UNIX domain socket authentication support added

author: Christian Grothoff <christian@grothoff.org> 2011-01-24 12:03:32 +0000
committer: Christian Grothoff <christian@grothoff.org> 2011-01-24 12:03:32 +0000
commit: 48718834d4fb6c411ff5b00b86662a3dee3ac6cc (patch)
tree: a5651f8f3066fb0e68bfc87cbd23be1c0dea6ba5 /src/util/service.c
parent: 1b97726713d88e1ec485aa1e827365a707ebc02f (diff)
download: gnunet-48718834d4fb6c411ff5b00b86662a3dee3ac6cc.tar.gz
gnunet-48718834d4fb6c411ff5b00b86662a3dee3ac6cc.zip
1 files changed, 44 insertions, 3 deletions
diff --git a/src/util/service.c b/src/util/service.c
index ac90eb93b..0594149d9 100644
--- a/src/util/service.c
+++ b/src/util/service.c
@@ -512,6 +512,18 @@ struct GNUNET_SERVICE_Context
  int require_found;
  /**
+   * Do we require a matching UID for UNIX domain socket
+   * connections?
+   */
+  int match_uid;
+  /**
+   * Do we require a matching GID for UNIX domain socket
+   * connections?
+   */
+  int match_gid;
+  /**
   * Our options.
   */
  enum GNUNET_SERVICE_Options options;
@@ -579,9 +591,18 @@ static const struct GNUNET_SERVER_MessageHandler defhandlers[] = {
 /**
 * Check if access to the service is allowed from the given address.
+ *
+ * @param cls closure
+ * @param uc credentials, if available, otherwise NULL
+ * @param addr address
+ * @param addrlen length of address
+ * @return GNUNET_YES to allow, GNUNET_NO to deny, GNUNET_SYSERR
+ *   for unknown address family (will be denied).
 */
 static int
-check_access (void *cls, const struct sockaddr *addr, socklen_t addrlen)
+check_access (void *cls, 
+              const struct GNUNET_CONNECTION_Credentials *uc,
+              const struct sockaddr *addr, socklen_t addrlen)
 {
  struct GNUNET_SERVICE_Context *sctx = cls;
  const struct sockaddr_in *i4;
@@ -609,8 +630,23 @@ check_access (void *cls, const struct sockaddr *addr, socklen_t addrlen)
            (!check_ipv6_listed (sctx->v6_denied, &i6->sin6_addr)));
      break;
    case AF_UNIX:
-      /* FIXME: support checking UID/GID in the future... */
      ret = GNUNET_OK; /* always OK for now */
+      if ( (sctx->match_uid == GNUNET_YES) ||
+           (sctx->match_gid == GNUNET_YES) )
+        ret = GNUNET_NO;
+      if ( (uc != NULL) &&
+           ( (sctx->match_uid != GNUNET_YES) ||
+             (uc->uid == geteuid()) ||
+             (uc->uid == getuid()) ) &&
+           ( (sctx->match_gid != GNUNET_YES) ||
+             (uc->gid == getegid()) ||
+             (uc->gid == getgid())) )
+        ret = GNUNET_YES;
+      else
+        GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+                    _("Access denied to UID %d / GID %d\n"), 
+                    (uc == NULL) ? -1 : uc->uid,
+                    (uc == NULL) ? -1 : uc->gid);       
      break;
    default:
      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
@@ -1187,7 +1223,12 @@ setup_service (struct GNUNET_SERVICE_Context *sctx)
                                             &sctx->addrlens)) )
    return GNUNET_SYSERR;
  sctx->require_found = tolerant ? GNUNET_NO : GNUNET_YES;
+  sctx->match_uid = GNUNET_CONFIGURATION_get_value_yesno (sctx->cfg,
+                                                          sctx->serviceName,
+                                                          "UNIX_MATCH_UID");
+  sctx->match_gid = GNUNET_CONFIGURATION_get_value_yesno (sctx->cfg,
+                                                          sctx->serviceName,
+                                                          "UNIX_MATCH_GID");
  process_acl4 (&sctx->v4_denied, sctx, "REJECT_FROM");
  process_acl4 (&sctx->v4_allowed, sctx, "ACCEPT_FROM");
  process_acl6 (&sctx->v6_denied, sctx, "REJECT_FROM6");
author	Christian Grothoff <christian@grothoff.org>	2011-01-24 12:03:32 +0000
committer	Christian Grothoff <christian@grothoff.org>	2011-01-24 12:03:32 +0000
commit	48718834d4fb6c411ff5b00b86662a3dee3ac6cc (patch)
tree	a5651f8f3066fb0e68bfc87cbd23be1c0dea6ba5 /src/util/service.c
parent	1b97726713d88e1ec485aa1e827365a707ebc02f (diff)
download	gnunet-48718834d4fb6c411ff5b00b86662a3dee3ac6cc.tar.gz gnunet-48718834d4fb6c411ff5b00b86662a3dee3ac6cc.zip

diff --git a/src/util/service.c b/src/util/service.c index ac90eb93b..0594149d9 100644 --- a/src/util/service.c +++ b/src/util/service.c
@@ -512,6 +512,18 @@ struct GNUNET_SERVICE_Context
512	int require_found;	512	int require_found;
513		513
514	/**	514	/**
		515	* Do we require a matching UID for UNIX domain socket
		516	* connections?
		517	*/
		518	int match_uid;
		519
		520	/**
		521	* Do we require a matching GID for UNIX domain socket
		522	* connections?
		523	*/
		524	int match_gid;
		525
		526	/**
515	* Our options.	527	* Our options.
516	*/	528	*/
517	enum GNUNET_SERVICE_Options options;	529	enum GNUNET_SERVICE_Options options;
@@ -579,9 +591,18 @@ static const struct GNUNET_SERVER_MessageHandler defhandlers[] = {
579		591
580	/**	592	/**
581	* Check if access to the service is allowed from the given address.	593	* Check if access to the service is allowed from the given address.
		594	*
		595	* @param cls closure
		596	* @param uc credentials, if available, otherwise NULL
		597	* @param addr address
		598	* @param addrlen length of address
		599	* @return GNUNET_YES to allow, GNUNET_NO to deny, GNUNET_SYSERR
		600	* for unknown address family (will be denied).
582	*/	601	*/
583	static int	602	static int
584	check_access (void cls, const struct sockaddr addr, socklen_t addrlen)	603	check_access (void *cls,
		604	const struct GNUNET_CONNECTION_Credentials *uc,
		605	const struct sockaddr *addr, socklen_t addrlen)
585	{	606	{
586	struct GNUNET_SERVICE_Context *sctx = cls;	607	struct GNUNET_SERVICE_Context *sctx = cls;
587	const struct sockaddr_in *i4;	608	const struct sockaddr_in *i4;
@@ -609,8 +630,23 @@ check_access (void cls, const struct sockaddr addr, socklen_t addrlen)
609	(!check_ipv6_listed (sctx->v6_denied, &i6->sin6_addr)));	630	(!check_ipv6_listed (sctx->v6_denied, &i6->sin6_addr)));
610	break;	631	break;
611	case AF_UNIX:	632	case AF_UNIX:
612	/* FIXME: support checking UID/GID in the future... */
613	ret = GNUNET_OK; /* always OK for now */	633	ret = GNUNET_OK; /* always OK for now */
		634	if ( (sctx->match_uid == GNUNET_YES) \|\|
		635	(sctx->match_gid == GNUNET_YES) )
		636	ret = GNUNET_NO;
		637	if ( (uc != NULL) &&
		638	( (sctx->match_uid != GNUNET_YES) \|\|
		639	(uc->uid == geteuid()) \|\|
		640	(uc->uid == getuid()) ) &&
		641	( (sctx->match_gid != GNUNET_YES) \|\|
		642	(uc->gid == getegid()) \|\|
		643	(uc->gid == getgid())) )
		644	ret = GNUNET_YES;
		645	else
		646	GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
		647	_("Access denied to UID %d / GID %d\n"),
		648	(uc == NULL) ? -1 : uc->uid,
		649	(uc == NULL) ? -1 : uc->gid);
614	break;	650	break;
615	default:	651	default:
616	GNUNET_log (GNUNET_ERROR_TYPE_WARNING,	652	GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
@@ -1187,7 +1223,12 @@ setup_service (struct GNUNET_SERVICE_Context *sctx)
1187	&sctx->addrlens)) )	1223	&sctx->addrlens)) )
1188	return GNUNET_SYSERR;	1224	return GNUNET_SYSERR;
1189	sctx->require_found = tolerant ? GNUNET_NO : GNUNET_YES;	1225	sctx->require_found = tolerant ? GNUNET_NO : GNUNET_YES;
1190		1226	sctx->match_uid = GNUNET_CONFIGURATION_get_value_yesno (sctx->cfg,
		1227	sctx->serviceName,
		1228	"UNIX_MATCH_UID");
		1229	sctx->match_gid = GNUNET_CONFIGURATION_get_value_yesno (sctx->cfg,
		1230	sctx->serviceName,
		1231	"UNIX_MATCH_GID");
1191	process_acl4 (&sctx->v4_denied, sctx, "REJECT_FROM");	1232	process_acl4 (&sctx->v4_denied, sctx, "REJECT_FROM");
1192	process_acl4 (&sctx->v4_allowed, sctx, "ACCEPT_FROM");	1233	process_acl4 (&sctx->v4_allowed, sctx, "ACCEPT_FROM");
1193	process_acl6 (&sctx->v6_denied, sctx, "REJECT_FROM6");	1234	process_acl6 (&sctx->v6_denied, sctx, "REJECT_FROM6");