
- new config variables: sock_mode = <permissions> (e.g. sock_mode=0600: default value = 0660) ser unix sockets and fifo will be created with this permissions (old name fifo_mode is still supported, but deprecated) sock_user = username|"uid" sock_group = groupname|"gid" change the owner and/or group of the ser unix sockets or fifo Short example config snippet: sock_mode=0600 # ser socket/fifo mode sock_user="www-data" # ser socket/fifo owner sock_group=nogroup user=nobody # ser user (ser will suid to it) - typo fixed in socket_info (thanks to Jan)

Andrei Pelinescu-Onciul authored on 29/04/2004 15:39:39
Showing 10 changed files
... ...
@@ -31,6 +31,17 @@ core:
31 31
                               ==, !=, ~= for strings
32 32
                               ==, !=, >, <, >=, <= for integers
33 33
  - new config variables:
34
+   sock_mode = <permissions> (e.g. sock_mode=0600:  default value = 0660)
35
+       ser unix sockets and fifo will be created with this permissions
36
+       (old name fifo_mode is still supported, but deprecated)
37
+   sock_user = username|"uid"
38
+   sock_group = groupname|"gid"
39
+      change the owner and/or group of the ser unix sockets or fifo
40
+      Short example config snippet:
41
+           sock_mode=0600        # ser socket/fifo mode
42
+           sock_user="www-data"  # ser socket/fifo owner
43
+           sock_group=nogroup  
44
+           user=nobody       # ser user (ser will suid to it)
34 45
    disable_core_dump= yes|no 
35 46
        by default core dump limits are set to unlimited or a high enough
36 47
        value, set this config variable o yes to disable core dump-ing
... ...
@@ -1,15 +1,25 @@
1 1
 $Id$
2 2
 
3 3
 ( - todo, x - done)
4
-
4
+- [core] parse_uri support for new uri params
5
+- [core] on sig_child, kill the processes if they don't exit in a 
6
+  reasonable time
5 7
 - [doc] document force_rport()
6 8
 - [fifo] fix fgets error handling (it does not set errno always,
7 9
    , right now kills all ser if interrupted by a signal on ?solaris?)
8 10
 - [mem] make shm_realloc be fragmentation friendly: call shm_compact_frags
9 11
    for the small frags?, don't produce smaller frags -- be wastefull?
10
-- [mem] qm_compact_frags (compacts frags if possible)
12
+- [mem] qm_compact_frags (compacts frags if possible), keep a 
13
+        fragment count/bucket and if too much mem. is blocked in one bucket
14
+        de-frag.
15
+- [mem] investigate: don't produce frag if frag size < request
16
+      (should reduce the unrequested fragments number)
17
+- [mem] investigate: keep an used/unused flag per fragment, on free
18
+      check if neighboring frags were not used and if so defragment
11 19
 - [timer] multiple timers? at least ticks should no be affected by the amount
12 20
    of work done in the timer handlers
21
+- [tcp] ser intiated tcp connections use INADDR_ANY (they should be bound first
22
+  to some ip/port ?function of the dest?)
13 23
 - [tcp] need to confirm fd receipt after send_fd, before closing it (this might
14 24
  happen in tcp_send new conn.) (see FreeBSD send BUGS for more info)
15 25
 x [tcp] make send_all, send  non-blocking ready ?
... ...
@@ -36,7 +46,7 @@ x update all package specs from stable
36 36
    should have it, but it would be slower on systems emulating it, like
37 37
    older linuxes)
38 38
 - [tcp] switch to epoll if HAVE_EPOLL defined (linux 2.6.*)
39
-- [tcp] switch to SIGIO if no epoll (linux only, better than poll?)
39
+- [tcp] switch to SIGIO if no epoll (linux only, better than poll)
40 40
 x tcp_main_loop: BUG cases should "conitnue;"
41 41
 x change len_gt into and expr (e.g msg:len).
42 42
 x sipit: uri == myself doesn't match tls port = 5061 
... ...
@@ -45,7 +45,9 @@
45 45
  *  2003-10-28  added tcp_accept_aliases (andrei)
46 46
  *  2003-11-29  added {tcp_send, tcp_connect, tls_*}_timeout (andrei)
47 47
  *  2004-02-24  added LOAD_AVP_T and AVP_TO_URI_T (bogdan)
48
- * 2004-03-30  added DISABLE_CORE and OPEN_FD_LIMIT (andrei)
48
+ *  2004-03-30  added DISABLE_CORE and OPEN_FD_LIMIT (andrei)
49
+ *  2004-04-28  added sock_mode (replaces fifo_mode), sock_user &
50
+ *               sock_group  (andrei)
49 51
  */
50 52
 
51 53
 
... ...
@@ -173,7 +175,9 @@ MEMLOG		"memlog"|"mem_log"
173 173
 SIP_WARNING sip_warning
174 174
 FIFO fifo
175 175
 FIFO_DIR  fifo_dir
176
-FIFO_MODE fifo_mode
176
+SOCK_MODE "fifo_mode"|"sock_mode"|"file_mode"
177
+SOCK_USER "fifo_user"|"sock_user"
178
+SOCK_GROUP "fifo_group"|"sock_group"
177 179
 FIFO_DB_URL fifo_db_url
178 180
 UNIX_SOCK unix_sock
179 181
 UNIX_SOCK_CHILDREN unix_sock_children
... ...
@@ -371,7 +375,9 @@ EAT_ABLE	[\ \t\b\r]
371 371
 <INITIAL>{FIFO}	{ count(); yylval.strval=yytext; return FIFO; }
372 372
 <INITIAL>{FIFO_DIR}	{ count(); yylval.strval=yytext; return FIFO_DIR; }
373 373
 <INITIAL>{FIFO_DB_URL}	{ count(); yylval.strval=yytext; return FIFO_DB_URL; }
374
-<INITIAL>{FIFO_MODE}	{ count(); yylval.strval=yytext; return FIFO_MODE; }
374
+<INITIAL>{SOCK_MODE}	{ count(); yylval.strval=yytext; return SOCK_MODE; }
375
+<INITIAL>{SOCK_USER}	{ count(); yylval.strval=yytext; return SOCK_USER; }
376
+<INITIAL>{SOCK_GROUP}	{ count(); yylval.strval=yytext; return SOCK_GROUP; }
375 377
 <INITIAL>{UNIX_SOCK} { count(); yylval.strval=yytext; return UNIX_SOCK; }
376 378
 <INITIAL>{UNIX_SOCK_CHILDREN} { count(); yylval.strval=yytext; return UNIX_SOCK_CHILDREN; }
377 379
 <INITIAL>{UNIX_TX_TIMEOUT} { count(); yylval.strval=yytext; return UNIX_TX_TIMEOUT; }
... ...
@@ -52,6 +52,7 @@
52 52
  * 2003-11-20  added {tcp_connect, tcp_send, tls_*}_timeout (andrei)
53 53
  * 2004-02-24  added LOAD_AVP_T and AVP_TO_URI_T (bogdan)
54 54
  * 2004-03-30  added DISABLE_CORE and OPEN_FD_LIMIT (andrei)
55
+ * 2004-04-29  added SOCK_MODE, SOCK_USER & SOCK_GROUP (andrei)
55 56
  */
56 57
 
57 58
 
... ...
@@ -199,7 +200,9 @@ static struct id_list* mk_listen_id(char*, int, int);
199 199
 %token SIP_WARNING
200 200
 %token FIFO
201 201
 %token FIFO_DIR
202
-%token FIFO_MODE
202
+%token SOCK_MODE
203
+%token SOCK_USER
204
+%token SOCK_GROUP
203 205
 %token FIFO_DB_URL
204 206
 %token UNIX_SOCK
205 207
 %token UNIX_SOCK_CHILDREN
... ...
@@ -411,14 +414,20 @@ assign_stm:	DEBUG EQUAL NUMBER { debug=$3; }
411 411
 		| FIFO EQUAL error { yyerror("string value expected"); }
412 412
 		| FIFO_DIR EQUAL STRING { fifo_dir=$3; }
413 413
 		| FIFO_DIR EQUAL error { yyerror("string value expected"); }
414
-		| FIFO_MODE EQUAL NUMBER { fifo_mode=$3; }
415
-		| FIFO_MODE EQUAL error { yyerror("int value expected"); }
414
+		| SOCK_MODE EQUAL NUMBER { sock_mode=$3; }
415
+		| SOCK_MODE EQUAL error { yyerror("int value expected"); }
416
+		| SOCK_USER EQUAL STRING { sock_user=$3; }
417
+		| SOCK_USER EQUAL ID     { sock_user=$3; }
418
+		| SOCK_USER EQUAL error { yyerror("string value expected"); }
419
+		| SOCK_GROUP EQUAL STRING { sock_group=$3; }
420
+		| SOCK_GROUP EQUAL ID     { sock_group=$3; }
421
+		| SOCK_GROUP EQUAL error { yyerror("string value expected"); }
416 422
 		| FIFO_DB_URL EQUAL STRING { fifo_db_url=$3; }
417 423
 		| FIFO_DB_URL EQUAL error  { yyerror("string value expected"); }
418
-                | UNIX_SOCK EQUAL STRING { unixsock_name=$3; }
419
-                | UNIX_SOCK EQUAL error { yyerror("string value expected"); }
420
-                | UNIX_SOCK_CHILDREN EQUAL NUMBER { unixsock_children=$3; }
421
-                | UNIX_SOCK_CHILDREN EQUAL error { yyerror("int value expected\n"); }
424
+		| UNIX_SOCK EQUAL STRING { unixsock_name=$3; }
425
+		| UNIX_SOCK EQUAL error { yyerror("string value expected"); }
426
+		| UNIX_SOCK_CHILDREN EQUAL NUMBER { unixsock_children=$3; }
427
+		| UNIX_SOCK_CHILDREN EQUAL error { yyerror("int value expected\n"); }
422 428
 		| UNIX_TX_TIMEOUT EQUAL NUMBER { unixsock_tx_timeout=$3; }
423 429
 		| UNIX_TX_TIMEOUT EQUAL error { yyerror("int value expected\n"); }
424 430
 		| AVP_DB_URL EQUAL STRING { avp_db_url=$3; }
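Review bot: The new `SOCK_MODE EQUAL NUMBER { sock_mode=$3; }` action stores whatever number was parsed, with no range check, and that value later goes straight to mkfifo()/chmod(). How the lexer converts a leading-zero literal is not visible in this hunk, but a mode written without the leading zero (e.g. `sock_mode=600`) would presumably be read as decimal and produce unrelated permission bits. Rejecting anything outside the permission bits would catch this: `| SOCK_MODE EQUAL NUMBER { if ($3 & ~0777) yyerror("invalid socket/fifo mode"); else sock_mode=$3; }`. The assign_stm rule starts and continues outside the hunk.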
... ...
@@ -166,14 +166,18 @@ error:
166 166
 
167 167
 int do_suid()
168 168
 {
169
-	if (gid&&(setgid(gid)<0)){
170
-		LOG(L_CRIT, "cannot change gid to %d: %s\n", gid, strerror(errno));
171
-		goto error;
169
+	if (gid){
170
+		if(setgid(gid)<0){
171
+			LOG(L_CRIT, "cannot change gid to %d: %s\n", gid, strerror(errno));
172
+			goto error;
173
+		}
172 174
 	}
173 175
 	
174
-	if(uid&&(setuid(uid)<0)){
175
-		LOG(L_CRIT, "cannot change uid to %d: %s\n", uid, strerror(errno));
176
-		goto error;
176
+	if(uid){
177
+		if(setuid(uid)<0){
178
+			LOG(L_CRIT, "cannot change uid to %d: %s\n", uid, strerror(errno));
179
+			goto error;
180
+		}
177 181
 	}
178 182
 	return 0;
179 183
 error:
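Review bot: do_suid() switches gid and then uid, but nothing in the visible body resets the supplementary group list, so a process started as root would keep root's supplementary groups after the switch. Whether that is handled elsewhere cannot be seen from here; if it is not, a call such as `if (user && initgroups(user, gid)<0) goto error;` (when `user` is a name) or a `setgroups()` call with only `gid` belongs before `setgid(gid)`, while the process still has the privilege to do it. It would also help to add a comment stating that a uid or gid of 0 means "leave unchanged", since that is what the `if (gid)` / `if(uid)` guards implement. The body of the `error:` label is outside the hunk.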
... ...
@@ -61,6 +61,7 @@
61 61
  *  2003-10-13  addef fifo_dir for reply fifos (andrei)
62 62
  *  2003-10-30  DB interface exported via FIFO (bogdan)
63 63
  *  2004-03-09  open_fifo_server split into init_ and start_ (andrei)
64
+ *  2004-04-29  added chown(sock_user, sock_group)  (andrei)
64 65
  */
65 66
 
66 67
 
... ...
@@ -94,7 +95,6 @@
94 94
 /* FIFO server vars */
95 95
 char *fifo=0; /* FIFO name */
96 96
 char* fifo_dir=DEFAULT_FIFO_DIR; /* dir where reply fifos are allowed */
97
-int fifo_mode=S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP ;
98 97
 char *fifo_db_url = 0;
99 98
 pid_t fifo_pid;
100 99
 /* file descriptors */
... ...
@@ -565,20 +565,30 @@ int init_fifo_server()
565 565
 			strerror(errno));
566 566
 	}
567 567
 		/* create FIFO ... */
568
-		if ((mkfifo(fifo, fifo_mode)<0)) {
568
+		if ((mkfifo(fifo, sock_mode)<0)) {
569 569
 			LOG(L_ERR, "ERROR: open_fifo_server; can't create FIFO: "
570 570
 					"%s (mode=%d)\n",
571
-					strerror(errno), fifo_mode);
571
+					strerror(errno), sock_mode);
572 572
 			return -1;
573 573
 		} 
574 574
 		DBG("DEBUG: FIFO created @ %s\n", fifo );
575
-		if ((chmod(fifo, fifo_mode)<0)) {
575
+		if ((chmod(fifo, sock_mode)<0)) {
576 576
 			LOG(L_ERR, "ERROR: open_fifo_server; can't chmod FIFO: "
577 577
 					"%s (mode=%d)\n",
578
-					strerror(errno), fifo_mode);
578
+					strerror(errno), sock_mode);
579 579
 			return -1;
580 580
 		}
581
-	DBG("DEBUG: fifo %s opened, mode=%d\n", fifo, fifo_mode );
581
+		if ((sock_uid!=-1) || (sock_gid!=-1)){
582
+			if (chown(fifo, sock_uid, sock_gid)<0){
583
+			LOG(L_ERR, "ERROR: open_fifo_server: failed to change the"
584
+					" owner/group for %s  to %d.%d; %s[%d]\n",
585
+					fifo, sock_uid, sock_gid, strerror(errno), errno);
586
+			return -1;
587
+		}
588
+	}
589
+
590
+		
591
+	DBG("DEBUG: fifo %s opened, mode=%d\n", fifo, sock_mode );
582 592
 	time(&up_since);
583 593
 	t=ctime(&up_since);
584 594
 	if (strlen(t)+1>=MAX_CTIME_LEN) {
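Review bot: The added `chown(fifo, sock_uid, sock_gid)` and the `chmod(fifo, sock_mode)` before it operate on the path, so they act on whatever the name resolves to at that moment and follow a symlink if the entry was replaced after mkfifo(). If the fifo sits in a directory other local users can write to while ser still runs privileged (neither is visible in this hunk), the mode or owner of an unrelated file could be changed; the same path-based chmod/chown pair is added in init_unixsock_socket. `lchown(fifo, sock_uid, sock_gid)`, or fchmod()/fchown() on the opened descriptor after an fstat() `S_ISFIFO` check, would avoid that. The new block is also indented one level short of its enclosing `if`, and the messages print the mode with `%d` where the unixsock code uses `%04o`. init_fifo_server starts and continues outside the hunk.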
... ...
@@ -93,6 +93,11 @@ extern int sip_warning;
93 93
 extern int server_signature;
94 94
 extern char* user;
95 95
 extern char* group;
96
+extern char* sock_user;
97
+extern char* sock_group;
98
+extern int sock_uid;
99
+extern int sock_gid;
100
+extern int sock_mode;
96 101
 extern char* chroot_dir;
97 102
 extern char* working_dir;
98 103
 
... ...
@@ -48,6 +48,8 @@
48 48
  *  2004-02-06  added support for user pref. - init_avp_child() (bogdan)
49 49
  *  2004-03-30  core dump is enabled by default
50 50
  *              added support for increasing the open files limit    (andrei)
51
+ *  2004-04-28  sock_{user,group,uid,gid,mode} added
52
+ *              user2uid() & user2gid() added  (andrei)
51 53
  *
52 54
  */
53 55
 
... ...
@@ -329,6 +331,12 @@ char* user=0;
329 329
 char* group=0;
330 330
 int uid = 0;
331 331
 int gid = 0;
332
+char* sock_user=0;
333
+char* sock_group=0;
334
+int sock_uid= -1;
335
+int sock_gid= -1;
336
+int sock_mode= S_IRUSR| S_IWUSR| S_IRGRP| S_IWGRP; /* rw-rw---- */
337
+
332 338
 /* more config stuff */
333 339
 int disable_core_dump=0; /* by default enabled */
334 340
 int open_files_limit=-1; /* don't touch it by default */
... ...
@@ -644,6 +652,57 @@ error:
644 644
 
645 645
 
646 646
 
647
+/* converts a username into uid:gid,
648
+ * returns -1 on error & 0 on success */
649
+static int user2uid(int* uid, int* gid, char* user)
650
+{
651
+	char* tmp;
652
+	struct passwd *pw_entry;
653
+	
654
+	if (user){
655
+		*uid=strtol(user, &tmp, 10);
656
+		if ((tmp==0) ||(*tmp)){
657
+			/* maybe it's a string */
658
+			pw_entry=getpwnam(user);
659
+			if (pw_entry==0){
660
+				goto error;
661
+			}
662
+			*uid=pw_entry->pw_uid;
663
+			if (gid) *gid=pw_entry->pw_gid;
664
+		}
665
+		return 0;
666
+	}
667
+error:
668
+	return -1;
669
+}
670
+
671
+
672
+
673
+/* converts a group name into a gid
674
+ * returns -1 on error, 0 on success */
675
+static int group2gid(int* gid, char* group)
676
+{
677
+	char* tmp;
678
+	struct group  *gr_entry;
679
+	
680
+	if (group){
681
+		*gid=strtol(group, &tmp, 10);
682
+		if ((tmp==0) ||(*tmp)){
683
+			/* maybe it's a string */
684
+			gr_entry=getgrnam(group);
685
+			if (gr_entry==0){
686
+				goto error;
687
+			}
688
+			*gid=gr_entry->gr_gid;
689
+		}
690
+		return 0;
691
+	}
692
+error:
693
+	return -1;
694
+}
695
+
696
+
697
+
647 698
 /* main loop */
648 699
 int main_loop()
649 700
 {
... ...
@@ -1042,8 +1101,6 @@ int main(int argc, char** argv)
1042 1042
 	char *tmp;
1043 1043
 	char *options;
1044 1044
 	int ret;
1045
-	struct passwd *pw_entry;
1046
-	struct group  *gr_entry;
1047 1045
 	unsigned int seed;
1048 1046
 	int rfd;
1049 1047
 
... ...
@@ -1299,31 +1356,30 @@ try_again:
1299 1299
 	
1300 1300
 	/* get uid/gid */
1301 1301
 	if (user){
1302
-		uid=strtol(user, &tmp, 10);
1303
-		if ((tmp==0) ||(*tmp)){
1304
-			/* maybe it's a string */
1305
-			pw_entry=getpwnam(user);
1306
-			if (pw_entry==0){
1307
-				fprintf(stderr, "bad user name/uid number: -u %s\n", user);
1308
-				goto error;
1309
-			}
1310
-			uid=pw_entry->pw_uid;
1311
-			gid=pw_entry->pw_gid;
1302
+		if (user2uid(&uid, &gid, user)<0){
1303
+			fprintf(stderr, "bad user name/uid number: -u %s\n", user);
1304
+			goto error;
1312 1305
 		}
1313 1306
 	}
1314 1307
 	if (group){
1315
-		gid=strtol(group, &tmp, 10);
1316
-		if ((tmp==0) ||(*tmp)){
1317
-			/* maybe it's a string */
1318
-			gr_entry=getgrnam(group);
1319
-			if (gr_entry==0){
1308
+		if (group2gid(&gid, group)<0){
1320 1309
 				fprintf(stderr, "bad group name/gid number: -u %s\n", group);
1321
-				goto error;
1322
-			}
1323
-			gid=gr_entry->gr_gid;
1310
+			goto error;
1311
+		}
1312
+	}
1313
+	/* fix sock/fifo uid/gid */
1314
+	if (sock_user){
1315
+		if (user2uid(&sock_uid, 0, sock_user)<0){
1316
+			fprintf(stderr, "bad socket user name/uid number %s\n", user);
1317
+			goto error;
1318
+		}
1319
+	}
1320
+	if (sock_group){
1321
+		if (group2gid(&sock_gid, sock_group)<0){
1322
+			fprintf(stderr, "bad group name/gid number: -u %s\n", group);
1323
+			goto error;
1324 1324
 		}
1325 1325
 	}
1326
-	
1327 1326
 	if (fix_all_socket_lists()!=0){
1328 1327
 		fprintf(stderr,  "failed to initialize liste addresses\n");
1329 1328
 		goto error;
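Review bot: user2uid() accepts an empty string as a valid numeric id: for `""` strtol() converts nothing, returns 0 and leaves `tmp` on the terminating NUL, so the `(tmp==0) ||(*tmp)` test lets it through and `*uid` becomes 0. With `user=""` that means no uid change at all, because do_suid() skips setuid() when uid is 0; group2gid() has the same pattern, and neither function rejects negative or out-of-range numbers. The rewrite below parses into a local, rejects empty and out-of-range input, and writes `*uid` only on success (group2gid() would change the same way). Separately, the two new messages in main() print the wrong variables, which may be null at that point: they should read `fprintf(stderr, "bad socket user name/uid number %s\n", sock_user);` and `fprintf(stderr, "bad socket group name/gid number %s\n", sock_group);`.

```c
static int user2uid(int* uid, int* gid, char* user)
{
	char* tmp;
	long id;
	struct passwd *pw_entry;
	
	if ((user==0) || (*user==0)) goto error; /* "" would parse as 0 */
	errno=0;
	id=strtol(user, &tmp, 10);
	if (*tmp==0){
		/* all digits: accept only a value that fits a non-negative int */
		if ((errno!=0) || (id<0) || (id!=(int)id)) goto error;
		*uid=(int)id;
		return 0;
	}
	/* not a number, try it as a user name */
	pw_entry=getpwnam(user);
	if (pw_entry==0) goto error;
	*uid=pw_entry->pw_uid;
	if (gid) *gid=pw_entry->pw_gid;
	return 0;
error:
	return -1;
}
```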
... ...
@@ -492,7 +492,7 @@ static int fix_socket_list(struct socket_info **list)
492 492
 						 l->name.s, l->address_str.s);
493 493
 #endif
494 494
 				/* add the name to the alias list*/
495
-				if ((!(l->flags&& SI_IS_IP)) && (
495
+				if ((!(l->flags& SI_IS_IP)) && (
496 496
 						(l->name.len!=si->name.len)||
497 497
 						(strncmp(l->name.s, si->name.s, si->name.len)!=0))
498 498
 					)
... ...
@@ -29,6 +29,7 @@
29 29
 /* History:
30 30
  *              created by janakj
31 31
  *  2004-03-03  added tcp init code (andrei)
32
+ *  2004-04-29  added chmod(sock_perm) & chown(sock_user,sock_group)  (andrei)
32 33
  */
33 34
 
34 35
 #include <unistd.h>
... ...
@@ -311,7 +312,7 @@ int init_unixsock_socket(void)
311 311
 		DBG("init_unixsock_socket: Unix domain socket server disabled\n");
312 312
 		return 1;
313 313
 	} else if (len > 107) {
314
-		LOG(L_ERR, "init_unixsock_socket: Socket name too long\n");
314
+		LOG(L_ERR, "ERROR: init_unixsock_socket: Socket name too long\n");
315 315
 		return -1;
316 316
 	}
317 317
 
... ...
@@ -320,7 +321,7 @@ int init_unixsock_socket(void)
320 320
 
321 321
 	if (unlink(unixsock_name) == -1) {
322 322
 		if (errno != ENOENT) {
323
-			LOG(L_ERR, "init_unixsock_socket: Error while unlinking "
323
+			LOG(L_ERR, "ERROR: init_unixsock_socket: Error while unlinking "
324 324
 			    "old socket (%s): %s\n", unixsock_name, strerror(errno));
325 325
 			return -1;
326 326
 		}
... ...
@@ -328,8 +329,8 @@ int init_unixsock_socket(void)
328 328
 
329 329
 	rx_sock = socket(PF_LOCAL, SOCK_DGRAM, 0);
330 330
 	if (rx_sock == -1) {
331
-		LOG(L_ERR, "init_unixsock_socket: Cannot create RX socket: %s\n", 
332
-		    strerror(errno));
331
+		LOG(L_ERR, "ERROR: init_unixsock_socket: Cannot create RX "
332
+				"socket: %s\n", strerror(errno));
333 333
 		return -1;
334 334
 	}
335 335
 
... ...
@@ -338,28 +339,46 @@ int init_unixsock_socket(void)
338 338
 	memcpy(addr.sun_path, unixsock_name, len);
339 339
 
340 340
 	if (bind(rx_sock, (struct sockaddr*)&addr, SUN_LEN(&addr)) == -1) {
341
-		LOG(L_ERR, "init_unixsock_socket: bind: %s\n", strerror(errno));
341
+		LOG(L_ERR, "ERROR: init_unixsock_socket: bind: %s\n", strerror(errno));
342 342
 		goto err_rx;
343 343
 	}
344
+	/* try to change the permissions */
345
+	if (sock_mode){ /* sock_mode==0 doesn't make sense, nobody can read/write*/
346
+		if (chmod(unixsock_name, sock_mode)<0){
347
+			LOG(L_ERR, "ERROR: init_unixsock_socket: failed to change the"
348
+					" permissions for %s to %04o: %s[%d]\n",
349
+					unixsock_name, sock_mode, strerror(errno), errno);
350
+			goto err_rx;
351
+		}
352
+	}
353
+	/* try to change the ownership */
354
+	if ((sock_uid!=-1) || (sock_gid!=-1)){
355
+		if (chown(unixsock_name, sock_uid, sock_gid)<0){
356
+			LOG(L_ERR, "ERROR: init_unixsock_socket: failed to change the"
357
+					" owner/group for %s  to %d.%d; %s[%d]\n",
358
+					unixsock_name, sock_uid, sock_gid, strerror(errno), errno);
359
+			goto err_rx;
360
+		}
361
+	}
344 362
 
345 363
 	tx_sock = socket(PF_LOCAL, SOCK_DGRAM, 0);
346 364
 	if (tx_sock == -1) {
347
-		LOG(L_ERR, "init_unixsock_socket: Cannot create TX socket: %s\n",
348
-		    strerror(errno));
365
+		LOG(L_ERR, "ERROR: init_unixsock_socket: Cannot create TX socket:"
366
+				" %s\n", strerror(errno));
349 367
 		goto err_rx;
350 368
 	}
351 369
 
352 370
 	     /* Turn non-blocking mode on */
353 371
 	flags = fcntl(tx_sock, F_GETFL);
354 372
 	if (flags == -1){
355
-		LOG(L_ERR, "init_unixsock_socket: fcntl failed: %s\n",
373
+		LOG(L_ERR, "ERROR: init_unixsock_socket: fcntl failed: %s\n",
356 374
 		    strerror(errno));
357 375
 		goto err_both;
358 376
 	}
359 377
 		
360 378
 	if (fcntl(tx_sock, F_SETFL, flags | O_NONBLOCK) == -1) {
361
-		LOG(L_ERR, "init_unixsock_socket: fcntl: set non-blocking failed:"
362
-		    " %s\n", strerror(errno));
379
+		LOG(L_ERR, "ERROR: init_unixsock_socket: fcntl: "
380
+				"set non-blocking failed: %s\n", strerror(errno));
363 381
 		goto err_both;
364 382
 	}
365 383
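Review bot: Between bind() and the added chmod() the socket file exists with permissions derived from the process umask rather than from sock_mode, so for a short window it can be more permissive than the configured mode. Setting the umask around the bind creates it with the intended mode from the start: `old=umask(~sock_mode & 0777);` before bind() and `umask(old);` after it, keeping the chmod() as a fallback. The guard `if (sock_mode)` also skips the chmod silently for sock_mode=0 and leaves the umask-derived mode in place; rejecting that value at config time would be clearer than ignoring it. init_unixsock_socket starts and ends outside the hunk.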