
| 606 | { | ||
| 607 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
| 608 | _("Unable to create socket for service `%s': %s\n"), | ||
| 609 | sl->name, STRERROR (errno)); | ||
| 610 | GNUNET_free (sa); | ||
| 611 | return; | 598 | return; |
| 612 | } | 599 | sock = GNUNET_NETWORK_socket_create (PF_UNIX, SOCK_STREAM, 0); |
| 600 | break; | ||
| 601 | default: | ||
| 602 | GNUNET_break (0); | ||
| 603 | sock = NULL; | ||
| 604 | errno = EAFNOSUPPORT; | ||
| 605 | break; | ||
| 606 | } | ||
| 607 | if (NULL == sock) | ||
| 608 | { | ||
| 609 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
| 610 | _("Unable to create socket for service `%s': %s\n"), | ||
| 611 | sl->name, STRERROR (errno)); | ||
| 612 | GNUNET_free (sa); | ||
| 613 | return; | ||
| 614 | } | ||
| 613 | if (GNUNET_NETWORK_socket_setsockopt | 615 | if (GNUNET_NETWORK_socket_setsockopt |
| 614 | (sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof (on)) != GNUNET_OK) | 616 | (sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof (on)) != GNUNET_OK) |
| 615 | GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR | GNUNET_ERROR_TYPE_BULK, | 617 | GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR | GNUNET_ERROR_TYPE_BULK, |
| @@ -624,22 +626,37 @@ create_listen_socket (struct sockaddr *sa, socklen_t addr_len, | |||
| 624 | 626 | ||
| 625 | if (GNUNET_OK != | 627 | if (GNUNET_OK != |
| 626 | GNUNET_NETWORK_socket_bind (sock, (const struct sockaddr *) sa, addr_len)) | 628 | GNUNET_NETWORK_socket_bind (sock, (const struct sockaddr *) sa, addr_len)) |
| 627 | { | 629 | { |
| 628 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | 630 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, |
| 629 | _ | 631 | _ |
| 630 | ("Unable to bind listening socket for service `%s' to address `%s': %s\n"), | 632 | ("Unable to bind listening socket for service `%s' to address `%s': %s\n"), |
| 631 | sl->name, GNUNET_a2s (sa, addr_len), STRERROR (errno)); | 633 | sl->name, GNUNET_a2s (sa, addr_len), STRERROR (errno)); |
| 632 | GNUNET_break (GNUNET_OK == GNUNET_NETWORK_socket_close (sock)); | 634 | GNUNET_break (GNUNET_OK == GNUNET_NETWORK_socket_close (sock)); |
| 633 | GNUNET_free (sa); | 635 | GNUNET_free (sa); |
| 634 | return; | 636 | return; |
| 635 | } | 637 | } |
| 638 | #ifndef WINDOWS | ||
| 639 | if (AF_UNIX == sa->sa_family) | ||
| 640 | { | ||
| 641 | match_uid = | ||
| 642 | GNUNET_CONFIGURATION_get_value_yesno (cfg, sl->name, | ||
| 643 | "UNIX_MATCH_UID"); | ||
| 644 | match_gid = | ||
| 645 | GNUNET_CONFIGURATION_get_value_yesno (cfg, sl->name, | ||
| 646 | "UNIX_MATCH_GID"); | ||
| 647 | GNUNET_DISK_fix_permissions (((const struct sockaddr_un *)sa)->sun_path, | ||
| 648 | match_uid, | ||
| 649 | match_gid); | ||
| 650 | |||
| 651 | } | ||
| 652 | #endif | ||
| 636 | if (GNUNET_NETWORK_socket_listen (sock, 5) != GNUNET_OK) | 653 | if (GNUNET_NETWORK_socket_listen (sock, 5) != GNUNET_OK) |
| 637 | { | 654 | { |
| 638 | GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR, "listen"); | 655 | GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR, "listen"); |
| 639 | GNUNET_break (GNUNET_OK == GNUNET_NETWORK_socket_close (sock)); | 656 | GNUNET_break (GNUNET_OK == GNUNET_NETWORK_socket_close (sock)); |
| 640 | GNUNET_free (sa); | 657 | GNUNET_free (sa); |
| 641 | return; | 658 | return; |
| 642 | } | 659 | } |
| 643 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, | 660 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, |
| 644 | _("ARM now monitors connections to service `%s' at `%s'\n"), | 661 | _("ARM now monitors connections to service `%s' at `%s'\n"), |
| 645 | sl->name, GNUNET_a2s (sa, addr_len)); | 662 | sl->name, GNUNET_a2s (sa, addr_len)); |