author | Christian Grothoff <christian@grothoff.org> | 2012-02-07 16:24:08 +0000 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2012-02-07 16:24:08 +0000 |
commit | 770f379eb23e8344b82431483613eaa72478bcdc (patch) | |
tree | bdd74b2985d8089acb5ce7c6f3e95b67a05388f4 /src/dns/gnunet-helper-dns.c | |
parent | 78bdb61823b4bc4939b1fc51d66e48638d9726b2 (diff) | |
download | gnunet-770f379eb23e8344b82431483613eaa72478bcdc.tar.gz gnunet-770f379eb23e8344b82431483613eaa72478bcdc.zip |
-updating DNS code to use GID match instead of source port match, introduce source port randomization
Diffstat (limited to 'src/dns/gnunet-helper-dns.c')
-rw-r--r-- | src/dns/gnunet-helper-dns.c | 39 |
1 files changed, 14 insertions, 25 deletions
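--- a/src/dns/gnunet-helper-dns.c
+++ b/src/dns/gnunet-helper-dns.c
@@ -35,7 +35,9 @@
 * administrators must take care to not cause conflicts with these
 * values (it was deemed safest to hardcode them as passing these
 * values as arguments might permit messing with arbitrary firewall
-* rules, which would be dangerous).
+* rules, which would be dangerous). Traffic coming from the same
+* group ID as the effective group ID that this process is running
+* as is not intercepted.
 *
 * The code first sets up the virtual interface, then begins to
 * redirect the DNS traffic to it, and then on errors or SIGTERM shuts
@@ -659,7 +661,6 @@ PROCESS_BUFFER:
 * 3: IPv6 netmask length in bits ("64")
 * 4: IPv4 address for the tunnel ("1.2.3.4")
 * 5: IPv4 netmask ("255.255.0.0")
-* 6: PORT to not hijack ("55533")
 * @return 0 on success, otherwise code indicating type of error:
 * 1 wrong number of arguments
 * 2 invalid arguments (i.e. port number / prefix length wrong)
@@ -678,13 +679,12 @@ PROCESS_BUFFER:
 int
 main (int argc, char *const*argv)
 {
-unsigned int port;
-char localport[6];
 int r;
 char dev[IFNAMSIZ];
+char mygid[32];
 int fd_tun;
 
-if (7 != argc)
+if (6 != argc)
 {
 fprintf (stderr, "Fatal: must supply 6 arguments!\n");
 return 1;
@@ -714,20 +714,8 @@ main (int argc, char *const*argv)
 return 4;
 }
 
-/* validate port number */
-port = atoi (argv[6]);
-if ( (port == 0) || (port >= 65536) )
-{
-fprintf (stderr,
-"Port `%u' is invalid\n",
-port);
-return 2;
-}
-/* print port number to string for command-line use*/
-(void) snprintf (localport,
-sizeof (localport),
-"%u",
-port);
+/* setup 'mygid' string */
+snprintf (mygid, sizeof (mygid), "%d", (int) getegid());
 
 /* do not die on SIGPIPE */
 if (SIG_ERR == signal (SIGPIPE, SIG_IGN))
@@ -827,14 +815,15 @@ main (int argc, char *const*argv)
 }
 
 /* update routing tables -- next part why we need SUID! */
-/* Forward everything from the given local port (with destination
-to port 53, and only for UDP) without hijacking */
+/* Forward everything from our EGID (which should only be held
+by the 'gnunet-service-dns') and with destination
+to port 53 on UDP, without hijacking */
 r = 8; /* failed to fully setup routing table */
 {
 char *const mangle_args[] =
 {
-"iptables", "-t", "mangle", "-I", "OUTPUT", "1", "-p",
-"udp", "--sport", localport, "--dport", DNS_PORT, "-j",
+"iptables", "-m", "owner", "-t", "mangle", "-I", "OUTPUT", "1", "-p",
+"udp", "!", "--gid-owner", mygid, "--dport", DNS_PORT, "-j",
 "ACCEPT", NULL
 };
 if (0 != fork_and_exec (sbin_iptables, mangle_args))
@@ -948,8 +937,8 @@ main (int argc, char *const*argv)
 {
 char *const mangle_clean_args[] =
 {
-"iptables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
-"--sport", localport, "--dport", DNS_PORT, "-j", "ACCEPT",
+"iptables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+"!", "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT",
 NULL
 };
 if (0 != fork_and_exec (sbin_iptables, mangle_clean_args))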
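Review bot: The owner match at new line 826 negates the group test (`"udp", "!", "--gid-owner", mygid`), so the ACCEPT rule exempts every UDP/53 packet *not* sent by the helper's effective GID, while the comment at 818-820 and the new header text at 38-40 say the opposite — that traffic from that GID is what should pass without being hijacked. If the comments state the intent, the `"!"` should be dropped here and in the matching -D cleanup at 941 (the two argument lists must stay identical or the rule is never removed); if the negation is intended, the comments need rewording, since as written the exemption presumably applies to everyone except the service and would leave the service's own queries redirected. Two smaller points in the earlier hunks: `mygid` is built with `"%d", (int) getegid()` at 718 although gid_t is unsigned, so `snprintf (mygid, sizeof (mygid), "%u", (unsigned int) getegid());` avoids emitting a negative string for large GIDs; and the check at 687 now expects six argv entries but still prints "must supply 6 arguments", which should say 5, while the @return doc at 666 still refers to a port number that is no longer parsed. main's body continues outside every hunk of this section.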