author | Christian Grothoff <christian@grothoff.org> | 2013-10-09 20:03:31 +0000 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2013-10-09 20:03:31 +0000 |
commit | bc28ff95e287a6794890c75348075fa9bd7af2f7 (patch) | |
tree | 8311c91cfa435c7f0ecef9f27a277edc7ad99b96 /src/util/network.c | |
parent | 7e332f5e005af87032decb86ac0a4bfbcc915cdc (diff) | |
changing UNIX domain socket access control to file permissions checks, instead of UDS credentials (#2887)
Diffstat (limited to 'src/util/network.c')
-rw-r--r-- | src/util/network.c | 37 |
1 files changed, 29 insertions, 8 deletions
diff --git a/src/util/network.c b/src/util/network.c index 7a4b2a0b3..03dfcddd6 100644 --- a/src/util/network.c +++ b/src/util/network.c | |||
@@ -87,8 +87,8 @@ GNUNET_NETWORK_test_pf (int pf) | |||
87 | { | 87 | { |
88 | if (EAFNOSUPPORT == errno) | 88 | if (EAFNOSUPPORT == errno) |
89 | return GNUNET_NO; | 89 | return GNUNET_NO; |
90 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | 90 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, |
91 | "Failed to create test socket: %s\n", | 91 | "Failed to create test socket: %s\n", |
92 | STRERROR (errno)); | 92 | STRERROR (errno)); |
93 | return GNUNET_SYSERR; | 93 | return GNUNET_SYSERR; |
94 | } | 94 | } |
@@ -400,11 +400,14 @@ GNUNET_NETWORK_socket_bind (struct GNUNET_NETWORK_Handle *desc, | |||
400 | { | 400 | { |
401 | const struct sockaddr_un *address_un = (const struct sockaddr_un *)address; | 401 | const struct sockaddr_un *address_un = (const struct sockaddr_un *)address; |
402 | if (address_un->sun_path[0] == '\0') | 402 | if (address_un->sun_path[0] == '\0') |
403 | { | ||
403 | bind_address_len = \ | 404 | bind_address_len = \ |
404 | sizeof (struct sockaddr_un) \ | 405 | sizeof (struct sockaddr_un) \ |
405 | - sizeof (address_un->sun_path) \ | 406 | - sizeof (address_un->sun_path) \ |
406 | + strnlen (address_un->sun_path + 1, sizeof (address_un->sun_path) - 1) \ | 407 | + strnlen (address_un->sun_path + 1, sizeof (address_un->sun_path) - 1) \ |
407 | + 1; | 408 | + 1; |
409 | GNUNET_break (0); | ||
410 | } | ||
408 | } | 411 | } |
409 | #endif | 412 | #endif |
410 | 413 | ||
@@ -413,7 +416,7 @@ GNUNET_NETWORK_socket_bind (struct GNUNET_NETWORK_Handle *desc, | |||
413 | { | 416 | { |
414 | const int on = 1; | 417 | const int on = 1; |
415 | 418 | ||
416 | if (desc->af == AF_INET6) | 419 | if (AF_INET6 == desc->af) |
417 | if (setsockopt (desc->fd, IPPROTO_IPV6, IPV6_V6ONLY, | 420 | if (setsockopt (desc->fd, IPPROTO_IPV6, IPV6_V6ONLY, |
418 | (const void *) &on, | 421 | (const void *) &on, |
419 | sizeof (on))) | 422 | sizeof (on))) |
@@ -431,7 +434,22 @@ GNUNET_NETWORK_socket_bind (struct GNUNET_NETWORK_Handle *desc, | |||
431 | LOG_STRERROR (GNUNET_ERROR_TYPE_DEBUG, "setsockopt"); | 434 | LOG_STRERROR (GNUNET_ERROR_TYPE_DEBUG, "setsockopt"); |
432 | } | 435 | } |
433 | #endif | 436 | #endif |
434 | ret = bind (desc->fd, address, bind_address_len); | 437 | #ifndef WINDOWS |
438 | { | ||
439 | /* set permissions of newly created UNIX domain socket to "user-only"; applications | ||
440 | can choose to relax this later */ | ||
441 | mode_t old_mask; | ||
442 | |||
443 | if (AF_UNIX == address->sa_family) | ||
444 | old_mask = umask (S_IWGRP | S_IRGRP | S_IXGRP | S_IWOTH | S_IROTH | S_IXOTH); | ||
445 | #endif | ||
446 | |||
447 | ret = bind (desc->fd, address, bind_address_len); | ||
448 | #ifndef WINDOWS | ||
449 | if (AF_UNIX == address->sa_family) | ||
450 | (void) umask (old_mask); | ||
451 | } | ||
452 | #endif | ||
435 | #ifdef MINGW | 453 | #ifdef MINGW |
436 | if (SOCKET_ERROR == ret) | 454 | if (SOCKET_ERROR == ret) |
437 | SetErrnoFromWinsockError (WSAGetLastError ()); | 455 | SetErrnoFromWinsockError (WSAGetLastError ()); |
@@ -477,8 +495,8 @@ GNUNET_NETWORK_socket_close (struct GNUNET_NETWORK_Handle *desc) | |||
477 | const struct sockaddr_un *un = (const struct sockaddr_un *) desc->addr; | 495 | const struct sockaddr_un *un = (const struct sockaddr_un *) desc->addr; |
478 | 496 | ||
479 | if (0 != unlink (un->sun_path)) | 497 | if (0 != unlink (un->sun_path)) |
480 | LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, | 498 | LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, |
481 | "unlink", | 499 | "unlink", |
482 | un->sun_path); | 500 | un->sun_path); |
483 | } | 501 | } |
484 | #endif | 502 | #endif |
@@ -550,12 +568,15 @@ GNUNET_NETWORK_socket_connect (const struct GNUNET_NETWORK_Handle *desc, | |||
550 | if (address->sa_family == AF_UNIX) | 568 | if (address->sa_family == AF_UNIX) |
551 | { | 569 | { |
552 | const struct sockaddr_un *address_un = (const struct sockaddr_un *)address; | 570 | const struct sockaddr_un *address_un = (const struct sockaddr_un *)address; |
553 | if(address_un->sun_path[0] == '\0') | 571 | if (address_un->sun_path[0] == '\0') |
554 | address_len = \ | 572 | { |
573 | address_len = \ | ||
555 | sizeof (struct sockaddr_un) \ | 574 | sizeof (struct sockaddr_un) \ |
556 | - sizeof (address_un->sun_path) \ | 575 | - sizeof (address_un->sun_path) \ |
557 | + strnlen (address_un->sun_path + 1, sizeof (address_un->sun_path) - 1) \ | 576 | + strnlen (address_un->sun_path + 1, sizeof (address_un->sun_path) - 1) \ |
558 | + 1; | 577 | + 1; |
578 | GNUNET_break (0); | ||
579 | } | ||
559 | } | 580 | } |
560 | #endif | 581 | #endif |
561 | ret = connect (desc->fd, address, address_len); | 582 | ret = connect (desc->fd, address, address_len); |
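Review bot: Abstract-namespace addresses (`sun_path[0] == '\0'`) have no filesystem entry, so the file-permission access control this commit switches to cannot cover them, yet the new `GNUNET_break (0)` in the bind hunk (new lines 403–410) and the connect hunk (new lines 572–579) only flags the case, as far as I know by logging, and execution still reaches `bind()` / `connect()`. If abstract sockets are no longer meant to be used, fail closed in both branches, e.g. `GNUNET_break (0); return GNUNET_SYSERR;`; if they are still supported, a comment should say what restricts access to them now that, per the commit message, UDS credentials are no longer checked. In the umask hunk (new lines 437–452), `umask()` changes the mask for the whole process, so a comment such as `/* umask is process-wide: files created by other threads during bind() are also created user-only */` would help, and `old_mask` could be initialised (`mode_t old_mask = 0;`) to avoid a maybe-uninitialised warning on the non-AF_UNIX path. Both enclosing functions start and end outside the visible hunks, so the return convention should be checked against the full body.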