author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-07-30 11:38:27 +0200 |
---|---|---|
committer | Stef Walter <stefw@redhat.com> | 2014-09-25 09:46:53 +0200 |
commit | 5cc0a71cbacedfb1c8ba6c3ba4642b9bc2679f02 (patch) | |
tree | 98994678658d64d5341857bb204039210178f64b | |
parent | a30d2d18323f2c16c8836a68860167d0a17e3f31 (diff) | |
download | p11-kit-5cc0a71cbacedfb1c8ba6c3ba4642b9bc2679f02.tar.gz |
remote: Allow restricting the connecting user and group
-rw-r--r-- | p11-kit/p11-kit.c | 33 | ||||
-rw-r--r-- | p11-kit/remote.c | 46 | ||||
-rw-r--r-- | p11-kit/remote.h | 3 |
3 files changed, 70 insertions, 12 deletions
diff --git a/p11-kit/p11-kit.c b/p11-kit/p11-kit.c index effcebb..345b1e8 100644 --- a/p11-kit/p11-kit.c +++ b/p11-kit/p11-kit.c @@ -49,6 +49,9 @@ #include <stdio.h> #include <stdlib.h> #include <unistd.h> +#include <sys/types.h> +#include <grp.h> +#include <pwd.h> #include "tool.h" @@ -130,8 +133,10 @@ int p11_kit_remote (int argc, char *argv[]) { - CK_FUNCTION_LIST *module; char *socket_file = NULL; + CK_FUNCTION_LIST *module; + uid_t uid = -1; + gid_t gid = -1; int opt; int ret; @@ -139,17 +144,21 @@ p11_kit_remote (int argc, opt_verbose = 'v', opt_help = 'h', opt_socket = 's', + opt_user = 'u', + opt_group = 'g', }; struct option options[] = { { "verbose", no_argument, NULL, opt_verbose }, { "help", no_argument, NULL, opt_help }, { "socket", required_argument, NULL, opt_socket }, + { "user", required_argument, NULL, opt_user }, + { "group", required_argument, NULL, opt_group }, { 0 }, }; p11_tool_desc usages[] = { - { 0, "usage: p11-kit remote <module> -s <socket-file>" }, + { 0, "usage: p11-kit remote <module> -s <socket-file> -u <allowed-user> -g <allowed-group>" }, { 0 }, }; @@ -161,6 +170,24 @@ p11_kit_remote (int argc, case opt_socket: socket_file = strdup(optarg); break; + case opt_group: { + const struct group* grp = getgrnam(optarg); + if (grp == NULL) { + p11_message ("unknown group: %s", optarg); + return 2; + } + gid = grp->gr_gid; + break; + } + case opt_user: { + const struct passwd* pwd = getpwnam(optarg); + if (pwd == NULL) { + p11_message ("unknown user: %s", optarg); + return 2; + } + uid = pwd->pw_uid; + break; + } case opt_help: case '?': p11_tool_usage (usages, options); @@ -188,7 +215,7 @@ p11_kit_remote (int argc, if (module == NULL) return 1; - ret = p11_kit_remote_serve_module (module, socket_file); + ret = p11_kit_remote_serve_module (module, socket_file, uid, gid); p11_kit_module_release (module); return ret; diff --git a/p11-kit/remote.c b/p11-kit/remote.c index b6f7681..a9f03c6 100644 --- a/p11-kit/remote.c +++ b/p11-kit/remote.c 
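Review bot: The usage string in `usages[]` presents `-u` and `-g` as mandatory, but both variables default to `-1` in the declarations above and are only set when the option is given. Mark them optional, e.g. `"usage: p11-kit remote <module> -s <socket-file> [-u <allowed-user>] [-g <allowed-group>]"`. The help text should also say that omitting both leaves connections unrestricted by uid or gid, since the accept loop in remote.c skips each comparison when its value is -1.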
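Review bot: In the `opt_user` and `opt_group` cases a NULL from `getpwnam()`/`getgrnam()` is always reported as an unknown name, yet both calls also return NULL when the lookup itself fails. Exiting is the right fail-closed behaviour for an access restriction; set `errno = 0;` before each call and report `strerror(errno)` when it is non-zero afterwards, so an operator can tell a typo from a broken name service. The `return 2` paths also skip releasing `socket_file` if `-s` was parsed earlier, which is harmless only if the caller exits right away (not visible here). The switch continues outside the hunk.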
@@ -55,6 +55,8 @@ #include <sys/wait.h> #include <sys/un.h> +#include "unix-peer.h" + #ifdef HAVE_SIGHANDLER_T # define SIGHANDLER_T sighandler_t #elif HAVE_SIG_T @@ -204,7 +206,9 @@ static void handle_children(int signo) int p11_kit_remote_serve_module (CK_FUNCTION_LIST *module, - const char *socket_file) + const char *socket_file, + uid_t uid, + gid_t gid) { p11_virtual virt; p11_buffer options; @@ -216,6 +220,8 @@ p11_kit_remote_serve_module (CK_FUNCTION_LIST *module, struct sockaddr_un sa; fd_set rd_set; sigset_t emptyset, blockset; + uid_t tuid; + gid_t tgid; sigemptyset(&blockset); sigemptyset(&emptyset); @@ -246,13 +252,14 @@ p11_kit_remote_serve_module (CK_FUNCTION_LIST *module, return 1; } -#if 0 - rc = chown(SOCKET_FILE, config->uid, config->gid); - if (rc == -1) { - e = errno; - p11_message ("could not chown socket %s: %s", socket_file, strerror(e)); + if (uid != -1 && gid != -1) { + rc = chown(socket_file, uid, gid); + if (rc == -1) { + e = errno; + p11_message ("could not chown socket %s: %s", socket_file, strerror(e)); + return 1; + } } -#endif /* run as daemon */ if (daemon(0,0) == -1) { @@ -300,7 +307,29 @@ p11_kit_remote_serve_module (CK_FUNCTION_LIST *module, continue; } - /* XXX: check the uid of the peer */ + /* check the uid of the peer */ + rc = p11_get_upeer_id(cfd, &tuid, &tgid, NULL); + if (rc == -1) { + e = errno; + p11_message ("could not check uid from socket %s: %s", socket_file, strerror(e)); + goto cont; + } + + if (uid != -1) { + if (uid != tuid) { + p11_message ("connecting uid (%u) doesn't match expected (%u)", + (unsigned)tuid, (unsigned)uid); + goto cont; + } + } + + if (gid != -1) { + if (gid != tgid) { + p11_message ("connecting gid (%u) doesn't match expected (%u)", + (unsigned)tgid, (unsigned)gid); + goto cont; + } + } pid = fork(); switch(pid) { @@ -316,6 +345,7 @@ p11_kit_remote_serve_module (CK_FUNCTION_LIST *module, children_avail++; break; } + cont: close(cfd); } 
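Review bot: The guard `if (uid != -1 && gid != -1)` skips the `chown()` whenever only one of `-u`/`-g` is given, so the socket file keeps the daemon's own owner and group in exactly the cases where a single restriction was requested. `chown()` already treats `(uid_t)-1` and `(gid_t)-1` as "leave unchanged", so the condition can be `if (uid != (uid_t)-1 || gid != (gid_t)-1) {`. The explicit casts also avoid the signed/unsigned comparison. The new `return 1` leaves the bound socket file behind unless code outside this hunk removes it, which the hunk does not show.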
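Review bot: The gid test `if (gid != tgid)` compares against the single gid that `p11_get_upeer_id()` returns, so (assuming that is the peer's primary or effective gid; the helper is not shown) a user who belongs to the allowed group only as a supplementary group is refused. Either document `-g` as matching that one gid, e.g. `/* tgid is the peer's credential gid; supplementary groups are not consulted */`, or look up the membership. Rejections are reported with `p11_message` after `daemon(0,0)` has run; if that helper writes to stderr the denied-connection records are lost, so it is worth confirming they reach syslog. The accept loop starts and ends outside the hunk.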
diff --git a/p11-kit/remote.h b/p11-kit/remote.h index b72750a..e1bfde3 100644 --- a/p11-kit/remote.h +++ b/p11-kit/remote.h @@ -44,7 +44,8 @@ extern "C" { #ifdef P11_KIT_FUTURE_UNSTABLE_API int p11_kit_remote_serve_module (CK_FUNCTION_LIST *module, - const char *socket); + const char *socket, + uid_t, gid_t); #endif |
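Review bot: The prototype now ends in unnamed parameters, `uid_t, gid_t);`, while the other two are named, and nothing tells a caller that -1 means no restriction. Write `uid_t uid, gid_t gid);` and add a short comment above the declaration stating that `(uid_t)-1` and `(gid_t)-1` disable the respective check. The header also needs `uid_t` and `gid_t` declared before this point; whether it includes `<sys/types.h>` is not visible in the hunk.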