search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
vsftpd 2.3.5
[tomato.git] / release / src-rt-6.x.4708 / router / vsftpd / twoprocess.c
blob394d90929b81e134ebf2236fe416a1180fcd70b2
1 /*
2 * Part of Very Secure FTPd
3 * License: GPL v2
4 * Author: Chris Evans
5 * twoprocess.c
6 *
7 * Code implementing the standard, secure two process security model.
8 */
9
10 #include "twoprocess.h"
11 #include "privops.h"
12 #include "prelogin.h"
13 #include "postlogin.h"
14 #include "postprivparent.h"
15 #include "session.h"
16 #include "privsock.h"
17 #include "secutil.h"
18 #include "filestr.h"
19 #include "str.h"
20 #include "sysstr.h"
21 #include "utility.h"
22 #include "tunables.h"
23 #include "defs.h"
24 #include "parseconf.h"
25 #include "ssl.h"
26 #include "readwrite.h"
27 #include "sysutil.h"
28 #include "sysdeputil.h"
29 #include "sslslave.h"
30
31 static void drop_all_privs(void);
32 static void handle_sigchld(void* duff);
33 static void handle_sigterm(void* duff);
34 static void process_login_req(struct vsf_session* p_sess);
35 static void common_do_login(struct vsf_session* p_sess,
36 const struct mystr* p_user_str, int do_chroot,
37 int anon);
38 static void handle_per_user_config(const struct mystr* p_user_str);
39 static void calculate_chdir_dir(int anon, struct mystr* p_userdir_str,
40 struct mystr* p_chroot_str,
41 struct mystr* p_chdir_str,
42 const struct mystr* p_user_str,
43 const struct mystr* p_orig_user_str);
44
45 static void
46 handle_sigchld(void* duff)
47 {
48
49 struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait();
50 (void) duff;
51 /* Child died, so we'll do the same! Report it as an error unless the child
52 * exited normally with zero exit code
53 */
54 if (vsf_sysutil_retval_is_error(vsf_sysutil_wait_get_retval(&wait_retval)) ||
55 !vsf_sysutil_wait_exited_normally(&wait_retval) ||
56 vsf_sysutil_wait_get_exitcode(&wait_retval) != 0)
57 {
58 die("child died");
59 }
60 else
61 {
62 vsf_sysutil_exit(0);
63 }
64 }
65
66 static void
67 handle_sigterm(void* duff)
68 {
69 (void) duff;
70 /* Blow away the connection to make sure no process lingers. */
71 vsf_sysutil_shutdown_failok(VSFTP_COMMAND_FD);
72 /* Will call the registered exit function to clean up u/wtmp if needed. */
73 vsf_sysutil_exit(1);
74 }
75
76 void
77 vsf_two_process_start(struct vsf_session* p_sess)
78 {
79 vsf_sysutil_install_sighandler(kVSFSysUtilSigTERM, handle_sigterm, 0, 1);
80 /* Overrides the SIGKILL setting set by the standalone listener. */
81 vsf_set_term_if_parent_dies();
82 /* Create the comms channel between privileged parent and no-priv child */
83 priv_sock_init(p_sess);
84 if (tunable_ssl_enable)
85 {
86 /* Create the comms channel between the no-priv SSL child and the low-priv
87 * protocol handling child.
88 */
89 ssl_comm_channel_init(p_sess);
90 }
91 vsf_sysutil_install_sighandler(kVSFSysUtilSigCHLD, handle_sigchld, 0, 1);
92 {
93 int newpid;
94 if (tunable_isolate_network)
95 {
96 newpid = vsf_sysutil_fork_newnet();
97 }
98 else
99 {
100 newpid = vsf_sysutil_fork();
101 }
102 if (newpid != 0)
103 {
104 priv_sock_set_parent_context(p_sess);
105 if (tunable_ssl_enable)
106 {
107 ssl_comm_channel_set_consumer_context(p_sess);
108 }
109 /* Parent - go into pre-login parent process mode */
110 while (1)
111 {
112 process_login_req(p_sess);
113 }
114 }
115 }
116 /* Child process - time to lose as much privilege as possible and do the
117 * login processing
118 */
119 vsf_set_die_if_parent_dies();
120 priv_sock_set_child_context(p_sess);
121 if (tunable_ssl_enable)
122 {
123 ssl_comm_channel_set_producer_context(p_sess);
124 }
125 if (tunable_local_enable && tunable_userlist_enable)
126 {
127 int retval = str_fileread(&p_sess->userlist_str, tunable_userlist_file,
128 VSFTP_CONF_FILE_MAX);
129 if (vsf_sysutil_retval_is_error(retval))
130 {
131 die2("cannot read user list file:", tunable_userlist_file);
132 }
133 }
134 drop_all_privs();
135 init_connection(p_sess);
136 /* NOTREACHED */
137 }
138
139 static void
140 drop_all_privs(void)
141 {
142 struct mystr user_str = INIT_MYSTR;
143 struct mystr dir_str = INIT_MYSTR;
144 int option = VSF_SECUTIL_OPTION_CHROOT | VSF_SECUTIL_OPTION_NO_PROCS;
145 if (!tunable_ssl_enable)
146 {
147 /* Unfortunately, can only enable this if we can be sure of not using SSL.
148 * In the SSL case, we'll need to receive data transfer file descriptors.
149 */
150 option |= VSF_SECUTIL_OPTION_NO_FDS;
151 }
152 str_alloc_text(&user_str, tunable_nopriv_user);
153 str_alloc_text(&dir_str, tunable_secure_chroot_dir);
154 /* Be kind: give good error message if the secure dir is missing */
155 {
156 struct vsf_sysutil_statbuf* p_statbuf = 0;
157 if (vsf_sysutil_retval_is_error(str_lstat(&dir_str, &p_statbuf)))
158 {
159 die2("vsftpd: not found: directory given in 'secure_chroot_dir':",
160 tunable_secure_chroot_dir);
161 }
162 vsf_sysutil_free(p_statbuf);
163 }
164 vsf_secutil_change_credentials(&user_str, &dir_str, 0, 0, option);
165 str_free(&user_str);
166 str_free(&dir_str);
167 }
168
169 void
170 vsf_two_process_login(struct vsf_session* p_sess,
171 const struct mystr* p_pass_str)
172 {
173 char result;
174 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_LOGIN);
175 priv_sock_send_str(p_sess->child_fd, &p_sess->user_str);
176 priv_sock_send_str(p_sess->child_fd, p_pass_str);
177 priv_sock_send_int(p_sess->child_fd, p_sess->control_use_ssl);
178 priv_sock_send_int(p_sess->child_fd, p_sess->data_use_ssl);
179 result = priv_sock_get_result(p_sess->child_fd);
180 if (result == PRIV_SOCK_RESULT_OK)
181 {
182 /* Miracle. We don't emit the success message here. That is left to
183 * process_post_login().
184 * Exit normally, unless we are remaining as the SSL read / write child.
185 */
186 if (!p_sess->control_use_ssl)
187 {
188 vsf_sysutil_exit(0);
189 }
190 else
191 {
192 ssl_slave(p_sess);
193 }
194 /* NOTREACHED */
195 }
196 else if (result == PRIV_SOCK_RESULT_BAD)
197 {
198 /* Continue the processing loop.. */
199 return;
200 }
201 else
202 {
203 die("priv_sock_get_result");
204 }
205 }
206
207 int
208 vsf_two_process_get_priv_data_sock(struct vsf_session* p_sess)
209 {
210 char res;
211 unsigned short port = vsf_sysutil_sockaddr_get_port(p_sess->p_port_sockaddr);
212 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_GET_DATA_SOCK);
213 priv_sock_send_int(p_sess->child_fd, port);
214 res = priv_sock_get_result(p_sess->child_fd);
215 if (res == PRIV_SOCK_RESULT_BAD)
216 {
217 return -1;
218 }
219 else if (res != PRIV_SOCK_RESULT_OK)
220 {
221 die("could not get privileged socket");
222 }
223 return priv_sock_recv_fd(p_sess->child_fd);
224 }
225
226 void
227 vsf_two_process_pasv_cleanup(struct vsf_session* p_sess)
228 {
229 char res;
230 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_CLEANUP);
231 res = priv_sock_get_result(p_sess->child_fd);
232 if (res != PRIV_SOCK_RESULT_OK)
233 {
234 die("could not clean up socket");
235 }
236 }
237
238 int
239 vsf_two_process_pasv_active(struct vsf_session* p_sess)
240 {
241 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_ACTIVE);
242 return priv_sock_get_int(p_sess->child_fd);
243 }
244
245 unsigned short
246 vsf_two_process_listen(struct vsf_session* p_sess)
247 {
248 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_LISTEN);
249 return (unsigned short) priv_sock_get_int(p_sess->child_fd);
250 }
251
252 int
253 vsf_two_process_get_pasv_fd(struct vsf_session* p_sess)
254 {
255 char res;
256 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_ACCEPT);
257 res = priv_sock_get_result(p_sess->child_fd);
258 if (res == PRIV_SOCK_RESULT_BAD)
259 {
260 return priv_sock_get_int(p_sess->child_fd);
261 }
262 else if (res != PRIV_SOCK_RESULT_OK)
263 {
264 die("could not accept on listening socket");
265 }
266 return priv_sock_recv_fd(p_sess->child_fd);
267 }
268
269 void
270 vsf_two_process_chown_upload(struct vsf_session* p_sess, int fd)
271 {
272 char res;
273 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_CHOWN);
274 priv_sock_send_fd(p_sess->child_fd, fd);
275 res = priv_sock_get_result(p_sess->child_fd);
276 if (res != PRIV_SOCK_RESULT_OK)
277 {
278 die("unexpected failure in vsf_two_process_chown_upload");
279 }
280 }
281
282 static void
283 process_login_req(struct vsf_session* p_sess)
284 {
285 enum EVSFPrivopLoginResult e_login_result = kVSFLoginNull;
286 char cmd;
287 /* Blocks */
288 cmd = priv_sock_get_cmd(p_sess->parent_fd);
289 if (cmd != PRIV_SOCK_LOGIN)
290 {
291 die("bad request");
292 }
293 /* Get username and password - we must distrust these */
294 {
295 struct mystr password_str = INIT_MYSTR;
296 priv_sock_get_str(p_sess->parent_fd, &p_sess->user_str);
297 priv_sock_get_str(p_sess->parent_fd, &password_str);
298 p_sess->control_use_ssl = priv_sock_get_int(p_sess->parent_fd);
299 p_sess->data_use_ssl = priv_sock_get_int(p_sess->parent_fd);
300 if (!tunable_ssl_enable)
301 {
302 p_sess->control_use_ssl = 0;
303 p_sess->data_use_ssl = 0;
304 }
305 e_login_result = vsf_privop_do_login(p_sess, &password_str);
306 str_free(&password_str);
307 }
308 switch (e_login_result)
309 {
310 case kVSFLoginFail:
311 priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_BAD);
312 return;
313 break;
314 case kVSFLoginAnon:
315 str_alloc_text(&p_sess->user_str, tunable_ftp_username);
316 common_do_login(p_sess, &p_sess->user_str, 1, 1);
317 break;
318 case kVSFLoginReal:
319 {
320 int do_chroot = 0;
321 if (tunable_chroot_local_user)
322 {
323 do_chroot = 1;
324 }
325 if (tunable_chroot_list_enable)
326 {
327 struct mystr chroot_list_file = INIT_MYSTR;
328 int retval = str_fileread(&chroot_list_file,
329 tunable_chroot_list_file,
330 VSFTP_CONF_FILE_MAX);
331 if (vsf_sysutil_retval_is_error(retval))
332 {
333 die2("could not read chroot() list file:",
334 tunable_chroot_list_file);
335 }
336 if (str_contains_line(&chroot_list_file, &p_sess->user_str))
337 {
338 if (do_chroot)
339 {
340 do_chroot = 0;
341 }
342 else
343 {
344 do_chroot = 1;
345 }
346 }
347 str_free(&chroot_list_file);
348 }
349 common_do_login(p_sess, &p_sess->user_str, do_chroot, 0);
350 }
351 break;
352 case kVSFLoginNull:
353 /* Fall through */
354 default:
355 bug("weird state in process_login_request");
356 break;
357 }
358 /* NOTREACHED */
359 }
360
361 static void
362 common_do_login(struct vsf_session* p_sess, const struct mystr* p_user_str,
363 int do_chroot, int anon)
364 {
365 int was_anon = anon;
366 const struct mystr* p_orig_user_str = p_user_str;
367 int newpid;
368 vsf_sysutil_install_null_sighandler(kVSFSysUtilSigCHLD);
369 /* Tells the pre-login child all is OK (it may exit in response) */
370 priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK);
371 if (!p_sess->control_use_ssl)
372 {
373 (void) vsf_sysutil_wait();
374 }
375 else
376 {
377 p_sess->ssl_slave_active = 1;
378 }
379 /* Handle loading per-user config options */
380 handle_per_user_config(p_user_str);
381 /* Set this before we fork */
382 p_sess->is_anonymous = anon;
383 priv_sock_close(p_sess);
384 priv_sock_init(p_sess);
385 vsf_sysutil_install_sighandler(kVSFSysUtilSigCHLD, handle_sigchld, 0, 1);
386 if (tunable_isolate_network && !tunable_port_promiscuous)
387 {
388 newpid = vsf_sysutil_fork_newnet();
389 }
390 else
391 {
392 newpid = vsf_sysutil_fork();
393 }
394 if (newpid == 0)
395 {
396 struct mystr guest_user_str = INIT_MYSTR;
397 struct mystr chroot_str = INIT_MYSTR;
398 struct mystr chdir_str = INIT_MYSTR;
399 struct mystr userdir_str = INIT_MYSTR;
400 unsigned int secutil_option = VSF_SECUTIL_OPTION_USE_GROUPS |
401 VSF_SECUTIL_OPTION_NO_PROCS;
402 /* Child - drop privs and start proper FTP! */
403 /* This PR_SET_PDEATHSIG doesn't work for all possible process tree setups.
404 * The other cases are taken care of by a shutdown() of the command
405 * connection in our SIGTERM handler.
406 */
407 vsf_set_die_if_parent_dies();
408 priv_sock_set_child_context(p_sess);
409 if (tunable_guest_enable && !anon)
410 {
411 p_sess->is_guest = 1;
412 /* Remap to the guest user */
413 str_alloc_text(&guest_user_str, tunable_guest_username);
414 p_user_str = &guest_user_str;
415 if (!tunable_virtual_use_local_privs)
416 {
417 anon = 1;
418 do_chroot = 1;
419 }
420 }
421 if (do_chroot)
422 {
423 secutil_option |= VSF_SECUTIL_OPTION_CHROOT;
424 }
425 if (!anon)
426 {
427 secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
428 }
429 calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str,
430 p_user_str, p_orig_user_str);
431 vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str,
432 0, secutil_option);
433 if (!str_isempty(&chdir_str))
434 {
435 (void) str_chdir(&chdir_str);
436 }
437 str_free(&guest_user_str);
438 str_free(&chroot_str);
439 str_free(&chdir_str);
440 str_free(&userdir_str);
441 /* Guard against the config error of having the anonymous ftp tree owned
442 * by the user we are running as
443 */
444 if (!tunable_anon_allow_writable_root && was_anon && vsf_sysutil_write_access("/"))
445 {
446 die("vsftpd: refusing to run with writable anonymous root");
447 }
448 p_sess->is_anonymous = anon;
449 process_post_login(p_sess);
450 bug("should not get here: common_do_login");
451 }
452 /* Parent */
453 priv_sock_set_parent_context(p_sess);
454 if (tunable_ssl_enable)
455 {
456 ssl_comm_channel_set_producer_context(p_sess);
457 }
458 vsf_priv_parent_postlogin(p_sess);
459 bug("should not get here in common_do_login");
460 }
461
462 static void
463 handle_per_user_config(const struct mystr* p_user_str)
464 {
465 struct mystr filename_str = INIT_MYSTR;
466 struct vsf_sysutil_statbuf* p_statbuf = 0;
467 struct str_locate_result loc_result;
468 int retval;
469 if (!tunable_user_config_dir)
470 {
471 return;
472 }
473 /* Security paranoia - ignore if user has a / in it. */
474 loc_result = str_locate_char(p_user_str, '/');
475 if (loc_result.found)
476 {
477 return;
478 }
479 str_alloc_text(&filename_str, tunable_user_config_dir);
480 str_append_char(&filename_str, '/');
481 str_append_str(&filename_str, p_user_str);
482 retval = str_stat(&filename_str, &p_statbuf);
483 if (!vsf_sysutil_retval_is_error(retval))
484 {
485 /* Security - file ownership check now in vsf_parseconf_load_file() */
486 vsf_parseconf_load_file(str_getbuf(&filename_str), 1);
487 }
488 else if (vsf_sysutil_get_error() != kVSFSysUtilErrNOENT)
489 {
490 die("error opening per-user config file");
491 }
492 str_free(&filename_str);
493 vsf_sysutil_free(p_statbuf);
494 }
495
496 static void
497 calculate_chdir_dir(int anon_login, struct mystr* p_userdir_str,
498 struct mystr* p_chroot_str,
499 struct mystr* p_chdir_str,
500 const struct mystr* p_user_str,
501 const struct mystr* p_orig_user_str)
502 {
503 if (!anon_login)
504 {
505 const struct vsf_sysutil_user* p_user = str_getpwnam(p_user_str);
506 if (p_user == 0)
507 {
508 die2("cannot locate user entry:", str_getbuf(p_user_str));
509 }
510 str_alloc_text(p_userdir_str, vsf_sysutil_user_get_homedir(p_user));
511 if (tunable_user_sub_token)
512 {
513 str_replace_text(p_userdir_str, tunable_user_sub_token,
514 str_getbuf(p_orig_user_str));
515 }
516 }
517 if (anon_login && tunable_anon_root)
518 {
519 str_alloc_text(p_chroot_str, tunable_anon_root);
520 }
521 else if (!anon_login && tunable_local_root)
522 {
523 str_alloc_text(p_chroot_str, tunable_local_root);
524 if (tunable_user_sub_token)
525 {
526 str_replace_text(p_chroot_str, tunable_user_sub_token,
527 str_getbuf(p_orig_user_str));
528 }
529 }
530 /* If enabled, the chroot() location embedded in the HOMEDIR takes
531 * precedence.
532 */
533 if (!anon_login && tunable_passwd_chroot_enable)
534 {
535 struct str_locate_result loc_result;
536 loc_result = str_locate_text(p_userdir_str, "/./");
537 if (loc_result.found)
538 {
539 str_split_text(p_userdir_str, p_chdir_str, "/./");
540 str_copy(p_chroot_str, p_userdir_str);
541 }
542 }
543 }
544
Tomato firmware and modifications.