2 * Part of Very Secure FTPd
7 * Code implementing the standard, secure two process security model.
10 #include "twoprocess.h"
13 #include "postlogin.h"
14 #include "postprivparent.h"
24 #include "parseconf.h"
26 #include "readwrite.h"
28 #include "sysdeputil.h"
30 #include "seccompsandbox.h"
32 static void drop_all_privs(void);
33 static void handle_sigchld(void* duff
);
34 static void handle_sigterm(void* duff
);
35 static void process_login_req(struct vsf_session
* p_sess
);
36 static void common_do_login(struct vsf_session
* p_sess
,
37 const struct mystr
* p_user_str
, int do_chroot
,
39 static void handle_per_user_config(const struct mystr
* p_user_str
);
40 static void calculate_chdir_dir(int anon
, struct mystr
* p_userdir_str
,
41 struct mystr
* p_chroot_str
,
42 struct mystr
* p_chdir_str
,
43 const struct mystr
* p_user_str
,
44 const struct mystr
* p_orig_user_str
);
47 handle_sigchld(void* duff
)
50 struct vsf_sysutil_wait_retval wait_retval
= vsf_sysutil_wait();
52 /* Child died, so we'll do the same! Report it as an error unless the child
53 * exited normally with zero exit code
55 if (vsf_sysutil_retval_is_error(vsf_sysutil_wait_get_retval(&wait_retval
)))
57 die("waiting for child");
59 else if (!vsf_sysutil_wait_exited_normally(&wait_retval
))
67 handle_sigterm(void* duff
)
70 /* Blow away the connection to make sure no process lingers. */
71 vsf_sysutil_shutdown_failok(VSFTP_COMMAND_FD
);
72 /* Will call the registered exit function to clean up u/wtmp if needed. */
77 vsf_two_process_start(struct vsf_session
* p_sess
)
79 vsf_sysutil_install_sighandler(kVSFSysUtilSigTERM
, handle_sigterm
, 0, 1);
80 /* Overrides the SIGKILL setting set by the standalone listener. */
81 vsf_set_term_if_parent_dies();
82 /* Create the comms channel between privileged parent and no-priv child */
83 priv_sock_init(p_sess
);
84 if (tunable_ssl_enable
)
86 /* Create the comms channel between the no-priv SSL child and the low-priv
87 * protocol handling child.
89 ssl_comm_channel_init(p_sess
);
91 vsf_sysutil_install_sighandler(kVSFSysUtilSigCHLD
, handle_sigchld
, 0, 1);
94 if (tunable_isolate_network
)
96 newpid
= vsf_sysutil_fork_newnet();
100 newpid
= vsf_sysutil_fork();
104 priv_sock_set_parent_context(p_sess
);
105 if (tunable_ssl_enable
)
107 ssl_comm_channel_set_consumer_context(p_sess
);
109 /* Parent - go into pre-login parent process mode */
112 process_login_req(p_sess
);
116 /* Child process - time to lose as much privilege as possible and do the
119 vsf_set_die_if_parent_dies();
120 priv_sock_set_child_context(p_sess
);
121 if (tunable_ssl_enable
)
123 ssl_comm_channel_set_producer_context(p_sess
);
125 if (tunable_local_enable
&& tunable_userlist_enable
)
128 if (tunable_userlist_file
)
130 retval
= str_fileread(&p_sess
->userlist_str
, tunable_userlist_file
,
131 VSFTP_CONF_FILE_MAX
);
133 if (vsf_sysutil_retval_is_error(retval
))
135 die2("cannot read user list file:", tunable_userlist_file
);
139 seccomp_sandbox_init();
140 seccomp_sandbox_setup_prelogin(p_sess
);
141 seccomp_sandbox_lockdown();
142 init_connection(p_sess
);
149 struct mystr user_str
= INIT_MYSTR
;
150 struct mystr dir_str
= INIT_MYSTR
;
151 unsigned int option
= VSF_SECUTIL_OPTION_CHROOT
| VSF_SECUTIL_OPTION_NO_PROCS
;
152 if (!tunable_ssl_enable
)
154 /* Unfortunately, can only enable this if we can be sure of not using SSL.
155 * In the SSL case, we'll need to receive data transfer file descriptors.
157 option
|= VSF_SECUTIL_OPTION_NO_FDS
;
159 if (tunable_nopriv_user
)
161 str_alloc_text(&user_str
, tunable_nopriv_user
);
163 if (tunable_secure_chroot_dir
)
165 str_alloc_text(&dir_str
, tunable_secure_chroot_dir
);
167 /* Be kind: give good error message if the secure dir is missing */
169 struct vsf_sysutil_statbuf
* p_statbuf
= 0;
170 if (vsf_sysutil_retval_is_error(str_lstat(&dir_str
, &p_statbuf
)))
172 die2("vsftpd: not found: directory given in 'secure_chroot_dir':",
173 tunable_secure_chroot_dir
);
175 vsf_sysutil_free(p_statbuf
);
177 vsf_secutil_change_credentials(&user_str
, &dir_str
, 0, 0, option
);
183 vsf_two_process_login(struct vsf_session
* p_sess
,
184 const struct mystr
* p_pass_str
)
187 priv_sock_send_cmd(p_sess
->child_fd
, PRIV_SOCK_LOGIN
);
188 priv_sock_send_str(p_sess
->child_fd
, &p_sess
->user_str
);
189 priv_sock_send_str(p_sess
->child_fd
, p_pass_str
);
190 priv_sock_send_int(p_sess
->child_fd
, p_sess
->control_use_ssl
);
191 priv_sock_send_int(p_sess
->child_fd
, p_sess
->data_use_ssl
);
192 result
= priv_sock_get_result(p_sess
->child_fd
);
193 if (result
== PRIV_SOCK_RESULT_OK
)
195 /* Miracle. We don't emit the success message here. That is left to
196 * process_post_login().
197 * Exit normally, unless we are remaining as the SSL read / write child.
199 if (!p_sess
->control_use_ssl
)
209 else if (result
== PRIV_SOCK_RESULT_BAD
)
211 /* Continue the processing loop.. */
216 die("priv_sock_get_result");
221 vsf_two_process_get_priv_data_sock(struct vsf_session
* p_sess
)
224 unsigned short port
= vsf_sysutil_sockaddr_get_port(p_sess
->p_port_sockaddr
);
225 priv_sock_send_cmd(p_sess
->child_fd
, PRIV_SOCK_GET_DATA_SOCK
);
226 priv_sock_send_int(p_sess
->child_fd
, port
);
227 res
= priv_sock_get_result(p_sess
->child_fd
);
228 if (res
== PRIV_SOCK_RESULT_BAD
)
232 else if (res
!= PRIV_SOCK_RESULT_OK
)
234 die("could not get privileged socket");
236 return priv_sock_recv_fd(p_sess
->child_fd
);
240 vsf_two_process_pasv_cleanup(struct vsf_session
* p_sess
)
243 priv_sock_send_cmd(p_sess
->child_fd
, PRIV_SOCK_PASV_CLEANUP
);
244 res
= priv_sock_get_result(p_sess
->child_fd
);
245 if (res
!= PRIV_SOCK_RESULT_OK
)
247 die("could not clean up socket");
252 vsf_two_process_pasv_active(struct vsf_session
* p_sess
)
254 priv_sock_send_cmd(p_sess
->child_fd
, PRIV_SOCK_PASV_ACTIVE
);
255 return priv_sock_get_int(p_sess
->child_fd
);
259 vsf_two_process_listen(struct vsf_session
* p_sess
)
261 priv_sock_send_cmd(p_sess
->child_fd
, PRIV_SOCK_PASV_LISTEN
);
262 return (unsigned short) priv_sock_get_int(p_sess
->child_fd
);
266 vsf_two_process_get_pasv_fd(struct vsf_session
* p_sess
)
269 priv_sock_send_cmd(p_sess
->child_fd
, PRIV_SOCK_PASV_ACCEPT
);
270 res
= priv_sock_get_result(p_sess
->child_fd
);
271 if (res
== PRIV_SOCK_RESULT_BAD
)
273 return priv_sock_get_int(p_sess
->child_fd
);
275 else if (res
!= PRIV_SOCK_RESULT_OK
)
277 die("could not accept on listening socket");
279 return priv_sock_recv_fd(p_sess
->child_fd
);
283 vsf_two_process_chown_upload(struct vsf_session
* p_sess
, int fd
)
286 priv_sock_send_cmd(p_sess
->child_fd
, PRIV_SOCK_CHOWN
);
287 priv_sock_send_fd(p_sess
->child_fd
, fd
);
288 res
= priv_sock_get_result(p_sess
->child_fd
);
289 if (res
!= PRIV_SOCK_RESULT_OK
)
291 die("unexpected failure in vsf_two_process_chown_upload");
296 process_login_req(struct vsf_session
* p_sess
)
298 enum EVSFPrivopLoginResult e_login_result
= kVSFLoginNull
;
301 cmd
= priv_sock_get_cmd(p_sess
->parent_fd
);
302 if (cmd
!= PRIV_SOCK_LOGIN
)
306 /* Get username and password - we must distrust these */
308 struct mystr password_str
= INIT_MYSTR
;
309 priv_sock_get_str(p_sess
->parent_fd
, &p_sess
->user_str
);
310 priv_sock_get_str(p_sess
->parent_fd
, &password_str
);
311 p_sess
->control_use_ssl
= priv_sock_get_int(p_sess
->parent_fd
);
312 p_sess
->data_use_ssl
= priv_sock_get_int(p_sess
->parent_fd
);
313 if (!tunable_ssl_enable
)
315 p_sess
->control_use_ssl
= 0;
316 p_sess
->data_use_ssl
= 0;
318 e_login_result
= vsf_privop_do_login(p_sess
, &password_str
);
319 str_free(&password_str
);
321 switch (e_login_result
)
324 priv_sock_send_result(p_sess
->parent_fd
, PRIV_SOCK_RESULT_BAD
);
328 str_free(&p_sess
->user_str
);
329 if (tunable_ftp_username
)
331 str_alloc_text(&p_sess
->user_str
, tunable_ftp_username
);
333 common_do_login(p_sess
, &p_sess
->user_str
, 1, 1);
338 if (tunable_chroot_local_user
)
342 if (tunable_chroot_list_enable
)
344 struct mystr chroot_list_file
= INIT_MYSTR
;
346 if (tunable_chroot_list_file
)
348 retval
= str_fileread(&chroot_list_file
, tunable_chroot_list_file
,
349 VSFTP_CONF_FILE_MAX
);
351 if (vsf_sysutil_retval_is_error(retval
))
353 die2("could not read chroot() list file:",
354 tunable_chroot_list_file
);
356 if (str_contains_line(&chroot_list_file
, &p_sess
->user_str
))
367 str_free(&chroot_list_file
);
369 common_do_login(p_sess
, &p_sess
->user_str
, do_chroot
, 0);
375 bug("weird state in process_login_request");
382 common_do_login(struct vsf_session
* p_sess
, const struct mystr
* p_user_str
,
383 int do_chroot
, int anon
)
386 const struct mystr
* p_orig_user_str
= p_user_str
;
388 vsf_sysutil_install_null_sighandler(kVSFSysUtilSigCHLD
);
389 /* Tells the pre-login child all is OK (it may exit in response) */
390 priv_sock_send_result(p_sess
->parent_fd
, PRIV_SOCK_RESULT_OK
);
391 if (!p_sess
->control_use_ssl
)
393 (void) vsf_sysutil_wait();
397 p_sess
->ssl_slave_active
= 1;
399 /* Handle loading per-user config options */
400 handle_per_user_config(p_user_str
);
401 /* Set this before we fork */
402 p_sess
->is_anonymous
= anon
;
403 priv_sock_close(p_sess
);
404 priv_sock_init(p_sess
);
405 vsf_sysutil_install_sighandler(kVSFSysUtilSigCHLD
, handle_sigchld
, 0, 1);
406 if (tunable_isolate_network
&& !tunable_port_promiscuous
)
408 newpid
= vsf_sysutil_fork_newnet();
412 newpid
= vsf_sysutil_fork();
416 struct mystr guest_user_str
= INIT_MYSTR
;
417 struct mystr chroot_str
= INIT_MYSTR
;
418 struct mystr chdir_str
= INIT_MYSTR
;
419 struct mystr userdir_str
= INIT_MYSTR
;
420 unsigned int secutil_option
= VSF_SECUTIL_OPTION_USE_GROUPS
|
421 VSF_SECUTIL_OPTION_NO_PROCS
;
422 /* Child - drop privs and start proper FTP! */
423 /* This PR_SET_PDEATHSIG doesn't work for all possible process tree setups.
424 * The other cases are taken care of by a shutdown() of the command
425 * connection in our SIGTERM handler.
427 vsf_set_die_if_parent_dies();
428 priv_sock_set_child_context(p_sess
);
429 if (tunable_guest_enable
&& !anon
)
431 p_sess
->is_guest
= 1;
432 /* Remap to the guest user */
433 if (tunable_guest_username
)
435 str_alloc_text(&guest_user_str
, tunable_guest_username
);
437 p_user_str
= &guest_user_str
;
438 if (!tunable_virtual_use_local_privs
)
446 secutil_option
|= VSF_SECUTIL_OPTION_CHROOT
;
450 secutil_option
|= VSF_SECUTIL_OPTION_CHANGE_EUID
;
452 if (!was_anon
&& tunable_allow_writeable_chroot
)
454 secutil_option
|= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT
;
456 calculate_chdir_dir(was_anon
, &userdir_str
, &chroot_str
, &chdir_str
,
457 p_user_str
, p_orig_user_str
);
458 vsf_secutil_change_credentials(p_user_str
, &userdir_str
, &chroot_str
,
460 if (!str_isempty(&chdir_str
))
462 (void) str_chdir(&chdir_str
);
464 str_free(&guest_user_str
);
465 str_free(&chroot_str
);
466 str_free(&chdir_str
);
467 str_free(&userdir_str
);
468 p_sess
->is_anonymous
= anon
;
469 seccomp_sandbox_init();
470 seccomp_sandbox_setup_postlogin(p_sess
);
471 seccomp_sandbox_lockdown();
472 process_post_login(p_sess
);
473 bug("should not get here: common_do_login");
476 priv_sock_set_parent_context(p_sess
);
477 if (tunable_ssl_enable
)
479 ssl_comm_channel_set_producer_context(p_sess
);
481 /* The seccomp sandbox lockdown for the priv parent is done inside here */
482 vsf_priv_parent_postlogin(p_sess
);
483 bug("should not get here in common_do_login");
487 handle_per_user_config(const struct mystr
* p_user_str
)
489 struct mystr filename_str
= INIT_MYSTR
;
490 struct vsf_sysutil_statbuf
* p_statbuf
= 0;
491 struct str_locate_result loc_result
;
493 if (!tunable_user_config_dir
)
497 /* Security paranoia - ignore if user has a / in it. */
498 loc_result
= str_locate_char(p_user_str
, '/');
499 if (loc_result
.found
)
503 str_alloc_text(&filename_str
, tunable_user_config_dir
);
504 str_append_char(&filename_str
, '/');
505 str_append_str(&filename_str
, p_user_str
);
506 retval
= str_stat(&filename_str
, &p_statbuf
);
507 if (!vsf_sysutil_retval_is_error(retval
))
509 /* Security - file ownership check now in vsf_parseconf_load_file() */
510 vsf_parseconf_load_file(str_getbuf(&filename_str
), 1);
512 else if (vsf_sysutil_get_error() != kVSFSysUtilErrNOENT
)
514 die("error opening per-user config file");
516 str_free(&filename_str
);
517 vsf_sysutil_free(p_statbuf
);
521 calculate_chdir_dir(int anon_login
, struct mystr
* p_userdir_str
,
522 struct mystr
* p_chroot_str
,
523 struct mystr
* p_chdir_str
,
524 const struct mystr
* p_user_str
,
525 const struct mystr
* p_orig_user_str
)
529 const struct vsf_sysutil_user
* p_user
= str_getpwnam(p_user_str
);
532 die2("cannot locate user entry:", str_getbuf(p_user_str
));
534 str_alloc_text(p_userdir_str
, vsf_sysutil_user_get_homedir(p_user
));
535 if (tunable_user_sub_token
)
537 str_replace_text(p_userdir_str
, tunable_user_sub_token
,
538 str_getbuf(p_orig_user_str
));
541 if (anon_login
&& tunable_anon_root
)
543 str_alloc_text(p_chroot_str
, tunable_anon_root
);
545 else if (!anon_login
&& tunable_local_root
)
547 str_alloc_text(p_chroot_str
, tunable_local_root
);
548 if (tunable_user_sub_token
)
550 str_replace_text(p_chroot_str
, tunable_user_sub_token
,
551 str_getbuf(p_orig_user_str
));
554 /* If enabled, the chroot() location embedded in the HOMEDIR takes
557 if (!anon_login
&& tunable_passwd_chroot_enable
)
559 struct str_locate_result loc_result
;
560 loc_result
= str_locate_text(p_userdir_str
, "/./");
561 if (loc_result
.found
)
563 str_split_text(p_userdir_str
, p_chdir_str
, "/./");
564 str_copy(p_chroot_str
, p_userdir_str
);