search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Vsftpd ver 2.1.1 (05/28/2009)
[tomato.git] / release / src / router / vsftpd / twoprocess.c
blobdff01ae1b9c777d4c8766e95e05eb211022170f2
1 /*
2 * Part of Very Secure FTPd
3 * License: GPL v2
4 * Author: Chris Evans
5 * twoprocess.c
6 *
7 * Code implementing the standard, secure two process security model.
8 */
9
10 #include "twoprocess.h"
11 #include "privops.h"
12 #include "prelogin.h"
13 #include "postlogin.h"
14 #include "postprivparent.h"
15 #include "session.h"
16 #include "privsock.h"
17 #include "secutil.h"
18 #include "filestr.h"
19 #include "str.h"
20 #include "sysstr.h"
21 #include "utility.h"
22 #include "tunables.h"
23 #include "defs.h"
24 #include "parseconf.h"
25 #include "ssl.h"
26 #include "readwrite.h"
27 #include "sysutil.h"
28 #include "sysdeputil.h"
29 #include "sslslave.h"
30
31 static void drop_all_privs(void);
32 static void handle_sigchld(void* duff);
33 static void handle_sigterm(void* duff);
34 static void process_login_req(struct vsf_session* p_sess);
35 static void common_do_login(struct vsf_session* p_sess,
36 const struct mystr* p_user_str, int do_chroot,
37 int anon);
38 static void handle_per_user_config(const struct mystr* p_user_str);
39 static void calculate_chdir_dir(int anon, struct mystr* p_userdir_str,
40 struct mystr* p_chroot_str,
41 struct mystr* p_chdir_str,
42 const struct mystr* p_user_str,
43 const struct mystr* p_orig_user_str);
44
45 static void
46 handle_sigchld(void* duff)
47 {
48
49 struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait();
50 (void) duff;
51 /* Child died, so we'll do the same! Report it as an error unless the child
52 * exited normally with zero exit code
53 */
54 if (vsf_sysutil_retval_is_error(vsf_sysutil_wait_get_retval(&wait_retval)) ||
55 !vsf_sysutil_wait_exited_normally(&wait_retval) ||
56 vsf_sysutil_wait_get_exitcode(&wait_retval) != 0)
57 {
58 die("child died");
59 }
60 else
61 {
62 vsf_sysutil_exit(0);
63 }
64 }
65
66 static void
67 handle_sigterm(void* duff)
68 {
69 (void) duff;
70 /* Blow away the connection to make sure no process lingers. */
71 vsf_sysutil_shutdown_failok(VSFTP_COMMAND_FD);
72 /* Will call the registered exit function to clean up u/wtmp if needed. */
73 vsf_sysutil_exit(1);
74 }
75
76 void
77 vsf_two_process_start(struct vsf_session* p_sess)
78 {
79 vsf_sysutil_install_sighandler(kVSFSysUtilSigTERM, handle_sigterm, 0, 1);
80 /* Overrides the SIGKILL setting set by the standalone listener. */
81 vsf_set_term_if_parent_dies();
82 /* Create the comms channel between privileged parent and no-priv child */
83 priv_sock_init(p_sess);
84 if (tunable_ssl_enable)
85 {
86 /* Create the comms channel between the no-priv SSL child and the low-priv
87 * protocol handling child.
88 */
89 ssl_comm_channel_init(p_sess);
90 }
91 vsf_sysutil_install_sighandler(kVSFSysUtilSigCHLD, handle_sigchld, 0, 1);
92 {
93 int newpid = vsf_sysutil_fork();
94 if (newpid != 0)
95 {
96 priv_sock_set_parent_context(p_sess);
97 if (tunable_ssl_enable)
98 {
99 ssl_comm_channel_set_consumer_context(p_sess);
100 }
101 /* Parent - go into pre-login parent process mode */
102 while (1)
103 {
104 process_login_req(p_sess);
105 }
106 }
107 }
108 /* Child process - time to lose as much privilege as possible and do the
109 * login processing
110 */
111 vsf_set_die_if_parent_dies();
112 priv_sock_set_child_context(p_sess);
113 if (tunable_ssl_enable)
114 {
115 ssl_comm_channel_set_producer_context(p_sess);
116 }
117 if (tunable_local_enable && tunable_userlist_enable)
118 {
119 int retval = str_fileread(&p_sess->userlist_str, tunable_userlist_file,
120 VSFTP_CONF_FILE_MAX);
121 if (vsf_sysutil_retval_is_error(retval))
122 {
123 die2("cannot open user list file:", tunable_userlist_file);
124 }
125 }
126 drop_all_privs();
127 init_connection(p_sess);
128 /* NOTREACHED */
129 }
130
131 static void
132 drop_all_privs(void)
133 {
134 struct mystr user_str = INIT_MYSTR;
135 struct mystr dir_str = INIT_MYSTR;
136 int option = VSF_SECUTIL_OPTION_CHROOT | VSF_SECUTIL_OPTION_NO_PROCS;
137 if (!tunable_ssl_enable)
138 {
139 /* Unfortunately, can only enable this if we can be sure of not using SSL.
140 * In the SSL case, we'll need to receive data transfer file descriptors.
141 */
142 option |= VSF_SECUTIL_OPTION_NO_FDS;
143 }
144 str_alloc_text(&user_str, tunable_nopriv_user);
145 str_alloc_text(&dir_str, tunable_secure_chroot_dir);
146 /* Be kind: give good error message if the secure dir is missing */
147 {
148 struct vsf_sysutil_statbuf* p_statbuf = 0;
149 if (vsf_sysutil_retval_is_error(str_lstat(&dir_str, &p_statbuf)))
150 {
151 die2("vsftpd: not found: directory given in 'secure_chroot_dir':",
152 tunable_secure_chroot_dir);
153 }
154 vsf_sysutil_free(p_statbuf);
155 }
156 vsf_secutil_change_credentials(&user_str, &dir_str, 0, 0, option);
157 str_free(&user_str);
158 str_free(&dir_str);
159 }
160
161 void
162 vsf_two_process_login(struct vsf_session* p_sess,
163 const struct mystr* p_pass_str)
164 {
165 char result;
166 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_LOGIN);
167 priv_sock_send_str(p_sess->child_fd, &p_sess->user_str);
168 priv_sock_send_str(p_sess->child_fd, p_pass_str);
169 priv_sock_send_int(p_sess->child_fd, p_sess->control_use_ssl);
170 priv_sock_send_int(p_sess->child_fd, p_sess->data_use_ssl);
171 result = priv_sock_get_result(p_sess->child_fd);
172 if (result == PRIV_SOCK_RESULT_OK)
173 {
174 /* Miracle. We don't emit the success message here. That is left to
175 * process_post_login().
176 * Exit normally, unless we are remaining as the SSL read / write child.
177 */
178 if (!p_sess->control_use_ssl)
179 {
180 vsf_sysutil_exit(0);
181 }
182 else
183 {
184 ssl_slave(p_sess);
185 }
186 /* NOTREACHED */
187 }
188 else if (result == PRIV_SOCK_RESULT_BAD)
189 {
190 /* Continue the processing loop.. */
191 return;
192 }
193 else
194 {
195 die("priv_sock_get_result");
196 }
197 }
198
199 int
200 vsf_two_process_get_priv_data_sock(struct vsf_session* p_sess)
201 {
202 char res;
203 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_GET_DATA_SOCK);
204 res = priv_sock_get_result(p_sess->child_fd);
205 if (res != PRIV_SOCK_RESULT_OK)
206 {
207 die("could not get privileged socket");
208 }
209 return priv_sock_recv_fd(p_sess->child_fd);
210 }
211
212 void
213 vsf_two_process_chown_upload(struct vsf_session* p_sess, int fd)
214 {
215 char res;
216 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_CHOWN);
217 priv_sock_send_fd(p_sess->child_fd, fd);
218 res = priv_sock_get_result(p_sess->child_fd);
219 if (res != PRIV_SOCK_RESULT_OK)
220 {
221 die("unexpected failure in vsf_two_process_chown_upload");
222 }
223 }
224
225 static void
226 process_login_req(struct vsf_session* p_sess)
227 {
228 enum EVSFPrivopLoginResult e_login_result = kVSFLoginNull;
229 char cmd;
230 /* Blocks */
231 cmd = priv_sock_get_cmd(p_sess->parent_fd);
232 if (cmd != PRIV_SOCK_LOGIN)
233 {
234 die("bad request");
235 }
236 /* Get username and password - we must distrust these */
237 {
238 struct mystr password_str = INIT_MYSTR;
239 priv_sock_get_str(p_sess->parent_fd, &p_sess->user_str);
240 priv_sock_get_str(p_sess->parent_fd, &password_str);
241 p_sess->control_use_ssl = priv_sock_get_int(p_sess->parent_fd);
242 p_sess->data_use_ssl = priv_sock_get_int(p_sess->parent_fd);
243 if (!tunable_ssl_enable)
244 {
245 p_sess->control_use_ssl = 0;
246 p_sess->data_use_ssl = 0;
247 }
248 e_login_result = vsf_privop_do_login(p_sess, &password_str);
249 str_free(&password_str);
250 }
251 switch (e_login_result)
252 {
253 case kVSFLoginFail:
254 priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_BAD);
255 return;
256 break;
257 case kVSFLoginAnon:
258 str_alloc_text(&p_sess->user_str, tunable_ftp_username);
259 common_do_login(p_sess, &p_sess->user_str, 1, 1);
260 break;
261 case kVSFLoginReal:
262 {
263 int do_chroot = 0;
264 if (tunable_chroot_local_user)
265 {
266 do_chroot = 1;
267 }
268 if (tunable_chroot_list_enable)
269 {
270 struct mystr chroot_list_file = INIT_MYSTR;
271 int retval = str_fileread(&chroot_list_file,
272 tunable_chroot_list_file,
273 VSFTP_CONF_FILE_MAX);
274 if (vsf_sysutil_retval_is_error(retval))
275 {
276 die2("could not open chroot() list file:",
277 tunable_chroot_list_file);
278 }
279 if (str_contains_line(&chroot_list_file, &p_sess->user_str))
280 {
281 if (do_chroot)
282 {
283 do_chroot = 0;
284 }
285 else
286 {
287 do_chroot = 1;
288 }
289 }
290 str_free(&chroot_list_file);
291 }
292 common_do_login(p_sess, &p_sess->user_str, do_chroot, 0);
293 }
294 break;
295 default:
296 bug("weird state in process_login_request");
297 break;
298 }
299 /* NOTREACHED */
300 }
301
302 static void
303 common_do_login(struct vsf_session* p_sess, const struct mystr* p_user_str,
304 int do_chroot, int anon)
305 {
306 int was_anon = anon;
307 const struct mystr* p_orig_user_str = p_user_str;
308 int newpid;
309 vsf_sysutil_install_null_sighandler(kVSFSysUtilSigCHLD);
310 /* Tells the pre-login child all is OK (it may exit in response) */
311 priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK);
312 if (!p_sess->control_use_ssl)
313 {
314 (void) vsf_sysutil_wait();
315 }
316 else
317 {
318 p_sess->ssl_slave_active = 1;
319 }
320 /* Handle loading per-user config options */
321 handle_per_user_config(p_user_str);
322 /* Set this before we fork */
323 p_sess->is_anonymous = anon;
324 priv_sock_close(p_sess);
325 priv_sock_init(p_sess);
326 vsf_sysutil_install_sighandler(kVSFSysUtilSigCHLD, handle_sigchld, 0, 1);
327 newpid = vsf_sysutil_fork();
328 if (newpid == 0)
329 {
330 struct mystr guest_user_str = INIT_MYSTR;
331 struct mystr chroot_str = INIT_MYSTR;
332 struct mystr chdir_str = INIT_MYSTR;
333 struct mystr userdir_str = INIT_MYSTR;
334 unsigned int secutil_option = VSF_SECUTIL_OPTION_USE_GROUPS |
335 VSF_SECUTIL_OPTION_NO_PROCS;
336 /* Child - drop privs and start proper FTP! */
337 /* This PR_SET_PDEATHSIG doesn't work for all possible process tree setups.
338 * The other cases are taken care of by a shutdown() of the command
339 * connection in our SIGTERM handler.
340 */
341 vsf_set_die_if_parent_dies();
342 priv_sock_set_child_context(p_sess);
343 if (tunable_guest_enable && !anon)
344 {
345 p_sess->is_guest = 1;
346 /* Remap to the guest user */
347 str_alloc_text(&guest_user_str, tunable_guest_username);
348 p_user_str = &guest_user_str;
349 if (!tunable_virtual_use_local_privs)
350 {
351 anon = 1;
352 do_chroot = 1;
353 }
354 }
355 if (do_chroot)
356 {
357 secutil_option |= VSF_SECUTIL_OPTION_CHROOT;
358 }
359 if (!anon)
360 {
361 secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
362 }
363 calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str,
364 p_user_str, p_orig_user_str);
365 vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str,
366 0, secutil_option);
367 if (!str_isempty(&chdir_str))
368 {
369 (void) str_chdir(&chdir_str);
370 }
371 str_free(&guest_user_str);
372 str_free(&chroot_str);
373 str_free(&chdir_str);
374 str_free(&userdir_str);
375 /* Guard against the config error of having the anonymous ftp tree owned
376 * by the user we are running as
377 */
378 if (was_anon && vsf_sysutil_write_access("/"))
379 {
380 die("vsftpd: refusing to run with writable anonymous root");
381 }
382 p_sess->is_anonymous = anon;
383 process_post_login(p_sess);
384 bug("should not get here: common_do_login");
385 }
386 /* Parent */
387 priv_sock_set_parent_context(p_sess);
388 if (tunable_ssl_enable)
389 {
390 ssl_comm_channel_set_producer_context(p_sess);
391 }
392 vsf_priv_parent_postlogin(p_sess);
393 bug("should not get here in common_do_login");
394 }
395
396 static void
397 handle_per_user_config(const struct mystr* p_user_str)
398 {
399 struct mystr filename_str = INIT_MYSTR;
400 struct vsf_sysutil_statbuf* p_statbuf = 0;
401 struct str_locate_result loc_result;
402 int retval;
403 if (!tunable_user_config_dir)
404 {
405 return;
406 }
407 /* Security paranoia - ignore if user has a / in it. */
408 loc_result = str_locate_char(p_user_str, '/');
409 if (loc_result.found)
410 {
411 return;
412 }
413 str_alloc_text(&filename_str, tunable_user_config_dir);
414 str_append_char(&filename_str, '/');
415 str_append_str(&filename_str, p_user_str);
416 retval = str_stat(&filename_str, &p_statbuf);
417 if (!vsf_sysutil_retval_is_error(retval))
418 {
419 /* Security - file ownership check now in vsf_parseconf_load_file() */
420 vsf_parseconf_load_file(str_getbuf(&filename_str), 1);
421 }
422 str_free(&filename_str);
423 vsf_sysutil_free(p_statbuf);
424 }
425
426 static void
427 calculate_chdir_dir(int anon_login, struct mystr* p_userdir_str,
428 struct mystr* p_chroot_str,
429 struct mystr* p_chdir_str,
430 const struct mystr* p_user_str,
431 const struct mystr* p_orig_user_str)
432 {
433 if (!anon_login)
434 {
435 const struct vsf_sysutil_user* p_user = str_getpwnam(p_user_str);
436 if (p_user == 0)
437 {
438 die2("cannot locate user entry:", str_getbuf(p_user_str));
439 }
440 str_alloc_text(p_userdir_str, vsf_sysutil_user_get_homedir(p_user));
441 if (tunable_user_sub_token)
442 {
443 str_replace_text(p_userdir_str, tunable_user_sub_token,
444 str_getbuf(p_orig_user_str));
445 }
446 }
447 if (anon_login && tunable_anon_root)
448 {
449 str_alloc_text(p_chroot_str, tunable_anon_root);
450 }
451 else if (!anon_login && tunable_local_root)
452 {
453 str_alloc_text(p_chroot_str, tunable_local_root);
454 if (tunable_user_sub_token)
455 {
456 str_replace_text(p_chroot_str, tunable_user_sub_token,
457 str_getbuf(p_orig_user_str));
458 }
459 }
460 /* If enabled, the chroot() location embedded in the HOMEDIR takes
461 * precedence.
462 */
463 if (!anon_login && tunable_passwd_chroot_enable)
464 {
465 struct str_locate_result loc_result;
466 loc_result = str_locate_text(p_userdir_str, "/./");
467 if (loc_result.found)
468 {
469 str_split_text(p_userdir_str, p_chdir_str, "/./");
470 str_copy(p_chroot_str, p_userdir_str);
471 }
472 }
473 }
474
Tomato firmware and modifications.