diff options
author | Florian Dold <florian@dold.me> | 2021-07-27 11:26:48 +0200 |
---|---|---|
committer | Florian Dold <florian@dold.me> | 2021-07-27 11:26:48 +0200 |
commit | 32f3391be100622a79c40fdce7dcec44418da34c (patch) | |
tree | b15af29e6df4667b2328a4698f80bc7e18b41a5e | |
parent | 065ebbf57e673927034357bd85fb8c6519639894 (diff) | |
download | exchange-32f3391be100622a79c40fdce7dcec44418da34c.tar.gz exchange-32f3391be100622a79c40fdce7dcec44418da34c.zip |
secmod: fchmod socket to ug+rw
-rw-r--r-- | src/util/Makefile.am | 6 | ||||
-rw-r--r-- | src/util/secmod_common.c | 83 | ||||
-rw-r--r-- | src/util/secmod_common.h | 36 | ||||
-rw-r--r-- | src/util/taler-exchange-secmod-eddsa.c | 79 | ||||
-rw-r--r-- | src/util/taler-exchange-secmod-rsa.c | 79 |
5 files changed, 160 insertions, 123 deletions
diff --git a/src/util/Makefile.am b/src/util/Makefile.am index d9660c710..7a6f3d6e7 100644 --- a/src/util/Makefile.am +++ b/src/util/Makefile.am | |||
@@ -39,7 +39,8 @@ CLEANFILES = \ | |||
39 | taler-config | 39 | taler-config |
40 | 40 | ||
41 | taler_exchange_secmod_rsa_SOURCES = \ | 41 | taler_exchange_secmod_rsa_SOURCES = \ |
42 | taler-exchange-secmod-rsa.c taler-exchange-secmod-rsa.h | 42 | taler-exchange-secmod-rsa.c taler-exchange-secmod-rsa.h \ |
43 | secmod_common.c secmod_common.h | ||
43 | taler_exchange_secmod_rsa_LDADD = \ | 44 | taler_exchange_secmod_rsa_LDADD = \ |
44 | libtalerutil.la \ | 45 | libtalerutil.la \ |
45 | -lgnunetutil \ | 46 | -lgnunetutil \ |
@@ -48,7 +49,8 @@ taler_exchange_secmod_rsa_LDADD = \ | |||
48 | $(XLIB) | 49 | $(XLIB) |
49 | 50 | ||
50 | taler_exchange_secmod_eddsa_SOURCES = \ | 51 | taler_exchange_secmod_eddsa_SOURCES = \ |
51 | taler-exchange-secmod-eddsa.c taler-exchange-secmod-eddsa.h | 52 | taler-exchange-secmod-eddsa.c taler-exchange-secmod-eddsa.h \ |
53 | secmod_common.c secmod_common.h | ||
52 | taler_exchange_secmod_eddsa_LDADD = \ | 54 | taler_exchange_secmod_eddsa_LDADD = \ |
53 | libtalerutil.la \ | 55 | libtalerutil.la \ |
54 | -lgnunetutil \ | 56 | -lgnunetutil \ |
diff --git a/src/util/secmod_common.c b/src/util/secmod_common.c new file mode 100644 index 000000000..cc2def19f --- /dev/null +++ b/src/util/secmod_common.c | |||
@@ -0,0 +1,83 @@ | |||
1 | /* | ||
2 | This file is part of TALER | ||
3 | Copyright (C) 2020 Taler Systems SA | ||
4 | |||
5 | TALER is free software; you can redistribute it and/or modify it under the | ||
6 | terms of the GNU General Public License as published by the Free Software | ||
7 | Foundation; either version 3, or (at your option) any later version. | ||
8 | |||
9 | TALER is distributed in the hope that it will be useful, but WITHOUT ANY | ||
10 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR | ||
11 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. | ||
12 | |||
13 | You should have received a copy of the GNU General Public License along with | ||
14 | TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/> | ||
15 | */ | ||
16 | /** | ||
17 | * @file util/secmod_common.c | ||
18 | * @brief Common functions for the exchange security modules | ||
19 | * @author Florian Dold <dold@taler.net> | ||
20 | */ | ||
21 | #include "platform.h" | ||
22 | #include "taler_util.h" | ||
23 | #include "taler_signatures.h" | ||
24 | |||
25 | struct GNUNET_NETWORK_Handle * | ||
26 | TES_open_socket (const char *unixpath) | ||
27 | { | ||
28 | int sock; | ||
29 | |||
30 | sock = socket (PF_UNIX, | ||
31 | SOCK_DGRAM, | ||
32 | 0); | ||
33 | if (-1 == sock) | ||
34 | { | ||
35 | GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR, | ||
36 | "socket"); | ||
37 | return NULL; | ||
38 | } | ||
39 | /* Change permissions so that group read/writes are allowed. | ||
40 | * We need this for multi-user exchange deployment with privilege | ||
41 | * separation, where taler-exchange-httpd is part of a group | ||
42 | * that allows it to talk to secmod. | ||
43 | * | ||
44 | * Importantly, we do this before binding the socket. | ||
45 | */ | ||
46 | GNUNET_assert (0 == fchmod (sock, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)); | ||
47 | { | ||
48 | struct sockaddr_un un; | ||
49 | |||
50 | if (GNUNET_OK != | ||
51 | GNUNET_DISK_directory_create_for_file (unixpath)) | ||
52 | { | ||
53 | GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING, | ||
54 | "mkdir(dirname)", | ||
55 | unixpath); | ||
56 | } | ||
57 | if (0 != unlink (unixpath)) | ||
58 | { | ||
59 | if (ENOENT != errno) | ||
60 | GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING, | ||
61 | "unlink", | ||
62 | unixpath); | ||
63 | } | ||
64 | memset (&un, | ||
65 | 0, | ||
66 | sizeof (un)); | ||
67 | un.sun_family = AF_UNIX; | ||
68 | strncpy (un.sun_path, | ||
69 | unixpath, | ||
70 | sizeof (un.sun_path) - 1); | ||
71 | if (0 != bind (sock, | ||
72 | (const struct sockaddr *) &un, | ||
73 | sizeof (un))) | ||
74 | { | ||
75 | GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, | ||
76 | "bind", | ||
77 | unixpath); | ||
78 | GNUNET_break (0 == close (sock)); | ||
79 | return NULL; | ||
80 | } | ||
81 | } | ||
82 | return GNUNET_NETWORK_socket_box_native (sock); | ||
83 | } | ||
diff --git a/src/util/secmod_common.h b/src/util/secmod_common.h new file mode 100644 index 000000000..c1eea655c --- /dev/null +++ b/src/util/secmod_common.h | |||
@@ -0,0 +1,36 @@ | |||
1 | /* | ||
2 | This file is part of GNU Taler | ||
3 | Copyright (C) 2021 Taler Systems SA | ||
4 | |||
5 | GNU Taler is free software; you can redistribute it and/or modify it under the | ||
6 | terms of the GNU General Public License as published by the Free Software | ||
7 | Foundation; either version 3, or (at your option) any later version. | ||
8 | |||
9 | GNU Taler is distributed in the hope that it will be useful, but WITHOUT ANY | ||
10 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR | ||
11 | A PARTICULAR PURPOSE. See the GNU General Public License for more details. | ||
12 | |||
13 | You should have received a copy of the GNU General Public License along with | ||
14 | TALER; see the file COPYING. If not, see | ||
15 | <http://www.gnu.org/licenses/> | ||
16 | */ | ||
17 | /** | ||
18 | * @file util/secmod_common.h | ||
19 | * @brief Common functions for the exchange security modules | ||
20 | * @author Florian Dold <dold@taler.net> | ||
21 | */ | ||
22 | #ifndef SECMOD_COMMON_H | ||
23 | #define SECMOD_COMMON_H | ||
24 | |||
25 | #include <gnunet/gnunet_util_lib.h> | ||
26 | #include <gnunet/gnunet_network_lib.h> | ||
27 | |||
28 | /** | ||
29 | * Create the listen socket for a secmod daemon. | ||
30 | * | ||
31 | * @param unixpath socket path | ||
32 | */ | ||
33 | struct GNUNET_NETWORK_Handle * | ||
34 | TES_open_socket (const char *unixpath); | ||
35 | |||
36 | #endif | ||
diff --git a/src/util/taler-exchange-secmod-eddsa.c b/src/util/taler-exchange-secmod-eddsa.c index 195992e1e..8f9964439 100644 --- a/src/util/taler-exchange-secmod-eddsa.c +++ b/src/util/taler-exchange-secmod-eddsa.c | |||
@@ -1521,69 +1521,27 @@ run (void *cls, | |||
1521 | return; | 1521 | return; |
1522 | } | 1522 | } |
1523 | 1523 | ||
1524 | /* open socket */ | 1524 | if (GNUNET_OK != |
1525 | GNUNET_CONFIGURATION_get_value_filename (kcfg, | ||
1526 | "taler-exchange-secmod-eddsa", | ||
1527 | "UNIXPATH", | ||
1528 | &unixpath)) | ||
1525 | { | 1529 | { |
1526 | int sock; | 1530 | GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, |
1531 | "taler-exchange-secmod-eddsa", | ||
1532 | "UNIXPATH"); | ||
1533 | global_ret = 3; | ||
1534 | return; | ||
1535 | } | ||
1527 | 1536 | ||
1528 | sock = socket (PF_UNIX, | 1537 | GNUNET_assert (NULL != unixpath); |
1529 | SOCK_DGRAM, | 1538 | unix_sock = TES_open_socket (unixpath); |
1530 | 0); | ||
1531 | if (-1 == sock) | ||
1532 | { | ||
1533 | GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR, | ||
1534 | "socket"); | ||
1535 | global_ret = 2; | ||
1536 | return; | ||
1537 | } | ||
1538 | { | ||
1539 | struct sockaddr_un un; | ||
1540 | 1539 | ||
1541 | if (GNUNET_OK != | 1540 | if (NULL == unix_sock) |
1542 | GNUNET_CONFIGURATION_get_value_filename (kcfg, | 1541 | { |
1543 | "taler-exchange-secmod-eddsa", | 1542 | GNUNET_free (unixpath); |
1544 | "UNIXPATH", | 1543 | global_ret = 2; |
1545 | &unixpath)) | 1544 | return; |
1546 | { | ||
1547 | GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, | ||
1548 | "taler-exchange-secmod-eddsa", | ||
1549 | "UNIXPATH"); | ||
1550 | global_ret = 3; | ||
1551 | return; | ||
1552 | } | ||
1553 | if (GNUNET_OK != | ||
1554 | GNUNET_DISK_directory_create_for_file (unixpath)) | ||
1555 | { | ||
1556 | GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING, | ||
1557 | "mkdir(dirname)", | ||
1558 | unixpath); | ||
1559 | } | ||
1560 | if (0 != unlink (unixpath)) | ||
1561 | { | ||
1562 | if (ENOENT != errno) | ||
1563 | GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING, | ||
1564 | "unlink", | ||
1565 | unixpath); | ||
1566 | } | ||
1567 | memset (&un, | ||
1568 | 0, | ||
1569 | sizeof (un)); | ||
1570 | un.sun_family = AF_UNIX; | ||
1571 | strncpy (un.sun_path, | ||
1572 | unixpath, | ||
1573 | sizeof (un.sun_path) - 1); | ||
1574 | if (0 != bind (sock, | ||
1575 | (const struct sockaddr *) &un, | ||
1576 | sizeof (un))) | ||
1577 | { | ||
1578 | GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, | ||
1579 | "bind", | ||
1580 | unixpath); | ||
1581 | global_ret = 3; | ||
1582 | GNUNET_break (0 == close (sock)); | ||
1583 | return; | ||
1584 | } | ||
1585 | } | ||
1586 | unix_sock = GNUNET_NETWORK_socket_box_native (sock); | ||
1587 | } | 1545 | } |
1588 | 1546 | ||
1589 | GNUNET_SCHEDULER_add_shutdown (&do_shutdown, | 1547 | GNUNET_SCHEDULER_add_shutdown (&do_shutdown, |
@@ -1675,7 +1633,6 @@ main (int argc, | |||
1675 | }; | 1633 | }; |
1676 | int ret; | 1634 | int ret; |
1677 | 1635 | ||
1678 | (void) umask (S_IWGRP | S_IROTH | S_IWOTH | S_IXOTH); | ||
1679 | /* force linker to link against libtalerutil; if we do | 1636 | /* force linker to link against libtalerutil; if we do |
1680 | not do this, the linker may "optimize" libtalerutil | 1637 | not do this, the linker may "optimize" libtalerutil |
1681 | away and skip #TALER_OS_init(), which we do need */ | 1638 | away and skip #TALER_OS_init(), which we do need */ |
diff --git a/src/util/taler-exchange-secmod-rsa.c b/src/util/taler-exchange-secmod-rsa.c index 0b2da99d7..b6729b66b 100644 --- a/src/util/taler-exchange-secmod-rsa.c +++ b/src/util/taler-exchange-secmod-rsa.c | |||
@@ -40,6 +40,7 @@ | |||
40 | #include <sys/eventfd.h> | 40 | #include <sys/eventfd.h> |
41 | #include "taler_error_codes.h" | 41 | #include "taler_error_codes.h" |
42 | #include "taler_signatures.h" | 42 | #include "taler_signatures.h" |
43 | #include "secmod_common.h" | ||
43 | 44 | ||
44 | 45 | ||
45 | /** | 46 | /** |
@@ -1895,69 +1896,27 @@ run (void *cls, | |||
1895 | return; | 1896 | return; |
1896 | } | 1897 | } |
1897 | 1898 | ||
1898 | /* open socket */ | 1899 | if (GNUNET_OK != |
1900 | GNUNET_CONFIGURATION_get_value_filename (kcfg, | ||
1901 | "taler-exchange-secmod-rsa", | ||
1902 | "UNIXPATH", | ||
1903 | &unixpath)) | ||
1899 | { | 1904 | { |
1900 | int sock; | 1905 | GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, |
1906 | "taler-exchange-secmod-rsa", | ||
1907 | "UNIXPATH"); | ||
1908 | global_ret = 3; | ||
1909 | return; | ||
1910 | } | ||
1901 | 1911 | ||
1902 | sock = socket (PF_UNIX, | 1912 | GNUNET_assert (NULL != unixpath); |
1903 | SOCK_DGRAM, | 1913 | unix_sock = TES_open_socket (unixpath); |
1904 | 0); | ||
1905 | if (-1 == sock) | ||
1906 | { | ||
1907 | GNUNET_log_strerror (GNUNET_ERROR_TYPE_ERROR, | ||
1908 | "socket"); | ||
1909 | global_ret = 2; | ||
1910 | return; | ||
1911 | } | ||
1912 | { | ||
1913 | struct sockaddr_un un; | ||
1914 | 1914 | ||
1915 | if (GNUNET_OK != | 1915 | if (NULL == unix_sock) |
1916 | GNUNET_CONFIGURATION_get_value_filename (kcfg, | 1916 | { |
1917 | "taler-exchange-secmod-rsa", | 1917 | GNUNET_free (unixpath); |
1918 | "UNIXPATH", | 1918 | global_ret = 2; |
1919 | &unixpath)) | 1919 | return; |
1920 | { | ||
1921 | GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, | ||
1922 | "taler-exchange-secmod-rsa", | ||
1923 | "UNIXPATH"); | ||
1924 | global_ret = 3; | ||
1925 | return; | ||
1926 | } | ||
1927 | if (GNUNET_OK != | ||
1928 | GNUNET_DISK_directory_create_for_file (unixpath)) | ||
1929 | { | ||
1930 | GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING, | ||
1931 | "mkdir(dirname)", | ||
1932 | unixpath); | ||
1933 | } | ||
1934 | if (0 != unlink (unixpath)) | ||
1935 | { | ||
1936 | if (ENOENT != errno) | ||
1937 | GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING, | ||
1938 | "unlink", | ||
1939 | unixpath); | ||
1940 | } | ||
1941 | memset (&un, | ||
1942 | 0, | ||
1943 | sizeof (un)); | ||
1944 | un.sun_family = AF_UNIX; | ||
1945 | strncpy (un.sun_path, | ||
1946 | unixpath, | ||
1947 | sizeof (un.sun_path) - 1); | ||
1948 | if (0 != bind (sock, | ||
1949 | (const struct sockaddr *) &un, | ||
1950 | sizeof (un))) | ||
1951 | { | ||
1952 | GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, | ||
1953 | "bind", | ||
1954 | unixpath); | ||
1955 | global_ret = 3; | ||
1956 | GNUNET_break (0 == close (sock)); | ||
1957 | return; | ||
1958 | } | ||
1959 | } | ||
1960 | unix_sock = GNUNET_NETWORK_socket_box_native (sock); | ||
1961 | } | 1920 | } |
1962 | 1921 | ||
1963 | GNUNET_SCHEDULER_add_shutdown (&do_shutdown, | 1922 | GNUNET_SCHEDULER_add_shutdown (&do_shutdown, |