emo/ndhc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Convert to using shared ncmlib.

Browse Source
This commit is contained in:
Nicholas J. Kain
2010-11-12 05:42:07 -05:00
parent b42eeb8847
commit b882669f85
31 changed files with 149 additions and 716 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ifchd/CMakeLists.txt
View File

@@ -5,13 +5,7 @@ cmake_minimum_required (VERSION 2.6)
set(IFCHD_SRCS
ifchd.c
linux.c
strlist.c
signals.c
pidfile.c
chroot.c
nstrl.c
log.c
)
add_executable(ifchd ${IFCHD_SRCS})
#target_link_libraries(ifchd ncmlib)
target_link_libraries(ifchd ncmlib)

14
ifchd/README.ifchd
View File

@@ -181,11 +181,11 @@ usually requiring calls to the catch-all ioctl(), and will almost certainly
require platform-dependent code.
Some standard C libraries include a native implementation of strlcpy() and
strlcat(). Such defines may conflict with my implementations in
nstrl.c/nstrl.h. It is up to the user whether the standard C library
implementations should be used. Note that some machines implement strlcpy()
and strlcat() with nonstandard semantics (notably Solaris). On these systems,
using the system-provided implementations may lead to security problems. Such
problems are the fault of the vendor. If you are unsure whether your system is
correct or not, I suggest using the implementation that I provide.
strlcat(). Such defines may conflict with my implementations in strl.c/strl.h.
It is up to the user whether the standard C library implementations should be
used. Note that some machines implement strlcpy() and strlcat() with
nonstandard semantics (notably Solaris). On these systems, using the
system-provided implementations may lead to security problems. Such problems
are the fault of the vendor. If you are unsure whether your system is correct
or not, I suggest using the implementation that I provide.

42
ifchd/chroot.c
View File

@@ -1,42 +0,0 @@
/* chroot.c - chroots ncron jobs
(C) 2003 Nicholas J. Kain <njk@aerifal.cx>
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#include <unistd.h>
#include <stdlib.h>
#include "log.h"
void imprison(char *path)
{
int ret;
if (path == NULL)
return;
ret = chdir(path);
if (ret) {
log_line("Failed to chdir(%s). Not invoking job.", path);
exit(EXIT_FAILURE);
}
ret = chroot(path);
if (ret) {
log_line("Failed to chroot(%s). Not invoking job.", path);
exit(EXIT_FAILURE);
}
}

21
ifchd/chroot.h
View File

@@ -1,21 +0,0 @@
/* chroot.h - include file for chroot.c
(C) 2003 Nicholas J. Kain <njk@aerifal.cx>
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#ifndef NJK_CHROOT_H_
#define NJK_CHROOT_H_ 1
void imprison(char *path);
#endif

80
ifchd/ifchd.c
View File

@@ -1,5 +1,5 @@
/* ifchd.c - interface change daemon
* Time-stamp: <2010-11-12 04:28:47 njk>
* Time-stamp: <2010-11-12 05:14:29 njk>
*
* (C) 2004 Nicholas J. Kain <njk@aerifal.cx>
*
@@ -41,13 +41,14 @@
#include <getopt.h>
#include "defines.h"
#include "malloc.h"
#include "log.h"
#include "chroot.h"
#include "pidfile.h"
#include "signals.h"
#include "strlist.h"
#include "ifproto.h"
#include "nstrl.h"
#include "strl.h"
#include "linux.h"
enum states {
@@ -117,21 +118,12 @@ static void fix_signals(void) {
hook_signal(SIGTERM, sighandler, 0);
}
static void suicide(char *errmsg, const char *perrmsg, int status)
{
if (errmsg)
log_line(errmsg);
if (!gflags_detach && perrmsg)
perror(perrmsg);
exit(status);
}
static void die_nulstr(strlist_t *p)
{
if (!p)
suicide("FATAL - NULL passed to die_nulstr\n", NULL, EXIT_FAILURE);
suicide("FATAL - NULL passed to die_nulstr");
if (!p->str)
suicide("FATAL - NULL string in strlist\n", NULL, EXIT_FAILURE);
suicide("FATAL - NULL string in strlist");
}
static void safe_write(int fd, const char *buf, int len)
@@ -144,7 +136,7 @@ static void safe_write(int fd, const char *buf, int len)
if (errno == EINTR)
goto retry;
else
suicide("write returned error\n", NULL, EXIT_FAILURE);
suicide("write returned error");
} else {
len -= r;
goto retry;
@@ -230,7 +222,7 @@ static void parse_list(int idx, char *str, strlist_t **toplist,
n[i] = *p;
if (*p == ' ')
++p;
add_to_strlist(n, &newn);
add_to_strlist(&newn, n);
}
if (newn) {
@@ -352,11 +344,7 @@ static int stream_onto_list(int i)
s = e + 1;
continue;
}
curl[i] = malloc(sizeof(strlist_t));
if (curl[i] == NULL)
suicide("FATAL - malloc failed\n", "malloc",
EXIT_FAILURE);
curl[i] = xmalloc(sizeof(strlist_t));
if (head[i] == NULL) {
head[i] = curl[i];
@@ -367,11 +355,7 @@ static int stream_onto_list(int i)
if (last[i] != NULL)
last[i]->next = curl[i];
curl[i]->str = malloc(e - s + 1);
if (curl[i]->str == NULL)
suicide("FATAL - malloc failed\n", "malloc",
EXIT_FAILURE);
curl[i]->str = xmalloc(e - s + 1);
strlcpy(curl[i]->str, ibuf[i] + s, e - s);
last[i] = curl[i];
@@ -539,24 +523,20 @@ static int get_listen(void)
lsock = socket(PF_UNIX, SOCK_STREAM, 0);
if (lsock == -1)
suicide("FATAL - failed to create socket\n",
"dispatch_work - socket", EXIT_FAILURE);
suicide("dispatch_work - failed to create socket");
fcntl(lsock, F_SETFL, O_NONBLOCK);
(void) unlink(COMM_SOCKET_PATH);
ret = bind(lsock, (struct sockaddr *) &lsock_addr, sizeof(lsock_addr));
if (ret)
suicide("FATAL - failed to bind socket\n",
"dispatch_work - bind", EXIT_FAILURE);
suicide("dispatch_work - failed to bind socket");
ret = chmod(COMM_SOCKET_PATH, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
if (ret)
suicide("FATAL - failed to chmod socket\n",
"dispatch_work - chmod", EXIT_FAILURE);
suicide("dispatch_work - failed to chmod socket");
ret = listen(lsock, SOCK_QUEUE);
if (ret)
suicide("FATAL - failed to listen on socket\n",
"dispatch_work - listen", EXIT_FAILURE);
suicide("dispatch_work - failed to listen on socket");
return lsock;
}
@@ -652,8 +632,7 @@ static void dispatch_work(void)
case -1:
if (pending_exit == 1)
return;
suicide("FATAL - select returned an error!\n",
"dispatch_work - select", EXIT_FAILURE);
suicide("dispatch_work - select returned an error!");
break;
}
@@ -725,7 +704,9 @@ dispatch_work_read_again:
}
int main(int argc, char** argv) {
int c, t, uid = 0, gid = 0;
int c, t;
uid_t uid = 0;
gid_t gid = 0;
char pidfile[MAX_PATH_LENGTH] = PID_FILE_DEFAULT;
char chrootd[MAX_PATH_LENGTH] = "";
char resolv_conf_d[MAX_PATH_LENGTH] = "";
@@ -832,8 +813,7 @@ int main(int argc, char** argv) {
uid = (int)pws->pw_uid;
if (!gid)
gid = (int)pws->pw_gid;
} else suicide("FATAL - Invalid uid specified.\n", NULL,
EXIT_FAILURE);
} else suicide("FATAL - Invalid uid specified.");
} else
uid = t;
break;
@@ -844,8 +824,8 @@ int main(int argc, char** argv) {
grp = getgrnam(optarg);
if (grp) {
gid = (int)grp->gr_gid;
} else suicide("FATAL - Invalid gid specified.\n", NULL,
EXIT_FAILURE);
} else
suicide("FATAL - Invalid gid specified.");
} else
gid = t;
break;
@@ -858,8 +838,8 @@ int main(int argc, char** argv) {
peer_uid = (int)pws->pw_uid;
if (!peer_gid)
peer_gid = (int)pws->pw_gid;
} else suicide("FATAL - Invalid uid specified.\n", NULL,
EXIT_FAILURE);
} else
suicide("FATAL - Invalid uid specified.");
} else
peer_uid = t;
break;
@@ -870,8 +850,8 @@ int main(int argc, char** argv) {
grp = getgrnam(optarg);
if (grp) {
peer_gid = (int)grp->gr_gid;
} else suicide("FATAL - Invalid gid specified.\n", NULL,
EXIT_FAILURE);
} else
suicide("FATAL - Invalid gid specified.");
} else
peer_gid = t;
break;
@@ -889,8 +869,7 @@ int main(int argc, char** argv) {
}
if (getuid())
suicide("FATAL - I need root for CAP_NET_ADMIN and chroot!\n",
NULL, EXIT_FAILURE);
suicide("FATAL - I need root for CAP_NET_ADMIN and chroot!");
if (gflags_detach)
if (daemon(0,0)) {
@@ -916,18 +895,17 @@ int main(int argc, char** argv) {
resolv_conf_fd = open(resolv_conf_d, O_RDWR | O_CREAT, 644);
umask(077);
if (resolv_conf_fd == -1) {
suicide("FATAL - unable to open resolv.conf\n",
"main - open", EXIT_FAILURE);
suicide("FATAL - unable to open resolv.conf");
}
}
if (!strncmp(chrootd, "", MAX_PATH_LENGTH))
suicide("FATAL - No chroot path specified. Refusing to run.\n",
NULL, EXIT_FAILURE);
suicide("FATAL - No chroot path specified. Refusing to run.");
/* Note that failure cases are handled by called fns. */
imprison(chrootd);
drop_root(uid, gid, "cap_net_admin=ep");
set_cap(uid, gid, "cap_net_admin=ep");
drop_root(uid, gid);
/* Cover our tracks... */
memset(chrootd, '\0', sizeof(chrootd));

29
ifchd/linux.c
View File

@@ -1,5 +1,5 @@
/* linux.c - ifchd Linux-specific functions
* Time-stamp: <2004-06-14 njk>
* Time-stamp: <2010-11-12 05:14:52 njk>
*
* (C) 2004 Nicholas J. Kain <njk@aerifal.cx>
*
@@ -44,7 +44,7 @@
#include "log.h"
#include "strlist.h"
#include "ifproto.h"
#include "nstrl.h"
#include "strl.h"
/* Symbolic name of the interface associated with a connection. */
static char ifnam[SOCK_QUEUE][IFNAMSIZ];
@@ -70,7 +70,7 @@ void add_permitted_if(char *s)
{
if (!s)
return;
add_to_strlist(s, &okif);
add_to_strlist(&okif, s);
}
/* Checks if changes are permitted to a given interface. 1 == allowed */
@@ -334,7 +334,7 @@ void perform_broadcast(int idx, char *str)
close(fd);
}
static void set_cap(uid_t uid, gid_t gid, char *captxt)
void set_cap(uid_t uid, gid_t gid, char *captxt)
{
cap_t caps;
@@ -371,24 +371,3 @@ static void set_cap(uid_t uid, gid_t gid, char *captxt)
cap_free(caps);
}
void drop_root(uid_t uid, gid_t gid, char *captxt)
{
if (!captxt) {
log_line("FATAL - drop_root: captxt == NULL\n");
exit(EXIT_FAILURE);
}
if (uid == 0 || gid == 0) {
log_line("FATAL - drop_root: attempt to drop root to root?\n");
exit(EXIT_FAILURE);
}
set_cap(uid, gid, captxt);
if (setregid(gid, gid) == -1 || setreuid(uid, uid) == -1) {
log_line("FATAL - drop_root: failed to drop root!\n");
exit(EXIT_FAILURE);
}
}

4
ifchd/linux.h
View File

@@ -1,5 +1,5 @@
/* linux.h - ifchd Linux-specific functions include
* Time-stamp: <2004-06-13 njk>
* Time-stamp: <2010-11-12 04:59:01 njk>
*
* (C) 2004 Nicholas J. Kain <njk@aerifal.cx>
*
@@ -31,6 +31,6 @@ void perform_subnet(int idx, char *str);
void perform_router(int idx, char *str);
void perform_mtu(int idx, char *str);
void perform_broadcast(int idx, char *str);
void drop_root(uid_t uid, gid_t gid, char *captxt);
void set_cap(uid_t uid, gid_t gid, char *captxt);
#endif

46
ifchd/log.c
View File

@@ -1,46 +0,0 @@
/* log.c - simple logging support for ncron
(C) 2003 Nicholas J. Kain <njk@aerifal.cx>
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#include <stdio.h>
#include <strings.h>
#include <syslog.h>
#include <stdarg.h>
#include "defines.h"
/* global logging flags */
int gflags_quiet = 0;
int gflags_detach = 1;
void log_line(char *format, ...) {
va_list argp;
if (format == NULL || gflags_quiet)
return;
if (gflags_detach) {
openlog("ifchd", LOG_PID, LOG_DAEMON);
va_start(argp, format);
vsyslog(LOG_ERR | LOG_DAEMON, format, argp);
va_end(argp);
closelog();
} else {
va_start(argp, format);
vfprintf(stderr, format, argp);
va_end(argp);
}
closelog();
}

26
ifchd/log.h
View File

@@ -1,26 +0,0 @@
/* log.h - simple logging support for ncron
(C) 2003 Nicholas J. Kain <njk@aerifal.cx>
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#ifndef NJK_LOG_H_
#define NJK_LOG_H_ 1
extern int gflags_quiet;
extern int gflags_detach;
void log_line(char* format, ...);
#endif

46
ifchd/nstrl.c
View File

@@ -1,46 +0,0 @@
/* nstrl.c - strlcpy/strlcat implementation
(C) 2003 Nicholas J. Kain <njk@aerifal.cx>
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#include <unistd.h>
#ifndef HAVE_STRLCPY
size_t strlcpy (char *dest, char *src, size_t size)
{
register char *d = dest, *s = src;
for (; *s != '\0' && size > 0; size--, d++, s++)
*d = *s;
*d = '\0';
return (d - dest) + (s - src);
}
size_t strlcat (char *dest, char *src, size_t size)
{
register char *d = dest, *s = src;
for (; size > 0 && *d != '\0'; size--, d++);
for (; *s != '\0' && size > 0; size--, d++, s++)
*d = *s;
*d = '\0';
return (d - dest) + (s - src);
}
#endif

23
ifchd/nstrl.h
View File

@@ -1,23 +0,0 @@
/* nstrl.h - header file for strlcpy/strlcat implementation
(C) 2003 Nicholas J. Kain <njk@aerifal.cx>
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#ifndef NJK_HAVE_STRL_
#define NJK_HAVE_STRL_ 1
size_t strlcpy (char *dest, char *src, size_t size);
size_t strlcat (char *dest, char *src, size_t size);
#endif

45
ifchd/pidfile.c
View File

@@ -1,45 +0,0 @@
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <string.h>
#include "defines.h"
#include "log.h"
void write_pid(char *file) {
FILE *f;
char buf[MAXLINE];
if (!file)
return;
f = fopen(file, "w");
if (f == NULL) {
log_line("FATAL - failed to open pid file \"%s\"!\n", file);
exit(EXIT_FAILURE);
}
snprintf(buf, sizeof buf, "%i", (unsigned int)getpid());
fwrite(buf, sizeof (char), strlen(buf), f);
if (fclose(f) != 0) {
log_line("FATAL - failed to close pid file \"%s\"!\n", file);
exit(EXIT_FAILURE);
}
}
/* Return 0 on success, -1 on failure. */
int file_exists(char *file, char *mode) {
FILE *f;
if (file == NULL || mode == NULL)
return -1;
f = fopen(file, mode);
if (f == NULL)
return -1;
fclose(f);
return 0;
}

6
ifchd/pidfile.h
View File

@@ -1,6 +0,0 @@
#ifndef NJK_PIDFILE_H_
#define NJK_PIDFILE_H_ 1
void write_pid(char *file);
int file_exists(char *file, char *mode);
#endif

46
ifchd/signals.c
View File

@@ -1,46 +0,0 @@
/* signals.c - abstracts signal handling
(C) 2004 Nicholas J. Kain <njk@aerifal.cx>
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
#include <unistd.h>
#include <signal.h>
#include <stdlib.h>
#include "log.h"
void hook_signal(int signum, void (*fn)(int), int flags) {
struct sigaction new_action;
new_action.sa_handler = fn;
sigemptyset(&new_action.sa_mask);
new_action.sa_flags = flags;
if (sigaction(signum, &new_action, NULL)) {
log_line("FATAL - failed to hook signal %i\n", signum);
exit(EXIT_FAILURE);
}
}
void disable_signal(int signum) {
struct sigaction new_action;
new_action.sa_handler = SIG_IGN;
sigemptyset(&new_action.sa_mask);
if (sigaction(signum, &new_action, NULL)) {
log_line("FATAL - failed to ignore signal %i\n", signum);
exit(EXIT_FAILURE);
}
}

6
ifchd/signals.h
View File

@@ -1,6 +0,0 @@
#ifndef NJK_SIGNALS_H_
#define NJK_SIGNALS_H_ 1
void hook_signal(int signum, void (*fn)(int), int flags);
void disable_signal(int signum);
#endif

71
ifchd/strlist.c
View File

@@ -1,71 +0,0 @@
#include <unistd.h>
#include <malloc.h>
#include <string.h>
#include "nstrl.h"
#include "strlist.h"
void add_to_strlist(char *name, strlist_t **list)
{
strlist_t *item, *t;
char *s;
unsigned int len;
if (!list || !name)
return;
len = strlen(name);
if (!len)
return;
s = malloc(len + 1);
if (!s)
return;
strlcpy(s, name, len + 1);
item = malloc(sizeof (strlist_t));
if (!item)
goto out0;
item->str = s;
item->next = NULL;
if (!*list) {
*list = item;
return;
}
for (t = *list; t->next; t = t->next)
if (!t->next) {
t->next = item;
return;
}
free(item); /* should be impossible, but hey */
out0:
free(s);
return;
}
void free_strlist(strlist_t *head)
{
strlist_t *p = head, *q = NULL;
while (p != NULL) {
free(p->str);
q = p;
p = q->next;
free(q);
}
}
void free_stritem(strlist_t **p)
{
strlist_t *q;
if (!p || !*p)
return;
q = (*p)->next;
free((*p)->str);
free(*p);
*p = q;
}

14
ifchd/strlist.h
View File

@@ -1,14 +0,0 @@
#ifndef NJK_STRLIST_H_
#define NJK_STRLIST_H_ 1
typedef struct
{
char *str;
void *next;
} strlist_t;
void add_to_strlist(char *name, strlist_t **list);
void free_strlist(strlist_t *head);
void free_stritem(strlist_t **p);
#endif