search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
vsftpd 2.0.7 - initial checkin.
[tomato.git] / release / src / router / vsftpd / twoprocess.c
blobe6cb90466cece47381b1cd2ef6b0492a920e0e05
1 /*
2 * Part of Very Secure FTPd
3 * License: GPL v2
4 * Author: Chris Evans
5 * twoprocess.c
6 *
7 * Code implementing the standard, secure two process security model.
8 */
9
10 #include "twoprocess.h"
11 #include "privops.h"
12 #include "prelogin.h"
13 #include "postlogin.h"
14 #include "postprivparent.h"
15 #include "session.h"
16 #include "privsock.h"
17 #include "secutil.h"
18 #include "filestr.h"
19 #include "str.h"
20 #include "sysstr.h"
21 #include "utility.h"
22 #include "tunables.h"
23 #include "defs.h"
24 #include "parseconf.h"
25 #include "ssl.h"
26 #include "readwrite.h"
27 #include "sysutil.h"
28 #include "sysdeputil.h"
29
30 static void drop_all_privs(void);
31 static void handle_sigchld(int duff);
32 static void process_login_req(struct vsf_session* p_sess);
33 static void process_ssl_slave_req(struct vsf_session* p_sess);
34 static void common_do_login(struct vsf_session* p_sess,
35 const struct mystr* p_user_str, int do_chroot,
36 int anon);
37 static void handle_per_user_config(const struct mystr* p_user_str);
38 static void calculate_chdir_dir(int anon, struct mystr* p_userdir_str,
39 struct mystr* p_chroot_str,
40 struct mystr* p_chdir_str,
41 const struct mystr* p_user_str,
42 const struct mystr* p_orig_user_str);
43
44 static void
45 handle_sigchld(int duff)
46 {
47 struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait();
48 (void) duff;
49 /* Child died, so we'll do the same! Report it as an error unless the child
50 * exited normally with zero exit code
51 */
52 if (vsf_sysutil_retval_is_error(vsf_sysutil_wait_get_retval(&wait_retval)) ||
53 !vsf_sysutil_wait_exited_normally(&wait_retval) ||
54 vsf_sysutil_wait_get_exitcode(&wait_retval) != 0)
55 {
56 die("child died");
57 }
58 else
59 {
60 vsf_sysutil_exit(0);
61 }
62 }
63
64 void
65 vsf_two_process_start(struct vsf_session* p_sess)
66 {
67 /* Create the comms channel between privileged parent and no-priv child */
68 priv_sock_init(p_sess);
69 if (tunable_ssl_enable)
70 {
71 /* Create the comms channel between the no-priv SSL child and the low-priv
72 * protocol handling child.
73 */
74 ssl_comm_channel_init(p_sess);
75 }
76 vsf_sysutil_install_async_sighandler(kVSFSysUtilSigCHLD, handle_sigchld);
77 {
78 int newpid = vsf_sysutil_fork();
79 if (newpid != 0)
80 {
81 /* Parent - go into pre-login parent process mode */
82 while (1)
83 {
84 process_login_req(p_sess);
85 }
86 }
87 }
88 /* Child process - time to lose as much privilege as possible and do the
89 * login processing
90 */
91 vsf_sysutil_close(p_sess->parent_fd);
92 if (tunable_ssl_enable)
93 {
94 vsf_sysutil_close(p_sess->ssl_consumer_fd);
95 }
96 if (tunable_local_enable && tunable_userlist_enable)
97 {
98 int retval = str_fileread(&p_sess->userlist_str, tunable_userlist_file,
99 VSFTP_CONF_FILE_MAX);
100 if (vsf_sysutil_retval_is_error(retval))
101 {
102 die2("cannot open user list file:", tunable_userlist_file);
103 }
104 }
105 drop_all_privs();
106 init_connection(p_sess);
107 /* NOTREACHED */
108 }
109
110 static void
111 drop_all_privs(void)
112 {
113 struct mystr user_str = INIT_MYSTR;
114 struct mystr dir_str = INIT_MYSTR;
115 str_alloc_text(&user_str, tunable_nopriv_user);
116 str_alloc_text(&dir_str, tunable_secure_chroot_dir);
117 /* Be kind: give good error message if the secure dir is missing */
118 {
119 struct vsf_sysutil_statbuf* p_statbuf = 0;
120 if (vsf_sysutil_retval_is_error(str_lstat(&dir_str, &p_statbuf)))
121 {
122 die2("vsftpd: not found: directory given in 'secure_chroot_dir':",
123 tunable_secure_chroot_dir);
124 }
125 vsf_sysutil_free(p_statbuf);
126 }
127 vsf_secutil_change_credentials(&user_str, &dir_str, 0, 0,
128 VSF_SECUTIL_OPTION_CHROOT);
129 str_free(&user_str);
130 str_free(&dir_str);
131 }
132
133 void
134 vsf_two_process_login(struct vsf_session* p_sess,
135 const struct mystr* p_pass_str)
136 {
137 char result;
138 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_LOGIN);
139 priv_sock_send_str(p_sess->child_fd, &p_sess->user_str);
140 priv_sock_send_str(p_sess->child_fd, p_pass_str);
141 priv_sock_send_int(p_sess->child_fd, p_sess->control_use_ssl);
142 priv_sock_send_int(p_sess->child_fd, p_sess->data_use_ssl);
143 result = priv_sock_get_result(p_sess->child_fd);
144 if (result == PRIV_SOCK_RESULT_OK)
145 {
146 /* Miracle. We don't emit the success message here. That is left to
147 * process_post_login().
148 * Exit normally, unless we are remaining as the SSL read / write child.
149 */
150 if (!p_sess->control_use_ssl)
151 {
152 vsf_sysutil_exit(0);
153 }
154 else
155 {
156 vsf_sysutil_clear_alarm();
157 vsf_sysutil_close(p_sess->child_fd);
158 if (tunable_setproctitle_enable)
159 {
160 vsf_sysutil_setproctitle("SSL handler");
161 }
162 process_ssl_slave_req(p_sess);
163 }
164 /* NOTREACHED */
165 }
166 else if (result == PRIV_SOCK_RESULT_BAD)
167 {
168 /* Continue the processing loop.. */
169 return;
170 }
171 else
172 {
173 die("priv_sock_get_result");
174 }
175 }
176
177 int
178 vsf_two_process_get_priv_data_sock(struct vsf_session* p_sess)
179 {
180 char res;
181 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_GET_DATA_SOCK);
182 res = priv_sock_get_result(p_sess->child_fd);
183 if (res != PRIV_SOCK_RESULT_OK)
184 {
185 die("could not get privileged socket");
186 }
187 return priv_sock_recv_fd(p_sess->child_fd);
188 }
189
190 void
191 vsf_two_process_chown_upload(struct vsf_session* p_sess, int fd)
192 {
193 char res;
194 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_CHOWN);
195 priv_sock_send_fd(p_sess->child_fd, fd);
196 res = priv_sock_get_result(p_sess->child_fd);
197 if (res != PRIV_SOCK_RESULT_OK)
198 {
199 die("unexpected failure in vsf_two_process_chown_upload");
200 }
201 }
202
203 static void
204 process_login_req(struct vsf_session* p_sess)
205 {
206 enum EVSFPrivopLoginResult e_login_result = kVSFLoginNull;
207 char cmd;
208 vsf_sysutil_unblock_sig(kVSFSysUtilSigCHLD);
209 /* Blocks */
210 cmd = priv_sock_get_cmd(p_sess->parent_fd);
211 vsf_sysutil_block_sig(kVSFSysUtilSigCHLD);
212 if (cmd != PRIV_SOCK_LOGIN)
213 {
214 die("bad request");
215 }
216 /* Get username and password - we must distrust these */
217 {
218 struct mystr password_str = INIT_MYSTR;
219 priv_sock_get_str(p_sess->parent_fd, &p_sess->user_str);
220 priv_sock_get_str(p_sess->parent_fd, &password_str);
221 p_sess->control_use_ssl = priv_sock_get_int(p_sess->parent_fd);
222 p_sess->data_use_ssl = priv_sock_get_int(p_sess->parent_fd);
223 if (!tunable_ssl_enable)
224 {
225 p_sess->control_use_ssl = 0;
226 p_sess->data_use_ssl = 0;
227 }
228 e_login_result = vsf_privop_do_login(p_sess, &password_str);
229 str_free(&password_str);
230 }
231 switch (e_login_result)
232 {
233 case kVSFLoginFail:
234 priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_BAD);
235 return;
236 break;
237 case kVSFLoginAnon:
238 str_alloc_text(&p_sess->user_str, tunable_ftp_username);
239 common_do_login(p_sess, &p_sess->user_str, 1, 1);
240 break;
241 case kVSFLoginReal:
242 {
243 int do_chroot = 0;
244 if (tunable_chroot_local_user)
245 {
246 do_chroot = 1;
247 }
248 if (tunable_chroot_list_enable)
249 {
250 struct mystr chroot_list_file = INIT_MYSTR;
251 int retval = str_fileread(&chroot_list_file,
252 tunable_chroot_list_file,
253 VSFTP_CONF_FILE_MAX);
254 if (vsf_sysutil_retval_is_error(retval))
255 {
256 die2("could not open chroot() list file:",
257 tunable_chroot_list_file);
258 }
259 if (str_contains_line(&chroot_list_file, &p_sess->user_str))
260 {
261 if (do_chroot)
262 {
263 do_chroot = 0;
264 }
265 else
266 {
267 do_chroot = 1;
268 }
269 }
270 str_free(&chroot_list_file);
271 }
272 common_do_login(p_sess, &p_sess->user_str, do_chroot, 0);
273 }
274 break;
275 default:
276 bug("weird state in process_login_request");
277 break;
278 }
279 /* NOTREACHED */
280 }
281
282 static void
283 process_ssl_slave_req(struct vsf_session* p_sess)
284 {
285 priv_sock_send_str(p_sess->ssl_slave_fd, &p_sess->control_cert_digest);
286 while (1)
287 {
288 char cmd = priv_sock_get_cmd(p_sess->ssl_slave_fd);
289 int retval;
290 if (cmd == PRIV_SOCK_GET_USER_CMD)
291 {
292 ftp_getline(p_sess, &p_sess->ftp_cmd_str, p_sess->p_control_line_buf);
293 priv_sock_send_str(p_sess->ssl_slave_fd, &p_sess->ftp_cmd_str);
294 }
295 else if (cmd == PRIV_SOCK_WRITE_USER_RESP)
296 {
297 priv_sock_get_str(p_sess->ssl_slave_fd, &p_sess->ftp_cmd_str);
298 retval = ftp_write_str(p_sess, &p_sess->ftp_cmd_str, kVSFRWControl);
299 priv_sock_send_int(p_sess->ssl_slave_fd, retval);
300 }
301 else
302 {
303 die("bad request in process_ssl_slave_req");
304 }
305 }
306 }
307
308 static void
309 common_do_login(struct vsf_session* p_sess, const struct mystr* p_user_str,
310 int do_chroot, int anon)
311 {
312 int was_anon = anon;
313 const struct mystr* p_orig_user_str = p_user_str;
314 int newpid;
315 vsf_sysutil_install_null_sighandler(kVSFSysUtilSigCHLD);
316 /* Tells the pre-login child all is OK (it may exit in response) */
317 priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK);
318 if (!p_sess->control_use_ssl)
319 {
320 (void) vsf_sysutil_wait();
321 }
322 else
323 {
324 p_sess->ssl_slave_active = 1;
325 }
326 /* Absorb the SIGCHLD */
327 vsf_sysutil_unblock_sig(kVSFSysUtilSigCHLD);
328 /* Handle loading per-user config options */
329 handle_per_user_config(p_user_str);
330 /* Set this before we fork */
331 p_sess->is_anonymous = anon;
332 vsf_sysutil_install_async_sighandler(kVSFSysUtilSigCHLD, handle_sigchld);
333 newpid = vsf_sysutil_fork();
334 if (newpid == 0)
335 {
336 struct mystr guest_user_str = INIT_MYSTR;
337 struct mystr chroot_str = INIT_MYSTR;
338 struct mystr chdir_str = INIT_MYSTR;
339 struct mystr userdir_str = INIT_MYSTR;
340 unsigned int secutil_option = VSF_SECUTIL_OPTION_USE_GROUPS;
341 /* Child - drop privs and start proper FTP! */
342 vsf_sysutil_close(p_sess->parent_fd);
343 if (tunable_ssl_enable)
344 {
345 vsf_sysutil_close(p_sess->ssl_slave_fd);
346 if (p_sess->ssl_slave_active)
347 {
348 priv_sock_get_str(p_sess->ssl_consumer_fd,
349 &p_sess->control_cert_digest);
350 }
351 }
352 if (tunable_guest_enable && !anon)
353 {
354 p_sess->is_guest = 1;
355 /* Remap to the guest user */
356 str_alloc_text(&guest_user_str, tunable_guest_username);
357 p_user_str = &guest_user_str;
358 if (!tunable_virtual_use_local_privs)
359 {
360 anon = 1;
361 do_chroot = 1;
362 }
363 }
364 if (do_chroot)
365 {
366 secutil_option |= VSF_SECUTIL_OPTION_CHROOT;
367 }
368 if (!anon)
369 {
370 secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
371 }
372 calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str,
373 p_user_str, p_orig_user_str);
374 vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str,
375 0, secutil_option);
376 if (!str_isempty(&chdir_str))
377 {
378 (void) str_chdir(&chdir_str);
379 }
380 str_free(&guest_user_str);
381 str_free(&chroot_str);
382 str_free(&chdir_str);
383 str_free(&userdir_str);
384 /* Guard against the config error of having the anonymous ftp tree owned
385 * by the user we are running as
386 */
387 if (was_anon && vsf_sysutil_write_access("/"))
388 {
389 die("vsftpd: refusing to run with writable anonymous root");
390 }
391 p_sess->is_anonymous = anon;
392 process_post_login(p_sess);
393 bug("should not get here: common_do_login");
394 }
395 /* Parent */
396 if (tunable_ssl_enable)
397 {
398 vsf_sysutil_close(p_sess->ssl_consumer_fd);
399 /* Keep the SSL slave fd around so we can shutdown() upon exit */
400 }
401 vsf_priv_parent_postlogin(p_sess);
402 bug("should not get here in common_do_login");
403 }
404
405 static void
406 handle_per_user_config(const struct mystr* p_user_str)
407 {
408 struct mystr filename_str = INIT_MYSTR;
409 struct vsf_sysutil_statbuf* p_statbuf = 0;
410 struct str_locate_result loc_result;
411 int retval;
412 if (!tunable_user_config_dir)
413 {
414 return;
415 }
416 /* Security paranoia - ignore if user has a / in it. */
417 loc_result = str_locate_char(p_user_str, '/');
418 if (loc_result.found)
419 {
420 return;
421 }
422 str_alloc_text(&filename_str, tunable_user_config_dir);
423 str_append_char(&filename_str, '/');
424 str_append_str(&filename_str, p_user_str);
425 retval = str_stat(&filename_str, &p_statbuf);
426 /* Security - ignore unless owned by root */
427 if (!vsf_sysutil_retval_is_error(retval) &&
428 vsf_sysutil_statbuf_get_uid(p_statbuf) == VSFTP_ROOT_UID)
429 {
430 vsf_parseconf_load_file(str_getbuf(&filename_str), 1);
431 }
432 str_free(&filename_str);
433 vsf_sysutil_free(p_statbuf);
434 }
435
436 static void
437 calculate_chdir_dir(int anon_login, struct mystr* p_userdir_str,
438 struct mystr* p_chroot_str,
439 struct mystr* p_chdir_str,
440 const struct mystr* p_user_str,
441 const struct mystr* p_orig_user_str)
442 {
443 if (!anon_login)
444 {
445 const struct vsf_sysutil_user* p_user = str_getpwnam(p_user_str);
446 if (p_user == 0)
447 {
448 die2("cannot locate user entry:", str_getbuf(p_user_str));
449 }
450 str_alloc_text(p_userdir_str, vsf_sysutil_user_get_homedir(p_user));
451 if (tunable_user_sub_token)
452 {
453 str_replace_text(p_userdir_str, tunable_user_sub_token,
454 str_getbuf(p_orig_user_str));
455 }
456 }
457 if (anon_login && tunable_anon_root)
458 {
459 str_alloc_text(p_chroot_str, tunable_anon_root);
460 }
461 else if (!anon_login && tunable_local_root)
462 {
463 str_alloc_text(p_chroot_str, tunable_local_root);
464 if (tunable_user_sub_token)
465 {
466 str_replace_text(p_chroot_str, tunable_user_sub_token,
467 str_getbuf(p_orig_user_str));
468 }
469 }
470 /* If enabled, the chroot() location embedded in the HOMEDIR takes
471 * precedence.
472 */
473 if (!anon_login && tunable_passwd_chroot_enable)
474 {
475 struct str_locate_result loc_result;
476 loc_result = str_locate_text(p_userdir_str, "/./");
477 if (loc_result.found)
478 {
479 str_split_text(p_userdir_str, p_chdir_str, "/./");
480 str_copy(p_chroot_str, p_userdir_str);
481 }
482 }
483 }
484
Tomato firmware and modifications.