authorChristian Grothoff <christian@grothoff.org>2012-01-13 22:10:16 +0000
committerChristian Grothoff <christian@grothoff.org>2012-01-13 22:10:16 +0000
commitfb1390dfeb7e98a404207988f13341522f3692b6 (patch)
tree8568f457c1f6cecf4486b6cedea839c39758e0a0 /src
parent8f2925beae5b4791ff1c0a592d10ad69f249bc7d (diff)
improving code and build system to be in line with gnunet access control model for services as described at https://gnunet.org/gnunet-access-control-model
Diffstat (limited to 'src')
-rw-r--r--src/dht/dht.conf.in1
-rw-r--r--src/dns/Makefile.am7
-rw-r--r--src/dns/dns.conf.in5
-rw-r--r--src/dv/dv.conf.in2
-rw-r--r--src/transport/transport.conf.in1
-rw-r--r--src/util/service.c65
-rw-r--r--src/vpn/vpn.conf.in2
7 files changed, 65 insertions, 18 deletions
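--- a/src/dht/dht.conf.in
+++ b/src/dht/dht.conf.in
@@ -9,6 +9,7 @@ ACCEPT_FROM = 127.0.0.1;
 ACCEPT_FROM6 = ::1;
 BUCKET_SIZE = 4
 UNIXPATH = /tmp/gnunet-service-dht.sock
+# This could be relaxed...
 UNIX_MATCH_UID = YES
 UNIX_MATCH_GID = YES
 # DISABLE_SOCKET_FORWARDING = NO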
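--- a/src/dns/Makefile.am
+++ b/src/dns/Makefile.am
@@ -20,8 +20,11 @@ HIJACKBIN = gnunet-helper-hijack-dns gnunet-helper-dns
 install-exec-hook:
  $(SUDO_BINARY) chown root:root $(bindir)/gnunet-helper-hijack-dns || true
  $(SUDO_BINARY) chmod u+s $(bindir)/gnunet-helper-hijack-dns || true
- $(SUDO_BINARY) chown root:root $(bindir)/gnunet-helper-dns || true
- $(SUDO_BINARY) chmod u+s $(bindir)/gnunet-helper-dns || true
+ $(SUDO_BINARY) chown root $(bindir)/gnunet-helper-dns || true
+ $(SUDO_BINARY) chgrp $(GNUNETDNS_GROUP) $(bindir)/gnunet-helper-dns || true
+ $(SUDO_BINARY) chmod 4750 $(bindir)/gnunet-helper-dns || true
+ $(SUDO_BINARY) chgrp $(GNUNETDNS_GROUP) $(bindir)/gnunet-service-dns-new || true
+ $(SUDO_BINARY) chmod 2755 $(bindir)/gnunet-helper-dns || true
 else
 install-exec-hook:
 endif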
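Review bot: The last added line applies `chmod 2755` to `$(bindir)/gnunet-helper-dns`, the same file that was set to `4750` two lines earlier, so the helper ends up setgid and world-executable without its setuid bit, while `gnunet-service-dns-new` receives the group but no mode change. If the setgid mode was meant for the service, which the preceding `chgrp` suggests, the line would read `$(SUDO_BINARY) chmod 2755 $(bindir)/gnunet-service-dns-new || true`. Because every step ends in `|| true`, a failed `chgrp` (for example an unset or missing `$(GNUNETDNS_GROUP)`) is still followed by a successful `chmod 4750`, leaving a setuid-root helper executable by whatever group the file already had; chaining each `chgrp` and its `chmod` with `&&` would avoid that. The conditional that opens this rule is outside the hunk.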
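--- a/src/dns/dns.conf.in
+++ b/src/dns/dns.conf.in
@@ -5,10 +5,9 @@ HOSTNAME = localhost
 HOME = $SERVICEHOME
 CONFIG = $DEFAULTCONFIG
 BINARY = gnunet-service-dns
-ACCEPT_FROM = 127.0.0.1;
-ACCEPT_FROM6 = ::1;
 UNIXPATH = /tmp/gnunet-service-dns.sock
-
+UNIX_MATCH_UID = YES
+UNIX_MATCH_GID = YES
 PROVIDE_EXIT = YES
 IFNAME = gnunet-dns
 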
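Review bot: `UNIX_MATCH_GID = YES` has no effect here, because the `check_access` change to src/util/service.c in this same commit only consults `match_gid` when `match_uid` is not `GNUNET_YES`; with both set, access is limited to clients running under the service's own UID. If that is the intent, a comment such as `# UNIX_MATCH_GID is ignored while UNIX_MATCH_UID = YES` would stop a later reader from assuming group members are admitted; if group access was meant, `UNIX_MATCH_UID` would need to be `NO`. The same pair is added in src/dv/dv.conf.in and src/vpn/vpn.conf.in. The section also drops `ACCEPT_FROM`/`ACCEPT_FROM6`, so it is worth confirming what the service does for TCP clients when neither is set, since that default is not visible on this page.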
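--- a/src/dv/dv.conf.in
+++ b/src/dv/dv.conf.in
@@ -9,6 +9,8 @@ HOME = $SERVICEHOME
 HOSTNAME = localhost
 @UNIXONLY@ PORT = 2571
 UNIXPATH = /tmp/gnunet-service-dv.sock
+UNIX_MATCH_UID = YES
+UNIX_MATCH_GID = YES
 # ACCEPT_FROM =
 # ACCEPT_FROM6 =
 # REJECT_FROM =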
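--- a/src/transport/transport.conf.in
+++ b/src/transport/transport.conf.in
@@ -12,6 +12,7 @@ ACCEPT_FROM6 = ::1;
 PLUGINS = tcp
 UNIXPATH = /tmp/gnunet-service-transport.sock
 BLACKLIST_FILE = $SERVICEHOME/blacklist
+# This could possibly be relaxed
 UNIX_MATCH_UID = YES
 UNIX_MATCH_GID = YES
 # DISABLE_SOCKET_FORWARDING = NO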
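--- a/src/util/service.c
+++ b/src/util/service.c
@@ -501,14 +501,18 @@ struct GNUNET_SERVICE_Context
  int require_found;
 
  /**
- * Do we require a matching UID for UNIX domain socket
- * connections?
+ * Do we require a matching UID for UNIX domain socket connections?
+ * GNUNET_NO means that the UID does not have to match (however,
+ * "match_gid" may still impose other access control checks).
  */
  int match_uid;
 
  /**
- * Do we require a matching GID for UNIX domain socket
- * connections?
+ * Do we require a matching GID for UNIX domain socket connections?
+ * Ignored if "match_uid" is GNUNET_YES. Note that this is about
+ * checking that the client's UID is in our group OR that the
+ * client's GID is our GID. If both "match_gid" and "match_uid" are
+ * "GNUNET_NO", all users on the local system have access.
  */
  int match_gid;
 
@@ -617,15 +621,50 @@ check_access (void *cls, const struct GNUNET_CONNECTION_Credentials *uc,
 #ifndef WINDOWS
  case AF_UNIX:
  ret = GNUNET_OK; /* always OK for now */
- if ((sctx->match_uid == GNUNET_YES) || (sctx->match_gid == GNUNET_YES))
- ret = GNUNET_NO;
- if ((uc != NULL) &&
- ((sctx->match_uid != GNUNET_YES) || (uc->uid == geteuid ()) ||
- (uc->uid == getuid ())) && ((sctx->match_gid != GNUNET_YES) ||
- (uc->gid == getegid ()) ||
- (uc->gid == getgid ())))
- ret = GNUNET_YES;
- else
+ if (sctx->match_uid == GNUNET_YES)
+ {
+ /* UID match required */
+ ret = (uc != NULL) && (uc->uid == geteuid ());
+ }
+ else if (sctx->match_gid == GNUNET_YES)
+ {
+ /* group match required */
+ if (uc == NULL)
+ {
+ /* no credentials, group match not possible */
+ ret = GNUNET_NO;
+ }
+ else
+ {
+ struct group *grp;
+ unsigned int i;
+
+ if (uc->gid != getegid())
+ {
+ /* default group did not match, but maybe the user is in our group, let's check */
+ grp = getgrgid (getegid ());
+ if (NULL == grp)
+ {
+ GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR, "getgrgid");
+ return GNUNET_NO;
+ }
+ ret = GNUNET_NO;
+ for (i=0; NULL != grp->gr_mem[i]; i++)
+ {
+ struct passwd *nam = getpwnam (grp->gr_mem[i]);
+ if (NULL == nam)
+ continue; /* name in group that is not in user DB !? */
+ if (nam->pw_uid == uc->uid)
+ {
+ /* yes, uid is in our group, allow! */
+ ret = GNUNET_YES;
+ break;
+ }
+ }
+ }
+ }
+ }
+ if (GNUNET_NO == ret)
  LOG (GNUNET_ERROR_TYPE_WARNING, _("Access denied to UID %d / GID %d\n"),
  (uc == NULL) ? -1 : uc->uid, (uc == NULL) ? -1 : uc->gid);
  break;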
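Review bot: In the `match_gid` branch of `check_access`, a NULL result from `getgrgid (getegid ())` leaves via `return GNUNET_NO;`, which skips the `Access denied to UID %d / GID %d` warning that the other AF_UNIX denials produce, so these rejections are missing from the log an operator would audit. `getgrgid` can also return NULL without setting `errno` when the group simply has no entry, so `GNUNET_log_strerror` may print a stale error; setting `errno = 0;` before the call and replacing the return with `ret = GNUNET_NO;` (with the `gr_mem` loop moved into an `else`) would keep both the deny and the log line. The member scan calls `getpwnam` for each name on every connection that takes this path, which presumably goes through the system's name-service lookups and can stall the accept path; a comment stating that cost, or resolving the group's UIDs once at service start, would help. `check_access` starts and ends outside this hunk.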
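--- a/src/vpn/vpn.conf.in
+++ b/src/vpn/vpn.conf.in
@@ -8,6 +8,8 @@ BINARY = gnunet-service-vpn
 ACCEPT_FROM = 127.0.0.1;
 ACCEPT_FROM6 = ::1;
 UNIXPATH = /tmp/gnunet-service-vpn.sock
+UNIX_MATCH_UID = YES
+UNIX_MATCH_GID = YES
 
 IPV6ADDR = 1234::1
 IPV6PREFIX = 32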