
- new config variables: sock_mode = <permissions> (e.g. sock_mode=0600: default value = 0660) ser unix sockets and fifo will be created with these permissions (old name fifo_mode is still supported, but deprecated) sock_user = username|"uid" sock_group = groupname|"gid" change the owner and/or group of the ser unix sockets or fifo Short example config snippet: sock_mode=0600 # ser socket/fifo mode sock_user="www-data" # ser socket/fifo owner sock_group=nogroup user=nobody # ser user (ser will suid to it) - typo fixed in socket_info (thanks to Jan)

Andrei Pelinescu-Onciul authored on 29/04/2004 15:39:39
Showing 10 changed files
... ...
@@ -31,6 +31,17 @@ core:
31 31
                               ==, !=, ~= for strings
32 32
                               ==, !=, >, <, >=, <= for integers
33 33
  - new config variables:
34
+   sock_mode = <permissions> (e.g. sock_mode=0600:  default value = 0660)
35
+       ser unix sockets and fifo will be created with this permissions
36
+       (old name fifo_mode is still supported, but deprecated)
37
+   sock_user = username|"uid"
38
+   sock_group = groupname|"gid"
39
+      change the owner and/or group of the ser unix sockets or fifo
40
+      Short example config snippet:
41
+           sock_mode=0600        # ser socket/fifo mode
42
+           sock_user="www-data"  # ser socket/fifo owner
43
+           sock_group=nogroup  
44
+           user=nobody       # ser user (ser will suid to it)
34 45
    disable_core_dump= yes|no 
35 46
        by default core dump limits are set to unlimited or a high enough
36 47
        value, set this config variable o yes to disable core dump-ing
... ...
@@ -1,15 +1,25 @@
1 1
 $Id$
2 2
 
3 3
 ( - todo, x - done)
4
-
4
+- [core] parse_uri support for new uri params
5
+- [core] on sig_child, kill the processes if they don't exit in a 
6
+  reasonable time
5 7
 - [doc] document force_rport()
6 8
 - [fifo] fix fgets error handling (it does not set errno always,
7 9
    , right now kills all ser if interrupted by a signal on ?solaris?)
8 10
 - [mem] make shm_realloc be fragmentation friendly: call shm_compact_frags
9 11
    for the small frags?, don't produce smaller frags -- be wastefull?
10
-- [mem] qm_compact_frags (compacts frags if possible)
12
+- [mem] qm_compact_frags (compacts frags if possible), keep a 
13
+        fragment count/bucket and if too much mem. is blocked in one bucket
14
+        de-frag.
15
+- [mem] investigate: don't produce frag if frag size < request
16
+      (should reduce the unrequested fragments number)
17
+- [mem] investigate: keep an used/unused flag per fragment, on free
18
+      check if neighboring frags were not used and if so defragment
11 19
 - [timer] multiple timers? at least ticks should no be affected by the amount
12 20
    of work done in the timer handlers
21
+- [tcp] ser intiated tcp connections use INADDR_ANY (they should be bound first
22
+  to some ip/port ?function of the dest?)
13 23
 - [tcp] need to confirm fd receipt after send_fd, before closing it (this might
14 24
  happen in tcp_send new conn.) (see FreeBSD send BUGS for more info)
15 25
 x [tcp] make send_all, send  non-blocking ready ?
... ...
@@ -36,7 +46,7 @@ x update all package specs from stable
36 46
    should have it, but it would be slower on systems emulating it, like
37 47
    older linuxes)
38 48
 - [tcp] switch to epoll if HAVE_EPOLL defined (linux 2.6.*)
39
-- [tcp] switch to SIGIO if no epoll (linux only, better than poll?)
49
+- [tcp] switch to SIGIO if no epoll (linux only, better than poll)
40 50
 x tcp_main_loop: BUG cases should "conitnue;"
41 51
 x change len_gt into and expr (e.g msg:len).
42 52
 x sipit: uri == myself doesn't match tls port = 5061 
... ...
@@ -45,7 +45,9 @@
45 45
  *  2003-10-28  added tcp_accept_aliases (andrei)
46 46
  *  2003-11-29  added {tcp_send, tcp_connect, tls_*}_timeout (andrei)
47 47
  *  2004-02-24  added LOAD_AVP_T and AVP_TO_URI_T (bogdan)
48
- * 2004-03-30  added DISABLE_CORE and OPEN_FD_LIMIT (andrei)
48
+ *  2004-03-30  added DISABLE_CORE and OPEN_FD_LIMIT (andrei)
49
+ *  2004-04-28  added sock_mode (replaces fifo_mode), sock_user &
50
+ *               sock_group  (andrei)
49 51
  */
50 52
 
51 53
 
... ...
@@ -173,7 +175,9 @@ MEMLOG		"memlog"|"mem_log"
173 175
 SIP_WARNING sip_warning
174 176
 FIFO fifo
175 177
 FIFO_DIR  fifo_dir
176
-FIFO_MODE fifo_mode
178
+SOCK_MODE "fifo_mode"|"sock_mode"|"file_mode"
179
+SOCK_USER "fifo_user"|"sock_user"
180
+SOCK_GROUP "fifo_group"|"sock_group"
177 181
 FIFO_DB_URL fifo_db_url
178 182
 UNIX_SOCK unix_sock
179 183
 UNIX_SOCK_CHILDREN unix_sock_children
... ...
@@ -371,7 +375,9 @@ EAT_ABLE	[\ \t\b\r]
371 375
 <INITIAL>{FIFO}	{ count(); yylval.strval=yytext; return FIFO; }
372 376
 <INITIAL>{FIFO_DIR}	{ count(); yylval.strval=yytext; return FIFO_DIR; }
373 377
 <INITIAL>{FIFO_DB_URL}	{ count(); yylval.strval=yytext; return FIFO_DB_URL; }
374
-<INITIAL>{FIFO_MODE}	{ count(); yylval.strval=yytext; return FIFO_MODE; }
378
+<INITIAL>{SOCK_MODE}	{ count(); yylval.strval=yytext; return SOCK_MODE; }
379
+<INITIAL>{SOCK_USER}	{ count(); yylval.strval=yytext; return SOCK_USER; }
380
+<INITIAL>{SOCK_GROUP}	{ count(); yylval.strval=yytext; return SOCK_GROUP; }
375 381
 <INITIAL>{UNIX_SOCK} { count(); yylval.strval=yytext; return UNIX_SOCK; }
376 382
 <INITIAL>{UNIX_SOCK_CHILDREN} { count(); yylval.strval=yytext; return UNIX_SOCK_CHILDREN; }
377 383
 <INITIAL>{UNIX_TX_TIMEOUT} { count(); yylval.strval=yytext; return UNIX_TX_TIMEOUT; }
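Review bot: The new patterns accept more spellings than the commit documents: `SOCK_MODE` also matches `file_mode`, and `SOCK_USER`/`SOCK_GROUP` also match `fifo_user`/`fifo_group`, while the NEWS entry names only `fifo_mode` as the deprecated form. Because these options decide who can reach the ser unix socket and FIFO, every accepted alias should be listed where the option is documented, for instance by extending the history line to `added sock_mode (aliases: fifo_mode, file_mode), sock_user (fifo_user) & sock_group (fifo_group)`. Nothing in these rules tells the administrator that a deprecated name was used; a warning from the matching grammar action would help.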
... ...
@@ -52,6 +52,7 @@
52 52
  * 2003-11-20  added {tcp_connect, tcp_send, tls_*}_timeout (andrei)
53 53
  * 2004-02-24  added LOAD_AVP_T and AVP_TO_URI_T (bogdan)
54 54
  * 2004-03-30  added DISABLE_CORE and OPEN_FD_LIMIT (andrei)
55
+ * 2004-04-29  added SOCK_MODE, SOCK_USER & SOCK_GROUP (andrei)
55 56
  */
56 57
 
57 58
 
... ...
@@ -199,7 +200,9 @@ static struct id_list* mk_listen_id(char*, int, int);
199 200
 %token SIP_WARNING
200 201
 %token FIFO
201 202
 %token FIFO_DIR
202
-%token FIFO_MODE
203
+%token SOCK_MODE
204
+%token SOCK_USER
205
+%token SOCK_GROUP
203 206
 %token FIFO_DB_URL
204 207
 %token UNIX_SOCK
205 208
 %token UNIX_SOCK_CHILDREN
... ...
@@ -411,14 +414,20 @@ assign_stm:	DEBUG EQUAL NUMBER { debug=$3; }
411 414
 		| FIFO EQUAL error { yyerror("string value expected"); }
412 415
 		| FIFO_DIR EQUAL STRING { fifo_dir=$3; }
413 416
 		| FIFO_DIR EQUAL error { yyerror("string value expected"); }
414
-		| FIFO_MODE EQUAL NUMBER { fifo_mode=$3; }
415
-		| FIFO_MODE EQUAL error { yyerror("int value expected"); }
417
+		| SOCK_MODE EQUAL NUMBER { sock_mode=$3; }
418
+		| SOCK_MODE EQUAL error { yyerror("int value expected"); }
419
+		| SOCK_USER EQUAL STRING { sock_user=$3; }
420
+		| SOCK_USER EQUAL ID     { sock_user=$3; }
421
+		| SOCK_USER EQUAL error { yyerror("string value expected"); }
422
+		| SOCK_GROUP EQUAL STRING { sock_group=$3; }
423
+		| SOCK_GROUP EQUAL ID     { sock_group=$3; }
424
+		| SOCK_GROUP EQUAL error { yyerror("string value expected"); }
416 425
 		| FIFO_DB_URL EQUAL STRING { fifo_db_url=$3; }
417 426
 		| FIFO_DB_URL EQUAL error  { yyerror("string value expected"); }
418
-                | UNIX_SOCK EQUAL STRING { unixsock_name=$3; }
419
-                | UNIX_SOCK EQUAL error { yyerror("string value expected"); }
420
-                | UNIX_SOCK_CHILDREN EQUAL NUMBER { unixsock_children=$3; }
421
-                | UNIX_SOCK_CHILDREN EQUAL error { yyerror("int value expected\n"); }
427
+		| UNIX_SOCK EQUAL STRING { unixsock_name=$3; }
428
+		| UNIX_SOCK EQUAL error { yyerror("string value expected"); }
429
+		| UNIX_SOCK_CHILDREN EQUAL NUMBER { unixsock_children=$3; }
430
+		| UNIX_SOCK_CHILDREN EQUAL error { yyerror("int value expected\n"); }
422 431
 		| UNIX_TX_TIMEOUT EQUAL NUMBER { unixsock_tx_timeout=$3; }
423 432
 		| UNIX_TX_TIMEOUT EQUAL error { yyerror("int value expected\n"); }
424 433
 		| AVP_DB_URL EQUAL STRING { avp_db_url=$3; }
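Review bot: `SOCK_MODE EQUAL NUMBER { sock_mode=$3; }` stores whatever integer the lexer produced, and that value is later passed unchanged to mkfifo() and chmod(); no rule rejects bits outside the permission mask. A bound check in the action would catch a mistyped mode at parse time, e.g. `| SOCK_MODE EQUAL NUMBER { if ($3 & ~0777) yyerror("invalid sock_mode"); else sock_mode=$3; }`. How the lexer converts a literal such as `0600` (octal or decimal) is not visible in this hunk and is worth confirming, because a decimal reading would give a different permission set than the NEWS example intends. The assign_stm rule list starts and ends outside the hunk.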
... ...
@@ -166,14 +166,18 @@ error:
166 166
 
167 167
 int do_suid()
168 168
 {
169
-	if (gid&&(setgid(gid)<0)){
170
-		LOG(L_CRIT, "cannot change gid to %d: %s\n", gid, strerror(errno));
171
-		goto error;
169
+	if (gid){
170
+		if(setgid(gid)<0){
171
+			LOG(L_CRIT, "cannot change gid to %d: %s\n", gid, strerror(errno));
172
+			goto error;
173
+		}
172 174
 	}
173 175
 	
174
-	if(uid&&(setuid(uid)<0)){
175
-		LOG(L_CRIT, "cannot change uid to %d: %s\n", uid, strerror(errno));
176
-		goto error;
176
+	if(uid){
177
+		if(setuid(uid)<0){
178
+			LOG(L_CRIT, "cannot change uid to %d: %s\n", uid, strerror(errno));
179
+			goto error;
180
+		}
177 181
 	}
178 182
 	return 0;
179 183
 error:
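Review bot: do_suid() sets the primary group and the user id, but nothing in the visible body resets the supplementary group list, so a process started as root would keep root's supplementary groups after the switch. Re-initialising the list before `setgid(gid)` closes that gap, e.g. `if (initgroups(user, gid)<0) goto error;` when a user name was configured, or a `setgroups()` call otherwise, with failure treated as fatal like the two existing calls. Splitting each condition into nested `if`s does not change behaviour; if it prepares for such a call, a short comment saying so would help. The `error:` label and the rest of the function lie outside the hunk.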
... ...
@@ -61,6 +61,7 @@
61 61
  *  2003-10-13  addef fifo_dir for reply fifos (andrei)
62 62
  *  2003-10-30  DB interface exported via FIFO (bogdan)
63 63
  *  2004-03-09  open_fifo_server split into init_ and start_ (andrei)
64
+ *  2004-04-29  added chown(sock_user, sock_group)  (andrei)
64 65
  */
65 66
 
66 67
 
... ...
@@ -94,7 +95,6 @@
94 95
 /* FIFO server vars */
95 96
 char *fifo=0; /* FIFO name */
96 97
 char* fifo_dir=DEFAULT_FIFO_DIR; /* dir where reply fifos are allowed */
97
-int fifo_mode=S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP ;
98 98
 char *fifo_db_url = 0;
99 99
 pid_t fifo_pid;
100 100
 /* file descriptors */
... ...
@@ -565,20 +565,30 @@ int init_fifo_server()
565 565
 			strerror(errno));
566 566
 	}
567 567
 		/* create FIFO ... */
568
-		if ((mkfifo(fifo, fifo_mode)<0)) {
568
+		if ((mkfifo(fifo, sock_mode)<0)) {
569 569
 			LOG(L_ERR, "ERROR: open_fifo_server; can't create FIFO: "
570 570
 					"%s (mode=%d)\n",
571
-					strerror(errno), fifo_mode);
571
+					strerror(errno), sock_mode);
572 572
 			return -1;
573 573
 		} 
574 574
 		DBG("DEBUG: FIFO created @ %s\n", fifo );
575
-		if ((chmod(fifo, fifo_mode)<0)) {
575
+		if ((chmod(fifo, sock_mode)<0)) {
576 576
 			LOG(L_ERR, "ERROR: open_fifo_server; can't chmod FIFO: "
577 577
 					"%s (mode=%d)\n",
578
-					strerror(errno), fifo_mode);
578
+					strerror(errno), sock_mode);
579 579
 			return -1;
580 580
 		}
581
-	DBG("DEBUG: fifo %s opened, mode=%d\n", fifo, fifo_mode );
581
+		if ((sock_uid!=-1) || (sock_gid!=-1)){
582
+			if (chown(fifo, sock_uid, sock_gid)<0){
583
+			LOG(L_ERR, "ERROR: open_fifo_server: failed to change the"
584
+					" owner/group for %s  to %d.%d; %s[%d]\n",
585
+					fifo, sock_uid, sock_gid, strerror(errno), errno);
586
+			return -1;
587
+		}
588
+	}
589
+
590
+		
591
+	DBG("DEBUG: fifo %s opened, mode=%d\n", fifo, sock_mode );
582 592
 	time(&up_since);
583 593
 	t=ctime(&up_since);
584 594
 	if (strlen(t)+1>=MAX_CTIME_LEN) {
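Review bot: The new `chown(fifo, sock_uid, sock_gid)` and the `chmod()` before it both act on the path after `mkfifo()` and both follow symbolic links, so the result depends on the name still referring to the FIFO that was just created. If the FIFO lives in a directory other local users can write to, that is not guaranteed; `lchown(fifo, sock_uid, sock_gid)` avoids following a link, and `fchmod()`/`fchown()` on the opened descriptor after an `fstat()` check for `S_ISFIFO` is stricter still. init_unixsock_socket() uses the same path-based chmod()/chown() sequence after bind(). The added block is also indented one level off from the surrounding code, and the `mode=%d` messages print the mode in decimal where the unix socket code uses `%04o`. init_fifo_server() starts and ends outside the hunk.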
... ...
@@ -93,6 +93,11 @@ extern int sip_warning;
93 93
 extern int server_signature;
94 94
 extern char* user;
95 95
 extern char* group;
96
+extern char* sock_user;
97
+extern char* sock_group;
98
+extern int sock_uid;
99
+extern int sock_gid;
100
+extern int sock_mode;
96 101
 extern char* chroot_dir;
97 102
 extern char* working_dir;
98 103
 
... ...
@@ -48,6 +48,8 @@
48 48
  *  2004-02-06  added support for user pref. - init_avp_child() (bogdan)
49 49
  *  2004-03-30  core dump is enabled by default
50 50
  *              added support for increasing the open files limit    (andrei)
51
+ *  2004-04-28  sock_{user,group,uid,gid,mode} added
52
+ *              user2uid() & user2gid() added  (andrei)
51 53
  *
52 54
  */
53 55
 
... ...
@@ -329,6 +331,12 @@ char* user=0;
329 331
 char* group=0;
330 332
 int uid = 0;
331 333
 int gid = 0;
334
+char* sock_user=0;
335
+char* sock_group=0;
336
+int sock_uid= -1;
337
+int sock_gid= -1;
338
+int sock_mode= S_IRUSR| S_IWUSR| S_IRGRP| S_IWGRP; /* rw-rw---- */
339
+
332 340
 /* more config stuff */
333 341
 int disable_core_dump=0; /* by default enabled */
334 342
 int open_files_limit=-1; /* don't touch it by default */
... ...
@@ -644,6 +652,57 @@ error:
644 652
 
645 653
 
646 654
 
655
+/* converts a username into uid:gid,
656
+ * returns -1 on error & 0 on success */
657
+static int user2uid(int* uid, int* gid, char* user)
658
+{
659
+	char* tmp;
660
+	struct passwd *pw_entry;
661
+	
662
+	if (user){
663
+		*uid=strtol(user, &tmp, 10);
664
+		if ((tmp==0) ||(*tmp)){
665
+			/* maybe it's a string */
666
+			pw_entry=getpwnam(user);
667
+			if (pw_entry==0){
668
+				goto error;
669
+			}
670
+			*uid=pw_entry->pw_uid;
671
+			if (gid) *gid=pw_entry->pw_gid;
672
+		}
673
+		return 0;
674
+	}
675
+error:
676
+	return -1;
677
+}
678
+
679
+
680
+
681
+/* converts a group name into a gid
682
+ * returns -1 on error, 0 on success */
683
+static int group2gid(int* gid, char* group)
684
+{
685
+	char* tmp;
686
+	struct group  *gr_entry;
687
+	
688
+	if (group){
689
+		*gid=strtol(group, &tmp, 10);
690
+		if ((tmp==0) ||(*tmp)){
691
+			/* maybe it's a string */
692
+			gr_entry=getgrnam(group);
693
+			if (gr_entry==0){
694
+				goto error;
695
+			}
696
+			*gid=gr_entry->gr_gid;
697
+		}
698
+		return 0;
699
+	}
700
+error:
701
+	return -1;
702
+}
703
+
704
+
705
+
647 706
 /* main loop */
648 707
 int main_loop()
649 708
 {
... ...
@@ -1042,8 +1101,6 @@ int main(int argc, char** argv)
1042 1101
 	char *tmp;
1043 1102
 	char *options;
1044 1103
 	int ret;
1045
-	struct passwd *pw_entry;
1046
-	struct group  *gr_entry;
1047 1104
 	unsigned int seed;
1048 1105
 	int rfd;
1049 1106
 
... ...
@@ -1299,31 +1356,30 @@ try_again:
1299 1356
 	
1300 1357
 	/* get uid/gid */
1301 1358
 	if (user){
1302
-		uid=strtol(user, &tmp, 10);
1303
-		if ((tmp==0) ||(*tmp)){
1304
-			/* maybe it's a string */
1305
-			pw_entry=getpwnam(user);
1306
-			if (pw_entry==0){
1307
-				fprintf(stderr, "bad user name/uid number: -u %s\n", user);
1308
-				goto error;
1309
-			}
1310
-			uid=pw_entry->pw_uid;
1311
-			gid=pw_entry->pw_gid;
1359
+		if (user2uid(&uid, &gid, user)<0){
1360
+			fprintf(stderr, "bad user name/uid number: -u %s\n", user);
1361
+			goto error;
1312 1362
 		}
1313 1363
 	}
1314 1364
 	if (group){
1315
-		gid=strtol(group, &tmp, 10);
1316
-		if ((tmp==0) ||(*tmp)){
1317
-			/* maybe it's a string */
1318
-			gr_entry=getgrnam(group);
1319
-			if (gr_entry==0){
1365
+		if (group2gid(&gid, group)<0){
1320 1366
 				fprintf(stderr, "bad group name/gid number: -u %s\n", group);
1321
-				goto error;
1322
-			}
1323
-			gid=gr_entry->gr_gid;
1367
+			goto error;
1368
+		}
1369
+	}
1370
+	/* fix sock/fifo uid/gid */
1371
+	if (sock_user){
1372
+		if (user2uid(&sock_uid, 0, sock_user)<0){
1373
+			fprintf(stderr, "bad socket user name/uid number %s\n", user);
1374
+			goto error;
1375
+		}
1376
+	}
1377
+	if (sock_group){
1378
+		if (group2gid(&sock_gid, sock_group)<0){
1379
+			fprintf(stderr, "bad group name/gid number: -u %s\n", group);
1380
+			goto error;
1324 1381
 		}
1325 1382
 	}
1326
-	
1327 1383
 	if (fix_all_socket_lists()!=0){
1328 1384
 		fprintf(stderr,  "failed to initialize liste addresses\n");
1329 1385
 		goto error;
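Review bot: The two new error messages print the wrong variables: the `sock_user` branch passes `user` and the `sock_group` branch passes `group` (and still says `-u`), so a bad socket owner is reported under an unrelated name, and when `user`/`group` are unset a null pointer reaches `%s`. They should read `fprintf(stderr, "bad socket user name/uid number %s\n", sock_user);` and `fprintf(stderr, "bad socket group name/gid number %s\n", sock_group);`. In user2uid() and group2gid(), `strtol()` on an empty string leaves `tmp` at the start of the input with `*tmp==0`, so `""` is accepted as id 0, and no range check guards the conversion to `int`; testing `if ((tmp==user) || (*tmp)){` (and `tmp==group`) sends that case to the name lookup, which then fails. main() continues outside the hunk.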
... ...
@@ -492,7 +492,7 @@ static int fix_socket_list(struct socket_info **list)
492 492
 						 l->name.s, l->address_str.s);
493 493
 #endif
494 494
 				/* add the name to the alias list*/
495
-				if ((!(l->flags&& SI_IS_IP)) && (
495
+				if ((!(l->flags& SI_IS_IP)) && (
496 496
 						(l->name.len!=si->name.len)||
497 497
 						(strncmp(l->name.s, si->name.s, si->name.len)!=0))
498 498
 					)
... ...
@@ -29,6 +29,7 @@
29 29
 /* History:
30 30
  *              created by janakj
31 31
  *  2004-03-03  added tcp init code (andrei)
32
+ *  2004-04-29  added chmod(sock_perm) & chown(sock_user,sock_group)  (andrei)
32 33
  */
33 34
 
34 35
 #include <unistd.h>
... ...
@@ -311,7 +312,7 @@ int init_unixsock_socket(void)
311 312
 		DBG("init_unixsock_socket: Unix domain socket server disabled\n");
312 313
 		return 1;
313 314
 	} else if (len > 107) {
314
-		LOG(L_ERR, "init_unixsock_socket: Socket name too long\n");
315
+		LOG(L_ERR, "ERROR: init_unixsock_socket: Socket name too long\n");
315 316
 		return -1;
316 317
 	}
317 318
 
... ...
@@ -320,7 +321,7 @@ int init_unixsock_socket(void)
320 321
 
321 322
 	if (unlink(unixsock_name) == -1) {
322 323
 		if (errno != ENOENT) {
323
-			LOG(L_ERR, "init_unixsock_socket: Error while unlinking "
324
+			LOG(L_ERR, "ERROR: init_unixsock_socket: Error while unlinking "
324 325
 			    "old socket (%s): %s\n", unixsock_name, strerror(errno));
325 326
 			return -1;
326 327
 		}
... ...
@@ -328,8 +329,8 @@ int init_unixsock_socket(void)
328 329
 
329 330
 	rx_sock = socket(PF_LOCAL, SOCK_DGRAM, 0);
330 331
 	if (rx_sock == -1) {
331
-		LOG(L_ERR, "init_unixsock_socket: Cannot create RX socket: %s\n", 
332
-		    strerror(errno));
332
+		LOG(L_ERR, "ERROR: init_unixsock_socket: Cannot create RX "
333
+				"socket: %s\n", strerror(errno));
333 334
 		return -1;
334 335
 	}
335 336
 
... ...
@@ -338,28 +339,46 @@ int init_unixsock_socket(void)
338 339
 	memcpy(addr.sun_path, unixsock_name, len);
339 340
 
340 341
 	if (bind(rx_sock, (struct sockaddr*)&addr, SUN_LEN(&addr)) == -1) {
341
-		LOG(L_ERR, "init_unixsock_socket: bind: %s\n", strerror(errno));
342
+		LOG(L_ERR, "ERROR: init_unixsock_socket: bind: %s\n", strerror(errno));
342 343
 		goto err_rx;
343 344
 	}
345
+	/* try to change the permissions */
346
+	if (sock_mode){ /* sock_mode==0 doesn't make sense, nobody can read/write*/
347
+		if (chmod(unixsock_name, sock_mode)<0){
348
+			LOG(L_ERR, "ERROR: init_unixsock_socket: failed to change the"
349
+					" permissions for %s to %04o: %s[%d]\n",
350
+					unixsock_name, sock_mode, strerror(errno), errno);
351
+			goto err_rx;
352
+		}
353
+	}
354
+	/* try to change the ownership */
355
+	if ((sock_uid!=-1) || (sock_gid!=-1)){
356
+		if (chown(unixsock_name, sock_uid, sock_gid)<0){
357
+			LOG(L_ERR, "ERROR: init_unixsock_socket: failed to change the"
358
+					" owner/group for %s  to %d.%d; %s[%d]\n",
359
+					unixsock_name, sock_uid, sock_gid, strerror(errno), errno);
360
+			goto err_rx;
361
+		}
362
+	}
344 363
 
345 364
 	tx_sock = socket(PF_LOCAL, SOCK_DGRAM, 0);
346 365
 	if (tx_sock == -1) {
347
-		LOG(L_ERR, "init_unixsock_socket: Cannot create TX socket: %s\n",
348
-		    strerror(errno));
366
+		LOG(L_ERR, "ERROR: init_unixsock_socket: Cannot create TX socket:"
367
+				" %s\n", strerror(errno));
349 368
 		goto err_rx;
350 369
 	}
351 370
 
352 371
 	     /* Turn non-blocking mode on */
353 372
 	flags = fcntl(tx_sock, F_GETFL);
354 373
 	if (flags == -1){
355
-		LOG(L_ERR, "init_unixsock_socket: fcntl failed: %s\n",
374
+		LOG(L_ERR, "ERROR: init_unixsock_socket: fcntl failed: %s\n",
356 375
 		    strerror(errno));
357 376
 		goto err_both;
358 377
 	}
359 378
 		
360 379
 	if (fcntl(tx_sock, F_SETFL, flags | O_NONBLOCK) == -1) {
361
-		LOG(L_ERR, "init_unixsock_socket: fcntl: set non-blocking failed:"
362
-		    " %s\n", strerror(errno));
380
+		LOG(L_ERR, "ERROR: init_unixsock_socket: fcntl: "
381
+				"set non-blocking failed: %s\n", strerror(errno));
363 382
 		goto err_both;
364 383
 	}
365 384
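Review bot: Between `bind()` and the added `chmod()` the socket file exists with the mode derived from the process umask, which may be more permissive than `sock_mode`; the window is short, but the socket is already bound. Setting the mask for the duration of the call avoids it: `old=umask(~sock_mode & 0777);` before `bind()` and `umask(old);` after, keeping the chmod() as a fallback. The `if (sock_mode)` guard also means `sock_mode=0` leaves the umask-derived mode in place here while init_fifo_server() applies 0 as given, so the two paths disagree; rejecting 0 at configuration time would make that explicit. The `err_rx` label is outside the hunk, so whether a failed chmod()/chown() also removes the bound socket file cannot be checked from here.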