POTD skeleton #65.

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
author: Toni Uhlig <matzeton@googlemail.com> 2018-05-20 14:15:40 +0200
committer: Toni Uhlig <matzeton@googlemail.com> 2018-05-20 14:15:40 +0200
commit: 9c8dc27ee791b24e7325fa065cb57fa9b1339d11 (patch)
tree: 65826a877e400843315c7265491cd39b920408a8
parent: de7939699e83a35015328371c45d4e3df3b06279 (diff)
5 files changed, 50 insertions, 34 deletions
diff --git a/src/main.c b/src/main.c
index 8130676..bb9a5c8 100644
--- a/src/main.c
+++ b/src/main.c
@@ -18,7 +18,7 @@
 
 static void ssh_protocol_preinit(const char *ssh_ports[], protocol_ctx *ctx[],
                                  const char *jail_ports[], const size_t siz);
-static void ssh_protocol_postinit(protocol_ctx *ctx[], const size_t siz);
+static void ssh_protocol_init(protocol_ctx *ctx[], const size_t siz);
 
 
 static void ssh_protocol_preinit(const char *ssh_ports[], protocol_ctx *ctx[],
@@ -34,7 +34,7 @@ static void ssh_protocol_preinit(const char *ssh_ports[], protocol_ctx *ctx[],
     }
 }
 
-static void ssh_protocol_postinit(protocol_ctx *ctx[], const size_t siz)
+static void ssh_protocol_init(protocol_ctx *ctx[], const size_t siz)
 {
     for (size_t i = 0; i < siz; ++i) {
         ABORT_ON_FATAL( proto_listen(ctx[i]),
@@ -117,12 +117,7 @@ int main(int argc, char *argv[])
     proto_ports[1] = "22223";
     assert(SIZEOF(proto_ports) == SIZEOF(jail_ports));
     ssh_protocol_preinit(proto_ports, ssh_proto, jail_ports, proto_siz);
-
-    D2("Main process is dropping privileges to %s:%s", "nobody", "NULL");
-    ABORT_ON_FATAL( change_user_group("nobody", NULL),
-        "Main process dropping privileges" );
-
-    ssh_protocol_postinit(ssh_proto, proto_siz);
+    ssh_protocol_init(ssh_proto, proto_siz);
 
     memset(rdr, 0, sizeof(rdr));
     rdr_ports[0] = "2222";
diff --git a/src/protocol_ssh.c b/src/protocol_ssh.c
index 1aaa974..da60f9f 100644
--- a/src/protocol_ssh.c
+++ b/src/protocol_ssh.c
@@ -18,6 +18,8 @@
 #pragma message "Unsupported libssh version < 0.7.3"
 #endif
 
+static int version_logged = 0;
+
 typedef struct ssh_data {
     ssh_bind sshbind;
     protocol_ctx *ctx;
@@ -58,26 +60,30 @@ struct ssh_channel_callbacks_struct ssh_channel_cb = {
 
 int ssh_init_cb(protocol_ctx *ctx)
 {
-    N("libssh version: %s", ssh_version(0));
-    if (ssh_version(SSH_VERSION_INT(LIBSSH_VERSION_MAJOR,
-                                    LIBSSH_VERSION_MINOR,
-                                    LIBSSH_VERSION_MICRO)) == NULL)
-    {
-        W("This software was compiled/linked for libssh %d.%d.%d,"
-          " which you aren't currently using.",
-          LIBSSH_VERSION_MAJOR, LIBSSH_VERSION_MINOR, LIBSSH_VERSION_MICRO);
-    }
-    if (ssh_version(SSH_VERSION_INT(0,7,3)) == NULL)
-    {
-        W("%s", "Unsupported libssh version < 0.7.3");
-    }
-    if (ssh_version(SSH_VERSION_INT(0,7,4)) != NULL ||
-        ssh_version(SSH_VERSION_INT(0,7,90)) != NULL)
-    {
-        W("%s",
-          "libssh versions > 0.7.3 may suffer "
-          "from problems with the pki key generation/export");
+    if (!version_logged) {
+        N("libssh version: %s", ssh_version(0));
+        if (ssh_version(SSH_VERSION_INT(LIBSSH_VERSION_MAJOR,
+                                        LIBSSH_VERSION_MINOR,
+                                        LIBSSH_VERSION_MICRO)) == NULL)
+        {
+            W("This software was compiled/linked for libssh %d.%d.%d,"
+              " which you aren't currently using.",
+              LIBSSH_VERSION_MAJOR, LIBSSH_VERSION_MINOR, LIBSSH_VERSION_MICRO);
+        }
+        if (ssh_version(SSH_VERSION_INT(0,7,3)) == NULL)
+        {
+            W("%s", "Unsupported libssh version < 0.7.3");
+        }
+        if (ssh_version(SSH_VERSION_INT(0,7,4)) != NULL ||
+            ssh_version(SSH_VERSION_INT(0,7,90)) != NULL)
+        {
+            W("%s",
+              "libssh versions > 0.7.3 may suffer "
+              "from problems with the pki key generation/export");
+        }
+        version_logged = 1;
     }
+
     ctx->cbs = potd_ssh_callbacks;
 
     if (ssh_init())
@@ -138,6 +144,10 @@ int ssh_on_listen(protocol_ctx *ctx)
                 ssh_bind_get_fd(d->sshbind));
             return 1;
         case 0:
+            if (change_default_user_group()) {
+                E_STRERR("%s", "Change user/group");
+                return -1;
+            }
             ssh_mainloop(d);
             break;
     }
@@ -201,17 +211,17 @@ static int gen_default_keys(void)
     if (gen_export_sshkey(SSH_KEYTYPE_RSA, 1024, "./ssh_host_rsa_key")) {
         W("libssh %s key generation failed, using fallback ssh-keygen", "RSA");
         remove("./ssh_host_rsa_key");
-        s |= system("ssh-keygen -t rsa -b 1024 -f ./ssh_host_rsa_key -N '' >/dev/null 2>/dev/null");
+        s = system("ssh-keygen -t rsa -b 1024 -f ./ssh_host_rsa_key -N '' >/dev/null 2>/dev/null");
     }
-    if (gen_export_sshkey(SSH_KEYTYPE_DSS, 1024, "./ssh_host_dsa_key")) {
+    if (!s && gen_export_sshkey(SSH_KEYTYPE_DSS, 1024, "./ssh_host_dsa_key")) {
         W("libssh %s key generation failed, using fallback ssh-keygen", "DSA");
         remove("./ssh_host_dsa_key");
-        s |= system("ssh-keygen -t dsa -b 1024 -f ./ssh_host_dsa_key -N '' >/dev/null 2>/dev/null");
+        s = system("ssh-keygen -t dsa -b 1024 -f ./ssh_host_dsa_key -N '' >/dev/null 2>/dev/null");
     }
-    if (gen_export_sshkey(SSH_KEYTYPE_ECDSA, 1024, "./ssh_host_ecdsa_key")) {
+    if (!s && gen_export_sshkey(SSH_KEYTYPE_ECDSA, 1024, "./ssh_host_ecdsa_key")) {
         W("libssh %s key generation failed, using fallback ssh-keygen", "ECDSA");
         remove("./ssh_host_ecdsa_key");
-        s |= system("ssh-keygen -t ecdsa -b 256 -f ./ssh_host_ecdsa_key -N '' >/dev/null 2>/dev/null");
+        s = system("ssh-keygen -t ecdsa -b 256 -f ./ssh_host_ecdsa_key -N '' >/dev/null 2>/dev/null");
     }
 
     return s != 0;
@@ -241,7 +251,7 @@ static int gen_export_sshkey(enum ssh_keytypes_e type, int length, const char *p
             W2("Unknown SSH key type: %d", type);
             return 1;
     }
-    N2("Generating %s key with length %d bits and save it on disk: %s",
+    D2("Generating %s key with length %d bits and save it on disk: %s",
         type_str, length, path);
     s = ssh_pki_generate(type, length, &priv_key);
     if (s != SSH_OK) {
diff --git a/src/redirector.c b/src/redirector.c
index 4a577ca..6d5b216 100644
--- a/src/redirector.c
+++ b/src/redirector.c
@@ -157,6 +157,10 @@ pid_t redirector_daemonize(event_ctx *ev_ctx, redirector_ctx *rdr_ctx[], size_t
             W_STRERR("%s", "Server daemonize");
             return -1;
         case 0:
+            if (change_default_user_group()) {
+                E_STRERR("%s", "Change user/group");
+                return -1;
+            }
             N("%s", "Server daemon mainloop");
             redirector_mainloop(ev_ctx, rdr_ctx, siz);
             break;
diff --git a/src/utils.c b/src/utils.c
index 455b90d..aa65c28 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -76,7 +76,7 @@ static void sighandler_master(int signo)
         case SIGINT:
         case SIGTERM:
         case SIGABRT:
-            kill(0, SIGKILL);
+            kill(0, SIGTERM);
             exit(EXIT_FAILURE);
     }
 }
@@ -254,6 +254,11 @@ int change_user_group(const char *user, const char *group)
     return 0;
 }
 
+int change_default_user_group(void)
+{
+    return change_user_group("nobody", NULL);
+}
+
 int safe_chroot(const char *newroot)
 {
     int s;
diff --git a/src/utils.h b/src/utils.h
index 9ea1024..83a7418 100644
--- a/src/utils.h
+++ b/src/utils.h
@@ -28,6 +28,8 @@ int redirect_devnull_to(int fds, ...);
 
 int change_user_group(const char *user, const char *group);
 
+int change_default_user_group(void);
+
 int safe_chroot(const char *newroot);
 
 int dir_is_mountpoint(const char *path);
author	Toni Uhlig <matzeton@googlemail.com>	2018-05-20 14:15:40 +0200
committer	Toni Uhlig <matzeton@googlemail.com>	2018-05-20 14:15:40 +0200
commit	9c8dc27ee791b24e7325fa065cb57fa9b1339d11 (patch)
tree	65826a877e400843315c7265491cd39b920408a8
parent	de7939699e83a35015328371c45d4e3df3b06279 (diff)