[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] [gnunet] branch master updated (dec6cf00d -> 8c057274e)
|
From: |
gnunet |
|
Subject: |
[GNUnet-SVN] [gnunet] branch master updated (dec6cf00d -> 8c057274e) |
|
Date: |
Sat, 29 Jun 2019 13:00:52 +0200 |
This is an automated email from the git hooks/post-receive script.
lurchi pushed a change to branch master
in repository gnunet.
from dec6cf00d use mmap() instead of malloc, rename heap->flat as database
is persisted in flat file
new 8073ee2c2 introduce GNUNET_OS_get_suid_binary_path
new 9c7302e9d introduce config option SUID_BINARY_PATH (empty by default)
new 8c057274e use GNUNET_OS_get_suid_binary_path to construct suid helper
paths
The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
src/dns/gnunet-service-dns.c | 11 +++++++--
src/exit/gnunet-daemon-exit.c | 9 ++++---
src/include/gnunet_os_lib.h | 17 +++++++++++++
src/nat/gnunet-service-nat.c | 6 +++--
src/nat/gnunet-service-nat_helper.c | 20 +++++++++++-----
src/nat/gnunet-service-nat_helper.h | 8 +++++--
src/util/os_installation.c | 48 +++++++++++++++++++++++++++++++++++++
src/util/util.conf | 6 +++++
src/vpn/gnunet-service-vpn.c | 19 +++++++++++----
9 files changed, 124 insertions(+), 20 deletions(-)
diff --git a/src/dns/gnunet-service-dns.c b/src/dns/gnunet-service-dns.c
index a63205ebf..dc9f37377 100644
--- a/src/dns/gnunet-service-dns.c
+++ b/src/dns/gnunet-service-dns.c
@@ -1082,7 +1082,8 @@ run (void *cls,
_("need a valid IPv4 or IPv6 address\n"));
GNUNET_free_non_null (dns_exit);
}
- binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-dns");
+ binary = GNUNET_OS_get_suid_binary_path (cfg, "gnunet-helper-dns");
+
if (GNUNET_YES !=
GNUNET_OS_check_helper_binary (binary,
GNUNET_YES,
@@ -1106,6 +1107,7 @@ run (void *cls,
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"No entry 'IFNAME' in configuration!\n");
+ GNUNET_free (binary);
GNUNET_SCHEDULER_shutdown ();
return;
}
@@ -1118,6 +1120,7 @@ run (void *cls,
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"No entry 'IPV6ADDR' in configuration!\n");
+ GNUNET_free (binary);
GNUNET_SCHEDULER_shutdown ();
return;
}
@@ -1130,6 +1133,7 @@ run (void *cls,
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"No entry 'IPV6PREFIX' in configuration!\n");
+ GNUNET_free (binary);
GNUNET_SCHEDULER_shutdown ();
return;
}
@@ -1143,6 +1147,7 @@ run (void *cls,
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"No entry 'IPV4ADDR' in configuration!\n");
+ GNUNET_free (binary);
GNUNET_SCHEDULER_shutdown ();
return;
}
@@ -1153,6 +1158,7 @@ run (void *cls,
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"No entry 'IPV4MASK' in configuration!\n");
+ GNUNET_free (binary);
GNUNET_SCHEDULER_shutdown ();
return;
}
@@ -1167,10 +1173,11 @@ run (void *cls,
helper_argv[7] = NULL;
hijacker = GNUNET_HELPER_start (GNUNET_NO,
- "gnunet-helper-dns",
+ binary,
helper_argv,
&process_helper_messages,
NULL, NULL);
+ GNUNET_free (binary);
}
diff --git a/src/exit/gnunet-daemon-exit.c b/src/exit/gnunet-daemon-exit.c
index 5bcf53f57..ed49a5297 100644
--- a/src/exit/gnunet-daemon-exit.c
+++ b/src/exit/gnunet-daemon-exit.c
@@ -3790,9 +3790,9 @@ run (void *cls,
&max_connections))
max_connections = 1024;
parse_ip_options ();
+ binary = GNUNET_OS_get_suid_binary_path (cfg, "gnunet-helper-exit");
if ( (ipv4_exit) || (ipv6_exit) )
{
- binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-exit");
if (GNUNET_YES !=
GNUNET_OS_check_helper_binary (binary,
GNUNET_YES,
@@ -3807,10 +3807,10 @@ run (void *cls,
global_ret = 1;
return;
}
- GNUNET_free (binary);
}
if (! (ipv4_enabled || ipv6_enabled))
{
+ GNUNET_free (binary);
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
_("No useful service enabled. Exiting.\n"));
GNUNET_SCHEDULER_shutdown ();
@@ -3824,6 +3824,7 @@ run (void *cls,
cadet_handle = GNUNET_CADET_connect (cfg);
if (NULL == cadet_handle)
{
+ GNUNET_free (binary);
GNUNET_SCHEDULER_shutdown ();
return;
}
@@ -3831,6 +3832,7 @@ run (void *cls,
if (GNUNET_OK !=
setup_exit_helper_args ())
{
+ GNUNET_free (binary);
GNUNET_SCHEDULER_shutdown ();
return;
}
@@ -3927,11 +3929,12 @@ run (void *cls,
}
}
helper_handle = GNUNET_HELPER_start (GNUNET_NO,
- "gnunet-helper-exit",
+ binary,
exit_argv,
&message_token,
NULL,
NULL);
+ GNUNET_free (binary);
}
diff --git a/src/include/gnunet_os_lib.h b/src/include/gnunet_os_lib.h
index 285dfb68d..6eb4ce5eb 100644
--- a/src/include/gnunet_os_lib.h
+++ b/src/include/gnunet_os_lib.h
@@ -317,6 +317,23 @@ char *
GNUNET_OS_get_libexec_binary_path (const char *progname);
+/**
+ * Given the name of a helper, service or daemon binary construct the full
+ * path to the binary using the SUID_BINARY_PATH in the PATHS section of the
+ * configuration. If that option is not present, fall back to
+ * GNUNET_OS_get_libexec_binary_path. If @a progname is an absolute path, a
+ * copy of this path is returned.
+ *
+ * @param cfg configuration to inspect
+ * @param progname name of the binary
+ * @return full path to the binary, if possible, a copy of @a progname
+ * otherwise
+ */
+char *
+GNUNET_OS_get_suid_binary_path (const struct GNUNET_CONFIGURATION_Handle *cfg,
+ const char *progname);
+
+
/**
* Callback function invoked for each interface found.
*
diff --git a/src/nat/gnunet-service-nat.c b/src/nat/gnunet-service-nat.c
index 8d771f474..2498a990a 100644
--- a/src/nat/gnunet-service-nat.c
+++ b/src/nat/gnunet-service-nat.c
@@ -1063,7 +1063,8 @@ run_scan (void *cls)
sizeof (*s4)));
pos->hc = GN_start_gnunet_nat_server_ (&s4->sin_addr,
&reversal_callback,
- pos);
+ pos,
+ cfg);
}
}
}
@@ -1826,7 +1827,8 @@ handle_request_connection_reversal (void *cls,
GNUNET_break_op (AF_INET == r4.sin_family);
ret = GN_request_connection_reversal (&l4.sin_addr,
ntohs (l4.sin_port),
- &r4.sin_addr);
+ &r4.sin_addr,
+ cfg);
if (GNUNET_OK != ret)
GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
_("Connection reversal request failed\n"));
diff --git a/src/nat/gnunet-service-nat_helper.c
b/src/nat/gnunet-service-nat_helper.c
index 56090bcea..43ac54adf 100644
--- a/src/nat/gnunet-service-nat_helper.c
+++ b/src/nat/gnunet-service-nat_helper.c
@@ -74,6 +74,11 @@ struct HelperContext
* stdout file handle (for reading) for the gnunet-helper-nat-server process
*/
const struct GNUNET_DISK_FileHandle *server_stdout_handle;
+
+ /**
+ * Handle to the GNUnet configuration
+ */
+ const struct GNUNET_CONFIGURATION_Handle *cfg;
};
@@ -227,8 +232,7 @@ restart_nat_server (void *cls)
ia,
sizeof (ia)));
/* Start the server process */
- binary
- = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-nat-server");
+ binary = GNUNET_OS_get_suid_binary_path (h->cfg, "gnunet-helper-nat-server");
if (GNUNET_YES !=
GNUNET_OS_check_helper_binary (binary,
GNUNET_YES,
@@ -298,12 +302,14 @@ restart_nat_server (void *cls)
* @param internal_address
* @param cb function to call if we receive a request
* @param cb_cls closure for @a cb
+ * @param cfg Handle to the GNUnet configuration
* @return NULL on error
*/
struct HelperContext *
GN_start_gnunet_nat_server_ (const struct in_addr *internal_address,
GN_ReversalCallback cb,
- void *cb_cls)
+ void *cb_cls,
+ const struct GNUNET_CONFIGURATION_Handle *cfg)
{
struct HelperContext *h;
@@ -311,6 +317,7 @@ GN_start_gnunet_nat_server_ (const struct in_addr
*internal_address,
h->cb = cb;
h->cb_cls = cb_cls;
h->internal_address = *internal_address;
+ h->cfg = cfg;
restart_nat_server (h);
if (NULL == h->server_stdout)
{
@@ -366,13 +373,15 @@ GN_stop_gnunet_nat_server_ (struct HelperContext *h)
* @param internal_address out internal address to use
* @param internal_port port to use
* @param remote_v4 the address of the peer (IPv4-only)
+ * @param cfg handle to the GNUnet configuration
* @return #GNUNET_SYSERR on error,
* #GNUNET_OK otherwise
*/
int
GN_request_connection_reversal (const struct in_addr *internal_address,
uint16_t internal_port,
- const struct in_addr *remote_v4)
+ const struct in_addr *remote_v4,
+ const struct GNUNET_CONFIGURATION_Handle *cfg)
{
char intv4[INET_ADDRSTRLEN];
char remv4[INET_ADDRSTRLEN];
@@ -407,8 +416,7 @@ GN_request_connection_reversal (const struct in_addr
*internal_address,
intv4,
remv4,
internal_port);
- binary
- = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-nat-client");
+ binary = GNUNET_OS_get_suid_binary_path (cfg, "gnunet-helper-nat-client");
proc
= GNUNET_OS_start_process (GNUNET_NO,
0,
diff --git a/src/nat/gnunet-service-nat_helper.h
b/src/nat/gnunet-service-nat_helper.h
index d9294d949..4c39a374c 100644
--- a/src/nat/gnunet-service-nat_helper.h
+++ b/src/nat/gnunet-service-nat_helper.h
@@ -53,12 +53,14 @@ typedef void
* @param internal_address
* @param cb function to call if we receive a request
* @param cb_cls closure for @a cb
+ * @param cfg handle to the GNUnet configuration
* @return NULL on error
*/
struct HelperContext *
GN_start_gnunet_nat_server_ (const struct in_addr *internal_address,
GN_ReversalCallback cb,
- void *cb_cls);
+ void *cb_cls,
+ const struct GNUNET_CONFIGURATION_Handle *cfg);
/**
@@ -79,13 +81,15 @@ GN_stop_gnunet_nat_server_ (struct HelperContext *h);
* @param internal_address out internal address to use
* @param internal_port internal port to use
* @param remote_v4 the address of the peer (IPv4-only)
+ * @param cfg handle to the GNUnet configuration
* @return #GNUNET_SYSERR on error,
* #GNUNET_OK otherwise
*/
int
GN_request_connection_reversal (const struct in_addr *internal_address,
uint16_t internal_port,
- const struct in_addr *sa);
+ const struct in_addr *remote_v4,
+ const struct GNUNET_CONFIGURATION_Handle *cfg);
/* end of gnunet-service-nat_helper.h */
diff --git a/src/util/os_installation.c b/src/util/os_installation.c
index f2d24f85e..e0568e6dd 100644
--- a/src/util/os_installation.c
+++ b/src/util/os_installation.c
@@ -804,6 +804,54 @@ GNUNET_OS_get_libexec_binary_path (const char *progname)
}
+/**
+ * Given the name of a helper, service or daemon binary construct the full
+ * path to the binary using the SUID_BINARY_PATH in the PATHS section of the
+ * configuration. If that option is not present, fall back to
+ * GNUNET_OS_get_libexec_binary_path. If @a progname is an absolute path, a
+ * copy of this path is returned.
+ *
+ * @param cfg configuration to inspect
+ * @param progname name of the binary
+ * @return full path to the binary, if possible, a copy of @a progname
+ * otherwise
+ */
+char *
+GNUNET_OS_get_suid_binary_path (const struct GNUNET_CONFIGURATION_Handle *cfg,
+ const char *progname)
+{
+ static const char *cache;
+ char *binary = NULL;
+ char *path = NULL;
+ size_t path_len;
+
+ if (GNUNET_YES ==
+ GNUNET_STRINGS_path_is_absolute (progname,
+ GNUNET_NO,
+ NULL, NULL))
+ {
+ return GNUNET_strdup (progname);
+ }
+ if (NULL != cache)
+ path = cache;
+ else
+ GNUNET_CONFIGURATION_get_value_string (cfg,
+ "PATHS",
+ "SUID_BINARY_PATH",
+ &path);
+ if (NULL == path)
+ return GNUNET_OS_get_libexec_binary_path (progname);
+ path_len = strlen (path);
+ GNUNET_asprintf (&binary,
+ "%s%s%s",
+ path,
+ (path[path_len - 1] == DIR_SEPARATOR) ? "" :
DIR_SEPARATOR_STR,
+ progname);
+ cache = path;
+ return binary;
+}
+
+
/**
* Check whether an executable exists and possibly if the suid bit is
* set on the file. Attempts to find the file using the current PATH
diff --git a/src/util/util.conf b/src/util/util.conf
index dbc2b2e0d..dfa4f8346 100644
--- a/src/util/util.conf
+++ b/src/util/util.conf
@@ -48,6 +48,12 @@ GNUNET_TMP = ${TMPDIR:-${TMP:-/tmp}}/gnunet/
# configuration file is assumed to be the default,
# which is what we want by default...
+# Location of binaries requiring setuid or setgid flags, e.g.
gnunet-helper-vpn.
+# By default it is assumed to be in the libexec directory, but on some systems
+# like NixOS setuid / setgid is only possible through a wrapper in a specific
+# location.
+SUID_BINARY_PATH =
+
[PEER]
# Where do we store our private key?
diff --git a/src/vpn/gnunet-service-vpn.c b/src/vpn/gnunet-service-vpn.c
index 91bc13fd8..f48022b5f 100644
--- a/src/vpn/gnunet-service-vpn.c
+++ b/src/vpn/gnunet-service-vpn.c
@@ -2936,7 +2936,8 @@ run (void *cls,
struct in6_addr v6;
char *binary;
- binary = GNUNET_OS_get_libexec_binary_path ("gnunet-helper-vpn");
+ cfg = cfg_;
+ binary = GNUNET_OS_get_suid_binary_path (cfg, "gnunet-helper-vpn");
if (GNUNET_YES !=
GNUNET_OS_check_helper_binary (binary,
@@ -2953,8 +2954,6 @@ run (void *cls,
anything either */
return;
}
- GNUNET_free (binary);
- cfg = cfg_;
stats = GNUNET_STATISTICS_create ("vpn", cfg);
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_number (cfg,
@@ -2980,6 +2979,7 @@ run (void *cls,
GNUNET_CONFIGURATION_get_value_string (cfg, "VPN", "IFNAME", &ifname))
{
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, "VPN", "IFNAME");
+ GNUNET_free (binary);
GNUNET_SCHEDULER_shutdown ();
return;
}
@@ -2994,6 +2994,7 @@ run (void *cls,
{
GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, "VPN", "IPV6ADDR",
_("Must specify valid IPv6 address"));
+ GNUNET_free (binary);
GNUNET_SCHEDULER_shutdown ();
GNUNET_free_non_null (ipv6addr);
return;
@@ -3005,6 +3006,7 @@ run (void *cls,
&ipv6prefix_s))
{
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, "VPN", "IPV6PREFIX");
+ GNUNET_free (binary);
GNUNET_SCHEDULER_shutdown ();
GNUNET_free_non_null (ipv6prefix_s);
return;
@@ -3018,6 +3020,7 @@ run (void *cls,
{
GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, "VPN", "IPV4MASK",
_("Must specify valid IPv6 mask"));
+ GNUNET_free (binary);
GNUNET_SCHEDULER_shutdown ();
return;
}
@@ -3039,6 +3042,7 @@ run (void *cls,
{
GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, "VPN", "IPV4ADDR",
_("Must specify valid IPv4 address"));
+ GNUNET_free (binary);
GNUNET_SCHEDULER_shutdown ();
GNUNET_free_non_null (ipv4addr);
return;
@@ -3052,6 +3056,7 @@ run (void *cls,
{
GNUNET_log_config_invalid (GNUNET_ERROR_TYPE_ERROR, "VPN", "IPV4MASK",
_("Must specify valid IPv4 mask"));
+ GNUNET_free (binary);
GNUNET_SCHEDULER_shutdown ();
GNUNET_free_non_null (ipv4mask);
return;
@@ -3070,8 +3075,12 @@ run (void *cls,
cadet_handle = GNUNET_CADET_connect (cfg_);
// FIXME never opens ports???
helper_handle = GNUNET_HELPER_start (GNUNET_NO,
- "gnunet-helper-vpn", vpn_argv,
- &message_token, NULL, NULL);
+ binary,
+ vpn_argv,
+ &message_token,
+ NULL,
+ NULL);
+ GNUNET_free (binary);
GNUNET_SCHEDULER_add_shutdown (&cleanup,
NULL);
}
--
To stop receiving notification emails like this one, please contact
address@hidden.
- [GNUnet-SVN] [gnunet] branch master updated (dec6cf00d -> 8c057274e),
gnunet <=