mirror of
https://github.com/openbsd/src.git
synced 2024-12-22 07:27:59 -08:00
c1f8818c70
If DNS lookup for a remote loghost configured in syslog.conf did not work at startup, the entry was ignored. Better retry the lookup in intervals until it succeeds. Improve debug output to print IP address after resolution. Unify retry code that resolves DNS for UDP and connects to TCP server. testing and feedback from Paul de Weerd; OK deraadt@
918 lines
23 KiB
C
918 lines
23 KiB
C
/* $OpenBSD: privsep.c,v 1.77 2023/10/12 22:36:54 bluhm Exp $ */
|
|
|
|
/*
|
|
* Copyright (c) 2003 Anil Madhavapeddy <anil@recoil.org>
|
|
* Copyright (c) 2016 Alexander Bluhm <bluhm@openbsd.org>
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
#include <sys/queue.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/wait.h>
|
|
|
|
#include <err.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <limits.h>
|
|
#include <netdb.h>
|
|
#include <paths.h>
|
|
#include <pwd.h>
|
|
#include <signal.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <utmp.h>
|
|
|
|
#include "log.h"
|
|
#include "syslogd.h"
|
|
|
|
/*
|
|
* syslogd can only go forward in these states; each state should represent
|
|
* less privilege. After STATE_INIT, the child is allowed to parse its
|
|
* config file once, and communicate the information regarding what logfiles
|
|
* it needs access to back to the parent. When that is done, it sends a
|
|
* message to the priv parent revoking this access, moving to STATE_RUNNING.
|
|
* In this state, any log-files not in the access list are rejected.
|
|
*
|
|
* This allows a HUP signal to the child to reopen its log files, and
|
|
* the config file to be parsed if it hasn't been changed (this is still
|
|
* useful to force resolution of remote syslog servers again).
|
|
* If the config file has been modified, then the child dies, and
|
|
* the priv parent restarts itself.
|
|
*/
|
|
enum priv_state {
|
|
STATE_INIT, /* just started up */
|
|
STATE_CONFIG, /* parsing config file for first time */
|
|
STATE_RUNNING, /* running and accepting network traffic */
|
|
STATE_QUIT /* shutting down */
|
|
};
|
|
|
|
enum cmd_types {
|
|
PRIV_OPEN_TTY, /* open terminal or console device */
|
|
PRIV_OPEN_LOG, /* open logfile for appending */
|
|
PRIV_OPEN_PIPE, /* fork & exec child that gets logs on stdin */
|
|
PRIV_OPEN_UTMP, /* open utmp for reading only */
|
|
PRIV_OPEN_CONFIG, /* open config file for reading only */
|
|
PRIV_CONFIG_MODIFIED, /* check if config file has been modified */
|
|
PRIV_GETADDRINFO, /* resolve host/service names */
|
|
PRIV_GETNAMEINFO, /* resolve numeric address into hostname */
|
|
PRIV_DONE_CONFIG_PARSE /* signal that initial config parse is done */
|
|
};
|
|
|
|
static int priv_fd = -1;
|
|
static volatile pid_t child_pid = -1;
|
|
static volatile sig_atomic_t cur_state = STATE_INIT;
|
|
|
|
/* Queue for the allowed logfiles */
|
|
struct logname {
|
|
char path[PATH_MAX];
|
|
TAILQ_ENTRY(logname) next;
|
|
};
|
|
static TAILQ_HEAD(, logname) lognames;
|
|
|
|
static void check_log_name(char *, size_t);
|
|
static int open_file(char *);
|
|
static int open_pipe(char *);
|
|
static void check_tty_name(char *, size_t);
|
|
static void increase_state(int);
|
|
static void sig_pass_to_chld(int);
|
|
static void sig_got_chld(int);
|
|
static void must_read(int, void *, size_t);
|
|
static void must_write(int, void *, size_t);
|
|
static int may_read(int, void *, size_t);
|
|
|
|
static struct passwd *pw;
|
|
|
|
void
|
|
priv_init(int lockfd, int nullfd, int argc, char *argv[])
|
|
{
|
|
int i, socks[2];
|
|
char *execpath, childnum[11], **privargv;
|
|
|
|
/* Create sockets */
|
|
if (socketpair(AF_LOCAL, SOCK_STREAM, PF_UNSPEC, socks) == -1)
|
|
err(1, "socketpair() failed");
|
|
|
|
pw = getpwnam("_syslogd");
|
|
if (pw == NULL)
|
|
errx(1, "unknown user _syslogd");
|
|
|
|
child_pid = fork();
|
|
if (child_pid == -1)
|
|
err(1, "fork() failed");
|
|
|
|
if (!child_pid) {
|
|
/* Child - drop privileges and return */
|
|
if (chroot(pw->pw_dir) != 0)
|
|
err(1, "chroot %s", pw->pw_dir);
|
|
if (chdir("/") != 0)
|
|
err(1, "chdir %s", pw->pw_dir);
|
|
|
|
if (setgroups(1, &pw->pw_gid) == -1)
|
|
err(1, "setgroups() failed");
|
|
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1)
|
|
err(1, "setresgid() failed");
|
|
if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
|
|
err(1, "setresuid() failed");
|
|
close(socks[0]);
|
|
priv_fd = socks[1];
|
|
return;
|
|
}
|
|
close(socks[1]);
|
|
|
|
if (strchr(argv[0], '/') == NULL)
|
|
execpath = argv[0];
|
|
else if ((execpath = realpath(argv[0], NULL)) == NULL)
|
|
err(1, "realpath %s", argv[0]);
|
|
if (chdir("/") != 0)
|
|
err(1, "chdir /");
|
|
|
|
if (!Debug) {
|
|
close(lockfd);
|
|
dup2(nullfd, STDIN_FILENO);
|
|
dup2(nullfd, STDOUT_FILENO);
|
|
dup2(nullfd, STDERR_FILENO);
|
|
}
|
|
if (nullfd > 2)
|
|
close(nullfd);
|
|
|
|
if (dup3(socks[0], 3, 0) == -1)
|
|
err(1, "dup3 priv sock failed");
|
|
if (closefrom(4) == -1)
|
|
err(1, "closefrom 4 failed");
|
|
|
|
snprintf(childnum, sizeof(childnum), "%d", child_pid);
|
|
if ((privargv = reallocarray(NULL, argc + 3, sizeof(char *))) == NULL)
|
|
err(1, "alloc priv argv failed");
|
|
privargv[0] = execpath;
|
|
for (i = 1; i < argc; i++)
|
|
privargv[i] = argv[i];
|
|
privargv[i++] = "-P";
|
|
privargv[i++] = childnum;
|
|
privargv[i++] = NULL;
|
|
execvp(privargv[0], privargv);
|
|
err(1, "exec priv '%s' failed", privargv[0]);
|
|
}
|
|
|
|
__dead void
|
|
priv_exec(char *conf, int numeric, int child, int argc, char *argv[])
|
|
{
|
|
int i, fd, sock, cmd, addr_len, result, restart;
|
|
size_t path_len, protoname_len, hostname_len, servname_len;
|
|
char path[PATH_MAX], protoname[5];
|
|
char hostname[NI_MAXHOST], servname[NI_MAXSERV];
|
|
struct sockaddr_storage addr;
|
|
struct stat cf_info, cf_stat;
|
|
struct addrinfo hints, *res0;
|
|
struct sigaction sa;
|
|
sigset_t sigmask;
|
|
|
|
/* Redo the password lookup after re-exec of the privsep parent. */
|
|
pw = getpwnam("_syslogd");
|
|
if (pw == NULL)
|
|
errx(1, "unknown user _syslogd");
|
|
|
|
if (unveil(conf, "r") == -1)
|
|
err(1, "unveil %s", conf);
|
|
if (unveil(_PATH_UTMP, "r") == -1)
|
|
err(1, "unveil %s", _PATH_UTMP);
|
|
if (unveil(_PATH_DEV, "rw") == -1)
|
|
err(1, "unveil %s", _PATH_DEV);
|
|
if (unveil(_PATH_LOGPID, "c") == -1)
|
|
err(1, "unveil %s", _PATH_LOGPID);
|
|
|
|
/* for pipes */
|
|
if (unveil(_PATH_BSHELL, "x") == -1)
|
|
err(1, "unveil %s", _PATH_BSHELL);
|
|
|
|
/* For HUP / re-exec */
|
|
if (unveil("/usr/sbin/syslogd", "x") == -1)
|
|
err(1, "unveil /usr/sbin/syslogd");
|
|
if (argv[0][0] == '/')
|
|
if (unveil(argv[0], "x") == -1)
|
|
err(1, "unveil %s", argv[0]);
|
|
|
|
if (pledge("stdio unveil rpath wpath cpath dns sendfd id proc exec",
|
|
NULL) == -1)
|
|
err(1, "pledge priv");
|
|
|
|
if (argc <= 2 || strcmp("-P", argv[argc - 2]) != 0)
|
|
errx(1, "exec without priv");
|
|
argv[argc -= 2] = NULL;
|
|
|
|
sock = 3;
|
|
closefrom(4);
|
|
|
|
child_pid = child;
|
|
|
|
memset(&sa, 0, sizeof(sa));
|
|
sigemptyset(&sa.sa_mask);
|
|
sa.sa_flags = SA_RESTART;
|
|
sa.sa_handler = SIG_DFL;
|
|
for (i = 1; i < _NSIG; i++)
|
|
sigaction(i, &sa, NULL);
|
|
|
|
/* Pass TERM/HUP/INT/QUIT through to child, and accept CHLD */
|
|
sa.sa_handler = sig_pass_to_chld;
|
|
sigaction(SIGTERM, &sa, NULL);
|
|
sigaction(SIGHUP, &sa, NULL);
|
|
sigaction(SIGINT, &sa, NULL);
|
|
sigaction(SIGQUIT, &sa, NULL);
|
|
sa.sa_handler = sig_got_chld;
|
|
sa.sa_flags |= SA_NOCLDSTOP;
|
|
sigaction(SIGCHLD, &sa, NULL);
|
|
|
|
setproctitle("[priv]");
|
|
log_debug("[priv]: fork+exec done");
|
|
|
|
sigemptyset(&sigmask);
|
|
if (sigprocmask(SIG_SETMASK, &sigmask, NULL) == -1)
|
|
err(1, "sigprocmask priv");
|
|
|
|
if (stat(conf, &cf_info) == -1)
|
|
err(1, "stat config file failed");
|
|
|
|
TAILQ_INIT(&lognames);
|
|
increase_state(STATE_CONFIG);
|
|
restart = 0;
|
|
|
|
while (cur_state < STATE_QUIT) {
|
|
if (may_read(sock, &cmd, sizeof(int)))
|
|
break;
|
|
switch (cmd) {
|
|
case PRIV_OPEN_TTY:
|
|
log_debug("[priv]: msg PRIV_OPEN_TTY received");
|
|
/* Expecting: length, path */
|
|
must_read(sock, &path_len, sizeof(size_t));
|
|
if (path_len == 0 || path_len > sizeof(path))
|
|
_exit(1);
|
|
must_read(sock, &path, path_len);
|
|
path[path_len - 1] = '\0';
|
|
check_tty_name(path, sizeof(path));
|
|
fd = open(path, O_WRONLY|O_NONBLOCK);
|
|
send_fd(sock, fd);
|
|
if (fd == -1)
|
|
warnx("priv_open_tty failed");
|
|
else
|
|
close(fd);
|
|
break;
|
|
|
|
case PRIV_OPEN_LOG:
|
|
case PRIV_OPEN_PIPE:
|
|
log_debug("[priv]: msg PRIV_OPEN_%s received",
|
|
cmd == PRIV_OPEN_PIPE ? "PIPE" : "LOG");
|
|
/* Expecting: length, path */
|
|
must_read(sock, &path_len, sizeof(size_t));
|
|
if (path_len == 0 || path_len > sizeof(path))
|
|
_exit(1);
|
|
must_read(sock, &path, path_len);
|
|
path[path_len - 1] = '\0';
|
|
check_log_name(path, sizeof(path));
|
|
|
|
if (cmd == PRIV_OPEN_LOG)
|
|
fd = open_file(path);
|
|
else if (cmd == PRIV_OPEN_PIPE)
|
|
fd = open_pipe(path);
|
|
else
|
|
errx(1, "invalid cmd");
|
|
|
|
send_fd(sock, fd);
|
|
if (fd == -1)
|
|
warnx("priv_open_log failed");
|
|
else
|
|
close(fd);
|
|
break;
|
|
|
|
case PRIV_OPEN_UTMP:
|
|
log_debug("[priv]: msg PRIV_OPEN_UTMP received");
|
|
fd = open(_PATH_UTMP, O_RDONLY|O_NONBLOCK);
|
|
send_fd(sock, fd);
|
|
if (fd == -1)
|
|
warnx("priv_open_utmp failed");
|
|
else
|
|
close(fd);
|
|
break;
|
|
|
|
case PRIV_OPEN_CONFIG:
|
|
log_debug("[priv]: msg PRIV_OPEN_CONFIG received");
|
|
stat(conf, &cf_info);
|
|
fd = open(conf, O_RDONLY|O_NONBLOCK);
|
|
send_fd(sock, fd);
|
|
if (fd == -1)
|
|
warnx("priv_open_config failed");
|
|
else
|
|
close(fd);
|
|
break;
|
|
|
|
case PRIV_CONFIG_MODIFIED:
|
|
log_debug("[priv]: msg PRIV_CONFIG_MODIFIED received");
|
|
if (stat(conf, &cf_stat) == -1 ||
|
|
timespeccmp(&cf_info.st_mtim,
|
|
&cf_stat.st_mtim, <) ||
|
|
cf_info.st_size != cf_stat.st_size) {
|
|
log_debug("config file modified: restarting");
|
|
restart = result = 1;
|
|
must_write(sock, &result, sizeof(int));
|
|
} else {
|
|
result = 0;
|
|
must_write(sock, &result, sizeof(int));
|
|
}
|
|
break;
|
|
|
|
case PRIV_DONE_CONFIG_PARSE:
|
|
if (pledge("stdio rpath wpath cpath dns sendfd id proc exec",
|
|
NULL) == -1)
|
|
err(1, "pledge done config");
|
|
log_debug("[priv]: msg PRIV_DONE_CONFIG_PARSE "
|
|
"received");
|
|
increase_state(STATE_RUNNING);
|
|
break;
|
|
|
|
case PRIV_GETADDRINFO:
|
|
log_debug("[priv]: msg PRIV_GETADDRINFO received");
|
|
/* Expecting: len, proto, len, host, len, serv */
|
|
must_read(sock, &protoname_len, sizeof(size_t));
|
|
if (protoname_len == 0 ||
|
|
protoname_len > sizeof(protoname))
|
|
_exit(1);
|
|
must_read(sock, &protoname, protoname_len);
|
|
protoname[protoname_len - 1] = '\0';
|
|
|
|
must_read(sock, &hostname_len, sizeof(size_t));
|
|
if (hostname_len == 0 ||
|
|
hostname_len > sizeof(hostname))
|
|
_exit(1);
|
|
must_read(sock, &hostname, hostname_len);
|
|
hostname[hostname_len - 1] = '\0';
|
|
|
|
must_read(sock, &servname_len, sizeof(size_t));
|
|
if (servname_len == 0 ||
|
|
servname_len > sizeof(servname))
|
|
_exit(1);
|
|
must_read(sock, &servname, servname_len);
|
|
servname[servname_len - 1] = '\0';
|
|
|
|
memset(&hints, 0, sizeof(hints));
|
|
switch (strlen(protoname)) {
|
|
case 3:
|
|
hints.ai_family = AF_UNSPEC;
|
|
break;
|
|
case 4:
|
|
switch (protoname[3]) {
|
|
case '4':
|
|
hints.ai_family = AF_INET;
|
|
break;
|
|
case '6':
|
|
hints.ai_family = AF_INET6;
|
|
break;
|
|
default:
|
|
errx(1, "bad ip version %s", protoname);
|
|
}
|
|
break;
|
|
default:
|
|
errx(1, "bad protocol length %s", protoname);
|
|
}
|
|
if (strncmp(protoname, "udp", 3) == 0) {
|
|
hints.ai_socktype = SOCK_DGRAM;
|
|
hints.ai_protocol = IPPROTO_UDP;
|
|
} else if (strncmp(protoname, "tcp", 3) == 0) {
|
|
hints.ai_socktype = SOCK_STREAM;
|
|
hints.ai_protocol = IPPROTO_TCP;
|
|
} else {
|
|
errx(1, "unknown protocol %s", protoname);
|
|
}
|
|
i = getaddrinfo(hostname, servname, &hints, &res0);
|
|
if (i != 0 || res0 == NULL) {
|
|
addr_len = 0;
|
|
must_write(sock, &addr_len, sizeof(int));
|
|
} else {
|
|
/* Just send the first address */
|
|
i = res0->ai_addrlen;
|
|
must_write(sock, &i, sizeof(int));
|
|
must_write(sock, res0->ai_addr, i);
|
|
freeaddrinfo(res0);
|
|
}
|
|
break;
|
|
|
|
case PRIV_GETNAMEINFO:
|
|
log_debug("[priv]: msg PRIV_GETNAMEINFO received");
|
|
if (numeric)
|
|
errx(1, "rejected attempt to getnameinfo");
|
|
/* Expecting: length, sockaddr */
|
|
must_read(sock, &addr_len, sizeof(int));
|
|
if (addr_len <= 0 || (size_t)addr_len > sizeof(addr))
|
|
_exit(1);
|
|
must_read(sock, &addr, addr_len);
|
|
if (getnameinfo((struct sockaddr *)&addr, addr_len,
|
|
hostname, sizeof(hostname), NULL, 0,
|
|
NI_NOFQDN|NI_NAMEREQD|NI_DGRAM) != 0) {
|
|
addr_len = 0;
|
|
must_write(sock, &addr_len, sizeof(int));
|
|
} else {
|
|
addr_len = strlen(hostname) + 1;
|
|
must_write(sock, &addr_len, sizeof(int));
|
|
must_write(sock, hostname, addr_len);
|
|
}
|
|
break;
|
|
default:
|
|
errx(1, "unknown command %d", cmd);
|
|
break;
|
|
}
|
|
}
|
|
|
|
close(sock);
|
|
|
|
if (restart) {
|
|
int status;
|
|
|
|
waitpid(child_pid, &status, 0);
|
|
sigemptyset(&sigmask);
|
|
sigaddset(&sigmask, SIGHUP);
|
|
if (sigprocmask(SIG_SETMASK, &sigmask, NULL) == -1)
|
|
err(1, "sigprocmask exec");
|
|
execvp(argv[0], argv);
|
|
err(1, "exec restart '%s' failed", argv[0]);
|
|
}
|
|
unlink(_PATH_LOGPID);
|
|
exit(0);
|
|
}
|
|
|
|
static int
|
|
open_file(char *path)
|
|
{
|
|
/* must not start with | */
|
|
if (path[0] == '|')
|
|
return (-1);
|
|
|
|
return (open(path, O_WRONLY|O_APPEND|O_NONBLOCK));
|
|
}
|
|
|
|
static int
|
|
open_pipe(char *cmd)
|
|
{
|
|
char *argp[] = {"sh", "-c", NULL, NULL};
|
|
int fd[2];
|
|
int bsize, flags;
|
|
pid_t pid;
|
|
|
|
/* skip over leading | and whitespace */
|
|
if (cmd[0] != '|')
|
|
return (-1);
|
|
for (cmd++; *cmd && *cmd == ' '; cmd++)
|
|
; /* nothing */
|
|
if (!*cmd)
|
|
return (-1);
|
|
|
|
argp[2] = cmd;
|
|
|
|
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, fd) == -1) {
|
|
warnx("open_pipe");
|
|
return (-1);
|
|
}
|
|
|
|
/* make the fd on syslogd's side nonblocking */
|
|
if ((flags = fcntl(fd[1], F_GETFL)) == -1) {
|
|
warnx("fcntl");
|
|
return (-1);
|
|
}
|
|
flags |= O_NONBLOCK;
|
|
if ((flags = fcntl(fd[1], F_SETFL, flags)) == -1) {
|
|
warnx("fcntl");
|
|
return (-1);
|
|
}
|
|
|
|
switch (pid = fork()) {
|
|
case -1:
|
|
warnx("fork error");
|
|
return (-1);
|
|
case 0:
|
|
break;
|
|
default:
|
|
close(fd[0]);
|
|
return (fd[1]);
|
|
}
|
|
|
|
close(fd[1]);
|
|
|
|
/* grow receive buffer */
|
|
bsize = 65535;
|
|
while (bsize > 0 && setsockopt(fd[0], SOL_SOCKET, SO_RCVBUF,
|
|
&bsize, sizeof(bsize)) == -1)
|
|
bsize /= 2;
|
|
|
|
if (setgroups(1, &pw->pw_gid) == -1 ||
|
|
setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1 ||
|
|
setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) == -1)
|
|
err(1, "failure dropping privs");
|
|
|
|
if (dup2(fd[0], STDIN_FILENO) == -1)
|
|
err(1, "dup2 failed");
|
|
closefrom(STDERR_FILENO + 1);
|
|
if (execv("/bin/sh", argp) == -1)
|
|
err(1, "execv %s", cmd);
|
|
/* NOTREACHED */
|
|
return (-1);
|
|
}
|
|
|
|
/* Check that the terminal device is ok, and if not, rewrite to /dev/null.
|
|
* Either /dev/console or /dev/tty* are allowed.
|
|
*/
|
|
static void
|
|
check_tty_name(char *tty, size_t ttysize)
|
|
{
|
|
const char ttypre[] = "/dev/tty";
|
|
char *p;
|
|
|
|
/* Any path containing '..' is invalid. */
|
|
for (p = tty; p + 1 < tty + ttysize && *p; p++)
|
|
if (*p == '.' && *(p + 1) == '.')
|
|
goto bad_path;
|
|
|
|
if (strcmp(_PATH_CONSOLE, tty) && strncmp(tty, ttypre, strlen(ttypre)))
|
|
goto bad_path;
|
|
return;
|
|
|
|
bad_path:
|
|
warnx ("%s: invalid attempt to open %s: rewriting to /dev/null",
|
|
"check_tty_name", tty);
|
|
strlcpy(tty, "/dev/null", ttysize);
|
|
}
|
|
|
|
/* If we are in the initial configuration state, accept a logname and add
|
|
* it to the list of acceptable logfiles. Otherwise, check against this list
|
|
* and rewrite to /dev/null if it's a bad path.
|
|
*/
|
|
static void
|
|
check_log_name(char *lognam, size_t logsize)
|
|
{
|
|
struct logname *lg;
|
|
char *p;
|
|
|
|
/* Any path containing '..' is invalid. */
|
|
for (p = lognam; p + 1 < lognam + logsize && *p; p++)
|
|
if (*p == '.' && *(p + 1) == '.')
|
|
goto bad_path;
|
|
|
|
switch (cur_state) {
|
|
case STATE_CONFIG:
|
|
lg = malloc(sizeof(struct logname));
|
|
if (!lg)
|
|
err(1, "check_log_name() malloc");
|
|
strlcpy(lg->path, lognam, PATH_MAX);
|
|
TAILQ_INSERT_TAIL(&lognames, lg, next);
|
|
if (lognam[0] != '|') {
|
|
if (unveil(lognam, "w") == -1)
|
|
goto bad_path;
|
|
}
|
|
break;
|
|
case STATE_RUNNING:
|
|
TAILQ_FOREACH(lg, &lognames, next)
|
|
if (!strcmp(lg->path, lognam))
|
|
return;
|
|
goto bad_path;
|
|
break;
|
|
default:
|
|
/* Any other state should just refuse the request */
|
|
goto bad_path;
|
|
break;
|
|
}
|
|
return;
|
|
|
|
bad_path:
|
|
warnx("%s: invalid attempt to open %s: rewriting to /dev/null",
|
|
"check_log_name", lognam);
|
|
strlcpy(lognam, "/dev/null", logsize);
|
|
}
|
|
|
|
/* Crank our state into less permissive modes */
|
|
static void
|
|
increase_state(int state)
|
|
{
|
|
if (state <= cur_state)
|
|
errx(1, "attempt to decrease or match current state");
|
|
if (state < STATE_INIT || state > STATE_QUIT)
|
|
errx(1, "attempt to switch to invalid state");
|
|
cur_state = state;
|
|
}
|
|
|
|
/* Open console or a terminal device for writing */
|
|
int
|
|
priv_open_tty(const char *tty)
|
|
{
|
|
char path[PATH_MAX];
|
|
int cmd, fd;
|
|
size_t path_len;
|
|
|
|
if (priv_fd < 0)
|
|
errx(1, "%s: called from privileged portion", __func__);
|
|
|
|
if (strlcpy(path, tty, sizeof path) >= sizeof(path))
|
|
return -1;
|
|
path_len = strlen(path) + 1;
|
|
|
|
cmd = PRIV_OPEN_TTY;
|
|
must_write(priv_fd, &cmd, sizeof(int));
|
|
must_write(priv_fd, &path_len, sizeof(size_t));
|
|
must_write(priv_fd, path, path_len);
|
|
fd = receive_fd(priv_fd);
|
|
return fd;
|
|
}
|
|
|
|
/* Open log-file */
|
|
int
|
|
priv_open_log(const char *lognam)
|
|
{
|
|
char path[PATH_MAX];
|
|
int cmd, fd;
|
|
size_t path_len;
|
|
|
|
if (priv_fd < 0)
|
|
errx(1, "%s: called from privileged child", __func__);
|
|
|
|
if (strlcpy(path, lognam, sizeof path) >= sizeof(path))
|
|
return -1;
|
|
path_len = strlen(path) + 1;
|
|
|
|
if (lognam[0] == '|')
|
|
cmd = PRIV_OPEN_PIPE;
|
|
else
|
|
cmd = PRIV_OPEN_LOG;
|
|
must_write(priv_fd, &cmd, sizeof(int));
|
|
must_write(priv_fd, &path_len, sizeof(size_t));
|
|
must_write(priv_fd, path, path_len);
|
|
fd = receive_fd(priv_fd);
|
|
return fd;
|
|
}
|
|
|
|
/* Open utmp for reading */
|
|
FILE *
|
|
priv_open_utmp(void)
|
|
{
|
|
int cmd, fd;
|
|
FILE *fp;
|
|
|
|
if (priv_fd < 0)
|
|
errx(1, "%s: called from privileged portion", __func__);
|
|
|
|
cmd = PRIV_OPEN_UTMP;
|
|
must_write(priv_fd, &cmd, sizeof(int));
|
|
fd = receive_fd(priv_fd);
|
|
if (fd < 0)
|
|
return NULL;
|
|
|
|
fp = fdopen(fd, "r");
|
|
if (!fp) {
|
|
warn("priv_open_utmp: fdopen() failed");
|
|
close(fd);
|
|
return NULL;
|
|
}
|
|
|
|
return fp;
|
|
}
|
|
|
|
/* Open syslog config file for reading */
|
|
FILE *
|
|
priv_open_config(void)
|
|
{
|
|
int cmd, fd;
|
|
FILE *fp;
|
|
|
|
if (priv_fd < 0)
|
|
errx(1, "%s: called from privileged portion", __func__);
|
|
|
|
cmd = PRIV_OPEN_CONFIG;
|
|
must_write(priv_fd, &cmd, sizeof(int));
|
|
fd = receive_fd(priv_fd);
|
|
if (fd < 0)
|
|
return NULL;
|
|
|
|
fp = fdopen(fd, "r");
|
|
if (!fp) {
|
|
warn("priv_open_config: fdopen() failed");
|
|
close(fd);
|
|
return NULL;
|
|
}
|
|
|
|
return fp;
|
|
}
|
|
|
|
/* Ask if config file has been modified since last attempt to read it */
|
|
int
|
|
priv_config_modified(void)
|
|
{
|
|
int cmd, res;
|
|
|
|
if (priv_fd < 0)
|
|
errx(1, "%s: called from privileged portion", __func__);
|
|
|
|
cmd = PRIV_CONFIG_MODIFIED;
|
|
must_write(priv_fd, &cmd, sizeof(int));
|
|
|
|
/* Expect back integer signalling 1 for modification */
|
|
must_read(priv_fd, &res, sizeof(int));
|
|
return res;
|
|
}
|
|
|
|
/* Child can signal that its initial parsing is done, so that parent
|
|
* can revoke further logfile permissions. This call only works once. */
|
|
void
|
|
priv_config_parse_done(void)
|
|
{
|
|
int cmd;
|
|
|
|
if (priv_fd < 0)
|
|
errx(1, "%s: called from privileged portion", __func__);
|
|
|
|
cmd = PRIV_DONE_CONFIG_PARSE;
|
|
must_write(priv_fd, &cmd, sizeof(int));
|
|
}
|
|
|
|
/* Name/service to address translation. Response is placed into addr.
|
|
* Return 0 for success or < 0 for error like getaddrinfo(3) */
|
|
int
|
|
priv_getaddrinfo(const char *proto, const char *host, const char *serv,
|
|
struct sockaddr *addr, size_t addr_len)
|
|
{
|
|
char protocpy[5], hostcpy[NI_MAXHOST], servcpy[NI_MAXSERV];
|
|
int cmd, ret_len;
|
|
size_t protoname_len, hostname_len, servname_len;
|
|
|
|
if (priv_fd < 0)
|
|
errx(1, "%s: called from privileged portion", __func__);
|
|
|
|
if (strlcpy(protocpy, proto, sizeof(protocpy)) >= sizeof(protocpy))
|
|
errx(1, "%s: overflow attempt in protoname", __func__);
|
|
protoname_len = strlen(protocpy) + 1;
|
|
if (strlcpy(hostcpy, host, sizeof(hostcpy)) >= sizeof(hostcpy))
|
|
errx(1, "%s: overflow attempt in hostname", __func__);
|
|
hostname_len = strlen(hostcpy) + 1;
|
|
if (strlcpy(servcpy, serv, sizeof(servcpy)) >= sizeof(servcpy))
|
|
errx(1, "%s: overflow attempt in servname", __func__);
|
|
servname_len = strlen(servcpy) + 1;
|
|
|
|
cmd = PRIV_GETADDRINFO;
|
|
must_write(priv_fd, &cmd, sizeof(int));
|
|
must_write(priv_fd, &protoname_len, sizeof(size_t));
|
|
must_write(priv_fd, protocpy, protoname_len);
|
|
must_write(priv_fd, &hostname_len, sizeof(size_t));
|
|
must_write(priv_fd, hostcpy, hostname_len);
|
|
must_write(priv_fd, &servname_len, sizeof(size_t));
|
|
must_write(priv_fd, servcpy, servname_len);
|
|
|
|
/* Expect back an integer size, and then a string of that length */
|
|
must_read(priv_fd, &ret_len, sizeof(int));
|
|
|
|
/* Check there was no error (indicated by a return of 0) */
|
|
if (!ret_len)
|
|
return (-1);
|
|
|
|
/* Make sure we aren't overflowing the passed in buffer */
|
|
if (ret_len < 0 || (size_t)ret_len > addr_len)
|
|
errx(1, "%s: overflow attempt in return", __func__);
|
|
|
|
/* Read the resolved address and make sure we got all of it */
|
|
memset(addr, '\0', addr_len);
|
|
must_read(priv_fd, addr, ret_len);
|
|
|
|
return (0);
|
|
}
|
|
|
|
/* Reverse address resolution; response is placed into host.
|
|
* Return 0 for success or < 0 for error like getnameinfo(3) */
|
|
int
|
|
priv_getnameinfo(struct sockaddr *sa, socklen_t salen, char *host,
|
|
size_t hostlen)
|
|
{
|
|
int cmd, ret_len;
|
|
|
|
if (priv_fd < 0)
|
|
errx(1, "%s called from privileged portion", __func__);
|
|
|
|
cmd = PRIV_GETNAMEINFO;
|
|
must_write(priv_fd, &cmd, sizeof(int));
|
|
must_write(priv_fd, &salen, sizeof(int));
|
|
must_write(priv_fd, sa, salen);
|
|
|
|
/* Expect back an integer size, and then a string of that length */
|
|
must_read(priv_fd, &ret_len, sizeof(int));
|
|
|
|
/* Check there was no error (indicated by a return of 0) */
|
|
if (!ret_len)
|
|
return (-1);
|
|
|
|
/* Check we don't overflow the passed in buffer */
|
|
if (ret_len < 0 || (size_t)ret_len > hostlen)
|
|
errx(1, "%s: overflow attempt in return", __func__);
|
|
|
|
/* Read the resolved hostname */
|
|
must_read(priv_fd, host, ret_len);
|
|
return (0);
|
|
}
|
|
|
|
/* Pass the signal through to child */
|
|
static void
|
|
sig_pass_to_chld(int sig)
|
|
{
|
|
int save_errno = errno;
|
|
|
|
if (child_pid != -1)
|
|
kill(child_pid, sig);
|
|
errno = save_errno;
|
|
}
|
|
|
|
/* When child dies, move into the shutdown state */
|
|
static void
|
|
sig_got_chld(int sig)
|
|
{
|
|
int save_errno = errno;
|
|
pid_t pid;
|
|
|
|
do {
|
|
pid = waitpid(WAIT_ANY, NULL, WNOHANG);
|
|
if (pid == child_pid && cur_state < STATE_QUIT)
|
|
cur_state = STATE_QUIT;
|
|
} while (pid > 0 || (pid == -1 && errno == EINTR));
|
|
errno = save_errno;
|
|
}
|
|
|
|
/* Read all data or return 1 for error. */
|
|
static int
|
|
may_read(int fd, void *buf, size_t n)
|
|
{
|
|
char *s = buf;
|
|
ssize_t res;
|
|
size_t pos = 0;
|
|
|
|
while (n > pos) {
|
|
res = read(fd, s + pos, n - pos);
|
|
switch (res) {
|
|
case -1:
|
|
if (errno == EINTR || errno == EAGAIN)
|
|
continue;
|
|
case 0:
|
|
return (1);
|
|
default:
|
|
pos += res;
|
|
}
|
|
}
|
|
return (0);
|
|
}
|
|
|
|
/* Read data with the assertion that it all must come through, or
|
|
* else abort the process. Based on atomicio() from openssh. */
|
|
static void
|
|
must_read(int fd, void *buf, size_t n)
|
|
{
|
|
char *s = buf;
|
|
ssize_t res;
|
|
size_t pos = 0;
|
|
|
|
while (n > pos) {
|
|
res = read(fd, s + pos, n - pos);
|
|
switch (res) {
|
|
case -1:
|
|
if (errno == EINTR || errno == EAGAIN)
|
|
continue;
|
|
case 0:
|
|
_exit(1);
|
|
default:
|
|
pos += res;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* Write data with the assertion that it all has to be written, or
|
|
* else abort the process. Based on atomicio() from openssh. */
|
|
static void
|
|
must_write(int fd, void *buf, size_t n)
|
|
{
|
|
char *s = buf;
|
|
ssize_t res;
|
|
size_t pos = 0;
|
|
|
|
while (n > pos) {
|
|
res = write(fd, s + pos, n - pos);
|
|
switch (res) {
|
|
case -1:
|
|
if (errno == EINTR || errno == EAGAIN)
|
|
continue;
|
|
case 0:
|
|
_exit(1);
|
|
default:
|
|
pos += res;
|
|
}
|
|
}
|
|
}
|