search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'vsftpd' into tomato-ND-usbmod-base
[tomato.git] / release / src / router / vsftpd / twoprocess.c
blob26ab477c9fe54cbdae14c024e5f3a929c7e31b57
1 /*
2 * Part of Very Secure FTPd
3 * License: GPL v2
4 * Author: Chris Evans
5 * twoprocess.c
6 *
7 * Code implementing the standard, secure two process security model.
8 */
9
10 #include "twoprocess.h"
11 #include "privops.h"
12 #include "prelogin.h"
13 #include "postlogin.h"
14 #include "postprivparent.h"
15 #include "session.h"
16 #include "privsock.h"
17 #include "secutil.h"
18 #include "filestr.h"
19 #include "str.h"
20 #include "sysstr.h"
21 #include "utility.h"
22 #include "tunables.h"
23 #include "defs.h"
24 #include "parseconf.h"
25 #include "ssl.h"
26 #include "readwrite.h"
27 #include "sysutil.h"
28 #include "sysdeputil.h"
29 #include "sslslave.h"
30
31 static void drop_all_privs(void);
32 static void handle_sigchld(void* duff);
33 static void handle_sigterm(void* duff);
34 static void process_login_req(struct vsf_session* p_sess);
35 static void common_do_login(struct vsf_session* p_sess,
36 const struct mystr* p_user_str, int do_chroot,
37 int anon);
38 static void handle_per_user_config(const struct mystr* p_user_str);
39 static void calculate_chdir_dir(int anon, struct mystr* p_userdir_str,
40 struct mystr* p_chroot_str,
41 struct mystr* p_chdir_str,
42 const struct mystr* p_user_str,
43 const struct mystr* p_orig_user_str);
44
45 static void
46 handle_sigchld(void* duff)
47 {
48
49 struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait();
50 (void) duff;
51 /* Child died, so we'll do the same! Report it as an error unless the child
52 * exited normally with zero exit code
53 */
54 if (vsf_sysutil_retval_is_error(vsf_sysutil_wait_get_retval(&wait_retval)) ||
55 !vsf_sysutil_wait_exited_normally(&wait_retval) ||
56 vsf_sysutil_wait_get_exitcode(&wait_retval) != 0)
57 {
58 die("child died");
59 }
60 else
61 {
62 vsf_sysutil_exit(0);
63 }
64 }
65
66 static void
67 handle_sigterm(void* duff)
68 {
69 (void) duff;
70 /* Blow away the connection to make sure no process lingers. */
71 vsf_sysutil_shutdown_failok(VSFTP_COMMAND_FD);
72 /* Will call the registered exit function to clean up u/wtmp if needed. */
73 vsf_sysutil_exit(1);
74 }
75
76 void
77 vsf_two_process_start(struct vsf_session* p_sess)
78 {
79 vsf_sysutil_install_sighandler(kVSFSysUtilSigTERM, handle_sigterm, 0, 1);
80 /* Overrides the SIGKILL setting set by the standalone listener. */
81 vsf_set_term_if_parent_dies();
82 /* Create the comms channel between privileged parent and no-priv child */
83 priv_sock_init(p_sess);
84 if (tunable_ssl_enable)
85 {
86 /* Create the comms channel between the no-priv SSL child and the low-priv
87 * protocol handling child.
88 */
89 ssl_comm_channel_init(p_sess);
90 }
91 vsf_sysutil_install_sighandler(kVSFSysUtilSigCHLD, handle_sigchld, 0, 1);
92 {
93 int newpid;
94 if (tunable_isolate_network)
95 {
96 newpid = vsf_sysutil_fork_newnet();
97 }
98 else
99 {
100 newpid = vsf_sysutil_fork();
101 }
102 if (newpid != 0)
103 {
104 priv_sock_set_parent_context(p_sess);
105 if (tunable_ssl_enable)
106 {
107 ssl_comm_channel_set_consumer_context(p_sess);
108 }
109 /* Parent - go into pre-login parent process mode */
110 while (1)
111 {
112 process_login_req(p_sess);
113 }
114 }
115 }
116 /* Child process - time to lose as much privilege as possible and do the
117 * login processing
118 */
119 vsf_set_die_if_parent_dies();
120 priv_sock_set_child_context(p_sess);
121 if (tunable_ssl_enable)
122 {
123 ssl_comm_channel_set_producer_context(p_sess);
124 }
125 if (tunable_local_enable && tunable_userlist_enable)
126 {
127 int retval = str_fileread(&p_sess->userlist_str, tunable_userlist_file,
128 VSFTP_CONF_FILE_MAX);
129 if (vsf_sysutil_retval_is_error(retval))
130 {
131 die2("cannot read user list file:", tunable_userlist_file);
132 }
133 }
134 drop_all_privs();
135 init_connection(p_sess);
136 /* NOTREACHED */
137 }
138
139 static void
140 drop_all_privs(void)
141 {
142 struct mystr user_str = INIT_MYSTR;
143 struct mystr dir_str = INIT_MYSTR;
144 int option = VSF_SECUTIL_OPTION_CHROOT | VSF_SECUTIL_OPTION_NO_PROCS;
145 if (!tunable_ssl_enable)
146 {
147 /* Unfortunately, can only enable this if we can be sure of not using SSL.
148 * In the SSL case, we'll need to receive data transfer file descriptors.
149 */
150 option |= VSF_SECUTIL_OPTION_NO_FDS;
151 }
152 str_alloc_text(&user_str, tunable_nopriv_user);
153 str_alloc_text(&dir_str, tunable_secure_chroot_dir);
154 /* Be kind: give good error message if the secure dir is missing */
155 {
156 struct vsf_sysutil_statbuf* p_statbuf = 0;
157 if (vsf_sysutil_retval_is_error(str_lstat(&dir_str, &p_statbuf)))
158 {
159 die2("vsftpd: not found: directory given in 'secure_chroot_dir':",
160 tunable_secure_chroot_dir);
161 }
162 vsf_sysutil_free(p_statbuf);
163 }
164 vsf_secutil_change_credentials(&user_str, &dir_str, 0, 0, option);
165 str_free(&user_str);
166 str_free(&dir_str);
167 }
168
169 void
170 vsf_two_process_login(struct vsf_session* p_sess,
171 const struct mystr* p_pass_str)
172 {
173 char result;
174 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_LOGIN);
175 priv_sock_send_str(p_sess->child_fd, &p_sess->user_str);
176 priv_sock_send_str(p_sess->child_fd, p_pass_str);
177 priv_sock_send_int(p_sess->child_fd, p_sess->control_use_ssl);
178 priv_sock_send_int(p_sess->child_fd, p_sess->data_use_ssl);
179 result = priv_sock_get_result(p_sess->child_fd);
180 if (result == PRIV_SOCK_RESULT_OK)
181 {
182 /* Miracle. We don't emit the success message here. That is left to
183 * process_post_login().
184 * Exit normally, unless we are remaining as the SSL read / write child.
185 */
186 if (!p_sess->control_use_ssl)
187 {
188 vsf_sysutil_exit(0);
189 }
190 else
191 {
192 ssl_slave(p_sess);
193 }
194 /* NOTREACHED */
195 }
196 else if (result == PRIV_SOCK_RESULT_BAD)
197 {
198 /* Continue the processing loop.. */
199 return;
200 }
201 else
202 {
203 die("priv_sock_get_result");
204 }
205 }
206
207 int
208 vsf_two_process_get_priv_data_sock(struct vsf_session* p_sess)
209 {
210 char res;
211 unsigned short port = vsf_sysutil_sockaddr_get_port(p_sess->p_port_sockaddr);
212 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_GET_DATA_SOCK);
213 priv_sock_send_int(p_sess->child_fd, port);
214 res = priv_sock_get_result(p_sess->child_fd);
215 if (res == PRIV_SOCK_RESULT_BAD)
216 {
217 return -1;
218 }
219 else if (res != PRIV_SOCK_RESULT_OK)
220 {
221 die("could not get privileged socket");
222 }
223 return priv_sock_recv_fd(p_sess->child_fd);
224 }
225
226 void
227 vsf_two_process_pasv_cleanup(struct vsf_session* p_sess)
228 {
229 char res;
230 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_CLEANUP);
231 res = priv_sock_get_result(p_sess->child_fd);
232 if (res != PRIV_SOCK_RESULT_OK)
233 {
234 die("could not clean up socket");
235 }
236 }
237
238 int
239 vsf_two_process_pasv_active(struct vsf_session* p_sess)
240 {
241 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_ACTIVE);
242 return priv_sock_get_int(p_sess->child_fd);
243 }
244
245 unsigned short
246 vsf_two_process_listen(struct vsf_session* p_sess)
247 {
248 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_LISTEN);
249 return (unsigned short) priv_sock_get_int(p_sess->child_fd);
250 }
251
252 int
253 vsf_two_process_get_pasv_fd(struct vsf_session* p_sess)
254 {
255 char res;
256 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_ACCEPT);
257 res = priv_sock_get_result(p_sess->child_fd);
258 if (res == PRIV_SOCK_RESULT_BAD)
259 {
260 return priv_sock_get_int(p_sess->child_fd);
261 }
262 else if (res != PRIV_SOCK_RESULT_OK)
263 {
264 die("could not accept on listening socket");
265 }
266 return priv_sock_recv_fd(p_sess->child_fd);
267 }
268
269 void
270 vsf_two_process_chown_upload(struct vsf_session* p_sess, int fd)
271 {
272 char res;
273 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_CHOWN);
274 priv_sock_send_fd(p_sess->child_fd, fd);
275 res = priv_sock_get_result(p_sess->child_fd);
276 if (res != PRIV_SOCK_RESULT_OK)
277 {
278 die("unexpected failure in vsf_two_process_chown_upload");
279 }
280 }
281
282 static void
283 process_login_req(struct vsf_session* p_sess)
284 {
285 enum EVSFPrivopLoginResult e_login_result = kVSFLoginNull;
286 char cmd;
287 /* Blocks */
288 cmd = priv_sock_get_cmd(p_sess->parent_fd);
289 if (cmd != PRIV_SOCK_LOGIN)
290 {
291 die("bad request");
292 }
293 /* Get username and password - we must distrust these */
294 {
295 struct mystr password_str = INIT_MYSTR;
296 priv_sock_get_str(p_sess->parent_fd, &p_sess->user_str);
297 priv_sock_get_str(p_sess->parent_fd, &password_str);
298 p_sess->control_use_ssl = priv_sock_get_int(p_sess->parent_fd);
299 p_sess->data_use_ssl = priv_sock_get_int(p_sess->parent_fd);
300 if (!tunable_ssl_enable)
301 {
302 p_sess->control_use_ssl = 0;
303 p_sess->data_use_ssl = 0;
304 }
305 e_login_result = vsf_privop_do_login(p_sess, &password_str);
306 str_free(&password_str);
307 }
308 switch (e_login_result)
309 {
310 case kVSFLoginFail:
311 priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_BAD);
312 return;
313 break;
314 case kVSFLoginAnon:
315 str_alloc_text(&p_sess->user_str, tunable_ftp_username);
316 common_do_login(p_sess, &p_sess->user_str, 1, 1);
317 break;
318 case kVSFLoginReal:
319 {
320 int do_chroot = 0;
321 if (tunable_chroot_local_user)
322 {
323 do_chroot = 1;
324 }
325 if (tunable_chroot_list_enable)
326 {
327 struct mystr chroot_list_file = INIT_MYSTR;
328 int retval = str_fileread(&chroot_list_file,
329 tunable_chroot_list_file,
330 VSFTP_CONF_FILE_MAX);
331 if (vsf_sysutil_retval_is_error(retval))
332 {
333 die2("could not read chroot() list file:",
334 tunable_chroot_list_file);
335 }
336 if (str_contains_line(&chroot_list_file, &p_sess->user_str))
337 {
338 if (do_chroot)
339 {
340 do_chroot = 0;
341 }
342 else
343 {
344 do_chroot = 1;
345 }
346 }
347 str_free(&chroot_list_file);
348 }
349 common_do_login(p_sess, &p_sess->user_str, do_chroot, 0);
350 }
351 break;
352 default:
353 bug("weird state in process_login_request");
354 break;
355 }
356 /* NOTREACHED */
357 }
358
359 static void
360 common_do_login(struct vsf_session* p_sess, const struct mystr* p_user_str,
361 int do_chroot, int anon)
362 {
363 int was_anon = anon;
364 const struct mystr* p_orig_user_str = p_user_str;
365 int newpid;
366 vsf_sysutil_install_null_sighandler(kVSFSysUtilSigCHLD);
367 /* Tells the pre-login child all is OK (it may exit in response) */
368 priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK);
369 if (!p_sess->control_use_ssl)
370 {
371 (void) vsf_sysutil_wait();
372 }
373 else
374 {
375 p_sess->ssl_slave_active = 1;
376 }
377 /* Handle loading per-user config options */
378 handle_per_user_config(p_user_str);
379 /* Set this before we fork */
380 p_sess->is_anonymous = anon;
381 priv_sock_close(p_sess);
382 priv_sock_init(p_sess);
383 vsf_sysutil_install_sighandler(kVSFSysUtilSigCHLD, handle_sigchld, 0, 1);
384 if (tunable_isolate_network && !tunable_port_promiscuous)
385 {
386 newpid = vsf_sysutil_fork_newnet();
387 }
388 else
389 {
390 newpid = vsf_sysutil_fork();
391 }
392 if (newpid == 0)
393 {
394 struct mystr guest_user_str = INIT_MYSTR;
395 struct mystr chroot_str = INIT_MYSTR;
396 struct mystr chdir_str = INIT_MYSTR;
397 struct mystr userdir_str = INIT_MYSTR;
398 unsigned int secutil_option = VSF_SECUTIL_OPTION_USE_GROUPS |
399 VSF_SECUTIL_OPTION_NO_PROCS;
400 /* Child - drop privs and start proper FTP! */
401 /* This PR_SET_PDEATHSIG doesn't work for all possible process tree setups.
402 * The other cases are taken care of by a shutdown() of the command
403 * connection in our SIGTERM handler.
404 */
405 vsf_set_die_if_parent_dies();
406 priv_sock_set_child_context(p_sess);
407 if (tunable_guest_enable && !anon)
408 {
409 p_sess->is_guest = 1;
410 /* Remap to the guest user */
411 str_alloc_text(&guest_user_str, tunable_guest_username);
412 p_user_str = &guest_user_str;
413 if (!tunable_virtual_use_local_privs)
414 {
415 anon = 1;
416 do_chroot = 1;
417 }
418 }
419 if (do_chroot)
420 {
421 secutil_option |= VSF_SECUTIL_OPTION_CHROOT;
422 }
423 if (!anon)
424 {
425 secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
426 }
427 calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str,
428 p_user_str, p_orig_user_str);
429 vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str,
430 0, secutil_option);
431 if (!str_isempty(&chdir_str))
432 {
433 (void) str_chdir(&chdir_str);
434 }
435 str_free(&guest_user_str);
436 str_free(&chroot_str);
437 str_free(&chdir_str);
438 str_free(&userdir_str);
439 /* Guard against the config error of having the anonymous ftp tree owned
440 * by the user we are running as
441 */
442 if (!tunable_anon_allow_writable_root && was_anon && vsf_sysutil_write_access("/"))
443 {
444 die("vsftpd: refusing to run with writable anonymous root");
445 }
446 p_sess->is_anonymous = anon;
447 process_post_login(p_sess);
448 bug("should not get here: common_do_login");
449 }
450 /* Parent */
451 priv_sock_set_parent_context(p_sess);
452 if (tunable_ssl_enable)
453 {
454 ssl_comm_channel_set_producer_context(p_sess);
455 }
456 vsf_priv_parent_postlogin(p_sess);
457 bug("should not get here in common_do_login");
458 }
459
460 static void
461 handle_per_user_config(const struct mystr* p_user_str)
462 {
463 struct mystr filename_str = INIT_MYSTR;
464 struct vsf_sysutil_statbuf* p_statbuf = 0;
465 struct str_locate_result loc_result;
466 int retval;
467 if (!tunable_user_config_dir)
468 {
469 return;
470 }
471 /* Security paranoia - ignore if user has a / in it. */
472 loc_result = str_locate_char(p_user_str, '/');
473 if (loc_result.found)
474 {
475 return;
476 }
477 str_alloc_text(&filename_str, tunable_user_config_dir);
478 str_append_char(&filename_str, '/');
479 str_append_str(&filename_str, p_user_str);
480 retval = str_stat(&filename_str, &p_statbuf);
481 if (!vsf_sysutil_retval_is_error(retval))
482 {
483 /* Security - file ownership check now in vsf_parseconf_load_file() */
484 vsf_parseconf_load_file(str_getbuf(&filename_str), 1);
485 }
486 else if (vsf_sysutil_get_error() != kVSFSysUtilErrNOENT)
487 {
488 die("error opening per-user config file");
489 }
490 str_free(&filename_str);
491 vsf_sysutil_free(p_statbuf);
492 }
493
494 static void
495 calculate_chdir_dir(int anon_login, struct mystr* p_userdir_str,
496 struct mystr* p_chroot_str,
497 struct mystr* p_chdir_str,
498 const struct mystr* p_user_str,
499 const struct mystr* p_orig_user_str)
500 {
501 if (!anon_login)
502 {
503 const struct vsf_sysutil_user* p_user = str_getpwnam(p_user_str);
504 if (p_user == 0)
505 {
506 die2("cannot locate user entry:", str_getbuf(p_user_str));
507 }
508 str_alloc_text(p_userdir_str, vsf_sysutil_user_get_homedir(p_user));
509 if (tunable_user_sub_token)
510 {
511 str_replace_text(p_userdir_str, tunable_user_sub_token,
512 str_getbuf(p_orig_user_str));
513 }
514 }
515 if (anon_login && tunable_anon_root)
516 {
517 str_alloc_text(p_chroot_str, tunable_anon_root);
518 }
519 else if (!anon_login && tunable_local_root)
520 {
521 str_alloc_text(p_chroot_str, tunable_local_root);
522 if (tunable_user_sub_token)
523 {
524 str_replace_text(p_chroot_str, tunable_user_sub_token,
525 str_getbuf(p_orig_user_str));
526 }
527 }
528 /* If enabled, the chroot() location embedded in the HOMEDIR takes
529 * precedence.
530 */
531 if (!anon_login && tunable_passwd_chroot_enable)
532 {
533 struct str_locate_result loc_result;
534 loc_result = str_locate_text(p_userdir_str, "/./");
535 if (loc_result.found)
536 {
537 str_split_text(p_userdir_str, p_chdir_str, "/./");
538 str_copy(p_chroot_str, p_userdir_str);
539 }
540 }
541 }
542
Tomato firmware and modifications.