author | Christian Grothoff <christian@grothoff.org> | 2013-10-09 20:03:31 +0000 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2013-10-09 20:03:31 +0000 |
commit | bc28ff95e287a6794890c75348075fa9bd7af2f7 (patch) | |
tree | 8311c91cfa435c7f0ecef9f27a277edc7ad99b96 /src/arm | |
parent | 7e332f5e005af87032decb86ac0a4bfbcc915cdc (diff) | |
download | gnunet-bc28ff95e287a6794890c75348075fa9bd7af2f7.tar.gz gnunet-bc28ff95e287a6794890c75348075fa9bd7af2f7.zip |
changing UNIX domain socket access control to file permissions checks, instead of UDS credentials (#2887)
Diffstat (limited to 'src/arm')
-rw-r--r-- | src/arm/gnunet-service-arm.c | 97 |
1 files changed, 57 insertions, 40 deletions
diff --git a/src/arm/gnunet-service-arm.c b/src/arm/gnunet-service-arm.c index 942534b08..7c759d0ac 100644 --- a/src/arm/gnunet-service-arm.c +++ b/src/arm/gnunet-service-arm.c | |||
@@ -582,34 +582,36 @@ create_listen_socket (struct sockaddr *sa, socklen_t addr_len, | |||
582 | static int on = 1; | 582 | static int on = 1; |
583 | struct GNUNET_NETWORK_Handle *sock; | 583 | struct GNUNET_NETWORK_Handle *sock; |
584 | struct ServiceListeningInfo *sli; | 584 | struct ServiceListeningInfo *sli; |
585 | int match_uid; | ||
586 | int match_gid; | ||
585 | 587 | ||
586 | switch (sa->sa_family) | 588 | switch (sa->sa_family) |
587 | { | 589 | { |
588 | case AF_INET: | 590 | case AF_INET: |
589 | sock = GNUNET_NETWORK_socket_create (PF_INET, SOCK_STREAM, 0); | 591 | sock = GNUNET_NETWORK_socket_create (PF_INET, SOCK_STREAM, 0); |
590 | break; | 592 | break; |
591 | case AF_INET6: | 593 | case AF_INET6: |
592 | sock = GNUNET_NETWORK_socket_create (PF_INET6, SOCK_STREAM, 0); | 594 | sock = GNUNET_NETWORK_socket_create (PF_INET6, SOCK_STREAM, 0); |
593 | break; | 595 | break; |
594 | case AF_UNIX: | 596 | case AF_UNIX: |
595 | if (strcmp (GNUNET_a2s (sa, addr_len), "@") == 0) /* Do not bind to blank UNIX path! */ | 597 | if (strcmp (GNUNET_a2s (sa, addr_len), "@") == 0) /* Do not bind to blank UNIX path! */ |
596 | return; | ||
597 | sock = GNUNET_NETWORK_socket_create (PF_UNIX, SOCK_STREAM, 0); | ||
598 | break; | ||
599 | default: | ||
600 | GNUNET_break (0); | ||
601 | sock = NULL; | ||
602 | errno = EAFNOSUPPORT; | ||
603 | break; | ||
604 | } | ||
605 | if (NULL == sock) | ||
606 | { | ||
607 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
608 | _("Unable to create socket for service `%s': %s\n"), | ||
609 | sl->name, STRERROR (errno)); | ||
610 | GNUNET_free (sa); | ||
611 | return; | 598 | return; |
612 | } | 599 | sock = GNUNET_NETWORK_socket_create (PF_UNIX, SOCK_STREAM, 0); |
600 | break; | ||
601 | default: | ||
602 | GNUNET_break (0); | ||
603 | sock = NULL; | ||
604 | errno = EAFNOSUPPORT; | ||
605 | break; | ||
606 | } | ||
607 | if (NULL == sock) | ||
608 | { | ||
609 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, | ||
610 | _("Unable to create socket for service `%s': %s\n"), | ||
611 | sl->name, STRERROR (errno)); | ||
612 | GNUNET_free (sa); | ||
613 | return; | ||
614 | } | ||
613 | if (GNUNET_NETWORK_socket_setsockopt | 615 | if (GNUNET_NETWORK_socket_setsockopt |
614 | (sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof (on)) != GNUNET_OK) | 616 | (sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof (on)) != GNUNET_OK) |
615 | GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR | GNUNET_ERROR_TYPE_BULK, | 617 | GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR | GNUNET_ERROR_TYPE_BULK, |
@@ -624,22 +626,37 @@ create_listen_socket (struct sockaddr *sa, socklen_t addr_len, | |||
624 | 626 | ||
625 | if (GNUNET_OK != | 627 | if (GNUNET_OK != |
626 | GNUNET_NETWORK_socket_bind (sock, (const struct sockaddr *) sa, addr_len)) | 628 | GNUNET_NETWORK_socket_bind (sock, (const struct sockaddr *) sa, addr_len)) |
627 | { | 629 | { |
628 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | 630 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, |
629 | _ | 631 | _ |
630 | ("Unable to bind listening socket for service `%s' to address `%s': %s\n"), | 632 | ("Unable to bind listening socket for service `%s' to address `%s': %s\n"), |
631 | sl->name, GNUNET_a2s (sa, addr_len), STRERROR (errno)); | 633 | sl->name, GNUNET_a2s (sa, addr_len), STRERROR (errno)); |
632 | GNUNET_break (GNUNET_OK == GNUNET_NETWORK_socket_close (sock)); | 634 | GNUNET_break (GNUNET_OK == GNUNET_NETWORK_socket_close (sock)); |
633 | GNUNET_free (sa); | 635 | GNUNET_free (sa); |
634 | return; | 636 | return; |
635 | } | 637 | } |
638 | #ifndef WINDOWS | ||
639 | if (AF_UNIX == sa->sa_family) | ||
640 | { | ||
641 | match_uid = | ||
642 | GNUNET_CONFIGURATION_get_value_yesno (cfg, sl->name, | ||
643 | "UNIX_MATCH_UID"); | ||
644 | match_gid = | ||
645 | GNUNET_CONFIGURATION_get_value_yesno (cfg, sl->name, | ||
646 | "UNIX_MATCH_GID"); | ||
647 | GNUNET_DISK_fix_permissions (((const struct sockaddr_un *)sa)->sun_path, | ||
648 | match_uid, | ||
649 | match_gid); | ||
650 | |||
651 | } | ||
652 | #endif | ||
636 | if (GNUNET_NETWORK_socket_listen (sock, 5) != GNUNET_OK) | 653 | if (GNUNET_NETWORK_socket_listen (sock, 5) != GNUNET_OK) |
637 | { | 654 | { |
638 | GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR, "listen"); | 655 | GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR, "listen"); |
639 | GNUNET_break (GNUNET_OK == GNUNET_NETWORK_socket_close (sock)); | 656 | GNUNET_break (GNUNET_OK == GNUNET_NETWORK_socket_close (sock)); |
640 | GNUNET_free (sa); | 657 | GNUNET_free (sa); |
641 | return; | 658 | return; |
642 | } | 659 | } |
643 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, | 660 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, |
644 | _("ARM now monitors connections to service `%s' at `%s'\n"), | 661 | _("ARM now monitors connections to service `%s' at `%s'\n"), |
645 | sl->name, GNUNET_a2s (sa, addr_len)); | 662 | sl->name, GNUNET_a2s (sa, addr_len)); |
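Review bot: The two `GNUNET_CONFIGURATION_get_value_yesno` results assigned at new lines 641-646 go straight into `GNUNET_DISK_fix_permissions`, but that lookup is tri-state and returns `GNUNET_SYSERR` when the option is missing or is not a yes/no value. How the permission helper treats `GNUNET_SYSERR` is not visible here; if it only tests for `GNUNET_YES`, a misspelled or absent `UNIX_MATCH_UID` would silently select the most permissive socket mode, and since this commit makes the file mode the access control for the socket, that case should fail closed. I would normalise before the call, e.g. `if (GNUNET_SYSERR == match_uid) match_uid = GNUNET_YES;` (likewise for `match_gid`, or whichever restrictive default the project prefers), and log a warning naming `sl->name`. The outcome of the permission change is also discarded, so if the helper can report failure, consider closing `sock`, freeing `sa` and returning as the `bind` and `listen` error paths do, rather than listening on a socket whose mode was left at whatever `bind` and the umask produced. create_listen_socket begins and ends outside this hunk.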