Correct PPTP server firewall rules chain.
[tomato/davidwu.git] / release / src / router / vsftpd / twoprocess.c
blob26ab477c9fe54cbdae14c024e5f3a929c7e31b57
1 /*
2 * Part of Very Secure FTPd
3 * License: GPL v2
4 * Author: Chris Evans
5 * twoprocess.c
7 * Code implementing the standard, secure two process security model.
8 */
10 #include "twoprocess.h"
11 #include "privops.h"
12 #include "prelogin.h"
13 #include "postlogin.h"
14 #include "postprivparent.h"
15 #include "session.h"
16 #include "privsock.h"
17 #include "secutil.h"
18 #include "filestr.h"
19 #include "str.h"
20 #include "sysstr.h"
21 #include "utility.h"
22 #include "tunables.h"
23 #include "defs.h"
24 #include "parseconf.h"
25 #include "ssl.h"
26 #include "readwrite.h"
27 #include "sysutil.h"
28 #include "sysdeputil.h"
29 #include "sslslave.h"
31 static void drop_all_privs(void);
32 static void handle_sigchld(void* duff);
33 static void handle_sigterm(void* duff);
34 static void process_login_req(struct vsf_session* p_sess);
35 static void common_do_login(struct vsf_session* p_sess,
36 const struct mystr* p_user_str, int do_chroot,
37 int anon);
38 static void handle_per_user_config(const struct mystr* p_user_str);
39 static void calculate_chdir_dir(int anon, struct mystr* p_userdir_str,
40 struct mystr* p_chroot_str,
41 struct mystr* p_chdir_str,
42 const struct mystr* p_user_str,
43 const struct mystr* p_orig_user_str);
45 static void
46 handle_sigchld(void* duff)
49 struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait();
50 (void) duff;
51 /* Child died, so we'll do the same! Report it as an error unless the child
52 * exited normally with zero exit code
54 if (vsf_sysutil_retval_is_error(vsf_sysutil_wait_get_retval(&wait_retval)) ||
55 !vsf_sysutil_wait_exited_normally(&wait_retval) ||
56 vsf_sysutil_wait_get_exitcode(&wait_retval) != 0)
58 die("child died");
60 else
62 vsf_sysutil_exit(0);
66 static void
67 handle_sigterm(void* duff)
69 (void) duff;
70 /* Blow away the connection to make sure no process lingers. */
71 vsf_sysutil_shutdown_failok(VSFTP_COMMAND_FD);
72 /* Will call the registered exit function to clean up u/wtmp if needed. */
73 vsf_sysutil_exit(1);
76 void
77 vsf_two_process_start(struct vsf_session* p_sess)
79 vsf_sysutil_install_sighandler(kVSFSysUtilSigTERM, handle_sigterm, 0, 1);
80 /* Overrides the SIGKILL setting set by the standalone listener. */
81 vsf_set_term_if_parent_dies();
82 /* Create the comms channel between privileged parent and no-priv child */
83 priv_sock_init(p_sess);
84 if (tunable_ssl_enable)
86 /* Create the comms channel between the no-priv SSL child and the low-priv
87 * protocol handling child.
89 ssl_comm_channel_init(p_sess);
91 vsf_sysutil_install_sighandler(kVSFSysUtilSigCHLD, handle_sigchld, 0, 1);
93 int newpid;
94 if (tunable_isolate_network)
96 newpid = vsf_sysutil_fork_newnet();
98 else
100 newpid = vsf_sysutil_fork();
102 if (newpid != 0)
104 priv_sock_set_parent_context(p_sess);
105 if (tunable_ssl_enable)
107 ssl_comm_channel_set_consumer_context(p_sess);
109 /* Parent - go into pre-login parent process mode */
110 while (1)
112 process_login_req(p_sess);
116 /* Child process - time to lose as much privilege as possible and do the
117 * login processing
119 vsf_set_die_if_parent_dies();
120 priv_sock_set_child_context(p_sess);
121 if (tunable_ssl_enable)
123 ssl_comm_channel_set_producer_context(p_sess);
125 if (tunable_local_enable && tunable_userlist_enable)
127 int retval = str_fileread(&p_sess->userlist_str, tunable_userlist_file,
128 VSFTP_CONF_FILE_MAX);
129 if (vsf_sysutil_retval_is_error(retval))
131 die2("cannot read user list file:", tunable_userlist_file);
134 drop_all_privs();
135 init_connection(p_sess);
136 /* NOTREACHED */
139 static void
140 drop_all_privs(void)
142 struct mystr user_str = INIT_MYSTR;
143 struct mystr dir_str = INIT_MYSTR;
144 int option = VSF_SECUTIL_OPTION_CHROOT | VSF_SECUTIL_OPTION_NO_PROCS;
145 if (!tunable_ssl_enable)
147 /* Unfortunately, can only enable this if we can be sure of not using SSL.
148 * In the SSL case, we'll need to receive data transfer file descriptors.
150 option |= VSF_SECUTIL_OPTION_NO_FDS;
152 str_alloc_text(&user_str, tunable_nopriv_user);
153 str_alloc_text(&dir_str, tunable_secure_chroot_dir);
154 /* Be kind: give good error message if the secure dir is missing */
156 struct vsf_sysutil_statbuf* p_statbuf = 0;
157 if (vsf_sysutil_retval_is_error(str_lstat(&dir_str, &p_statbuf)))
159 die2("vsftpd: not found: directory given in 'secure_chroot_dir':",
160 tunable_secure_chroot_dir);
162 vsf_sysutil_free(p_statbuf);
164 vsf_secutil_change_credentials(&user_str, &dir_str, 0, 0, option);
165 str_free(&user_str);
166 str_free(&dir_str);
169 void
170 vsf_two_process_login(struct vsf_session* p_sess,
171 const struct mystr* p_pass_str)
173 char result;
174 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_LOGIN);
175 priv_sock_send_str(p_sess->child_fd, &p_sess->user_str);
176 priv_sock_send_str(p_sess->child_fd, p_pass_str);
177 priv_sock_send_int(p_sess->child_fd, p_sess->control_use_ssl);
178 priv_sock_send_int(p_sess->child_fd, p_sess->data_use_ssl);
179 result = priv_sock_get_result(p_sess->child_fd);
180 if (result == PRIV_SOCK_RESULT_OK)
182 /* Miracle. We don't emit the success message here. That is left to
183 * process_post_login().
184 * Exit normally, unless we are remaining as the SSL read / write child.
186 if (!p_sess->control_use_ssl)
188 vsf_sysutil_exit(0);
190 else
192 ssl_slave(p_sess);
194 /* NOTREACHED */
196 else if (result == PRIV_SOCK_RESULT_BAD)
198 /* Continue the processing loop.. */
199 return;
201 else
203 die("priv_sock_get_result");
208 vsf_two_process_get_priv_data_sock(struct vsf_session* p_sess)
210 char res;
211 unsigned short port = vsf_sysutil_sockaddr_get_port(p_sess->p_port_sockaddr);
212 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_GET_DATA_SOCK);
213 priv_sock_send_int(p_sess->child_fd, port);
214 res = priv_sock_get_result(p_sess->child_fd);
215 if (res == PRIV_SOCK_RESULT_BAD)
217 return -1;
219 else if (res != PRIV_SOCK_RESULT_OK)
221 die("could not get privileged socket");
223 return priv_sock_recv_fd(p_sess->child_fd);
226 void
227 vsf_two_process_pasv_cleanup(struct vsf_session* p_sess)
229 char res;
230 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_CLEANUP);
231 res = priv_sock_get_result(p_sess->child_fd);
232 if (res != PRIV_SOCK_RESULT_OK)
234 die("could not clean up socket");
239 vsf_two_process_pasv_active(struct vsf_session* p_sess)
241 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_ACTIVE);
242 return priv_sock_get_int(p_sess->child_fd);
245 unsigned short
246 vsf_two_process_listen(struct vsf_session* p_sess)
248 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_LISTEN);
249 return (unsigned short) priv_sock_get_int(p_sess->child_fd);
253 vsf_two_process_get_pasv_fd(struct vsf_session* p_sess)
255 char res;
256 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_PASV_ACCEPT);
257 res = priv_sock_get_result(p_sess->child_fd);
258 if (res == PRIV_SOCK_RESULT_BAD)
260 return priv_sock_get_int(p_sess->child_fd);
262 else if (res != PRIV_SOCK_RESULT_OK)
264 die("could not accept on listening socket");
266 return priv_sock_recv_fd(p_sess->child_fd);
269 void
270 vsf_two_process_chown_upload(struct vsf_session* p_sess, int fd)
272 char res;
273 priv_sock_send_cmd(p_sess->child_fd, PRIV_SOCK_CHOWN);
274 priv_sock_send_fd(p_sess->child_fd, fd);
275 res = priv_sock_get_result(p_sess->child_fd);
276 if (res != PRIV_SOCK_RESULT_OK)
278 die("unexpected failure in vsf_two_process_chown_upload");
282 static void
283 process_login_req(struct vsf_session* p_sess)
285 enum EVSFPrivopLoginResult e_login_result = kVSFLoginNull;
286 char cmd;
287 /* Blocks */
288 cmd = priv_sock_get_cmd(p_sess->parent_fd);
289 if (cmd != PRIV_SOCK_LOGIN)
291 die("bad request");
293 /* Get username and password - we must distrust these */
295 struct mystr password_str = INIT_MYSTR;
296 priv_sock_get_str(p_sess->parent_fd, &p_sess->user_str);
297 priv_sock_get_str(p_sess->parent_fd, &password_str);
298 p_sess->control_use_ssl = priv_sock_get_int(p_sess->parent_fd);
299 p_sess->data_use_ssl = priv_sock_get_int(p_sess->parent_fd);
300 if (!tunable_ssl_enable)
302 p_sess->control_use_ssl = 0;
303 p_sess->data_use_ssl = 0;
305 e_login_result = vsf_privop_do_login(p_sess, &password_str);
306 str_free(&password_str);
308 switch (e_login_result)
310 case kVSFLoginFail:
311 priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_BAD);
312 return;
313 break;
314 case kVSFLoginAnon:
315 str_alloc_text(&p_sess->user_str, tunable_ftp_username);
316 common_do_login(p_sess, &p_sess->user_str, 1, 1);
317 break;
318 case kVSFLoginReal:
320 int do_chroot = 0;
321 if (tunable_chroot_local_user)
323 do_chroot = 1;
325 if (tunable_chroot_list_enable)
327 struct mystr chroot_list_file = INIT_MYSTR;
328 int retval = str_fileread(&chroot_list_file,
329 tunable_chroot_list_file,
330 VSFTP_CONF_FILE_MAX);
331 if (vsf_sysutil_retval_is_error(retval))
333 die2("could not read chroot() list file:",
334 tunable_chroot_list_file);
336 if (str_contains_line(&chroot_list_file, &p_sess->user_str))
338 if (do_chroot)
340 do_chroot = 0;
342 else
344 do_chroot = 1;
347 str_free(&chroot_list_file);
349 common_do_login(p_sess, &p_sess->user_str, do_chroot, 0);
351 break;
352 default:
353 bug("weird state in process_login_request");
354 break;
356 /* NOTREACHED */
359 static void
360 common_do_login(struct vsf_session* p_sess, const struct mystr* p_user_str,
361 int do_chroot, int anon)
363 int was_anon = anon;
364 const struct mystr* p_orig_user_str = p_user_str;
365 int newpid;
366 vsf_sysutil_install_null_sighandler(kVSFSysUtilSigCHLD);
367 /* Tells the pre-login child all is OK (it may exit in response) */
368 priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK);
369 if (!p_sess->control_use_ssl)
371 (void) vsf_sysutil_wait();
373 else
375 p_sess->ssl_slave_active = 1;
377 /* Handle loading per-user config options */
378 handle_per_user_config(p_user_str);
379 /* Set this before we fork */
380 p_sess->is_anonymous = anon;
381 priv_sock_close(p_sess);
382 priv_sock_init(p_sess);
383 vsf_sysutil_install_sighandler(kVSFSysUtilSigCHLD, handle_sigchld, 0, 1);
384 if (tunable_isolate_network && !tunable_port_promiscuous)
386 newpid = vsf_sysutil_fork_newnet();
388 else
390 newpid = vsf_sysutil_fork();
392 if (newpid == 0)
394 struct mystr guest_user_str = INIT_MYSTR;
395 struct mystr chroot_str = INIT_MYSTR;
396 struct mystr chdir_str = INIT_MYSTR;
397 struct mystr userdir_str = INIT_MYSTR;
398 unsigned int secutil_option = VSF_SECUTIL_OPTION_USE_GROUPS |
399 VSF_SECUTIL_OPTION_NO_PROCS;
400 /* Child - drop privs and start proper FTP! */
401 /* This PR_SET_PDEATHSIG doesn't work for all possible process tree setups.
402 * The other cases are taken care of by a shutdown() of the command
403 * connection in our SIGTERM handler.
405 vsf_set_die_if_parent_dies();
406 priv_sock_set_child_context(p_sess);
407 if (tunable_guest_enable && !anon)
409 p_sess->is_guest = 1;
410 /* Remap to the guest user */
411 str_alloc_text(&guest_user_str, tunable_guest_username);
412 p_user_str = &guest_user_str;
413 if (!tunable_virtual_use_local_privs)
415 anon = 1;
416 do_chroot = 1;
419 if (do_chroot)
421 secutil_option |= VSF_SECUTIL_OPTION_CHROOT;
423 if (!anon)
425 secutil_option |= VSF_SECUTIL_OPTION_CHANGE_EUID;
427 calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str,
428 p_user_str, p_orig_user_str);
429 vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str,
430 0, secutil_option);
431 if (!str_isempty(&chdir_str))
433 (void) str_chdir(&chdir_str);
435 str_free(&guest_user_str);
436 str_free(&chroot_str);
437 str_free(&chdir_str);
438 str_free(&userdir_str);
439 /* Guard against the config error of having the anonymous ftp tree owned
440 * by the user we are running as
442 if (!tunable_anon_allow_writable_root && was_anon && vsf_sysutil_write_access("/"))
444 die("vsftpd: refusing to run with writable anonymous root");
446 p_sess->is_anonymous = anon;
447 process_post_login(p_sess);
448 bug("should not get here: common_do_login");
450 /* Parent */
451 priv_sock_set_parent_context(p_sess);
452 if (tunable_ssl_enable)
454 ssl_comm_channel_set_producer_context(p_sess);
456 vsf_priv_parent_postlogin(p_sess);
457 bug("should not get here in common_do_login");
460 static void
461 handle_per_user_config(const struct mystr* p_user_str)
463 struct mystr filename_str = INIT_MYSTR;
464 struct vsf_sysutil_statbuf* p_statbuf = 0;
465 struct str_locate_result loc_result;
466 int retval;
467 if (!tunable_user_config_dir)
469 return;
471 /* Security paranoia - ignore if user has a / in it. */
472 loc_result = str_locate_char(p_user_str, '/');
473 if (loc_result.found)
475 return;
477 str_alloc_text(&filename_str, tunable_user_config_dir);
478 str_append_char(&filename_str, '/');
479 str_append_str(&filename_str, p_user_str);
480 retval = str_stat(&filename_str, &p_statbuf);
481 if (!vsf_sysutil_retval_is_error(retval))
483 /* Security - file ownership check now in vsf_parseconf_load_file() */
484 vsf_parseconf_load_file(str_getbuf(&filename_str), 1);
486 else if (vsf_sysutil_get_error() != kVSFSysUtilErrNOENT)
488 die("error opening per-user config file");
490 str_free(&filename_str);
491 vsf_sysutil_free(p_statbuf);
494 static void
495 calculate_chdir_dir(int anon_login, struct mystr* p_userdir_str,
496 struct mystr* p_chroot_str,
497 struct mystr* p_chdir_str,
498 const struct mystr* p_user_str,
499 const struct mystr* p_orig_user_str)
501 if (!anon_login)
503 const struct vsf_sysutil_user* p_user = str_getpwnam(p_user_str);
504 if (p_user == 0)
506 die2("cannot locate user entry:", str_getbuf(p_user_str));
508 str_alloc_text(p_userdir_str, vsf_sysutil_user_get_homedir(p_user));
509 if (tunable_user_sub_token)
511 str_replace_text(p_userdir_str, tunable_user_sub_token,
512 str_getbuf(p_orig_user_str));
515 if (anon_login && tunable_anon_root)
517 str_alloc_text(p_chroot_str, tunable_anon_root);
519 else if (!anon_login && tunable_local_root)
521 str_alloc_text(p_chroot_str, tunable_local_root);
522 if (tunable_user_sub_token)
524 str_replace_text(p_chroot_str, tunable_user_sub_token,
525 str_getbuf(p_orig_user_str));
528 /* If enabled, the chroot() location embedded in the HOMEDIR takes
529 * precedence.
531 if (!anon_login && tunable_passwd_chroot_enable)
533 struct str_locate_result loc_result;
534 loc_result = str_locate_text(p_userdir_str, "/./");
535 if (loc_result.found)
537 str_split_text(p_userdir_str, p_chdir_str, "/./");
538 str_copy(p_chroot_str, p_userdir_str);