-rw-r--r-- | configure.ac | 22 | ||||
-rw-r--r-- | src/dht/dht.conf.in | 1 | ||||
-rw-r--r-- | src/dns/Makefile.am | 7 | ||||
-rw-r--r-- | src/dns/dns.conf.in | 5 | ||||
-rw-r--r-- | src/dv/dv.conf.in | 2 | ||||
-rw-r--r-- | src/transport/transport.conf.in | 1 | ||||
-rw-r--r-- | src/util/service.c | 65 | ||||
-rw-r--r-- | src/vpn/vpn.conf.in | 2 |
8 files changed, 87 insertions, 18 deletions
diff --git a/configure.ac b/configure.ac index 9dd33ef8f..108fcebcf 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -751,6 +751,28 @@ AC_ARG_WITH(sudo, | |||
751 | AC_SUBST(SUDO_BINARY) | 751 | AC_SUBST(SUDO_BINARY) |
752 | 752 | ||
753 | 753 | ||
754 | # test for gnunetdns group name | ||
755 | GNUNETDNS_GROUP=gnunetdns | ||
756 | AC_MSG_CHECKING(for gnunetdns group name) | ||
757 | AC_ARG_WITH(gnunetdns, | ||
758 | [ --with-gnunetdns=GRPNAME name for gnunetdns group], | ||
759 | [AC_MSG_RESULT("$with_gnunetdns") | ||
760 | case $with_gnunetdns in | ||
761 | no) | ||
762 | GNUNETDNS_GROUP=gnunet | ||
763 | ;; | ||
764 | yes) | ||
765 | GNUNETDNS_GROUP=gnunetdns | ||
766 | ;; | ||
767 | *) | ||
768 | GNUNETDNS_GROUP=$with_gnunetdns | ||
769 | ;; | ||
770 | esac | ||
771 | ], | ||
772 | [AC_MSG_RESULT([gnunetdns])]) | ||
773 | AC_SUBST(GNUNETDNS_GROUP) | ||
774 | |||
775 | |||
754 | # should 'make check' run tests? | 776 | # should 'make check' run tests? |
755 | AC_MSG_CHECKING(whether to run tests) | 777 | AC_MSG_CHECKING(whether to run tests) |
756 | AC_ARG_ENABLE([testruns], | 778 | AC_ARG_ENABLE([testruns], |
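Review bot: `AC_MSG_RESULT("$with_gnunetdns")` runs before the `case`, so `--without-gnunetdns` reports `"no"` (literal quotes included) while the group actually becomes `gnunet`. Reporting after the `case` with `AC_MSG_RESULT([$GNUNETDNS_GROUP])` would show the value that is substituted. Nothing in this section checks that the chosen group exists, and the dns install hook in this commit runs `chgrp $(GNUNETDNS_GROUP) ... || true`, so a missing or mistyped group would pass silently. A comment above `GNUNETDNS_GROUP=gnunetdns` stating that the group must exist before `make install` would help packagers.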
diff --git a/src/dht/dht.conf.in b/src/dht/dht.conf.in index c73c05688..17c13e93e 100644 --- a/src/dht/dht.conf.in +++ b/src/dht/dht.conf.in | |||
@@ -9,6 +9,7 @@ ACCEPT_FROM = 127.0.0.1; | |||
9 | ACCEPT_FROM6 = ::1; | 9 | ACCEPT_FROM6 = ::1; |
10 | BUCKET_SIZE = 4 | 10 | BUCKET_SIZE = 4 |
11 | UNIXPATH = /tmp/gnunet-service-dht.sock | 11 | UNIXPATH = /tmp/gnunet-service-dht.sock |
12 | # This could be relaxed... | ||
12 | UNIX_MATCH_UID = YES | 13 | UNIX_MATCH_UID = YES |
13 | UNIX_MATCH_GID = YES | 14 | UNIX_MATCH_GID = YES |
14 | # DISABLE_SOCKET_FORWARDING = NO | 15 | # DISABLE_SOCKET_FORWARDING = NO |
diff --git a/src/dns/Makefile.am b/src/dns/Makefile.am index f7376a111..99e78d7d6 100644 --- a/src/dns/Makefile.am +++ b/src/dns/Makefile.am | |||
@@ -20,8 +20,11 @@ HIJACKBIN = gnunet-helper-hijack-dns gnunet-helper-dns | |||
20 | install-exec-hook: | 20 | install-exec-hook: |
21 | $(SUDO_BINARY) chown root:root $(bindir)/gnunet-helper-hijack-dns || true | 21 | $(SUDO_BINARY) chown root:root $(bindir)/gnunet-helper-hijack-dns || true |
22 | $(SUDO_BINARY) chmod u+s $(bindir)/gnunet-helper-hijack-dns || true | 22 | $(SUDO_BINARY) chmod u+s $(bindir)/gnunet-helper-hijack-dns || true |
23 | $(SUDO_BINARY) chown root:root $(bindir)/gnunet-helper-dns || true | 23 | $(SUDO_BINARY) chown root $(bindir)/gnunet-helper-dns || true |
24 | $(SUDO_BINARY) chmod u+s $(bindir)/gnunet-helper-dns || true | 24 | $(SUDO_BINARY) chgrp $(GNUNETDNS_GROUP) $(bindir)/gnunet-helper-dns || true |
25 | $(SUDO_BINARY) chmod 4750 $(bindir)/gnunet-helper-dns || true | ||
26 | $(SUDO_BINARY) chgrp $(GNUNETDNS_GROUP) $(bindir)/gnunet-service-dns-new || true | ||
27 | $(SUDO_BINARY) chmod 2755 $(bindir)/gnunet-helper-dns || true | ||
25 | else | 28 | else |
26 | install-exec-hook: | 29 | install-exec-hook: |
27 | endif | 30 | endif |
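Review bot: The last added line, `chmod 2755 $(bindir)/gnunet-helper-dns`, targets the helper again instead of `gnunet-service-dns-new`, which is the file the preceding `chgrp` line changes. As written it replaces the `4750` set two lines earlier, so the helper loses its setuid bit, becomes executable by every local user and gains setgid, while the service binary gets no setgid bit at all. Presumably the intended line is `$(SUDO_BINARY) chmod 2755 $(bindir)/gnunet-service-dns-new || true`. Because every step ends in `|| true`, a failed `chgrp` followed by a successful `chmod` also goes unnoticed; a comment stating the expected final owner, group and mode of each binary would let an installer verify the result.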
diff --git a/src/dns/dns.conf.in b/src/dns/dns.conf.in index cd1c2e6e3..a99f7fec3 100644 --- a/src/dns/dns.conf.in +++ b/src/dns/dns.conf.in | |||
@@ -5,10 +5,9 @@ HOSTNAME = localhost | |||
5 | HOME = $SERVICEHOME | 5 | HOME = $SERVICEHOME |
6 | CONFIG = $DEFAULTCONFIG | 6 | CONFIG = $DEFAULTCONFIG |
7 | BINARY = gnunet-service-dns | 7 | BINARY = gnunet-service-dns |
8 | ACCEPT_FROM = 127.0.0.1; | ||
9 | ACCEPT_FROM6 = ::1; | ||
10 | UNIXPATH = /tmp/gnunet-service-dns.sock | 8 | UNIXPATH = /tmp/gnunet-service-dns.sock |
11 | 9 | UNIX_MATCH_UID = YES | |
10 | UNIX_MATCH_GID = YES | ||
12 | PROVIDE_EXIT = YES | 11 | PROVIDE_EXIT = YES |
13 | IFNAME = gnunet-dns | 12 | IFNAME = gnunet-dns |
14 | 13 | ||
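Review bot: With `UNIX_MATCH_UID = YES` set, the added `UNIX_MATCH_GID = YES` has no effect under the `check_access` logic changed in this same commit, where the group branch is only reached when `match_uid` is not `GNUNET_YES`. If the purpose of the `gnunetdns` group is to let group members reach this socket, this file would presumably need `UNIX_MATCH_UID = NO`. If UID-only access is intended, a comment such as `# UNIX_MATCH_GID is ignored while UNIX_MATCH_UID = YES` would avoid suggesting a second check. The same pair of settings is added in `src/dv/dv.conf.in` and `src/vpn/vpn.conf.in`.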
diff --git a/src/dv/dv.conf.in b/src/dv/dv.conf.in index fa647e31c..93278df7c 100644 --- a/src/dv/dv.conf.in +++ b/src/dv/dv.conf.in | |||
@@ -9,6 +9,8 @@ HOME = $SERVICEHOME | |||
9 | HOSTNAME = localhost | 9 | HOSTNAME = localhost |
10 | @UNIXONLY@ PORT = 2571 | 10 | @UNIXONLY@ PORT = 2571 |
11 | UNIXPATH = /tmp/gnunet-service-dv.sock | 11 | UNIXPATH = /tmp/gnunet-service-dv.sock |
12 | UNIX_MATCH_UID = YES | ||
13 | UNIX_MATCH_GID = YES | ||
12 | # ACCEPT_FROM = | 14 | # ACCEPT_FROM = |
13 | # ACCEPT_FROM6 = | 15 | # ACCEPT_FROM6 = |
14 | # REJECT_FROM = | 16 | # REJECT_FROM = |
diff --git a/src/transport/transport.conf.in b/src/transport/transport.conf.in index 213e8f5f0..ff81ff088 100644 --- a/src/transport/transport.conf.in +++ b/src/transport/transport.conf.in | |||
@@ -12,6 +12,7 @@ ACCEPT_FROM6 = ::1; | |||
12 | PLUGINS = tcp | 12 | PLUGINS = tcp |
13 | UNIXPATH = /tmp/gnunet-service-transport.sock | 13 | UNIXPATH = /tmp/gnunet-service-transport.sock |
14 | BLACKLIST_FILE = $SERVICEHOME/blacklist | 14 | BLACKLIST_FILE = $SERVICEHOME/blacklist |
15 | # This could possibly be relaxed | ||
15 | UNIX_MATCH_UID = YES | 16 | UNIX_MATCH_UID = YES |
16 | UNIX_MATCH_GID = YES | 17 | UNIX_MATCH_GID = YES |
17 | # DISABLE_SOCKET_FORWARDING = NO | 18 | # DISABLE_SOCKET_FORWARDING = NO |
diff --git a/src/util/service.c b/src/util/service.c index 8235830c9..243e7daa9 100644 --- a/src/util/service.c +++ b/src/util/service.c | |||
@@ -501,14 +501,18 @@ struct GNUNET_SERVICE_Context | |||
501 | int require_found; | 501 | int require_found; |
502 | 502 | ||
503 | /** | 503 | /** |
504 | * Do we require a matching UID for UNIX domain socket | 504 | * Do we require a matching UID for UNIX domain socket connections? |
505 | * connections? | 505 | * GNUNET_NO means that the UID does not have to match (however, |
506 | * "match_gid" may still impose other access control checks). | ||
506 | */ | 507 | */ |
507 | int match_uid; | 508 | int match_uid; |
508 | 509 | ||
509 | /** | 510 | /** |
510 | * Do we require a matching GID for UNIX domain socket | 511 | * Do we require a matching GID for UNIX domain socket connections? |
511 | * connections? | 512 | * Ignored if "match_uid" is GNUNET_YES. Note that this is about |
513 | * checking that the client's UID is in our group OR that the | ||
514 | * client's GID is our GID. If both "match_gid" and "match_uid" are | ||
515 | * "GNUNET_NO", all users on the local system have access. | ||
512 | */ | 516 | */ |
513 | int match_gid; | 517 | int match_gid; |
514 | 518 | ||
@@ -617,15 +621,50 @@ check_access (void *cls, const struct GNUNET_CONNECTION_Credentials *uc, | |||
617 | #ifndef WINDOWS | 621 | #ifndef WINDOWS |
618 | case AF_UNIX: | 622 | case AF_UNIX: |
619 | ret = GNUNET_OK; /* always OK for now */ | 623 | ret = GNUNET_OK; /* always OK for now */ |
620 | if ((sctx->match_uid == GNUNET_YES) || (sctx->match_gid == GNUNET_YES)) | 624 | if (sctx->match_uid == GNUNET_YES) |
621 | ret = GNUNET_NO; | 625 | { |
622 | if ((uc != NULL) && | 626 | /* UID match required */ |
623 | ((sctx->match_uid != GNUNET_YES) || (uc->uid == geteuid ()) || | 627 | ret = (uc != NULL) && (uc->uid == geteuid ()); |
624 | (uc->uid == getuid ())) && ((sctx->match_gid != GNUNET_YES) || | 628 | } |
625 | (uc->gid == getegid ()) || | 629 | else if (sctx->match_gid == GNUNET_YES) |
626 | (uc->gid == getgid ()))) | 630 | { |
627 | ret = GNUNET_YES; | 631 | /* group match required */ |
628 | else | 632 | if (uc == NULL) |
633 | { | ||
634 | /* no credentials, group match not possible */ | ||
635 | ret = GNUNET_NO; | ||
636 | } | ||
637 | else | ||
638 | { | ||
639 | struct group *grp; | ||
640 | unsigned int i; | ||
641 | |||
642 | if (uc->gid != getegid()) | ||
643 | { | ||
644 | /* default group did not match, but maybe the user is in our group, let's check */ | ||
645 | grp = getgrgid (getegid ()); | ||
646 | if (NULL == grp) | ||
647 | { | ||
648 | GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR, "getgrgid"); | ||
649 | return GNUNET_NO; | ||
650 | } | ||
651 | ret = GNUNET_NO; | ||
652 | for (i=0; NULL != grp->gr_mem[i]; i++) | ||
653 | { | ||
654 | struct passwd *nam = getpwnam (grp->gr_mem[i]); | ||
655 | if (NULL == nam) | ||
656 | continue; /* name in group that is not in user DB !? */ | ||
657 | if (nam->pw_uid == uc->uid) | ||
658 | { | ||
659 | /* yes, uid is in our group, allow! */ | ||
660 | ret = GNUNET_YES; | ||
661 | break; | ||
662 | } | ||
663 | } | ||
664 | } | ||
665 | } | ||
666 | } | ||
667 | if (GNUNET_NO == ret) | ||
629 | LOG (GNUNET_ERROR_TYPE_WARNING, _("Access denied to UID %d / GID %d\n"), | 668 | LOG (GNUNET_ERROR_TYPE_WARNING, _("Access denied to UID %d / GID %d\n"), |
630 | (uc == NULL) ? -1 : uc->uid, (uc == NULL) ? -1 : uc->gid); | 669 | (uc == NULL) ? -1 : uc->uid, (uc == NULL) ? -1 : uc->gid); |
631 | break; | 670 | break; |
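Review bot: In the `AF_UNIX` group branch of `check_access`, the `getgrgid` failure path does `return GNUNET_NO;`, which skips the "Access denied" warning below it and anything after the `switch` (the function continues outside this hunk). Setting `ret = GNUNET_NO;` and putting the membership loop in an `else` would keep a single exit path. `getgrgid` also returns NULL without setting `errno` when the group simply has no entry, so `GNUNET_log_strerror` can print a stale error unless `errno = 0;` is set before the call. The lookup runs `getgrgid` plus one `getpwnam` per group member on every connection whose primary GID differs, and both return pointers to static storage, so a comment noting that this path is not reentrant and depends on the name-service backend would be useful. The includes for `getgrgid`/`getpwnam` (`<grp.h>`, `<pwd.h>`) are not visible in this hunk and should be confirmed.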
diff --git a/src/vpn/vpn.conf.in b/src/vpn/vpn.conf.in index 411ad3fb9..f5eb22447 100644 --- a/src/vpn/vpn.conf.in +++ b/src/vpn/vpn.conf.in | |||
@@ -8,6 +8,8 @@ BINARY = gnunet-service-vpn | |||
8 | ACCEPT_FROM = 127.0.0.1; | 8 | ACCEPT_FROM = 127.0.0.1; |
9 | ACCEPT_FROM6 = ::1; | 9 | ACCEPT_FROM6 = ::1; |
10 | UNIXPATH = /tmp/gnunet-service-vpn.sock | 10 | UNIXPATH = /tmp/gnunet-service-vpn.sock |
11 | UNIX_MATCH_UID = YES | ||
12 | UNIX_MATCH_GID = YES | ||
11 | 13 | ||
12 | IPV6ADDR = 1234::1 | 14 | IPV6ADDR = 1234::1 |
13 | IPV6PREFIX = 32 | 15 | IPV6PREFIX = 32 |