search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
vsftpd 3.0.3
[tomato.git] / release / src-rt-6.x.4708 / router / vsftpd / twoprocess.c
blob33d84dc85fe4223449922f8a2021230427c89d85
1 /*
2 * Part of Very Secure FTPd
3 * License: GPL v2
4 * Author: Chris Evans
5 * twoprocess.c
6 *
7 * Code implementing the standard, secure two process security model.
8 */
9
10 #include "twoprocess.h"
11 #include "privops.h"
12 #include "prelogin.h"
13 #include "postlogin.h"
14 #include "postprivparent.h"
15 #include "session.h"
16 #include "privsock.h"
17 #include "secutil.h"
18 #include "filestr.h"
19 #include "str.h"
20 #include "sysstr.h"
21 #include "utility.h"
22 #include "tunables.h"
23 #include "defs.h"
24 #include "parseconf.h"
25 #include "ssl.h"
26 #include "readwrite.h"
27 #include "sysutil.h"
28 #include "sysdeputil.h"
29 #include "sslslave.h"
30 #include "seccompsandbox.h"
31
32 static void drop_all_privs(void);
33 static void handle_sigchld(void* duff);
34 static void handle_sigterm(void* duff);
35 static void process_login_req(struct vsf_session* p_sess);
36 static void common_do_login(struct vsf_session* p_sess,
37 const struct mystr* p_user_str, int do_chroot,
38 int anon);
39 static void handle_per_user_config(const struct mystr* p_user_str);
40 static void calculate_chdir_dir(int anon, struct mystr* p_userdir_str,
41 struct mystr* p_chroot_str,
42 struct mystr* p_chdir_str,
43 const struct mystr* p_user_str,
44 const struct mystr* p_orig_user_str);
45
46 static void
47 handle_sigchld(void* duff)
48 {
49
50 struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait();
51 (void) duff;
52 /* Child died, so we'll do the same! Report it as an error unless the child
53 * exited normally with zero exit code
54 */
55 if (vsf_sysutil_retval_is_error(vsf_sysutil_wait_get_retval(&wait_retval)))
56 {
57 die("waiting for child");
58 }
59 else if (!vsf_sysutil_wait_exited_normally(&wait_retval))
60 {
61 die("child died");
62 }
63 vsf_sysutil_exit(0);
64 }
65
66 static void
67 handle_sigterm(void* duff)
68 {
69 (void) duff;
70 /* Blow away the connection to make sure no process lingers. */
71 vsf_sysutil_shutdown_failok(VSFTP_COMMAND_FD);
72 /* Will call the registered exit function to clean up u/wtmp if needed. */
73 vsf_sysutil_exit(1);
74 }
75
76 void
77 vsf_two_process_start(struct vsf_session* p_sess)
78 {
79 vsf_sysutil_install_sighandler(kVSFSysUtilSigTERM, handle_sigterm, 0, 1);
80 /* Overrides the SIGKILL setting set by the standalone listener. */
81 vsf_set_term_if_parent_dies();
82 /* Create the comms channel between privileged parent and no-priv child */
83 priv_sock_init(p_sess);
84 if (tunable_ssl_enable)
85 {
86 /* Create the comms channel between the no-priv SSL child and the low-priv
87 * protocol handling child.
88 */
89 ssl_comm_channel_init(p_sess);
90 }
91 vsf_sysutil_install_sighandler(kVSFSysUtilSigCHLD, handle_sigchld, 0, 1);
92 {
93 int newpid;
94 if (tunable_isolate_network)
95 {
96 newpid = vsf_sysutil_fork_newnet();
97 }
98 else
99 {
100 newpid = vsf_sysutil_fork();
101 }
102 if (newpid != 0)
103 {
104 priv_sock_set_parent_context(p_sess);
105 if (tunable_ssl_enable)
106 {
107 ssl_comm_channel_set_consumer_context(p_sess);
108 }
109 /* Parent - go into pre-login parent process mode */
110 while (1)
111 {
112 process_login_req(p_sess);
113 }
114 }
115 }
116 /* Child process - time to lose as much privilege as possible and do the
117 * login processing
118 */
119 vsf_set_die_if_parent_dies();
120 priv_sock_set_child_context(p_sess);
121 if (tunable_ssl_enable)
122 {
123 ssl_comm_channel_set_producer_context(p_sess);
124 }
125 if (tunable_local_enable && tunable_userlist_enable)
126 {
127 int retval = -1;
128 if (tunable_userlist_file)
129 {
130 retval = str_fileread(&p_sess->userlist_str, tunable_userlist_file,
131 VSFTP_CONF_FILE_MAX);
132 }
133 if (vsf_sysutil_retval_is_error(retval))
134 {
135 die2("cannot read user list file:", tunable_userlist_file);
136 }
137 }
138 drop_all_privs();
139 seccomp_sandbox_init();
140 seccomp_sandbox_setup_prelogin(p_sess);
141 seccomp_sandbox_lockdown();
142 init_connection(p_sess);
143 /* NOTREACHED */
144 }
145
146 static void
147 drop_all_privs(void)
148 {
149 struct mystr user_str = INIT_MYSTR;
150 struct mystr dir_str = INIT_MYSTR;
151 unsigned int option = VSF_SECUTIL_OPTION_CHROOT | VSF_SECUTIL_OPTION_NO_PROCS;
152 if (!tunable_ssl_enable)
153 {
154 /* Unfortunately, can only enable this if we can be sure of not using SSL.
155 * In the SSL case, we'll need to receive data transfer file descriptors.
156 */
157 option |= VSF_SECUTIL_OPTION_NO_FDS;
158 }
159 if (tunable_nopriv_user)
160 {
161 str_alloc_text(&user_str, tunable_nopriv_user);
162 }
163 if (tunable_secure_chroot_dir)
164 {
165 str_alloc_text(&dir_str, tunable_secure_chroot_dir);
166 }
167 /* Be kind: give good error message if the secure dir is missing */
168 {
169 struct vsf_sysutil_statbuf* p_statbuf = 0;
170 if (vsf_sysutil_retval_is_error(str_lstat(&dir_str, &p_statbuf)))
171 {
172 die2("vsftpd: not found: directory given in 'secure_chroot_dir':",
173 tunable_secure_chroot_dir);
174 }
175 vsf_sysutil_free(p_statbuf);
176 }
177 vsf_secutil_change_credentials(&user_str, &dir_str, 0, 0, option);
178 str_free(&user_str);
179 str_free(&dir_str);
180 }
181
182 void
183 vsf_two_process_login(struct vsf_session* p_sess,
184 const struct mystr* p_pass_str)
185 {
186 char result;
187 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_LOGIN);
188 priv_sock_send_str(p_sess->child_fd, &p_sess->user_str);
189 priv_sock_send_str(p_sess->child_fd, p_pass_str);
190 priv_sock_send_int(p_sess->child_fd, p_sess->control_use_ssl);
191 priv_sock_send_int(p_sess->child_fd, p_sess->data_use_ssl);
192 result = priv_sock_get_result(p_sess->child_fd);
193 if (result == PRIV_SOCK_RESULT_OK)
194 {
195 /* Miracle. We don't emit the success message here. That is left to
196 * process_post_login().
197 * Exit normally, unless we are remaining as the SSL read / write child.
198 */
199 if (!p_sess->control_use_ssl)
200 {
201 vsf_sysutil_exit(0);
202 }
203 else
204 {
205 ssl_slave(p_sess);
206 }
207 /* NOTREACHED */
208 }
209 else if (result == PRIV_SOCK_RESULT_BAD)
210 {
211 /* Continue the processing loop.. */
212 return;
213 }
214 else
215 {
216 die("priv_sock_get_result");
217 }
218 }
219
220 int
221 vsf_two_process_get_priv_data_sock(struct vsf_session* p_sess)
222 {
223 char res;
224 unsigned short port = vsf_sysutil_sockaddr_get_port(p_sess->p_port_sockaddr);
225 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_GET_DATA_SOCK);
226 priv_sock_send_int(p_sess->child_fd, port);
227 res = priv_sock_get_result(p_sess->child_fd);
228 if (res == PRIV_SOCK_RESULT_BAD)
229 {
230 return -1;
231 }
232 else if (res != PRIV_SOCK_RESULT_OK)
233 {
234 die("could not get privileged socket");
235 }
236 return priv_sock_recv_fd(p_sess->child_fd);
237 }
238
239 void
240 vsf_two_process_pasv_cleanup(struct vsf_session* p_sess)
241 {
242 char res;
243 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_CLEANUP);
244 res = priv_sock_get_result(p_sess->child_fd);
245 if (res != PRIV_SOCK_RESULT_OK)
246 {
247 die("could not clean up socket");
248 }
249 }
250
251 int
252 vsf_two_process_pasv_active(struct vsf_session* p_sess)
253 {
254 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_ACTIVE);
255 return priv_sock_get_int(p_sess->child_fd);
256 }
257
258 unsigned short
259 vsf_two_process_listen(struct vsf_session* p_sess)
260 {
261 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_LISTEN);
262 return (unsigned short) priv_sock_get_int(p_sess->child_fd);
263 }
264
265 int
266 vsf_two_process_get_pasv_fd(struct vsf_session* p_sess)
267 {
268 char res;
269 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_ACCEPT);
270 res = priv_sock_get_result(p_sess->child_fd);
271 if (res == PRIV_SOCK_RESULT_BAD)
272 {
273 return priv_sock_get_int(p_sess->child_fd);
274 }
275 else if (res != PRIV_SOCK_RESULT_OK)
276 {
277 die("could not accept on listening socket");
278 }
279 return priv_sock_recv_fd(p_sess->child_fd);
280 }
281
282 void
283 vsf_two_process_chown_upload(struct vsf_session* p_sess, int fd)
284 {
285 char res;
286 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_CHOWN);
287 priv_sock_send_fd(p_sess->child_fd, fd);
288 res = priv_sock_get_result(p_sess->child_fd);
289 if (res != PRIV_SOCK_RESULT_OK)
290 {
291 die("unexpected failure in vsf_two_process_chown_upload");
292 }
293 }
294
295 static void
296 process_login_req(struct vsf_session* p_sess)
297 {
298 enum EVSFPrivopLoginResult e_login_result = kVSFLoginNull;
299 char cmd;
300 /* Blocks */
301 cmd = priv_sock_get_cmd(p_sess->parent_fd);
302 if (cmd != PRIV_SOCK_LOGIN)
303 {
304 die("bad request");
305 }
306 /* Get username and password - we must distrust these */
307 {
308 struct mystr password_str = INIT_MYSTR;
309 priv_sock_get_str(p_sess->parent_fd, &p_sess->user_str);
310 priv_sock_get_str(p_sess->parent_fd, &password_str);
311 p_sess->control_use_ssl = priv_sock_get_int(p_sess->parent_fd);
312 p_sess->data_use_ssl = priv_sock_get_int(p_sess->parent_fd);
313 if (!tunable_ssl_enable)
314 {
315 p_sess->control_use_ssl = 0;
316 p_sess->data_use_ssl = 0;
317 }
318 e_login_result = vsf_privop_do_login(p_sess, &password_str);
319 str_free(&password_str);
320 }
321 switch (e_login_result)
322 {
323 case kVSFLoginFail:
324 priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_BAD);
325 return;
326 break;
327 case kVSFLoginAnon:
328 str_free(&p_sess->user_str);
329 if (tunable_ftp_username)
330 {
331 str_alloc_text(&p_sess->user_str, tunable_ftp_username);
332 }
333 common_do_login(p_sess, &p_sess->user_str, 1, 1);
334 break;
335 case kVSFLoginReal:
336 {
337 int do_chroot = 0;
338 if (tunable_chroot_local_user)
339 {
340 do_chroot = 1;
341 }
342 if (tunable_chroot_list_enable)
343 {
344 struct mystr chroot_list_file = INIT_MYSTR;
345 int retval = -1;
346 if (tunable_chroot_list_file)
347 {
348 retval = str_fileread(&chroot_list_file, tunable_chroot_list_file,
349 VSFTP_CONF_FILE_MAX);
350 }
351 if (vsf_sysutil_retval_is_error(retval))
352 {
353 die2("could not read chroot() list file:",
354 tunable_chroot_list_file);
355 }
356 if (str_contains_line(&chroot_list_file, &p_sess->user_str))
357 {
358 if (do_chroot)
359 {
360 do_chroot = 0;
361 }
362 else
363 {
364 do_chroot = 1;
365 }
366 }
367 str_free(&chroot_list_file);
368 }
369 common_do_login(p_sess, &p_sess->user_str, do_chroot, 0);
370 }
371 break;
372 case kVSFLoginNull:
373 /* Fall through */
374 default:
375 bug("weird state in process_login_request");
376 break;
377 }
378 /* NOTREACHED */
379 }
380
381 static void
382 common_do_login(struct vsf_session* p_sess, const struct mystr* p_user_str,
383 int do_chroot, int anon)
384 {
385 int was_anon = anon;
386 const struct mystr* p_orig_user_str = p_user_str;
387 int newpid;
388 vsf_sysutil_install_null_sighandler(kVSFSysUtilSigCHLD);
389 /* Tells the pre-login child all is OK (it may exit in response) */
390 priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK);
391 if (!p_sess->control_use_ssl)
392 {
393 (void) vsf_sysutil_wait();
394 }
395 else
396 {
397 p_sess->ssl_slave_active = 1;
398 }
399 /* Handle loading per-user config options */
400 handle_per_user_config(p_user_str);
401 /* Set this before we fork */
402 p_sess->is_anonymous = anon;
403 priv_sock_close(p_sess);
404 priv_sock_init(p_sess);
405 vsf_sysutil_install_sighandler(kVSFSysUtilSigCHLD, handle_sigchld, 0, 1);
406 if (tunable_isolate_network && !tunable_port_promiscuous)
407 {
408 newpid = vsf_sysutil_fork_newnet();
409 }
410 else
411 {
412 newpid = vsf_sysutil_fork();
413 }
414 if (newpid == 0)
415 {
416 struct mystr guest_user_str = INIT_MYSTR;
417 struct mystr chroot_str = INIT_MYSTR;
418 struct mystr chdir_str = INIT_MYSTR;
419 struct mystr userdir_str = INIT_MYSTR;
420 unsigned int secutil_option = VSF_SECUTIL_OPTION_USE_GROUPS |
421 VSF_SECUTIL_OPTION_NO_PROCS;
422 /* Child - drop privs and start proper FTP! */
423 /* This PR_SET_PDEATHSIG doesn't work for all possible process tree setups.
424 * The other cases are taken care of by a shutdown() of the command
425 * connection in our SIGTERM handler.
426 */
427 vsf_set_die_if_parent_dies();
428 priv_sock_set_child_context(p_sess);
429 if (tunable_guest_enable && !anon)
430 {
431 p_sess->is_guest = 1;
432 /* Remap to the guest user */
433 if (tunable_guest_username)
434 {
435 str_alloc_text(&guest_user_str, tunable_guest_username);
436 }
437 p_user_str = &guest_user_str;
438 if (!tunable_virtual_use_local_privs)
439 {
440 anon = 1;
441 do_chroot = 1;
442 }
443 }
444 if (do_chroot)
445 {
446 secutil_option |= VSF_SECUTIL_OPTION_CHROOT;
447 }
448 if (!anon)
449 {
450 secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
451 }
452 if (!was_anon && tunable_allow_writeable_chroot)
453 {
454 secutil_option |= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT;
455 }
456 calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str,
457 p_user_str, p_orig_user_str);
458 vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str,
459 0, secutil_option);
460 if (!str_isempty(&chdir_str))
461 {
462 (void) str_chdir(&chdir_str);
463 }
464 str_free(&guest_user_str);
465 str_free(&chroot_str);
466 str_free(&chdir_str);
467 str_free(&userdir_str);
468 p_sess->is_anonymous = anon;
469 seccomp_sandbox_init();
470 seccomp_sandbox_setup_postlogin(p_sess);
471 seccomp_sandbox_lockdown();
472 process_post_login(p_sess);
473 bug("should not get here: common_do_login");
474 }
475 /* Parent */
476 priv_sock_set_parent_context(p_sess);
477 if (tunable_ssl_enable)
478 {
479 ssl_comm_channel_set_producer_context(p_sess);
480 }
481 /* The seccomp sandbox lockdown for the priv parent is done inside here */
482 vsf_priv_parent_postlogin(p_sess);
483 bug("should not get here in common_do_login");
484 }
485
486 static void
487 handle_per_user_config(const struct mystr* p_user_str)
488 {
489 struct mystr filename_str = INIT_MYSTR;
490 struct vsf_sysutil_statbuf* p_statbuf = 0;
491 struct str_locate_result loc_result;
492 int retval;
493 if (!tunable_user_config_dir)
494 {
495 return;
496 }
497 /* Security paranoia - ignore if user has a / in it. */
498 loc_result = str_locate_char(p_user_str, '/');
499 if (loc_result.found)
500 {
501 return;
502 }
503 str_alloc_text(&filename_str, tunable_user_config_dir);
504 str_append_char(&filename_str, '/');
505 str_append_str(&filename_str, p_user_str);
506 retval = str_stat(&filename_str, &p_statbuf);
507 if (!vsf_sysutil_retval_is_error(retval))
508 {
509 /* Security - file ownership check now in vsf_parseconf_load_file() */
510 vsf_parseconf_load_file(str_getbuf(&filename_str), 1);
511 }
512 else if (vsf_sysutil_get_error() != kVSFSysUtilErrNOENT)
513 {
514 die("error opening per-user config file");
515 }
516 str_free(&filename_str);
517 vsf_sysutil_free(p_statbuf);
518 }
519
520 static void
521 calculate_chdir_dir(int anon_login, struct mystr* p_userdir_str,
522 struct mystr* p_chroot_str,
523 struct mystr* p_chdir_str,
524 const struct mystr* p_user_str,
525 const struct mystr* p_orig_user_str)
526 {
527 if (!anon_login)
528 {
529 const struct vsf_sysutil_user* p_user = str_getpwnam(p_user_str);
530 if (p_user == 0)
531 {
532 die2("cannot locate user entry:", str_getbuf(p_user_str));
533 }
534 str_alloc_text(p_userdir_str, vsf_sysutil_user_get_homedir(p_user));
535 if (tunable_user_sub_token)
536 {
537 str_replace_text(p_userdir_str, tunable_user_sub_token,
538 str_getbuf(p_orig_user_str));
539 }
540 }
541 if (anon_login && tunable_anon_root)
542 {
543 str_alloc_text(p_chroot_str, tunable_anon_root);
544 }
545 else if (!anon_login && tunable_local_root)
546 {
547 str_alloc_text(p_chroot_str, tunable_local_root);
548 if (tunable_user_sub_token)
549 {
550 str_replace_text(p_chroot_str, tunable_user_sub_token,
551 str_getbuf(p_orig_user_str));
552 }
553 }
554 /* If enabled, the chroot() location embedded in the HOMEDIR takes
555 * precedence.
556 */
557 if (!anon_login && tunable_passwd_chroot_enable)
558 {
559 struct str_locate_result loc_result;
560 loc_result = str_locate_text(p_userdir_str, "/./");
561 if (loc_result.found)
562 {
563 str_split_text(p_userdir_str, p_chdir_str, "/./");
564 str_copy(p_chroot_str, p_userdir_str);
565 }
566 }
567 }
568
Tomato firmware and modifications.