[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] r19129 - in gnunet: . src/dht src/dns src/dv src/transport
From: |
gnunet |
Subject: |
[GNUnet-SVN] r19129 - in gnunet: . src/dht src/dns src/dv src/transport src/util src/vpn |
Date: |
Fri, 13 Jan 2012 23:10:16 +0100 |
Author: grothoff
Date: 2012-01-13 23:10:16 +0100 (Fri, 13 Jan 2012)
New Revision: 19129
Modified:
gnunet/configure.ac
gnunet/src/dht/dht.conf.in
gnunet/src/dns/Makefile.am
gnunet/src/dns/dns.conf.in
gnunet/src/dv/dv.conf.in
gnunet/src/transport/transport.conf.in
gnunet/src/util/service.c
gnunet/src/vpn/vpn.conf.in
Log:
improving code and build system to be in line with gnunet access control model
for services as described at https://gnunet.org/gnunet-access-control-model
Modified: gnunet/configure.ac
===================================================================
--- gnunet/configure.ac 2012-01-13 21:33:47 UTC (rev 19128)
+++ gnunet/configure.ac 2012-01-13 22:10:16 UTC (rev 19129)
@@ -751,6 +751,28 @@
AC_SUBST(SUDO_BINARY)
+# test for gnunetdns group name
+GNUNETDNS_GROUP=gnunetdns
+AC_MSG_CHECKING(for gnunetdns group name)
+AC_ARG_WITH(gnunetdns,
+ [ --with-gnunetdns=GRPNAME name for gnunetdns group],
+ [AC_MSG_RESULT("$with_gnunetdns")
+ case $with_gnunetdns in
+ no)
+ GNUNETDNS_GROUP=gnunet
+ ;;
+ yes)
+ GNUNETDNS_GROUP=gnunetdns
+ ;;
+ *)
+ GNUNETDNS_GROUP=$with_gnunetdns
+ ;;
+ esac
+ ],
+ [AC_MSG_RESULT([gnunetdns])])
+AC_SUBST(GNUNETDNS_GROUP)
+
+
# should 'make check' run tests?
AC_MSG_CHECKING(whether to run tests)
AC_ARG_ENABLE([testruns],
Modified: gnunet/src/dht/dht.conf.in
===================================================================
--- gnunet/src/dht/dht.conf.in 2012-01-13 21:33:47 UTC (rev 19128)
+++ gnunet/src/dht/dht.conf.in 2012-01-13 22:10:16 UTC (rev 19129)
@@ -9,6 +9,7 @@
ACCEPT_FROM6 = ::1;
BUCKET_SIZE = 4
UNIXPATH = /tmp/gnunet-service-dht.sock
+# This could be relaxed...
UNIX_MATCH_UID = YES
UNIX_MATCH_GID = YES
# DISABLE_SOCKET_FORWARDING = NO
Modified: gnunet/src/dns/Makefile.am
===================================================================
--- gnunet/src/dns/Makefile.am 2012-01-13 21:33:47 UTC (rev 19128)
+++ gnunet/src/dns/Makefile.am 2012-01-13 22:10:16 UTC (rev 19129)
@@ -20,8 +20,11 @@
install-exec-hook:
$(SUDO_BINARY) chown root:root $(bindir)/gnunet-helper-hijack-dns ||
true
$(SUDO_BINARY) chmod u+s $(bindir)/gnunet-helper-hijack-dns || true
- $(SUDO_BINARY) chown root:root $(bindir)/gnunet-helper-dns || true
- $(SUDO_BINARY) chmod u+s $(bindir)/gnunet-helper-dns || true
+ $(SUDO_BINARY) chown root $(bindir)/gnunet-helper-dns || true
+ $(SUDO_BINARY) chgrp $(GNUNETDNS_GROUP) $(bindir)/gnunet-helper-dns ||
true
+ $(SUDO_BINARY) chmod 4750 $(bindir)/gnunet-helper-dns || true
+ $(SUDO_BINARY) chgrp $(GNUNETDNS_GROUP)
$(bindir)/gnunet-service-dns-new || true
+ $(SUDO_BINARY) chmod 2755 $(bindir)/gnunet-helper-dns || true
else
install-exec-hook:
endif
Modified: gnunet/src/dns/dns.conf.in
===================================================================
--- gnunet/src/dns/dns.conf.in 2012-01-13 21:33:47 UTC (rev 19128)
+++ gnunet/src/dns/dns.conf.in 2012-01-13 22:10:16 UTC (rev 19129)
@@ -5,10 +5,9 @@
HOME = $SERVICEHOME
CONFIG = $DEFAULTCONFIG
BINARY = gnunet-service-dns
-ACCEPT_FROM = 127.0.0.1;
-ACCEPT_FROM6 = ::1;
UNIXPATH = /tmp/gnunet-service-dns.sock
-
+UNIX_MATCH_UID = YES
+UNIX_MATCH_GID = YES
PROVIDE_EXIT = YES
IFNAME = gnunet-dns
Modified: gnunet/src/dv/dv.conf.in
===================================================================
--- gnunet/src/dv/dv.conf.in 2012-01-13 21:33:47 UTC (rev 19128)
+++ gnunet/src/dv/dv.conf.in 2012-01-13 22:10:16 UTC (rev 19129)
@@ -9,6 +9,8 @@
HOSTNAME = localhost
@UNIXONLY@ PORT = 2571
UNIXPATH = /tmp/gnunet-service-dv.sock
+UNIX_MATCH_UID = YES
+UNIX_MATCH_GID = YES
# ACCEPT_FROM =
# ACCEPT_FROM6 =
# REJECT_FROM =
Modified: gnunet/src/transport/transport.conf.in
===================================================================
--- gnunet/src/transport/transport.conf.in 2012-01-13 21:33:47 UTC (rev
19128)
+++ gnunet/src/transport/transport.conf.in 2012-01-13 22:10:16 UTC (rev
19129)
@@ -12,6 +12,7 @@
PLUGINS = tcp
UNIXPATH = /tmp/gnunet-service-transport.sock
BLACKLIST_FILE = $SERVICEHOME/blacklist
+# This could possibly be relaxed
UNIX_MATCH_UID = YES
UNIX_MATCH_GID = YES
# DISABLE_SOCKET_FORWARDING = NO
Modified: gnunet/src/util/service.c
===================================================================
--- gnunet/src/util/service.c 2012-01-13 21:33:47 UTC (rev 19128)
+++ gnunet/src/util/service.c 2012-01-13 22:10:16 UTC (rev 19129)
@@ -501,14 +501,18 @@
int require_found;
/**
- * Do we require a matching UID for UNIX domain socket
- * connections?
+ * Do we require a matching UID for UNIX domain socket connections?
+ * GNUNET_NO means that the UID does not have to match (however,
+ * "match_gid" may still impose other access control checks).
*/
int match_uid;
/**
- * Do we require a matching GID for UNIX domain socket
- * connections?
+ * Do we require a matching GID for UNIX domain socket connections?
+ * Ignored if "match_uid" is GNUNET_YES. Note that this is about
+ * checking that the client's UID is in our group OR that the
+ * client's GID is our GID. If both "match_gid" and "match_uid" are
+ * "GNUNET_NO", all users on the local system have access.
*/
int match_gid;
@@ -617,15 +621,50 @@
#ifndef WINDOWS
case AF_UNIX:
ret = GNUNET_OK; /* always OK for now */
- if ((sctx->match_uid == GNUNET_YES) || (sctx->match_gid == GNUNET_YES))
- ret = GNUNET_NO;
- if ((uc != NULL) &&
- ((sctx->match_uid != GNUNET_YES) || (uc->uid == geteuid ()) ||
- (uc->uid == getuid ())) && ((sctx->match_gid != GNUNET_YES) ||
- (uc->gid == getegid ()) ||
- (uc->gid == getgid ())))
- ret = GNUNET_YES;
- else
+ if (sctx->match_uid == GNUNET_YES)
+ {
+ /* UID match required */
+ ret = (uc != NULL) && (uc->uid == geteuid ());
+ }
+ else if (sctx->match_gid == GNUNET_YES)
+ {
+ /* group match required */
+ if (uc == NULL)
+ {
+ /* no credentials, group match not possible */
+ ret = GNUNET_NO;
+ }
+ else
+ {
+ struct group *grp;
+ unsigned int i;
+
+ if (uc->gid != getegid())
+ {
+ /* default group did not match, but maybe the user is in our group,
let's check */
+ grp = getgrgid (getegid ());
+ if (NULL == grp)
+ {
+ GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR, "getgrgid");
+ return GNUNET_NO;
+ }
+ ret = GNUNET_NO;
+ for (i=0; NULL != grp->gr_mem[i]; i++)
+ {
+ struct passwd *nam = getpwnam (grp->gr_mem[i]);
+ if (NULL == nam)
+ continue; /* name in group that is not in user DB !? */
+ if (nam->pw_uid == uc->uid)
+ {
+ /* yes, uid is in our group, allow! */
+ ret = GNUNET_YES;
+ break;
+ }
+ }
+ }
+ }
+ }
+ if (GNUNET_NO == ret)
LOG (GNUNET_ERROR_TYPE_WARNING, _("Access denied to UID %d / GID %d\n"),
(uc == NULL) ? -1 : uc->uid, (uc == NULL) ? -1 : uc->gid);
break;
Modified: gnunet/src/vpn/vpn.conf.in
===================================================================
--- gnunet/src/vpn/vpn.conf.in 2012-01-13 21:33:47 UTC (rev 19128)
+++ gnunet/src/vpn/vpn.conf.in 2012-01-13 22:10:16 UTC (rev 19129)
@@ -8,6 +8,8 @@
ACCEPT_FROM = 127.0.0.1;
ACCEPT_FROM6 = ::1;
UNIXPATH = /tmp/gnunet-service-vpn.sock
+UNIX_MATCH_UID = YES
+UNIX_MATCH_GID = YES
IPV6ADDR = 1234::1
IPV6PREFIX = 32
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [GNUnet-SVN] r19129 - in gnunet: . src/dht src/dns src/dv src/transport src/util src/vpn,
gnunet <=