static int pam_get_agent(struct agent_data_t *data, enum agent id, uid_t uid, gid_t gid)
{
int ret;
bool dropped = set_privileges(true, &uid, &gid);
ret = envoy_agent(data, id, true);
if (ret < 0)
syslog(PAM_LOG_ERR, "failed to fetch agent: %s", strerror(errno));
switch (data->status) {
case ENVOY_STOPPED:
case ENVOY_STARTED:
case ENVOY_RUNNING:
break;
case ENVOY_FAILED:
syslog(PAM_LOG_ERR, "agent failed to start, check envoyd's log");
case ENVOY_BADUSER:
syslog(PAM_LOG_ERR, "connection rejected, user is unauthorized to use this agent");
}
if (dropped) {
set_privileges(false, &uid, &gid);
}
return ret;
}
void netstats(void) {
EUID_ASSERT();
set_privileges();
char *cmd = get_firemon_path("--netstats");
char *arg[4];
arg[0] = "bash";
arg[1] = "-c";
arg[2] = cmd;
arg[3] = NULL;
execvp("/bin/bash", arg);
}
void
exec_command(struct conf *cfp, int sockfd, int parentfd)
{
int pipefd[2];
set_privileges(cfp);
if (sud_popen(cfp->suipfile, pipefd, cfp->mode) < 0) {
syslog(LOG_ERR, "sud_popen error");
_exit(1);
}
_exit(select_mode(cfp, sockfd, pipefd, parentfd) < 0 ? 1 : 0);
}
bool revoke_privilege(const DOM_SID *sid, const SE_PRIV *priv_mask)
{
SE_PRIV mask;
/* if the user has no privileges, then we can't revoke any */
if ( !get_privileges( sid, &mask ) )
return True;
DEBUG(10,("revoke_privilege: %s\n", sid_string_dbg(sid)));
DEBUGADD( 10, ("original privilege mask:\n"));
dump_se_priv( DBGC_ALL, 10, &mask );
se_priv_remove( &mask, priv_mask );
DEBUGADD( 10, ("new privilege mask:\n"));
dump_se_priv( DBGC_ALL, 10, &mask );
return set_privileges( sid, &mask );
}
bool grant_privilege(const DOM_SID *sid, const SE_PRIV *priv_mask)
{
SE_PRIV old_mask, new_mask;
ZERO_STRUCT( old_mask );
ZERO_STRUCT( new_mask );
if ( get_privileges( sid, &old_mask ) )
se_priv_copy( &new_mask, &old_mask );
else
se_priv_copy( &new_mask, &se_priv_none );
se_priv_add( &new_mask, priv_mask );
DEBUG(10,("grant_privilege: %s\n", sid_string_dbg(sid)));
DEBUGADD( 10, ("original privilege mask:\n"));
dump_se_priv( DBGC_ALL, 10, &old_mask );
DEBUGADD( 10, ("new privilege mask:\n"));
dump_se_priv( DBGC_ALL, 10, &new_mask );
return set_privileges( sid, &new_mask );
}
void
exec_shell(struct conf *cfp, int fd, int parentfd)
{
int master, slave;
pid_t pid;
char line[MAXPATHLEN];
char *tty;
#ifdef HAVE_UTMP_H
struct utmp ut;
#elif HAVE_UTMPX_H
struct utmpx ut;
struct timeval tv;
#endif
#if defined(HAVE_UTMP_H) || defined(HAVE_UTMPX_H)
memset(&ut, 0, sizeof(ut));
#endif
if (pipe(pipechld) < 0) {
syslog(LOG_ERR, "exec_shell() pipe %m");
_exit(1);
}
(void)non_blocking(pipechld[0]);
(void)non_blocking(pipechld[1]);
if (openpty(&master, &slave, line, NULL, NULL) == -1) {
syslog(LOG_ERR, "openpty %m");
_exit(1) ;
}
/*
* pts/x compatible
*/
if ((tty = strstr(line, "/dev/")))
tty += 5;
else
tty = line;
#if defined(HAVE_UTMP_H) || defined(HAVE_UTMPX_H)
if (cfp->utmp) {
if (cfp->utname) {
#ifdef HAVE_UTMP_H
(void)strncpy(ut.ut_name, cfp->utname,
sizeof(ut.ut_name)-1);
ut.ut_name[sizeof(ut.ut_name)-1] = '\0';
#elif HAVE_UTMPX_H
(void)strncpy(ut.ut_user, cfp->utname,
sizeof(ut.ut_user)-1);
ut.ut_user[sizeof(ut.ut_user)-1] = '\0';
#endif
} else {
struct passwd *pw;
pw = get_pwentry(cfp->havesetuser ? cfp->setuser : \
0);
#ifdef HAVE_UTMP_H
(void)strncpy(ut.ut_name, pw->pw_name,
sizeof(ut.ut_name)-1);
ut.ut_name[sizeof(ut.ut_name)-1] = '\0';
#elif HAVE_UTMPX_H
(void)strncpy(ut.ut_user, pw->pw_name,
sizeof(ut.ut_user)-1);
ut.ut_user[sizeof(ut.ut_user)-1] = '\0';
#endif
}
(void)strncpy(ut.ut_line, tty, sizeof(ut.ut_line)-1);
ut.ut_line[sizeof(ut.ut_line)-1] = '\0';
if (cfp->uthost) {
(void)strncpy(ut.ut_host, cfp->uthost,
sizeof(ut.ut_host)-1);
ut.ut_host[sizeof(ut.ut_host)-1] = '\0';
}
#ifdef HAVE_UTMP_H
(void)time(&ut.ut_time);
#elif HAVE_UTMPX_H
(void)gettimeofday(&tv, NULL);
ut.ut_tv.tv_sec = tv.tv_sec;
ut.ut_tv.tv_usec = tv.tv_usec;
(void)strncpy(ut.ut_id, ut.ut_line, sizeof(ut.ut_id)-1);
ut.ut_line[sizeof(ut.ut_line)-1] = '\0';
ut.ut_pid = getpid();
ut.ut_type = USER_PROCESS;
#endif
}
#endif
/*
* overwriting signal disposition
*/
(void)signal(SIGCHLD, sig_chld);
switch (pid = fork()) {
case -1:
syslog(LOG_ERR, "forkpty: %m");
_exit(1);
case 0:
(void)close(parentfd);
(void)close(pipechld[0]);
(void)close(pipechld[1]);
(void)close(master);
(void)close(fd);
(void)login_tty(slave);
#ifdef HAVE_UTMP_H
login(&ut);
#elif HAVE_UTMPX_H
setutxent();
(void)pututxline(&ut);
#endif
set_privileges(cfp);
/*
* SUIP PROGRAM HERE
*/
#ifdef __NetBSD__
(void)execl(_PATH_BSHELL,"sh", "-c",cfp->suipfile,(char *)NULL);
#else
(void)execl(_PATH_BSHELL, "sh", "-p", "-c", cfp->suipfile,
(char *)NULL);
#endif
_exit(127);
default:
{
int ctrls;
int exit_status = 0;
(void)close(slave);
/*
* trying to open a control channel
* control_create() returns the number of bytes which were
* written
* select_fd() returns -1 if errors exist you can check errno
*/
if (control_create(&ctrls, fd) == 1) {
if (select_fd(cfp, fd, master, ctrls, parentfd) < 0)
exit_status = 1;
} else {
syslog(LOG_ERR, "can't open ctrl chan");
exit_status = 1;
}
#if defined(HAVE_UTMP_H) || defined(HAVE_UTMPX_H)
if (cfp->utmp) {
#ifdef HAVE_UTMP_H
if (!logout(tty)) {
syslog(LOG_ERR, "unable to logout on %s", tty);
exit_status = 1;
} else
logwtmp(tty, "", "");
#elif HAVE_UTMPX_H
ut.ut_type = DEAD_PROCESS;
(void)gettimeofday(&tv, NULL);
ut.ut_tv.tv_sec = tv.tv_sec;
ut.ut_tv.tv_usec = tv.tv_usec;
(void)memset(&ut.ut_user, 0, sizeof(ut.ut_user));
setutxent();
if (pututxline(&ut) == NULL) {
syslog(LOG_ERR,
"unable to logout on %s (utmpx)",
tty);
exit_status = 1;
}
endutxent();
#endif
}
#endif
cleanup(line);
_exit(exit_status);
}}
/*
* never reached
*/
_exit(1);
}
int start_threaded_server ( OCSPD_CONFIG * ocspd_conf )
{
int i = 0;
int rv = 0;
struct sockaddr_in cliaddr;
socklen_t cliaddrlen;
struct sigaction sa;
// Just print a nice log message when exits
atexit(close_server);
if( ocspd_conf->token ) {
if( PKI_TOKEN_init(ocspd_conf->token,
ocspd_conf->token_config_dir, ocspd_conf->token_name)
== PKI_ERR)
{
PKI_log_err( "Can not load default token (%s/%s)",
ocspd_conf->cnf_filename, ocspd_conf->token_name );
exit(1);
}
PKI_TOKEN_cred_set_cb ( ocspd_conf->token, NULL, NULL);
if (PKI_TOKEN_login ( ocspd_conf->token ) != PKI_OK)
{
PKI_log_debug("Can not login into token!");
exit(1);
}
rv = PKI_TOKEN_check(ocspd_conf->token);
if (rv & (PKI_TOKEN_STATUS_KEYPAIR_ERR |
PKI_TOKEN_STATUS_CERT_ERR |
PKI_TOKEN_STATUS_CACERT_ERR))
{
if (rv & PKI_TOKEN_STATUS_KEYPAIR_ERR) PKI_ERROR(PKI_ERR_TOKEN_KEYPAIR_LOAD, NULL);
if (rv & PKI_TOKEN_STATUS_CERT_ERR) PKI_ERROR(PKI_ERR_TOKEN_CERT_LOAD, NULL);
if (rv & PKI_TOKEN_STATUS_CACERT_ERR) PKI_ERROR(PKI_ERR_TOKEN_CACERT_LOAD, NULL);
PKI_log_err("Token Configuration Fatal Error (%d)", rv);
exit(rv);
}
}
/* Initialize all the tokens configured for the single CA entries */
for (i = 0; i < PKI_STACK_elements(ocspd_conf->ca_list); i++)
{
CA_LIST_ENTRY *ca = NULL;
if ((ca = PKI_STACK_get_num( ocspd_conf->ca_list, i )) == NULL)
continue;
if (ca->token_name == NULL)
continue;
if ((ca->token = PKI_TOKEN_new_null()) == NULL)
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
exit (1);
}
PKI_TOKEN_cred_set_cb ( ocspd_conf->token, NULL, NULL);
rv = PKI_TOKEN_init(ca->token, ca->token_config_dir, ca->token_name);
if (rv != PKI_OK)
{
PKI_ERROR(rv, NULL);
PKI_log_err ( "Can not load token %s for CA %s (%s)",
ca->token_name, ca->ca_id, ca->token_config_dir );
exit (rv);
}
rv = PKI_TOKEN_login(ca->token);
if (rv != PKI_OK)
{
PKI_log_err("Can not login into token (%s)!", ca->ca_id);
exit(rv);
}
rv = PKI_TOKEN_check(ca->token);
if ( rv & (PKI_TOKEN_STATUS_KEYPAIR_ERR |
PKI_TOKEN_STATUS_CERT_ERR |
PKI_TOKEN_STATUS_CACERT_ERR))
{
if (rv & PKI_TOKEN_STATUS_KEYPAIR_ERR) PKI_ERROR(PKI_TOKEN_STATUS_KEYPAIR_ERR, NULL);
if (rv & PKI_TOKEN_STATUS_CERT_ERR) PKI_ERROR(PKI_TOKEN_STATUS_CERT_ERR, NULL);
if (rv & PKI_TOKEN_STATUS_CACERT_ERR) PKI_ERROR(PKI_TOKEN_STATUS_CACERT_ERR, NULL);
PKI_log_err ( "Token Configuration Fatal Error (%d) for ca %s", rv, ca->ca_id);
exit(rv);
}
}
if((ocspd_conf->listenfd = PKI_NET_listen (ocspd_conf->bindUrl->addr,
ocspd_conf->bindUrl->port, PKI_NET_SOCK_STREAM )) == PKI_ERR ) {
PKI_log_err ("Can not bind to [%s],[%d]",
ocspd_conf->bindUrl->addr, ocspd_conf->bindUrl->port);
exit(101);
}
// Now Chroot the application
if ((ocspd_conf->chroot_dir) && (set_chroot( ocspd_conf ) < 1))
{
PKI_log_err ("Can not chroot, exiting!");
exit(204);
}
// Set privileges
if (set_privileges(ocspd_conf) < 1)
{
if (ocspd_conf->chroot_dir != NULL)
{
PKI_log(PKI_LOG_ALWAYS, "SECURITY:: Can not drop privileges! [203]");
PKI_log(PKI_LOG_ALWAYS, "SECURITY:: Continuing because chrooted");
}
else
{
PKI_log(PKI_LOG_ALWAYS, "SECURITY:: Can not drop privileges! [204]");
PKI_log(PKI_LOG_ALWAYS, "SECURITY:: Check User/Group in config file!");
exit(204);
}
}
if((ocspd_conf->threads_list = calloc ( (size_t) ocspd_conf->nthreads,
sizeof(Thread))) == NULL )
{
PKI_log_err ("Memory allocation failed");
exit(79);
}
// Creates the Threads
for (i = 0; i < ocspd_conf->nthreads; i++)
{
if (thread_make(i) != 0)
{
PKI_log_err ("Can not create thread (%d)\n", i );
exit(80);
}
}
// Register the alarm handler
set_alrm_handler();
// Just print a nice log message when killed
signal(SIGTERM, handle_sigterm );
signal(SIGABRT, handle_sigabrt );
// Setting the SIGHUP in order to reload the CRLs
// sa.sa_handler = auto_crl_check;
sa.sa_handler = force_crl_reload;
sigemptyset(&sa.sa_mask);
sa.sa_flags = SA_RESTART;
if (sigaction(SIGHUP, &sa, NULL) == -1)
{
PKI_log_err("Error during setting sig_handler");
exit(1);
}
cliaddrlen = sizeof( cliaddr );
for ( ; ; )
{
// Acquires the Mutex for handling the ocspd_conf->connfd
PKI_MUTEX_acquire ( &ocspd_conf->mutexes[CLIFD_MUTEX] );
if ((ocspd_conf->connfd = PKI_NET_accept(ocspd_conf->listenfd, 0)) == -1)
{
// Provides some information about the error
if (ocspd_conf->verbose || ocspd_conf->debug)
{
char err_str[512];
PKI_log_err("Network Error [%d::%s]", errno,
strerror_r(errno, err_str, sizeof(err_str)));
}
// Returns the connfd MUTEX and restart from the top of the cycle
PKI_MUTEX_release(&ocspd_conf->mutexes[CLIFD_MUTEX]);
continue;
}
// Some debugging information
if (ocspd_conf->debug)
{
if (getpeername(ocspd_conf->connfd, (struct sockaddr*)&cliaddr, &cliaddrlen) == -1)
{
char err_str[512];
PKI_log_err("Network Error [%d::%s] in getpeername", errno,
strerror_r(errno, err_str, sizeof(err_str)));
}
PKI_log(PKI_LOG_INFO, "Connection from [%s]",
inet_ntoa(cliaddr.sin_addr));
}
// Communicate that there is a good socket waiting for a thread to pickup
PKI_COND_broadcast ( &ocspd_conf->condVars[CLIFD_COND] );
PKI_MUTEX_release ( &ocspd_conf->mutexes[CLIFD_MUTEX] );
// Waits for a thread to successfully pickup the socket
PKI_MUTEX_acquire ( &ocspd_conf->mutexes[SRVFD_MUTEX] );
while (ocspd_conf->connfd > 2)
{
PKI_COND_wait ( &ocspd_conf->condVars[SRVFD_COND],
&ocspd_conf->mutexes[SRVFD_MUTEX] );
}
PKI_MUTEX_release ( &ocspd_conf->mutexes[SRVFD_MUTEX] );
}
return(0);
}
