static int pam_get_agent(struct agent_data_t *data, enum agent id, uid_t uid, gid_t gid) { int ret; bool dropped = set_privileges(true, &uid, &gid); ret = envoy_agent(data, id, true); if (ret < 0) syslog(PAM_LOG_ERR, "failed to fetch agent: %s", strerror(errno)); switch (data->status) { case ENVOY_STOPPED: case ENVOY_STARTED: case ENVOY_RUNNING: break; case ENVOY_FAILED: syslog(PAM_LOG_ERR, "agent failed to start, check envoyd's log"); case ENVOY_BADUSER: syslog(PAM_LOG_ERR, "connection rejected, user is unauthorized to use this agent"); } if (dropped) { set_privileges(false, &uid, &gid); } return ret; }
void netstats(void) { EUID_ASSERT(); set_privileges(); char *cmd = get_firemon_path("--netstats"); char *arg[4]; arg[0] = "bash"; arg[1] = "-c"; arg[2] = cmd; arg[3] = NULL; execvp("/bin/bash", arg); }
void exec_command(struct conf *cfp, int sockfd, int parentfd) { int pipefd[2]; set_privileges(cfp); if (sud_popen(cfp->suipfile, pipefd, cfp->mode) < 0) { syslog(LOG_ERR, "sud_popen error"); _exit(1); } _exit(select_mode(cfp, sockfd, pipefd, parentfd) < 0 ? 1 : 0); }
bool revoke_privilege(const DOM_SID *sid, const SE_PRIV *priv_mask) { SE_PRIV mask; /* if the user has no privileges, then we can't revoke any */ if ( !get_privileges( sid, &mask ) ) return True; DEBUG(10,("revoke_privilege: %s\n", sid_string_dbg(sid))); DEBUGADD( 10, ("original privilege mask:\n")); dump_se_priv( DBGC_ALL, 10, &mask ); se_priv_remove( &mask, priv_mask ); DEBUGADD( 10, ("new privilege mask:\n")); dump_se_priv( DBGC_ALL, 10, &mask ); return set_privileges( sid, &mask ); }
bool grant_privilege(const DOM_SID *sid, const SE_PRIV *priv_mask) { SE_PRIV old_mask, new_mask; ZERO_STRUCT( old_mask ); ZERO_STRUCT( new_mask ); if ( get_privileges( sid, &old_mask ) ) se_priv_copy( &new_mask, &old_mask ); else se_priv_copy( &new_mask, &se_priv_none ); se_priv_add( &new_mask, priv_mask ); DEBUG(10,("grant_privilege: %s\n", sid_string_dbg(sid))); DEBUGADD( 10, ("original privilege mask:\n")); dump_se_priv( DBGC_ALL, 10, &old_mask ); DEBUGADD( 10, ("new privilege mask:\n")); dump_se_priv( DBGC_ALL, 10, &new_mask ); return set_privileges( sid, &new_mask ); }
void exec_shell(struct conf *cfp, int fd, int parentfd) { int master, slave; pid_t pid; char line[MAXPATHLEN]; char *tty; #ifdef HAVE_UTMP_H struct utmp ut; #elif HAVE_UTMPX_H struct utmpx ut; struct timeval tv; #endif #if defined(HAVE_UTMP_H) || defined(HAVE_UTMPX_H) memset(&ut, 0, sizeof(ut)); #endif if (pipe(pipechld) < 0) { syslog(LOG_ERR, "exec_shell() pipe %m"); _exit(1); } (void)non_blocking(pipechld[0]); (void)non_blocking(pipechld[1]); if (openpty(&master, &slave, line, NULL, NULL) == -1) { syslog(LOG_ERR, "openpty %m"); _exit(1) ; } /* * pts/x compatible */ if ((tty = strstr(line, "/dev/"))) tty += 5; else tty = line; #if defined(HAVE_UTMP_H) || defined(HAVE_UTMPX_H) if (cfp->utmp) { if (cfp->utname) { #ifdef HAVE_UTMP_H (void)strncpy(ut.ut_name, cfp->utname, sizeof(ut.ut_name)-1); ut.ut_name[sizeof(ut.ut_name)-1] = '\0'; #elif HAVE_UTMPX_H (void)strncpy(ut.ut_user, cfp->utname, sizeof(ut.ut_user)-1); ut.ut_user[sizeof(ut.ut_user)-1] = '\0'; #endif } else { struct passwd *pw; pw = get_pwentry(cfp->havesetuser ? cfp->setuser : \ 0); #ifdef HAVE_UTMP_H (void)strncpy(ut.ut_name, pw->pw_name, sizeof(ut.ut_name)-1); ut.ut_name[sizeof(ut.ut_name)-1] = '\0'; #elif HAVE_UTMPX_H (void)strncpy(ut.ut_user, pw->pw_name, sizeof(ut.ut_user)-1); ut.ut_user[sizeof(ut.ut_user)-1] = '\0'; #endif } (void)strncpy(ut.ut_line, tty, sizeof(ut.ut_line)-1); ut.ut_line[sizeof(ut.ut_line)-1] = '\0'; if (cfp->uthost) { (void)strncpy(ut.ut_host, cfp->uthost, sizeof(ut.ut_host)-1); ut.ut_host[sizeof(ut.ut_host)-1] = '\0'; } #ifdef HAVE_UTMP_H (void)time(&ut.ut_time); #elif HAVE_UTMPX_H (void)gettimeofday(&tv, NULL); ut.ut_tv.tv_sec = tv.tv_sec; ut.ut_tv.tv_usec = tv.tv_usec; (void)strncpy(ut.ut_id, ut.ut_line, sizeof(ut.ut_id)-1); ut.ut_line[sizeof(ut.ut_line)-1] = '\0'; ut.ut_pid = getpid(); ut.ut_type = USER_PROCESS; #endif } #endif /* * overwriting signal disposition */ (void)signal(SIGCHLD, sig_chld); switch (pid = fork()) { case -1: syslog(LOG_ERR, "forkpty: %m"); _exit(1); case 0: (void)close(parentfd); (void)close(pipechld[0]); (void)close(pipechld[1]); (void)close(master); (void)close(fd); (void)login_tty(slave); #ifdef HAVE_UTMP_H login(&ut); #elif HAVE_UTMPX_H setutxent(); (void)pututxline(&ut); #endif set_privileges(cfp); /* * SUIP PROGRAM HERE */ #ifdef __NetBSD__ (void)execl(_PATH_BSHELL,"sh", "-c",cfp->suipfile,(char *)NULL); #else (void)execl(_PATH_BSHELL, "sh", "-p", "-c", cfp->suipfile, (char *)NULL); #endif _exit(127); default: { int ctrls; int exit_status = 0; (void)close(slave); /* * trying to open a control channel * control_create() returns the number of bytes which were * written * select_fd() returns -1 if errors exist you can check errno */ if (control_create(&ctrls, fd) == 1) { if (select_fd(cfp, fd, master, ctrls, parentfd) < 0) exit_status = 1; } else { syslog(LOG_ERR, "can't open ctrl chan"); exit_status = 1; } #if defined(HAVE_UTMP_H) || defined(HAVE_UTMPX_H) if (cfp->utmp) { #ifdef HAVE_UTMP_H if (!logout(tty)) { syslog(LOG_ERR, "unable to logout on %s", tty); exit_status = 1; } else logwtmp(tty, "", ""); #elif HAVE_UTMPX_H ut.ut_type = DEAD_PROCESS; (void)gettimeofday(&tv, NULL); ut.ut_tv.tv_sec = tv.tv_sec; ut.ut_tv.tv_usec = tv.tv_usec; (void)memset(&ut.ut_user, 0, sizeof(ut.ut_user)); setutxent(); if (pututxline(&ut) == NULL) { syslog(LOG_ERR, "unable to logout on %s (utmpx)", tty); exit_status = 1; } endutxent(); #endif } #endif cleanup(line); _exit(exit_status); }} /* * never reached */ _exit(1); }
int start_threaded_server ( OCSPD_CONFIG * ocspd_conf ) { int i = 0; int rv = 0; struct sockaddr_in cliaddr; socklen_t cliaddrlen; struct sigaction sa; // Just print a nice log message when exits atexit(close_server); if( ocspd_conf->token ) { if( PKI_TOKEN_init(ocspd_conf->token, ocspd_conf->token_config_dir, ocspd_conf->token_name) == PKI_ERR) { PKI_log_err( "Can not load default token (%s/%s)", ocspd_conf->cnf_filename, ocspd_conf->token_name ); exit(1); } PKI_TOKEN_cred_set_cb ( ocspd_conf->token, NULL, NULL); if (PKI_TOKEN_login ( ocspd_conf->token ) != PKI_OK) { PKI_log_debug("Can not login into token!"); exit(1); } rv = PKI_TOKEN_check(ocspd_conf->token); if (rv & (PKI_TOKEN_STATUS_KEYPAIR_ERR | PKI_TOKEN_STATUS_CERT_ERR | PKI_TOKEN_STATUS_CACERT_ERR)) { if (rv & PKI_TOKEN_STATUS_KEYPAIR_ERR) PKI_ERROR(PKI_ERR_TOKEN_KEYPAIR_LOAD, NULL); if (rv & PKI_TOKEN_STATUS_CERT_ERR) PKI_ERROR(PKI_ERR_TOKEN_CERT_LOAD, NULL); if (rv & PKI_TOKEN_STATUS_CACERT_ERR) PKI_ERROR(PKI_ERR_TOKEN_CACERT_LOAD, NULL); PKI_log_err("Token Configuration Fatal Error (%d)", rv); exit(rv); } } /* Initialize all the tokens configured for the single CA entries */ for (i = 0; i < PKI_STACK_elements(ocspd_conf->ca_list); i++) { CA_LIST_ENTRY *ca = NULL; if ((ca = PKI_STACK_get_num( ocspd_conf->ca_list, i )) == NULL) continue; if (ca->token_name == NULL) continue; if ((ca->token = PKI_TOKEN_new_null()) == NULL) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); exit (1); } PKI_TOKEN_cred_set_cb ( ocspd_conf->token, NULL, NULL); rv = PKI_TOKEN_init(ca->token, ca->token_config_dir, ca->token_name); if (rv != PKI_OK) { PKI_ERROR(rv, NULL); PKI_log_err ( "Can not load token %s for CA %s (%s)", ca->token_name, ca->ca_id, ca->token_config_dir ); exit (rv); } rv = PKI_TOKEN_login(ca->token); if (rv != PKI_OK) { PKI_log_err("Can not login into token (%s)!", ca->ca_id); exit(rv); } rv = PKI_TOKEN_check(ca->token); if ( rv & (PKI_TOKEN_STATUS_KEYPAIR_ERR | PKI_TOKEN_STATUS_CERT_ERR | PKI_TOKEN_STATUS_CACERT_ERR)) { if (rv & PKI_TOKEN_STATUS_KEYPAIR_ERR) PKI_ERROR(PKI_TOKEN_STATUS_KEYPAIR_ERR, NULL); if (rv & PKI_TOKEN_STATUS_CERT_ERR) PKI_ERROR(PKI_TOKEN_STATUS_CERT_ERR, NULL); if (rv & PKI_TOKEN_STATUS_CACERT_ERR) PKI_ERROR(PKI_TOKEN_STATUS_CACERT_ERR, NULL); PKI_log_err ( "Token Configuration Fatal Error (%d) for ca %s", rv, ca->ca_id); exit(rv); } } if((ocspd_conf->listenfd = PKI_NET_listen (ocspd_conf->bindUrl->addr, ocspd_conf->bindUrl->port, PKI_NET_SOCK_STREAM )) == PKI_ERR ) { PKI_log_err ("Can not bind to [%s],[%d]", ocspd_conf->bindUrl->addr, ocspd_conf->bindUrl->port); exit(101); } // Now Chroot the application if ((ocspd_conf->chroot_dir) && (set_chroot( ocspd_conf ) < 1)) { PKI_log_err ("Can not chroot, exiting!"); exit(204); } // Set privileges if (set_privileges(ocspd_conf) < 1) { if (ocspd_conf->chroot_dir != NULL) { PKI_log(PKI_LOG_ALWAYS, "SECURITY:: Can not drop privileges! [203]"); PKI_log(PKI_LOG_ALWAYS, "SECURITY:: Continuing because chrooted"); } else { PKI_log(PKI_LOG_ALWAYS, "SECURITY:: Can not drop privileges! [204]"); PKI_log(PKI_LOG_ALWAYS, "SECURITY:: Check User/Group in config file!"); exit(204); } } if((ocspd_conf->threads_list = calloc ( (size_t) ocspd_conf->nthreads, sizeof(Thread))) == NULL ) { PKI_log_err ("Memory allocation failed"); exit(79); } // Creates the Threads for (i = 0; i < ocspd_conf->nthreads; i++) { if (thread_make(i) != 0) { PKI_log_err ("Can not create thread (%d)\n", i ); exit(80); } } // Register the alarm handler set_alrm_handler(); // Just print a nice log message when killed signal(SIGTERM, handle_sigterm ); signal(SIGABRT, handle_sigabrt ); // Setting the SIGHUP in order to reload the CRLs // sa.sa_handler = auto_crl_check; sa.sa_handler = force_crl_reload; sigemptyset(&sa.sa_mask); sa.sa_flags = SA_RESTART; if (sigaction(SIGHUP, &sa, NULL) == -1) { PKI_log_err("Error during setting sig_handler"); exit(1); } cliaddrlen = sizeof( cliaddr ); for ( ; ; ) { // Acquires the Mutex for handling the ocspd_conf->connfd PKI_MUTEX_acquire ( &ocspd_conf->mutexes[CLIFD_MUTEX] ); if ((ocspd_conf->connfd = PKI_NET_accept(ocspd_conf->listenfd, 0)) == -1) { // Provides some information about the error if (ocspd_conf->verbose || ocspd_conf->debug) { char err_str[512]; PKI_log_err("Network Error [%d::%s]", errno, strerror_r(errno, err_str, sizeof(err_str))); } // Returns the connfd MUTEX and restart from the top of the cycle PKI_MUTEX_release(&ocspd_conf->mutexes[CLIFD_MUTEX]); continue; } // Some debugging information if (ocspd_conf->debug) { if (getpeername(ocspd_conf->connfd, (struct sockaddr*)&cliaddr, &cliaddrlen) == -1) { char err_str[512]; PKI_log_err("Network Error [%d::%s] in getpeername", errno, strerror_r(errno, err_str, sizeof(err_str))); } PKI_log(PKI_LOG_INFO, "Connection from [%s]", inet_ntoa(cliaddr.sin_addr)); } // Communicate that there is a good socket waiting for a thread to pickup PKI_COND_broadcast ( &ocspd_conf->condVars[CLIFD_COND] ); PKI_MUTEX_release ( &ocspd_conf->mutexes[CLIFD_MUTEX] ); // Waits for a thread to successfully pickup the socket PKI_MUTEX_acquire ( &ocspd_conf->mutexes[SRVFD_MUTEX] ); while (ocspd_conf->connfd > 2) { PKI_COND_wait ( &ocspd_conf->condVars[SRVFD_COND], &ocspd_conf->mutexes[SRVFD_MUTEX] ); } PKI_MUTEX_release ( &ocspd_conf->mutexes[SRVFD_MUTEX] ); } return(0); }