author | Christian Grothoff <christian@grothoff.org> | 2012-09-28 16:53:51 +0000 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2012-09-28 16:53:51 +0000 |
commit | 16fe3b976a5c0d42817c4d8ed886efbc0759922f (patch) | |
tree | 7d74821b9b255243493a3ddf5b86b1348897fc60 /src | |
parent | 27f51b6ce1882d8e800f7188cfa00b8c76e9c224 (diff) | |
-do not close stdin/stdout for standard system progs
Diffstat (limited to 'src')
-rw-r--r-- | src/dns/gnunet-helper-dns.c | 48 | ||||
-rw-r--r-- | src/pt/test_gns_vpn.c | 48 |
2 files changed, 88 insertions, 8 deletions
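--- a/src/dns/gnunet-helper-dns.c
+++ b/src/dns/gnunet-helper-dns.c
@@ -155,6 +155,33 @@ signal_handler (int signal)
 
 
 /**
+* Open '/dev/null' and make the result the given
+* file descriptor.
+*
+* @param target_fd desired FD to point to /dev/null
+* @param flags open flags (O_RDONLY, O_WRONLY)
+*/
+static void
+open_dev_null (int target_fd,
+int flags)
+{
+int fd;
+
+fd = open ("/dev/null", flags);
+if (-1 == fd)
+abort ();
+if (fd == target_fd)
+return;
+if (-1 == dup2 (fd, target_fd))
+{
+(void) close (fd);
+abort ();
+}
+(void) close (fd);
+}
+
+
+/**
 * Run the given command and wait for it to complete.
 *
 * @param file name of the binary to run
@@ -183,7 +210,9 @@ fork_and_exec (const char *file,
 /* close stdin/stdout to not cause interference
 with the helper's main protocol! */
 (void) close (0);
+open_dev_null (0, O_RDONLY);
 (void) close (1);
+open_dev_null (1, O_WRONLY);
 (void) execv (file, cmd);
 /* can only get here on error */
 fprintf (stderr,
@@ -683,6 +712,7 @@ PROCESS_BUFFER:
 * 25-39 failed to drop privs and then failed to undo some changes to routing table
 * 40 failed to regain privs
 * 41-55 failed to regain prisv and then failed to undo some changes to routing table
+* 254 insufficient priviledges
 * 255 failed to handle kill signal properly
 */
 int
@@ -692,6 +722,7 @@ main (int argc, char *const*argv)
 char dev[IFNAMSIZ];
 char mygid[32];
 int fd_tun;
+uid_t uid;
 
 if (6 != argc)
 {
@@ -699,6 +730,22 @@ main (int argc, char *const*argv)
 return 1;
 }
 
+/* assert privs so we can modify the firewall rules! */
+uid = getuid ();
+#ifdef HAVE_SETRESUID
+if (0 != setresuid (uid, 0, 0))
+{
+fprintf (stderr, "Failed to setresuid to root: %s\n", strerror (errno));
+return 254;
+}
+#else
+if (0 != seteuid (0))
+{
+fprintf (stderr, "Failed to seteuid back to root: %s\n", strerror (errno));
+return 254;
+}
+#endif
+
 /* verify that the binaries were care about are executable */
 if (0 == access ("/sbin/iptables", X_OK))
 sbin_iptables = "/sbin/iptables";
@@ -899,7 +946,6 @@ main (int argc, char *const*argv)
 
 /* drop privs *except* for the saved UID; this is not perfect, but better
 than doing nothing */
-uid_t uid = getuid ();
 #ifdef HAVE_SETRESUID
 if (0 != setresuid (uid, uid, 0))
 {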
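Review bot: `open_dev_null` calls `abort ()` when `open` or `dup2` fails, and its only visible caller is the forked child in `fork_and_exec`, so a failure ends that child with SIGABRT and no message instead of an exit status the parent can interpret. Reporting it the way the `execv` error path below does would be easier to diagnose, e.g. `fprintf (stderr, "open /dev/null: %s\n", strerror (errno)); _exit (1);`. The comment at new line 210 still says "close stdin/stdout" although both descriptors are now re-pointed at /dev/null; it should say so, and also that descriptor 2 is deliberately left as inherited. The bodies of `fork_and_exec` and `main` continue outside the hunks shown.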
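--- a/src/pt/test_gns_vpn.c
+++ b/src/pt/test_gns_vpn.c
@@ -239,6 +239,7 @@ curl_main ()
 NULL);
 }
 
+
 static void
 start_curl (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
 {
@@ -261,12 +262,14 @@ start_curl (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
 curl_main ();
 }
 
+
 static void
 disco_ns (void* cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
 {
 GNUNET_NAMESTORE_disconnect (namestore);
 }
 
+
 /**
 * Callback invoked from the namestore service once record is
 * created.
@@ -354,6 +357,7 @@ mhd_main ()
 NULL);
 }
 
+
 static void
 run (void *cls,
 const struct GNUNET_CONFIGURATION_Handle *cfg,
@@ -438,6 +442,33 @@ test_af (int af)
 
 
 /**
+* Open '/dev/null' and make the result the given
+* file descriptor.
+*
+* @param target_fd desired FD to point to /dev/null
+* @param flags open flags (O_RDONLY, O_WRONLY)
+*/
+static void
+open_dev_null (int target_fd,
+int flags)
+{
+int fd;
+
+fd = open ("/dev/null", flags);
+if (-1 == fd)
+abort ();
+if (fd == target_fd)
+return;
+if (-1 == dup2 (fd, target_fd))
+{
+(void) close (fd);
+abort ();
+}
+(void) close (fd);
+}
+
+
+/**
 * Run the given command and wait for it to complete.
 *
 * @param file name of the binary to run
@@ -466,7 +497,9 @@ fork_and_exec (const char *file,
 /* close stdin/stdout to not cause interference
 with the helper's main protocol! */
 (void) close (0);
+open_dev_null (0, O_RDONLY);
 (void) close (1);
+open_dev_null (1, O_WRONLY);
 (void) execv (file, cmd);
 /* can only get here on error */
 fprintf (stderr,
@@ -515,7 +548,7 @@ main (int argc, char *const *argv)
 if (0 != fork_and_exec (sbin_iptables, iptables_args))
 {
 fprintf (stderr,
-"IPtables not available, Skipping.\n");
+"Failed to run `iptables -t mangle -L -v'. Skipping test.\n");
 return 0;
 }
 
@@ -529,12 +562,13 @@ main (int argc, char *const *argv)
 return 0;
 }
 
-if ( (GNUNET_YES !=
-GNUNET_OS_check_helper_binary ("gnunet-helper-vpn")) ||
-(GNUNET_YES !=
-GNUNET_OS_check_helper_binary ("gnunet-helper-exit")) ||
-(GNUNET_YES !=
-GNUNET_OS_check_helper_binary ("gnunet-helper-dns")))
+if ( (0 != geteuid ()) &&
+( (GNUNET_YES !=
+GNUNET_OS_check_helper_binary ("gnunet-helper-vpn")) ||
+(GNUNET_YES !=
+GNUNET_OS_check_helper_binary ("gnunet-helper-exit")) ||
+(GNUNET_YES !=
+GNUNET_OS_check_helper_binary ("gnunet-helper-dns"))) )
 {
 fprintf (stderr,
 "WARNING: gnunet-helper-{exit,vpn,dns} binaries in $PATH are not SUID, refusing to run test (as it would have to fail).\n");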
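Review bot: The new `(0 != geteuid ()) &&` guard in `main` skips the SUID check on the three helper binaries whenever the test runs as root, and nothing in the code says why. A one-line comment above the `if`, such as `/* as root the helpers need not be SUID, so only check when unprivileged */`, would stop a later reader from mistaking it for an accidental bypass. `open_dev_null` in this file is a line-for-line copy of the one this commit adds to src/dns/gnunet-helper-dns.c, so a comment naming the original would help keep the two in step. `main` continues outside the hunk.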