[GNUnet-SVN] r24112 - in gnunet/src: dns pt
From: |
gnunet |
Subject: |
[GNUnet-SVN] r24112 - in gnunet/src: dns pt |
Date: |
Fri, 28 Sep 2012 18:53:51 +0200 |
Author: grothoff
Date: 2012-09-28 18:53:51 +0200 (Fri, 28 Sep 2012)
New Revision: 24112
Modified:
gnunet/src/dns/gnunet-helper-dns.c
gnunet/src/pt/test_gns_vpn.c
Log:
-do not close stdin/stdout for standard system progs
Modified: gnunet/src/dns/gnunet-helper-dns.c
===================================================================
--- gnunet/src/dns/gnunet-helper-dns.c 2012-09-28 16:37:18 UTC (rev 24111)
+++ gnunet/src/dns/gnunet-helper-dns.c 2012-09-28 16:53:51 UTC (rev 24112)
@@ -155,6 +155,33 @@
/**
+ * Open '/dev/null' and make the result the given
+ * file descriptor.
+ *
+ * @param target_fd desired FD to point to /dev/null
+ * @param flags open flags (O_RDONLY, O_WRONLY)
+ */
+static void
+open_dev_null (int target_fd,
+ int flags)
+{
+ int fd;
+
+ fd = open ("/dev/null", flags);
+ if (-1 == fd)
+ abort ();
+ if (fd == target_fd)
+ return;
+ if (-1 == dup2 (fd, target_fd))
+ {
+ (void) close (fd);
+ abort ();
+ }
+ (void) close (fd);
+}
+
+
+/**
* Run the given command and wait for it to complete.
*
* @param file name of the binary to run
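Review bot: open_dev_null calls abort() on an open() or dup2() failure, and because it runs in the forked child ahead of execv (see the next hunk), such a failure ends the child with SIGABRT rather than an exit status; the parent's wait logic, outside this hunk, will then see a signal termination, and since the helper presumably still has effective uid 0 at that point a core dump is possible depending on the system's dumpable settings. The exec-failure path in the same function already reports through fprintf(stderr, ...), so the child could follow that pattern and leave with `_exit (1);` instead of `abort ();`. The doc comment should also state the failure behaviour, e.g. `* Terminates the process if /dev/null cannot be opened or duplicated.`. The function itself is complete within the hunk.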
@@ -183,7 +210,9 @@
/* close stdin/stdout to not cause interference
with the helper's main protocol! */
(void) close (0);
+ open_dev_null (0, O_RDONLY);
(void) close (1);
+ open_dev_null (1, O_WRONLY);
(void) execv (file, cmd);
/* can only get here on error */
fprintf (stderr,
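Review bot: The `(void) close (0);` and `(void) close (1);` that precede the new open_dev_null calls are now redundant, since open_dev_null's dup2 already closes and replaces the target descriptor; the four lines can become `open_dev_null (0, O_RDONLY); open_dev_null (1, O_WRONLY);`. If the close is kept deliberately so that the following open() returns 0/1 directly and hits the `fd == target_fd` early return, that deserves a comment such as `/* close first so open() reuses fd 0/1 and no dup2 is needed */`. fd 2 is intentionally left attached to the helper's stderr, which the error report below depends on. fork_and_exec begins and ends outside this hunk.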
@@ -683,6 +712,7 @@
* 25-39 failed to drop privs and then failed to undo some changes to
routing table
* 40 failed to regain privs
* 41-55 failed to regain prisv and then failed to undo some changes
to routing table
+ * 254 insufficient priviledges
* 255 failed to handle kill signal properly
*/
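Review bot: The new exit-code line misspells the word; it should read `* 254 insufficient privileges`, and while here the pre-existing `prisv` on the 41-55 line could be corrected to `privs`. It would also help to say where 254 originates, since the code that returns it (the setresuid/seteuid check at the top of main) is in another hunk of this commit, e.g. `* 254 failed to assert root privileges (helper presumably not installed setuid root)`.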
int
@@ -692,6 +722,7 @@
char dev[IFNAMSIZ];
char mygid[32];
int fd_tun;
+ uid_t uid;
if (6 != argc)
{
@@ -699,6 +730,22 @@
return 1;
}
+ /* assert privs so we can modify the firewall rules! */
+ uid = getuid ();
+#ifdef HAVE_SETRESUID
+ if (0 != setresuid (uid, 0, 0))
+ {
+ fprintf (stderr, "Failed to setresuid to root: %s\n", strerror (errno));
+ return 254;
+ }
+#else
+ if (0 != seteuid (0))
+ {
+ fprintf (stderr, "Failed to seteuid back to root: %s\n", strerror (errno));
+ return 254;
+ }
+#endif
+
/* verify that the binaries were care about are executable */
if (0 == access ("/sbin/iptables", X_OK))
sbin_iptables = "/sbin/iptables";
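Review bot: The binary checks right after the new privilege assertion use access(X_OK), which evaluates permissions against the real uid — still the invoking user after `setresuid (uid, 0, 0)` — rather than the effective uid 0 the helper will actually exec with, so an iptables installed as root-only executable would be reported missing even though it would run; if that matters, `euidaccess`/`eaccess` where available or a stat-based check is the accurate test, and the choice deserves a comment. The `#else` branch's message says "seteuid back to root" although nothing has dropped privileges yet at this point; `Failed to seteuid to root` matches the setresuid branch. A comment on the intent would also help readers, e.g. `/* no-op for a correctly installed setuid-root helper; fails with EPERM otherwise, so we bail out before touching the firewall */`. main continues past the hunk.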
@@ -899,7 +946,6 @@
/* drop privs *except* for the saved UID; this is not perfect, but better
than doing nothing */
- uid_t uid = getuid ();
#ifdef HAVE_SETRESUID
if (0 != setresuid (uid, uid, 0))
{
Modified: gnunet/src/pt/test_gns_vpn.c
===================================================================
--- gnunet/src/pt/test_gns_vpn.c 2012-09-28 16:37:18 UTC (rev 24111)
+++ gnunet/src/pt/test_gns_vpn.c 2012-09-28 16:53:51 UTC (rev 24112)
@@ -239,6 +239,7 @@
NULL);
}
+
static void
start_curl (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
{
@@ -261,12 +262,14 @@
curl_main ();
}
+
static void
disco_ns (void* cls, const struct GNUNET_SCHEDULER_TaskContext *tc)
{
GNUNET_NAMESTORE_disconnect (namestore);
}
+
/**
* Callback invoked from the namestore service once record is
* created.
@@ -354,6 +357,7 @@
NULL);
}
+
static void
run (void *cls,
const struct GNUNET_CONFIGURATION_Handle *cfg,
@@ -438,6 +442,33 @@
/**
+ * Open '/dev/null' and make the result the given
+ * file descriptor.
+ *
+ * @param target_fd desired FD to point to /dev/null
+ * @param flags open flags (O_RDONLY, O_WRONLY)
+ */
+static void
+open_dev_null (int target_fd,
+ int flags)
+{
+ int fd;
+
+ fd = open ("/dev/null", flags);
+ if (-1 == fd)
+ abort ();
+ if (fd == target_fd)
+ return;
+ if (-1 == dup2 (fd, target_fd))
+ {
+ (void) close (fd);
+ abort ();
+ }
+ (void) close (fd);
+}
+
+
+/**
* Run the given command and wait for it to complete.
*
* @param file name of the binary to run
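Review bot: This open_dev_null is a byte-for-byte copy of the one added to gnunet-helper-dns.c in the same commit; if other tests or helpers need the same thing, a shared utility (the GNUNET_OS module already provides process helpers, judging by GNUNET_OS_check_helper_binary below) would keep the two from drifting. As in the helper, the abort() on failure in a forked child ends the child by signal; a stderr message plus `_exit (1);` would give the test's wait logic a conventional exit status. The function is complete within the hunk.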
@@ -466,7 +497,9 @@
/* close stdin/stdout to not cause interference
with the helper's main protocol! */
(void) close (0);
+ open_dev_null (0, O_RDONLY);
(void) close (1);
+ open_dev_null (1, O_WRONLY);
(void) execv (file, cmd);
/* can only get here on error */
fprintf (stderr,
@@ -515,7 +548,7 @@
if (0 != fork_and_exec (sbin_iptables, iptables_args))
{
fprintf (stderr,
- "IPtables not available, Skipping.\n");
+ "Failed to run `iptables -t mangle -L -v'. Skipping test.\n");
return 0;
}
@@ -529,12 +562,13 @@
return 0;
}
- if ( (GNUNET_YES !=
- GNUNET_OS_check_helper_binary ("gnunet-helper-vpn")) ||
- (GNUNET_YES !=
- GNUNET_OS_check_helper_binary ("gnunet-helper-exit")) ||
- (GNUNET_YES !=
- GNUNET_OS_check_helper_binary ("gnunet-helper-dns")))
+ if ( (0 != geteuid ()) &&
+ ( (GNUNET_YES !=
+ GNUNET_OS_check_helper_binary ("gnunet-helper-vpn")) ||
+ (GNUNET_YES !=
+ GNUNET_OS_check_helper_binary ("gnunet-helper-exit")) ||
+ (GNUNET_YES !=
+ GNUNET_OS_check_helper_binary ("gnunet-helper-dns"))) )
{
fprintf (stderr,
"WARNING: gnunet-helper-{exit,vpn,dns} binaries in $PATH are not
SUID, refusing to run test (as it would have to fail).\n");
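Review bot: With `0 != geteuid ()` short-circuiting the condition, a root run now skips GNUNET_OS_check_helper_binary entirely; if that function also verifies that gnunet-helper-{vpn,exit,dns} exist in $PATH (its implementation is not visible here), a root run with a missing helper proceeds and fails somewhere inside the test instead of being skipped up front. If the intent is only to waive the SUID requirement for root, keep an existence check in both cases and gate just the SUID part on the euid, should the API offer such a mode. The warning text is accurate only for the non-root branch, which is fine since it cannot be reached as root. The enclosing function continues past the hunk.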