diff options
author | Christian Grothoff <christian@grothoff.org> | 2011-01-24 12:03:32 +0000 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2011-01-24 12:03:32 +0000 |
commit | 48718834d4fb6c411ff5b00b86662a3dee3ac6cc (patch) | |
tree | a5651f8f3066fb0e68bfc87cbd23be1c0dea6ba5 /src/util/service.c | |
parent | 1b97726713d88e1ec485aa1e827365a707ebc02f (diff) | |
download | gnunet-48718834d4fb6c411ff5b00b86662a3dee3ac6cc.tar.gz gnunet-48718834d4fb6c411ff5b00b86662a3dee3ac6cc.zip |
UNIX domain socket authentication support added
Diffstat (limited to 'src/util/service.c')
-rw-r--r-- | src/util/service.c | 47 |
1 files changed, 44 insertions, 3 deletions
diff --git a/src/util/service.c b/src/util/service.c index ac90eb93b..0594149d9 100644 --- a/src/util/service.c +++ b/src/util/service.c | |||
@@ -512,6 +512,18 @@ struct GNUNET_SERVICE_Context | |||
512 | int require_found; | 512 | int require_found; |
513 | 513 | ||
514 | /** | 514 | /** |
515 | * Do we require a matching UID for UNIX domain socket | ||
516 | * connections? | ||
517 | */ | ||
518 | int match_uid; | ||
519 | |||
520 | /** | ||
521 | * Do we require a matching GID for UNIX domain socket | ||
522 | * connections? | ||
523 | */ | ||
524 | int match_gid; | ||
525 | |||
526 | /** | ||
515 | * Our options. | 527 | * Our options. |
516 | */ | 528 | */ |
517 | enum GNUNET_SERVICE_Options options; | 529 | enum GNUNET_SERVICE_Options options; |
@@ -579,9 +591,18 @@ static const struct GNUNET_SERVER_MessageHandler defhandlers[] = { | |||
579 | 591 | ||
580 | /** | 592 | /** |
581 | * Check if access to the service is allowed from the given address. | 593 | * Check if access to the service is allowed from the given address. |
594 | * | ||
595 | * @param cls closure | ||
596 | * @param uc credentials, if available, otherwise NULL | ||
597 | * @param addr address | ||
598 | * @param addrlen length of address | ||
599 | * @return GNUNET_YES to allow, GNUNET_NO to deny, GNUNET_SYSERR | ||
600 | * for unknown address family (will be denied). | ||
582 | */ | 601 | */ |
583 | static int | 602 | static int |
584 | check_access (void *cls, const struct sockaddr *addr, socklen_t addrlen) | 603 | check_access (void *cls, |
604 | const struct GNUNET_CONNECTION_Credentials *uc, | ||
605 | const struct sockaddr *addr, socklen_t addrlen) | ||
585 | { | 606 | { |
586 | struct GNUNET_SERVICE_Context *sctx = cls; | 607 | struct GNUNET_SERVICE_Context *sctx = cls; |
587 | const struct sockaddr_in *i4; | 608 | const struct sockaddr_in *i4; |
@@ -609,8 +630,23 @@ check_access (void *cls, const struct sockaddr *addr, socklen_t addrlen) | |||
609 | (!check_ipv6_listed (sctx->v6_denied, &i6->sin6_addr))); | 630 | (!check_ipv6_listed (sctx->v6_denied, &i6->sin6_addr))); |
610 | break; | 631 | break; |
611 | case AF_UNIX: | 632 | case AF_UNIX: |
612 | /* FIXME: support checking UID/GID in the future... */ | ||
613 | ret = GNUNET_OK; /* always OK for now */ | 633 | ret = GNUNET_OK; /* always OK for now */ |
634 | if ( (sctx->match_uid == GNUNET_YES) || | ||
635 | (sctx->match_gid == GNUNET_YES) ) | ||
636 | ret = GNUNET_NO; | ||
637 | if ( (uc != NULL) && | ||
638 | ( (sctx->match_uid != GNUNET_YES) || | ||
639 | (uc->uid == geteuid()) || | ||
640 | (uc->uid == getuid()) ) && | ||
641 | ( (sctx->match_gid != GNUNET_YES) || | ||
642 | (uc->gid == getegid()) || | ||
643 | (uc->gid == getgid())) ) | ||
644 | ret = GNUNET_YES; | ||
645 | else | ||
646 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
647 | _("Access denied to UID %d / GID %d\n"), | ||
648 | (uc == NULL) ? -1 : uc->uid, | ||
649 | (uc == NULL) ? -1 : uc->gid); | ||
614 | break; | 650 | break; |
615 | default: | 651 | default: |
616 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | 652 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, |
@@ -1187,7 +1223,12 @@ setup_service (struct GNUNET_SERVICE_Context *sctx) | |||
1187 | &sctx->addrlens)) ) | 1223 | &sctx->addrlens)) ) |
1188 | return GNUNET_SYSERR; | 1224 | return GNUNET_SYSERR; |
1189 | sctx->require_found = tolerant ? GNUNET_NO : GNUNET_YES; | 1225 | sctx->require_found = tolerant ? GNUNET_NO : GNUNET_YES; |
1190 | 1226 | sctx->match_uid = GNUNET_CONFIGURATION_get_value_yesno (sctx->cfg, | |
1227 | sctx->serviceName, | ||
1228 | "UNIX_MATCH_UID"); | ||
1229 | sctx->match_gid = GNUNET_CONFIGURATION_get_value_yesno (sctx->cfg, | ||
1230 | sctx->serviceName, | ||
1231 | "UNIX_MATCH_GID"); | ||
1191 | process_acl4 (&sctx->v4_denied, sctx, "REJECT_FROM"); | 1232 | process_acl4 (&sctx->v4_denied, sctx, "REJECT_FROM"); |
1192 | process_acl4 (&sctx->v4_allowed, sctx, "ACCEPT_FROM"); | 1233 | process_acl4 (&sctx->v4_allowed, sctx, "ACCEPT_FROM"); |
1193 | process_acl6 (&sctx->v6_denied, sctx, "REJECT_FROM6"); | 1234 | process_acl6 (&sctx->v6_denied, sctx, "REJECT_FROM6"); |