diff options
-rw-r--r-- | TODO | 8 | ||||
-rw-r--r-- | configure.ac | 4 | ||||
-rw-r--r-- | contrib/defaults.conf | 18 | ||||
-rw-r--r-- | src/include/gnunet_connection_lib.h | 19 | ||||
-rw-r--r-- | src/include/gnunet_network_lib.h | 1 | ||||
-rw-r--r-- | src/include/platform.h | 3 | ||||
-rw-r--r-- | src/util/connection.c | 49 | ||||
-rw-r--r-- | src/util/network.c | 9 | ||||
-rw-r--r-- | src/util/service.c | 47 |
9 files changed, 147 insertions, 11 deletions
@@ -7,13 +7,13 @@ | |||
7 | + implement UDP, HTTP/HTTPS | 7 | + implement UDP, HTTP/HTTPS |
8 | * Transport: | 8 | * Transport: |
9 | - UDP fragmentation | 9 | - UDP fragmentation |
10 | * UTIL / FS: | ||
11 | - gnunet-publish tires to connect to service even if | ||
12 | run with 'simulation' option (-s) | ||
13 | * DHT: [Nate] | 10 | * DHT: [Nate] |
14 | - track paths content travels (PUT, reply-to-get) in messages, | 11 | - track paths content travels (PUT, reply-to-get) in messages, |
15 | pass to client (client API & protocol already support this!) | 12 | pass to client (client API & protocol already support this!) |
16 | * FS: [CG] | 13 | * FS: [CG] |
14 | - gnunet-publish tires to connect to service even if | ||
15 | run with 'simulation' option (-s) | ||
16 | - gnunet-download does not *always* use inline full data (?) | ||
17 | - implement multi-peer FS performance tests | 17 | - implement multi-peer FS performance tests |
18 | + insert | 18 | + insert |
19 | + download | 19 | + download |
@@ -65,8 +65,6 @@ | |||
65 | - Remove KBlocks in gnunet-unindex (see discussion with Kenneth Almquist on gnunet-devs in 9/2009) | 65 | - Remove KBlocks in gnunet-unindex (see discussion with Kenneth Almquist on gnunet-devs in 9/2009) |
66 | - use different queue prioritization for probe-downloads vs. normal downloads | 66 | - use different queue prioritization for probe-downloads vs. normal downloads |
67 | - re-implement gnunet-auto-share | 67 | - re-implement gnunet-auto-share |
68 | * UTIL: [CG] | ||
69 | - allow limiting UNIX socket access by UID/GID | ||
70 | * GNUNET-GTK: [CG] | 68 | * GNUNET-GTK: [CG] |
71 | - add tool bar | 69 | - add tool bar |
72 | - do meaningful update to status line (starting up, peer running, #connections, shutdown, ...) | 70 | - do meaningful update to status line (starting up, peer running, #connections, shutdown, ...) |
diff --git a/configure.ac b/configure.ac index a57030a5c..7938ff1d8 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -293,7 +293,7 @@ AC_HEADER_STDC | |||
293 | AC_CHECK_HEADERS([fcntl.h math.h errno.h ctype.h limits.h stdio.h stdlib.h string.h unistd.h stdarg.h signal.h locale.h sys/stat.h sys/types.h],,AC_MSG_ERROR([Compiling GNUnet requires standard UNIX headers files])) | 293 | AC_CHECK_HEADERS([fcntl.h math.h errno.h ctype.h limits.h stdio.h stdlib.h string.h unistd.h stdarg.h signal.h locale.h sys/stat.h sys/types.h],,AC_MSG_ERROR([Compiling GNUnet requires standard UNIX headers files])) |
294 | 294 | ||
295 | # Checks for headers that are only required on some systems or opional (and where we do NOT abort if they are not there) | 295 | # Checks for headers that are only required on some systems or opional (and where we do NOT abort if they are not there) |
296 | AC_CHECK_HEADERS([langinfo.h sys/param.h sys/mount.h sys/statvfs.h sys/select.h sockLib.h sys/mman.h sys/msg.h sys/vfs.h arpa/inet.h fcntl.h libintl.h netdb.h netinet/in.h netinet/in_systm.h sys/ioctl.h sys/socket.h sys/time.h unistd.h kstat.h sys/sysinfo.h kvm.h sys/file.h sys/resource.h ifaddrs.h mach/mach.h stddef.h sys/timeb.h terminos.h argz.h]) | 296 | AC_CHECK_HEADERS([langinfo.h sys/param.h sys/mount.h sys/statvfs.h sys/select.h sockLib.h sys/mman.h sys/msg.h sys/vfs.h arpa/inet.h fcntl.h libintl.h netdb.h netinet/in.h netinet/in_systm.h sys/ioctl.h sys/socket.h sys/time.h unistd.h kstat.h sys/sysinfo.h kvm.h sys/file.h sys/resource.h ifaddrs.h mach/mach.h stddef.h sys/timeb.h terminos.h argz.h ucred.h]) |
297 | 297 | ||
298 | SAVE_LDFLAGS=$LDFLAGS | 298 | SAVE_LDFLAGS=$LDFLAGS |
299 | SAVE_CPPFLAGS=$CPPFLAGS | 299 | SAVE_CPPFLAGS=$CPPFLAGS |
@@ -664,7 +664,7 @@ AC_FUNC_VPRINTF | |||
664 | AC_HEADER_SYS_WAIT | 664 | AC_HEADER_SYS_WAIT |
665 | AC_TYPE_OFF_T | 665 | AC_TYPE_OFF_T |
666 | AC_TYPE_UID_T | 666 | AC_TYPE_UID_T |
667 | AC_CHECK_FUNCS([floor gethostname memmove rmdir strncasecmp strrchr strtol atoll dup2 fdatasync ftruncate gettimeofday memset mkdir mkfifo select socket strcasecmp strchr strdup strerror strstr clock_gettime getrusage rand uname setlocale getcwd mktime gmtime_r gmtime strlcpy strlcat ftruncate stat64 sbrk mmap mremap setrlimit sysconf gethostbyaddr initgroups getifaddrs freeifaddrs getnameinfo getaddrinfo inet_ntoa localtime_r nl_langinfo putenv realpath strndup gethostbyname2 gethostbyname]) | 667 | AC_CHECK_FUNCS([floor gethostname memmove rmdir strncasecmp strrchr strtol atoll dup2 fdatasync ftruncate gettimeofday memset mkdir mkfifo select socket strcasecmp strchr strdup strerror strstr clock_gettime getrusage rand uname setlocale getcwd mktime gmtime_r gmtime strlcpy strlcat ftruncate stat64 sbrk mmap mremap setrlimit sysconf gethostbyaddr initgroups getifaddrs freeifaddrs getnameinfo getaddrinfo inet_ntoa localtime_r nl_langinfo putenv realpath strndup gethostbyname2 gethostbyname getpeerucred getpeereid]) |
668 | 668 | ||
669 | # restore LIBS | 669 | # restore LIBS |
670 | LIBS=$SAVE_LIBS | 670 | LIBS=$SAVE_LIBS |
diff --git a/contrib/defaults.conf b/contrib/defaults.conf index 621230c73..5c54b362b 100644 --- a/contrib/defaults.conf +++ b/contrib/defaults.conf | |||
@@ -82,6 +82,8 @@ ACCEPT_FROM = 127.0.0.1; | |||
82 | ACCEPT_FROM6 = ::1; | 82 | ACCEPT_FROM6 = ::1; |
83 | DEFAULTSERVICES = topology hostlist | 83 | DEFAULTSERVICES = topology hostlist |
84 | UNIXPATH = /tmp/gnunet-service-arm.sock | 84 | UNIXPATH = /tmp/gnunet-service-arm.sock |
85 | UNIX_MATCH_UID = YES | ||
86 | UNIX_MATCH_GID = YES | ||
85 | # GLOBAL_POSTFIX = -l $SERVICEHOME/{}-logs | 87 | # GLOBAL_POSTFIX = -l $SERVICEHOME/{}-logs |
86 | # GLOBAL_PREFIX = | 88 | # GLOBAL_PREFIX = |
87 | # USERNAME = | 89 | # USERNAME = |
@@ -103,6 +105,8 @@ BINARY = gnunet-service-statistics | |||
103 | ACCEPT_FROM = 127.0.0.1; | 105 | ACCEPT_FROM = 127.0.0.1; |
104 | ACCEPT_FROM6 = ::1; | 106 | ACCEPT_FROM6 = ::1; |
105 | UNIXPATH = /tmp/gnunet-service-statistics.sock | 107 | UNIXPATH = /tmp/gnunet-service-statistics.sock |
108 | UNIX_MATCH_UID = NO | ||
109 | UNIX_MATCH_GID = YES | ||
106 | # DISABLE_SOCKET_FORWARDING = NO | 110 | # DISABLE_SOCKET_FORWARDING = NO |
107 | # USERNAME = | 111 | # USERNAME = |
108 | # MAXBUF = | 112 | # MAXBUF = |
@@ -123,6 +127,8 @@ BINARY = gnunet-service-resolver | |||
123 | ACCEPT_FROM = 127.0.0.1; | 127 | ACCEPT_FROM = 127.0.0.1; |
124 | ACCEPT_FROM6 = ::1; | 128 | ACCEPT_FROM6 = ::1; |
125 | UNIXPATH = /tmp/gnunet-service-resolver.sock | 129 | UNIXPATH = /tmp/gnunet-service-resolver.sock |
130 | UNIX_MATCH_UID = NO | ||
131 | UNIX_MATCH_GID = NO | ||
126 | # DISABLE_SOCKET_FORWARDING = NO | 132 | # DISABLE_SOCKET_FORWARDING = NO |
127 | # USERNAME = | 133 | # USERNAME = |
128 | # MAXBUF = | 134 | # MAXBUF = |
@@ -143,6 +149,8 @@ BINARY = gnunet-service-peerinfo | |||
143 | ACCEPT_FROM = 127.0.0.1; | 149 | ACCEPT_FROM = 127.0.0.1; |
144 | ACCEPT_FROM6 = ::1; | 150 | ACCEPT_FROM6 = ::1; |
145 | UNIXPATH = /tmp/gnunet-service-peerinfo.sock | 151 | UNIXPATH = /tmp/gnunet-service-peerinfo.sock |
152 | UNIX_MATCH_UID = NO | ||
153 | UNIX_MATCH_GID = YES | ||
146 | # DISABLE_SOCKET_FORWARDING = NO | 154 | # DISABLE_SOCKET_FORWARDING = NO |
147 | # USERNAME = | 155 | # USERNAME = |
148 | # MAXBUF = | 156 | # MAXBUF = |
@@ -168,6 +176,8 @@ ACCEPT_FROM6 = ::1; | |||
168 | PLUGINS = tcp | 176 | PLUGINS = tcp |
169 | UNIXPATH = /tmp/gnunet-service-transport.sock | 177 | UNIXPATH = /tmp/gnunet-service-transport.sock |
170 | BLACKLIST_FILE = $SERVICEHOME/blacklist | 178 | BLACKLIST_FILE = $SERVICEHOME/blacklist |
179 | UNIX_MATCH_UID = YES | ||
180 | UNIX_MATCH_GID = YES | ||
171 | # DISABLE_SOCKET_FORWARDING = NO | 181 | # DISABLE_SOCKET_FORWARDING = NO |
172 | # USERNAME = | 182 | # USERNAME = |
173 | # MAXBUF = | 183 | # MAXBUF = |
@@ -191,6 +201,8 @@ ACCEPT_FROM6 = ::1; | |||
191 | TOTAL_QUOTA_IN = 65536 | 201 | TOTAL_QUOTA_IN = 65536 |
192 | TOTAL_QUOTA_OUT = 65536 | 202 | TOTAL_QUOTA_OUT = 65536 |
193 | UNIXPATH = /tmp/gnunet-service-core.sock | 203 | UNIXPATH = /tmp/gnunet-service-core.sock |
204 | UNIX_MATCH_UID = YES | ||
205 | UNIX_MATCH_GID = YES | ||
194 | # DISABLE_SOCKET_FORWARDING = NO | 206 | # DISABLE_SOCKET_FORWARDING = NO |
195 | # DEBUG = YES | 207 | # DEBUG = YES |
196 | # USERNAME = | 208 | # USERNAME = |
@@ -229,6 +241,8 @@ HTTP-PROXY = | |||
229 | [datastore] | 241 | [datastore] |
230 | AUTOSTART = YES | 242 | AUTOSTART = YES |
231 | UNIXPATH = /tmp/gnunet-service-datastore.sock | 243 | UNIXPATH = /tmp/gnunet-service-datastore.sock |
244 | UNIX_MATCH_UID = YES | ||
245 | UNIX_MATCH_GID = YES | ||
232 | PORT = 2093 | 246 | PORT = 2093 |
233 | HOSTNAME = localhost | 247 | HOSTNAME = localhost |
234 | HOME = $SERVICEHOME | 248 | HOME = $SERVICEHOME |
@@ -283,6 +297,8 @@ CONTENT_CACHING = YES | |||
283 | CONTENT_PUSHING = YES | 297 | CONTENT_PUSHING = YES |
284 | 298 | ||
285 | UNIXPATH = /tmp/gnunet-service-fs.sock | 299 | UNIXPATH = /tmp/gnunet-service-fs.sock |
300 | UNIX_MATCH_UID = NO | ||
301 | UNIX_MATCH_GID = YES | ||
286 | # DISABLE_SOCKET_FORWARDING = NO | 302 | # DISABLE_SOCKET_FORWARDING = NO |
287 | # DEBUG = YES | 303 | # DEBUG = YES |
288 | MAX_PENDING_REQUESTS = 65536 | 304 | MAX_PENDING_REQUESTS = 65536 |
@@ -303,6 +319,8 @@ ACCEPT_FROM = 127.0.0.1; | |||
303 | ACCEPT_FROM6 = ::1; | 319 | ACCEPT_FROM6 = ::1; |
304 | BUCKET_SIZE = 4 | 320 | BUCKET_SIZE = 4 |
305 | UNIXPATH = /tmp/gnunet-service-dht.sock | 321 | UNIXPATH = /tmp/gnunet-service-dht.sock |
322 | UNIX_MATCH_UID = YES | ||
323 | UNIX_MATCH_GID = YES | ||
306 | # DISABLE_SOCKET_FORWARDING = NO | 324 | # DISABLE_SOCKET_FORWARDING = NO |
307 | # DEBUG = YES | 325 | # DEBUG = YES |
308 | # USERNAME = | 326 | # USERNAME = |
diff --git a/src/include/gnunet_connection_lib.h b/src/include/gnunet_connection_lib.h index 33afb0386..8d2dbb611 100644 --- a/src/include/gnunet_connection_lib.h +++ b/src/include/gnunet_connection_lib.h | |||
@@ -53,15 +53,34 @@ struct GNUNET_CONNECTION_Handle; | |||
53 | 53 | ||
54 | 54 | ||
55 | /** | 55 | /** |
56 | * Credentials for UNIX domain sockets. | ||
57 | */ | ||
58 | struct GNUNET_CONNECTION_Credentials | ||
59 | { | ||
60 | /** | ||
61 | * UID of the other end of the connection. | ||
62 | */ | ||
63 | uid_t uid; | ||
64 | |||
65 | /** | ||
66 | * GID of the other end of the connection. | ||
67 | */ | ||
68 | gid_t gid; | ||
69 | }; | ||
70 | |||
71 | |||
72 | /** | ||
56 | * Function to call for access control checks. | 73 | * Function to call for access control checks. |
57 | * | 74 | * |
58 | * @param cls closure | 75 | * @param cls closure |
76 | * @param ucred credentials, if available, otherwise NULL | ||
59 | * @param addr address | 77 | * @param addr address |
60 | * @param addrlen length of address | 78 | * @param addrlen length of address |
61 | * @return GNUNET_YES to allow, GNUNET_NO to deny, GNUNET_SYSERR | 79 | * @return GNUNET_YES to allow, GNUNET_NO to deny, GNUNET_SYSERR |
62 | * for unknown address family (will be denied). | 80 | * for unknown address family (will be denied). |
63 | */ | 81 | */ |
64 | typedef int (*GNUNET_CONNECTION_AccessCheck) (void *cls, | 82 | typedef int (*GNUNET_CONNECTION_AccessCheck) (void *cls, |
83 | const struct GNUNET_CONNECTION_Credentials *ucred, | ||
65 | const struct sockaddr * addr, | 84 | const struct sockaddr * addr, |
66 | socklen_t addrlen); | 85 | socklen_t addrlen); |
67 | 86 | ||
diff --git a/src/include/gnunet_network_lib.h b/src/include/gnunet_network_lib.h index 73303689a..34cb7bc32 100644 --- a/src/include/gnunet_network_lib.h +++ b/src/include/gnunet_network_lib.h | |||
@@ -309,6 +309,7 @@ void GNUNET_NETWORK_fdset_add (struct GNUNET_NETWORK_FDSet *dst, | |||
309 | void GNUNET_NETWORK_fdset_copy (struct GNUNET_NETWORK_FDSet *to, | 309 | void GNUNET_NETWORK_fdset_copy (struct GNUNET_NETWORK_FDSet *to, |
310 | const struct GNUNET_NETWORK_FDSet *from); | 310 | const struct GNUNET_NETWORK_FDSet *from); |
311 | 311 | ||
312 | |||
312 | /** | 313 | /** |
313 | * Return file descriptor for this network handle | 314 | * Return file descriptor for this network handle |
314 | * | 315 | * |
diff --git a/src/include/platform.h b/src/include/platform.h index cc2aa03ae..230031307 100644 --- a/src/include/platform.h +++ b/src/include/platform.h | |||
@@ -156,6 +156,9 @@ | |||
156 | #include <sys/loadavg.h> | 156 | #include <sys/loadavg.h> |
157 | #include <semaphore.h> | 157 | #include <semaphore.h> |
158 | #endif | 158 | #endif |
159 | #if HAVE_UCRED_H | ||
160 | #include <ucred.h> | ||
161 | #endif | ||
159 | #ifdef CYGWIN | 162 | #ifdef CYGWIN |
160 | #include <windows.h> | 163 | #include <windows.h> |
161 | #include <cygwin/if.h> | 164 | #include <cygwin/if.h> |
diff --git a/src/util/connection.c b/src/util/connection.c index aa5db91bf..12969b3ba 100644 --- a/src/util/connection.c +++ b/src/util/connection.c | |||
@@ -346,6 +346,12 @@ GNUNET_CONNECTION_create_from_accept (GNUNET_CONNECTION_AccessCheck access, | |||
346 | struct sockaddr_in6 *v6; | 346 | struct sockaddr_in6 *v6; |
347 | struct sockaddr *sa; | 347 | struct sockaddr *sa; |
348 | void *uaddr; | 348 | void *uaddr; |
349 | struct GNUNET_CONNECTION_Credentials *gcp; | ||
350 | struct GNUNET_CONNECTION_Credentials gc; | ||
351 | #ifdef SO_PEERCRED | ||
352 | struct ucred uc; | ||
353 | socklen_t olen; | ||
354 | #endif | ||
349 | 355 | ||
350 | addrlen = sizeof (addr); | 356 | addrlen = sizeof (addr); |
351 | sock = | 357 | sock = |
@@ -384,9 +390,50 @@ GNUNET_CONNECTION_create_from_accept (GNUNET_CONNECTION_AccessCheck access, | |||
384 | uaddr = GNUNET_malloc (addrlen); | 390 | uaddr = GNUNET_malloc (addrlen); |
385 | memcpy (uaddr, addr, addrlen); | 391 | memcpy (uaddr, addr, addrlen); |
386 | } | 392 | } |
393 | gcp = NULL; | ||
394 | gc.uid = 0; | ||
395 | gc.gid = 0; | ||
396 | if (sa->sa_family == AF_UNIX) | ||
397 | { | ||
398 | #if HAVE_GETPEEREID | ||
399 | /* most BSDs */ | ||
400 | if (0 == getpeereid (GNUNET_NETWORK_get_fd (sock), | ||
401 | &gc.uid, | ||
402 | &gc.gid)) | ||
403 | gcp = &gc; | ||
404 | #else | ||
405 | #ifdef SO_PEERCRED | ||
406 | /* largely traditional GNU/Linux */ | ||
407 | olen = sizeof (uc); | ||
408 | if ( (0 == | ||
409 | getsockopt (GNUNET_NETWORK_get_fd (sock), | ||
410 | SOL_SOCKET, SO_PEERCRED, &uc, &olen)) && | ||
411 | (olen == sizeof (uc)) ) | ||
412 | { | ||
413 | gc.uid = uc.uid; | ||
414 | gc.gid = uc.gid; | ||
415 | gcp = &gc; | ||
416 | } | ||
417 | #else | ||
418 | #if HAVE_GETPEERUCRED | ||
419 | /* this is for Solaris 10 */ | ||
420 | ucred_t *uc; | ||
421 | |||
422 | uc = NULL; | ||
423 | if (0 == getpeerucred (GNUNET_NETWORK_get_fd (sock), &uc)) | ||
424 | { | ||
425 | gc.uid = ucred_geteuid (uc); | ||
426 | gc.gid = ucred_getegid (uc); | ||
427 | gcp = &gc; | ||
428 | } | ||
429 | ucred_free (uc); | ||
430 | #endif | ||
431 | #endif | ||
432 | #endif | ||
433 | } | ||
387 | 434 | ||
388 | if ((access != NULL) && | 435 | if ((access != NULL) && |
389 | (GNUNET_YES != (aret = access (access_cls, uaddr, addrlen)))) | 436 | (GNUNET_YES != (aret = access (access_cls, gcp, uaddr, addrlen)))) |
390 | { | 437 | { |
391 | if (aret == GNUNET_NO) | 438 | if (aret == GNUNET_NO) |
392 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, | 439 | GNUNET_log (GNUNET_ERROR_TYPE_INFO, |
diff --git a/src/util/network.c b/src/util/network.c index 9e85a3be9..f7c1e53c1 100644 --- a/src/util/network.c +++ b/src/util/network.c | |||
@@ -451,6 +451,7 @@ GNUNET_NETWORK_socket_recvfrom_amount (const struct GNUNET_NETWORK_Handle | |||
451 | return GNUNET_NO; | 451 | return GNUNET_NO; |
452 | } | 452 | } |
453 | 453 | ||
454 | |||
454 | /** | 455 | /** |
455 | * Read data from a connected socket (always non-blocking). | 456 | * Read data from a connected socket (always non-blocking). |
456 | * @param desc socket | 457 | * @param desc socket |
@@ -774,12 +775,20 @@ GNUNET_NETWORK_fdset_copy (struct GNUNET_NETWORK_FDSet *to, | |||
774 | #endif | 775 | #endif |
775 | } | 776 | } |
776 | 777 | ||
778 | |||
779 | /** | ||
780 | * Return file descriptor for this network handle | ||
781 | * | ||
782 | * @param desc wrapper to process | ||
783 | * @return POSIX file descriptor | ||
784 | */ | ||
777 | int | 785 | int |
778 | GNUNET_NETWORK_get_fd (struct GNUNET_NETWORK_Handle *desc) | 786 | GNUNET_NETWORK_get_fd (struct GNUNET_NETWORK_Handle *desc) |
779 | { | 787 | { |
780 | return desc->fd; | 788 | return desc->fd; |
781 | } | 789 | } |
782 | 790 | ||
791 | |||
783 | /** | 792 | /** |
784 | * Copy a native fd set | 793 | * Copy a native fd set |
785 | * | 794 | * |
diff --git a/src/util/service.c b/src/util/service.c index ac90eb93b..0594149d9 100644 --- a/src/util/service.c +++ b/src/util/service.c | |||
@@ -512,6 +512,18 @@ struct GNUNET_SERVICE_Context | |||
512 | int require_found; | 512 | int require_found; |
513 | 513 | ||
514 | /** | 514 | /** |
515 | * Do we require a matching UID for UNIX domain socket | ||
516 | * connections? | ||
517 | */ | ||
518 | int match_uid; | ||
519 | |||
520 | /** | ||
521 | * Do we require a matching GID for UNIX domain socket | ||
522 | * connections? | ||
523 | */ | ||
524 | int match_gid; | ||
525 | |||
526 | /** | ||
515 | * Our options. | 527 | * Our options. |
516 | */ | 528 | */ |
517 | enum GNUNET_SERVICE_Options options; | 529 | enum GNUNET_SERVICE_Options options; |
@@ -579,9 +591,18 @@ static const struct GNUNET_SERVER_MessageHandler defhandlers[] = { | |||
579 | 591 | ||
580 | /** | 592 | /** |
581 | * Check if access to the service is allowed from the given address. | 593 | * Check if access to the service is allowed from the given address. |
594 | * | ||
595 | * @param cls closure | ||
596 | * @param uc credentials, if available, otherwise NULL | ||
597 | * @param addr address | ||
598 | * @param addrlen length of address | ||
599 | * @return GNUNET_YES to allow, GNUNET_NO to deny, GNUNET_SYSERR | ||
600 | * for unknown address family (will be denied). | ||
582 | */ | 601 | */ |
583 | static int | 602 | static int |
584 | check_access (void *cls, const struct sockaddr *addr, socklen_t addrlen) | 603 | check_access (void *cls, |
604 | const struct GNUNET_CONNECTION_Credentials *uc, | ||
605 | const struct sockaddr *addr, socklen_t addrlen) | ||
585 | { | 606 | { |
586 | struct GNUNET_SERVICE_Context *sctx = cls; | 607 | struct GNUNET_SERVICE_Context *sctx = cls; |
587 | const struct sockaddr_in *i4; | 608 | const struct sockaddr_in *i4; |
@@ -609,8 +630,23 @@ check_access (void *cls, const struct sockaddr *addr, socklen_t addrlen) | |||
609 | (!check_ipv6_listed (sctx->v6_denied, &i6->sin6_addr))); | 630 | (!check_ipv6_listed (sctx->v6_denied, &i6->sin6_addr))); |
610 | break; | 631 | break; |
611 | case AF_UNIX: | 632 | case AF_UNIX: |
612 | /* FIXME: support checking UID/GID in the future... */ | ||
613 | ret = GNUNET_OK; /* always OK for now */ | 633 | ret = GNUNET_OK; /* always OK for now */ |
634 | if ( (sctx->match_uid == GNUNET_YES) || | ||
635 | (sctx->match_gid == GNUNET_YES) ) | ||
636 | ret = GNUNET_NO; | ||
637 | if ( (uc != NULL) && | ||
638 | ( (sctx->match_uid != GNUNET_YES) || | ||
639 | (uc->uid == geteuid()) || | ||
640 | (uc->uid == getuid()) ) && | ||
641 | ( (sctx->match_gid != GNUNET_YES) || | ||
642 | (uc->gid == getegid()) || | ||
643 | (uc->gid == getgid())) ) | ||
644 | ret = GNUNET_YES; | ||
645 | else | ||
646 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
647 | _("Access denied to UID %d / GID %d\n"), | ||
648 | (uc == NULL) ? -1 : uc->uid, | ||
649 | (uc == NULL) ? -1 : uc->gid); | ||
614 | break; | 650 | break; |
615 | default: | 651 | default: |
616 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | 652 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, |
@@ -1187,7 +1223,12 @@ setup_service (struct GNUNET_SERVICE_Context *sctx) | |||
1187 | &sctx->addrlens)) ) | 1223 | &sctx->addrlens)) ) |
1188 | return GNUNET_SYSERR; | 1224 | return GNUNET_SYSERR; |
1189 | sctx->require_found = tolerant ? GNUNET_NO : GNUNET_YES; | 1225 | sctx->require_found = tolerant ? GNUNET_NO : GNUNET_YES; |
1190 | 1226 | sctx->match_uid = GNUNET_CONFIGURATION_get_value_yesno (sctx->cfg, | |
1227 | sctx->serviceName, | ||
1228 | "UNIX_MATCH_UID"); | ||
1229 | sctx->match_gid = GNUNET_CONFIGURATION_get_value_yesno (sctx->cfg, | ||
1230 | sctx->serviceName, | ||
1231 | "UNIX_MATCH_GID"); | ||
1191 | process_acl4 (&sctx->v4_denied, sctx, "REJECT_FROM"); | 1232 | process_acl4 (&sctx->v4_denied, sctx, "REJECT_FROM"); |
1192 | process_acl4 (&sctx->v4_allowed, sctx, "ACCEPT_FROM"); | 1233 | process_acl4 (&sctx->v4_allowed, sctx, "ACCEPT_FROM"); |
1193 | process_acl6 (&sctx->v6_denied, sctx, "REJECT_FROM6"); | 1234 | process_acl6 (&sctx->v6_denied, sctx, "REJECT_FROM6"); |