[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-exchange] branch master updated: secmod: fchmod socket to ug+rw
|
From: |
gnunet |
|
Subject: |
[taler-exchange] branch master updated: secmod: fchmod socket to ug+rw |
|
Date: |
Tue, 27 Jul 2021 11:26:57 +0200 |
This is an automated email from the git hooks/post-receive script.
dold pushed a commit to branch master
in repository exchange.
The following commit(s) were added to refs/heads/master by this push:
new 32f3391b secmod: fchmod socket to ug+rw
32f3391b is described below
commit 32f3391be100622a79c40fdce7dcec44418da34c
Author: Florian Dold <florian@dold.me>
AuthorDate: Tue Jul 27 11:26:48 2021 +0200
secmod: fchmod socket to ug+rw
---
src/util/Makefile.am | 6 ++-
src/util/secmod_common.c | 83 ++++++++++++++++++++++++++++++++++
src/util/secmod_common.h | 36 +++++++++++++++
src/util/taler-exchange-secmod-eddsa.c | 79 ++++++++------------------------
src/util/taler-exchange-secmod-rsa.c | 79 ++++++++------------------------
5 files changed, 160 insertions(+), 123 deletions(-)
diff --git a/src/util/Makefile.am b/src/util/Makefile.am
index d9660c71..7a6f3d6e 100644
--- a/src/util/Makefile.am
+++ b/src/util/Makefile.am
@@ -39,7 +39,8 @@ CLEANFILES = \
taler-config
taler_exchange_secmod_rsa_SOURCES = \
- taler-exchange-secmod-rsa.c taler-exchange-secmod-rsa.h
+ taler-exchange-secmod-rsa.c taler-exchange-secmod-rsa.h \
+ secmod_common.c secmod_common.h
taler_exchange_secmod_rsa_LDADD = \
libtalerutil.la \
-lgnunetutil \
@@ -48,7 +49,8 @@ taler_exchange_secmod_rsa_LDADD = \
$(XLIB)
taler_exchange_secmod_eddsa_SOURCES = \
- taler-exchange-secmod-eddsa.c taler-exchange-secmod-eddsa.h
+ taler-exchange-secmod-eddsa.c taler-exchange-secmod-eddsa.h \
+ secmod_common.c secmod_common.h
taler_exchange_secmod_eddsa_LDADD = \
libtalerutil.la \
-lgnunetutil \
diff --git a/src/util/secmod_common.c b/src/util/secmod_common.c
new file mode 100644
index 00000000..cc2def19
--- /dev/null
+++ b/src/util/secmod_common.c
@@ -0,0 +1,83 @@
+/*
+ This file is part of TALER
+ Copyright (C) 2020 Taler Systems SA
+
+ TALER is free software; you can redistribute it and/or modify it under the
+ terms of the GNU General Public License as published by the Free Software
+ Foundation; either version 3, or (at your option) any later version.
+
+ TALER is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+ A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along with
+ TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
+*/
+/**
+ * @file util/secmod_common.c
+ * @brief Common functions for the exchange security modules
+ * @author Florian Dold <dold@taler.net>
+ */
+#include "platform.h"
+#include "taler_util.h"
+#include "taler_signatures.h"
+
+struct GNUNET_NETWORK_Handle *
+TES_open_socket (const char *unixpath)
+{
+ int sock;
+
+ sock = socket (PF_UNIX,
+ SOCK_DGRAM,
+ 0);
+ if (-1 == sock)
+ {
+ GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
+ "socket");
+ return NULL;
+ }
+ /* Change permissions so that group read/writes are allowed.
+ * We need this for multi-user exchange deployment with privilege
+ * separation, where taler-exchange-httpd is part of a group
+ * that allows it to talk to secmod.
+ *
+ * Importantly, we do this before binding the socket.
+ */
+ GNUNET_assert (0 == fchmod (sock, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
+ {
+ struct sockaddr_un un;
+
+ if (GNUNET_OK !=
+ GNUNET_DISK_directory_create_for_file (unixpath))
+ {
+ GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING,
+ "mkdir(dirname)",
+ unixpath);
+ }
+ if (0 != unlink (unixpath))
+ {
+ if (ENOENT != errno)
+ GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING,
+ "unlink",
+ unixpath);
+ }
+ memset (&un,
+ 0,
+ sizeof (un));
+ un.sun_family = AF_UNIX;
+ strncpy (un.sun_path,
+ unixpath,
+ sizeof (un.sun_path) - 1);
+ if (0 != bind (sock,
+ (const struct sockaddr *) &un,
+ sizeof (un)))
+ {
+ GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR,
+ "bind",
+ unixpath);
+ GNUNET_break (0 == close (sock));
+ return NULL;
+ }
+ }
+ return GNUNET_NETWORK_socket_box_native (sock);
+}
diff --git a/src/util/secmod_common.h b/src/util/secmod_common.h
new file mode 100644
index 00000000..c1eea655
--- /dev/null
+++ b/src/util/secmod_common.h
@@ -0,0 +1,36 @@
+/*
+ This file is part of GNU Taler
+ Copyright (C) 2021 Taler Systems SA
+
+ GNU Taler is free software; you can redistribute it and/or modify it under
the
+ terms of the GNU General Public License as published by the Free Software
+ Foundation; either version 3, or (at your option) any later version.
+
+ GNU Taler is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+ A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along with
+ TALER; see the file COPYING. If not, see
+ <http://www.gnu.org/licenses/>
+*/
+/**
+ * @file util/secmod_common.h
+ * @brief Common functions for the exchange security modules
+ * @author Florian Dold <dold@taler.net>
+ */
+#ifndef SECMOD_COMMON_H
+#define SECMOD_COMMON_H
+
+#include <gnunet/gnunet_util_lib.h>
+#include <gnunet/gnunet_network_lib.h>
+
+/**
+ * Create the listen socket for a secmod daemon.
+ *
+ * @param unixpath socket path
+ */
+struct GNUNET_NETWORK_Handle *
+TES_open_socket (const char *unixpath);
+
+#endif
diff --git a/src/util/taler-exchange-secmod-eddsa.c
b/src/util/taler-exchange-secmod-eddsa.c
index 195992e1..8f996443 100644
--- a/src/util/taler-exchange-secmod-eddsa.c
+++ b/src/util/taler-exchange-secmod-eddsa.c
@@ -1521,69 +1521,27 @@ run (void *cls,
return;
}
- /* open socket */
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_filename (kcfg,
+ "taler-exchange-secmod-eddsa",
+ "UNIXPATH",
+ &unixpath))
{
- int sock;
+ GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+ "taler-exchange-secmod-eddsa",
+ "UNIXPATH");
+ global_ret = 3;
+ return;
+ }
- sock = socket (PF_UNIX,
- SOCK_DGRAM,
- 0);
- if (-1 == sock)
- {
- GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
- "socket");
- global_ret = 2;
- return;
- }
- {
- struct sockaddr_un un;
+ GNUNET_assert (NULL != unixpath);
+ unix_sock = TES_open_socket (unixpath);
- if (GNUNET_OK !=
- GNUNET_CONFIGURATION_get_value_filename (kcfg,
-
"taler-exchange-secmod-eddsa",
- "UNIXPATH",
- &unixpath))
- {
- GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
- "taler-exchange-secmod-eddsa",
- "UNIXPATH");
- global_ret = 3;
- return;
- }
- if (GNUNET_OK !=
- GNUNET_DISK_directory_create_for_file (unixpath))
- {
- GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING,
- "mkdir(dirname)",
- unixpath);
- }
- if (0 != unlink (unixpath))
- {
- if (ENOENT != errno)
- GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING,
- "unlink",
- unixpath);
- }
- memset (&un,
- 0,
- sizeof (un));
- un.sun_family = AF_UNIX;
- strncpy (un.sun_path,
- unixpath,
- sizeof (un.sun_path) - 1);
- if (0 != bind (sock,
- (const struct sockaddr *) &un,
- sizeof (un)))
- {
- GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR,
- "bind",
- unixpath);
- global_ret = 3;
- GNUNET_break (0 == close (sock));
- return;
- }
- }
- unix_sock = GNUNET_NETWORK_socket_box_native (sock);
+ if (NULL == unix_sock)
+ {
+ GNUNET_free (unixpath);
+ global_ret = 2;
+ return;
}
GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
@@ -1675,7 +1633,6 @@ main (int argc,
};
int ret;
- (void) umask (S_IWGRP | S_IROTH | S_IWOTH | S_IXOTH);
/* force linker to link against libtalerutil; if we do
not do this, the linker may "optimize" libtalerutil
away and skip #TALER_OS_init(), which we do need */
diff --git a/src/util/taler-exchange-secmod-rsa.c
b/src/util/taler-exchange-secmod-rsa.c
index 0b2da99d..b6729b66 100644
--- a/src/util/taler-exchange-secmod-rsa.c
+++ b/src/util/taler-exchange-secmod-rsa.c
@@ -40,6 +40,7 @@
#include <sys/eventfd.h>
#include "taler_error_codes.h"
#include "taler_signatures.h"
+#include "secmod_common.h"
/**
@@ -1895,69 +1896,27 @@ run (void *cls,
return;
}
- /* open socket */
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_filename (kcfg,
+ "taler-exchange-secmod-rsa",
+ "UNIXPATH",
+ &unixpath))
{
- int sock;
+ GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+ "taler-exchange-secmod-rsa",
+ "UNIXPATH");
+ global_ret = 3;
+ return;
+ }
- sock = socket (PF_UNIX,
- SOCK_DGRAM,
- 0);
- if (-1 == sock)
- {
- GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
- "socket");
- global_ret = 2;
- return;
- }
- {
- struct sockaddr_un un;
+ GNUNET_assert (NULL != unixpath);
+ unix_sock = TES_open_socket (unixpath);
- if (GNUNET_OK !=
- GNUNET_CONFIGURATION_get_value_filename (kcfg,
- "taler-exchange-secmod-rsa",
- "UNIXPATH",
- &unixpath))
- {
- GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
- "taler-exchange-secmod-rsa",
- "UNIXPATH");
- global_ret = 3;
- return;
- }
- if (GNUNET_OK !=
- GNUNET_DISK_directory_create_for_file (unixpath))
- {
- GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING,
- "mkdir(dirname)",
- unixpath);
- }
- if (0 != unlink (unixpath))
- {
- if (ENOENT != errno)
- GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING,
- "unlink",
- unixpath);
- }
- memset (&un,
- 0,
- sizeof (un));
- un.sun_family = AF_UNIX;
- strncpy (un.sun_path,
- unixpath,
- sizeof (un.sun_path) - 1);
- if (0 != bind (sock,
- (const struct sockaddr *) &un,
- sizeof (un)))
- {
- GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR,
- "bind",
- unixpath);
- global_ret = 3;
- GNUNET_break (0 == close (sock));
- return;
- }
- }
- unix_sock = GNUNET_NETWORK_socket_box_native (sock);
+ if (NULL == unix_sock)
+ {
+ GNUNET_free (unixpath);
+ global_ret = 2;
+ return;
}
GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [taler-exchange] branch master updated: secmod: fchmod socket to ug+rw,
gnunet <=