aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFlorian Dold <florian@dold.me>2021-07-27 11:26:48 +0200
committerFlorian Dold <florian@dold.me>2021-07-27 11:26:48 +0200
commit32f3391be100622a79c40fdce7dcec44418da34c (patch)
treeb15af29e6df4667b2328a4698f80bc7e18b41a5e
parent065ebbf57e673927034357bd85fb8c6519639894 (diff)
downloadexchange-32f3391be100622a79c40fdce7dcec44418da34c.tar.gz
exchange-32f3391be100622a79c40fdce7dcec44418da34c.zip
secmod: fchmod socket to ug+rw
-rw-r--r--src/util/Makefile.am6
-rw-r--r--src/util/secmod_common.c83
-rw-r--r--src/util/secmod_common.h36
-rw-r--r--src/util/taler-exchange-secmod-eddsa.c79
-rw-r--r--src/util/taler-exchange-secmod-rsa.c79
5 files changed, 160 insertions, 123 deletions
diff --git a/src/util/Makefile.am b/src/util/Makefile.am
index d9660c710..7a6f3d6e7 100644
--- a/src/util/Makefile.am
+++ b/src/util/Makefile.am
@@ -39,7 +39,8 @@ CLEANFILES = \
39 taler-config 39 taler-config
40 40
41taler_exchange_secmod_rsa_SOURCES = \ 41taler_exchange_secmod_rsa_SOURCES = \
42 taler-exchange-secmod-rsa.c taler-exchange-secmod-rsa.h 42 taler-exchange-secmod-rsa.c taler-exchange-secmod-rsa.h \
43 secmod_common.c secmod_common.h
43taler_exchange_secmod_rsa_LDADD = \ 44taler_exchange_secmod_rsa_LDADD = \
44 libtalerutil.la \ 45 libtalerutil.la \
45 -lgnunetutil \ 46 -lgnunetutil \
@@ -48,7 +49,8 @@ taler_exchange_secmod_rsa_LDADD = \
48 $(XLIB) 49 $(XLIB)
49 50
50taler_exchange_secmod_eddsa_SOURCES = \ 51taler_exchange_secmod_eddsa_SOURCES = \
51 taler-exchange-secmod-eddsa.c taler-exchange-secmod-eddsa.h 52 taler-exchange-secmod-eddsa.c taler-exchange-secmod-eddsa.h \
53 secmod_common.c secmod_common.h
52taler_exchange_secmod_eddsa_LDADD = \ 54taler_exchange_secmod_eddsa_LDADD = \
53 libtalerutil.la \ 55 libtalerutil.la \
54 -lgnunetutil \ 56 -lgnunetutil \
diff --git a/src/util/secmod_common.c b/src/util/secmod_common.c
new file mode 100644
index 000000000..cc2def19f
--- /dev/null
+++ b/src/util/secmod_common.c
@@ -0,0 +1,83 @@
1/*
2 This file is part of TALER
3 Copyright (C) 2020 Taler Systems SA
4
5 TALER is free software; you can redistribute it and/or modify it under the
6 terms of the GNU General Public License as published by the Free Software
7 Foundation; either version 3, or (at your option) any later version.
8
9 TALER is distributed in the hope that it will be useful, but WITHOUT ANY
10 WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
11 A PARTICULAR PURPOSE. See the GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License along with
14 TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/>
15*/
16/**
17 * @file util/secmod_common.c
18 * @brief Common functions for the exchange security modules
19 * @author Florian Dold <dold@taler.net>
20 */
21#include "platform.h"
22#include "taler_util.h"
23#include "taler_signatures.h"
24
25struct GNUNET_NETWORK_Handle *
26TES_open_socket (const char *unixpath)
27{
28 int sock;
29
30 sock = socket (PF_UNIX,
31 SOCK_DGRAM,
32 0);
33 if (-1 == sock)
34 {
35 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
36 "socket");
37 return NULL;
38 }
39 /* Change permissions so that group read/writes are allowed.
40 * We need this for multi-user exchange deployment with privilege
41 * separation, where taler-exchange-httpd is part of a group
42 * that allows it to talk to secmod.
43 *
44 * Importantly, we do this before binding the socket.
45 */
46 GNUNET_assert (0 == fchmod (sock, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
47 {
48 struct sockaddr_un un;
49
50 if (GNUNET_OK !=
51 GNUNET_DISK_directory_create_for_file (unixpath))
52 {
53 GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING,
54 "mkdir(dirname)",
55 unixpath);
56 }
57 if (0 != unlink (unixpath))
58 {
59 if (ENOENT != errno)
60 GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING,
61 "unlink",
62 unixpath);
63 }
64 memset (&un,
65 0,
66 sizeof (un));
67 un.sun_family = AF_UNIX;
68 strncpy (un.sun_path,
69 unixpath,
70 sizeof (un.sun_path) - 1);
71 if (0 != bind (sock,
72 (const struct sockaddr *) &un,
73 sizeof (un)))
74 {
75 GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR,
76 "bind",
77 unixpath);
78 GNUNET_break (0 == close (sock));
79 return NULL;
80 }
81 }
82 return GNUNET_NETWORK_socket_box_native (sock);
83}
diff --git a/src/util/secmod_common.h b/src/util/secmod_common.h
new file mode 100644
index 000000000..c1eea655c
--- /dev/null
+++ b/src/util/secmod_common.h
@@ -0,0 +1,36 @@
1/*
2 This file is part of GNU Taler
3 Copyright (C) 2021 Taler Systems SA
4
5 GNU Taler is free software; you can redistribute it and/or modify it under the
6 terms of the GNU General Public License as published by the Free Software
7 Foundation; either version 3, or (at your option) any later version.
8
9 GNU Taler is distributed in the hope that it will be useful, but WITHOUT ANY
10 WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
11 A PARTICULAR PURPOSE. See the GNU General Public License for more details.
12
13 You should have received a copy of the GNU General Public License along with
14 TALER; see the file COPYING. If not, see
15 <http://www.gnu.org/licenses/>
16*/
17/**
18 * @file util/secmod_common.h
19 * @brief Common functions for the exchange security modules
20 * @author Florian Dold <dold@taler.net>
21 */
22#ifndef SECMOD_COMMON_H
23#define SECMOD_COMMON_H
24
25#include <gnunet/gnunet_util_lib.h>
26#include <gnunet/gnunet_network_lib.h>
27
28/**
29 * Create the listen socket for a secmod daemon.
30 *
31 * @param unixpath socket path
32 */
33struct GNUNET_NETWORK_Handle *
34TES_open_socket (const char *unixpath);
35
36#endif
diff --git a/src/util/taler-exchange-secmod-eddsa.c b/src/util/taler-exchange-secmod-eddsa.c
index 195992e1e..8f9964439 100644
--- a/src/util/taler-exchange-secmod-eddsa.c
+++ b/src/util/taler-exchange-secmod-eddsa.c
@@ -1521,69 +1521,27 @@ run (void *cls,
1521 return; 1521 return;
1522 } 1522 }
1523 1523
1524 /* open socket */ 1524 if (GNUNET_OK !=
1525 GNUNET_CONFIGURATION_get_value_filename (kcfg,
1526 "taler-exchange-secmod-eddsa",
1527 "UNIXPATH",
1528 &unixpath))
1525 { 1529 {
1526 int sock; 1530 GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
1531 "taler-exchange-secmod-eddsa",
1532 "UNIXPATH");
1533 global_ret = 3;
1534 return;
1535 }
1527 1536
1528 sock = socket (PF_UNIX, 1537 GNUNET_assert (NULL != unixpath);
1529 SOCK_DGRAM, 1538 unix_sock = TES_open_socket (unixpath);
1530 0);
1531 if (-1 == sock)
1532 {
1533 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
1534 "socket");
1535 global_ret = 2;
1536 return;
1537 }
1538 {
1539 struct sockaddr_un un;
1540 1539
1541 if (GNUNET_OK != 1540 if (NULL == unix_sock)
1542 GNUNET_CONFIGURATION_get_value_filename (kcfg, 1541 {
1543 "taler-exchange-secmod-eddsa", 1542 GNUNET_free (unixpath);
1544 "UNIXPATH", 1543 global_ret = 2;
1545 &unixpath)) 1544 return;
1546 {
1547 GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
1548 "taler-exchange-secmod-eddsa",
1549 "UNIXPATH");
1550 global_ret = 3;
1551 return;
1552 }
1553 if (GNUNET_OK !=
1554 GNUNET_DISK_directory_create_for_file (unixpath))
1555 {
1556 GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING,
1557 "mkdir(dirname)",
1558 unixpath);
1559 }
1560 if (0 != unlink (unixpath))
1561 {
1562 if (ENOENT != errno)
1563 GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING,
1564 "unlink",
1565 unixpath);
1566 }
1567 memset (&un,
1568 0,
1569 sizeof (un));
1570 un.sun_family = AF_UNIX;
1571 strncpy (un.sun_path,
1572 unixpath,
1573 sizeof (un.sun_path) - 1);
1574 if (0 != bind (sock,
1575 (const struct sockaddr *) &un,
1576 sizeof (un)))
1577 {
1578 GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR,
1579 "bind",
1580 unixpath);
1581 global_ret = 3;
1582 GNUNET_break (0 == close (sock));
1583 return;
1584 }
1585 }
1586 unix_sock = GNUNET_NETWORK_socket_box_native (sock);
1587 } 1545 }
1588 1546
1589 GNUNET_SCHEDULER_add_shutdown (&do_shutdown, 1547 GNUNET_SCHEDULER_add_shutdown (&do_shutdown,
@@ -1675,7 +1633,6 @@ main (int argc,
1675 }; 1633 };
1676 int ret; 1634 int ret;
1677 1635
1678 (void) umask (S_IWGRP | S_IROTH | S_IWOTH | S_IXOTH);
1679 /* force linker to link against libtalerutil; if we do 1636 /* force linker to link against libtalerutil; if we do
1680 not do this, the linker may "optimize" libtalerutil 1637 not do this, the linker may "optimize" libtalerutil
1681 away and skip #TALER_OS_init(), which we do need */ 1638 away and skip #TALER_OS_init(), which we do need */
diff --git a/src/util/taler-exchange-secmod-rsa.c b/src/util/taler-exchange-secmod-rsa.c
index 0b2da99d7..b6729b66b 100644
--- a/src/util/taler-exchange-secmod-rsa.c
+++ b/src/util/taler-exchange-secmod-rsa.c
@@ -40,6 +40,7 @@
40#include <sys/eventfd.h> 40#include <sys/eventfd.h>
41#include "taler_error_codes.h" 41#include "taler_error_codes.h"
42#include "taler_signatures.h" 42#include "taler_signatures.h"
43#include "secmod_common.h"
43 44
44 45
45/** 46/**
@@ -1895,69 +1896,27 @@ run (void *cls,
1895 return; 1896 return;
1896 } 1897 }
1897 1898
1898 /* open socket */ 1899 if (GNUNET_OK !=
1900 GNUNET_CONFIGURATION_get_value_filename (kcfg,
1901 "taler-exchange-secmod-rsa",
1902 "UNIXPATH",
1903 &unixpath))
1899 { 1904 {
1900 int sock; 1905 GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
1906 "taler-exchange-secmod-rsa",
1907 "UNIXPATH");
1908 global_ret = 3;
1909 return;
1910 }
1901 1911
1902 sock = socket (PF_UNIX, 1912 GNUNET_assert (NULL != unixpath);
1903 SOCK_DGRAM, 1913 unix_sock = TES_open_socket (unixpath);
1904 0);
1905 if (-1 == sock)
1906 {
1907 GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR,
1908 "socket");
1909 global_ret = 2;
1910 return;
1911 }
1912 {
1913 struct sockaddr_un un;
1914 1914
1915 if (GNUNET_OK != 1915 if (NULL == unix_sock)
1916 GNUNET_CONFIGURATION_get_value_filename (kcfg, 1916 {
1917 "taler-exchange-secmod-rsa", 1917 GNUNET_free (unixpath);
1918 "UNIXPATH", 1918 global_ret = 2;
1919 &unixpath)) 1919 return;
1920 {
1921 GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
1922 "taler-exchange-secmod-rsa",
1923 "UNIXPATH");
1924 global_ret = 3;
1925 return;
1926 }
1927 if (GNUNET_OK !=
1928 GNUNET_DISK_directory_create_for_file (unixpath))
1929 {
1930 GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING,
1931 "mkdir(dirname)",
1932 unixpath);
1933 }
1934 if (0 != unlink (unixpath))
1935 {
1936 if (ENOENT != errno)
1937 GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING,
1938 "unlink",
1939 unixpath);
1940 }
1941 memset (&un,
1942 0,
1943 sizeof (un));
1944 un.sun_family = AF_UNIX;
1945 strncpy (un.sun_path,
1946 unixpath,
1947 sizeof (un.sun_path) - 1);
1948 if (0 != bind (sock,
1949 (const struct sockaddr *) &un,
1950 sizeof (un)))
1951 {
1952 GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR,
1953 "bind",
1954 unixpath);
1955 global_ret = 3;
1956 GNUNET_break (0 == close (sock));
1957 return;
1958 }
1959 }
1960 unix_sock = GNUNET_NETWORK_socket_box_native (sock);
1961 } 1920 }
1962 1921
1963 GNUNET_SCHEDULER_add_shutdown (&do_shutdown, 1922 GNUNET_SCHEDULER_add_shutdown (&do_shutdown,