authorToni Uhlig <matzeton@googlemail.com>2018-05-20 14:15:40 +0200
committerToni Uhlig <matzeton@googlemail.com>2018-05-20 14:15:40 +0200
commit9c8dc27ee791b24e7325fa065cb57fa9b1339d11 (patch)
tree65826a877e400843315c7265491cd39b920408a8
parentde7939699e83a35015328371c45d4e3df3b06279 (diff)
POTD skeleton #65.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--src/main.c11
-rw-r--r--src/protocol_ssh.c60
-rw-r--r--src/redirector.c4
-rw-r--r--src/utils.c7
-rw-r--r--src/utils.h2
5 files changed, 50 insertions, 34 deletions
diff --git a/src/main.c b/src/main.c
index 8130676..bb9a5c8 100644
--- a/src/main.c
+++ b/src/main.c
@@ -18,7 +18,7 @@
static void ssh_protocol_preinit(const char *ssh_ports[], protocol_ctx *ctx[],
const char *jail_ports[], const size_t siz);
-static void ssh_protocol_postinit(protocol_ctx *ctx[], const size_t siz);
+static void ssh_protocol_init(protocol_ctx *ctx[], const size_t siz);
static void ssh_protocol_preinit(const char *ssh_ports[], protocol_ctx *ctx[],
@@ -34,7 +34,7 @@ static void ssh_protocol_preinit(const char *ssh_ports[], protocol_ctx *ctx[],
}
}
-static void ssh_protocol_postinit(protocol_ctx *ctx[], const size_t siz)
+static void ssh_protocol_init(protocol_ctx *ctx[], const size_t siz)
{
for (size_t i = 0; i < siz; ++i) {
ABORT_ON_FATAL( proto_listen(ctx[i]),
@@ -117,12 +117,7 @@ int main(int argc, char *argv[])
proto_ports[1] = "22223";
assert(SIZEOF(proto_ports) == SIZEOF(jail_ports));
ssh_protocol_preinit(proto_ports, ssh_proto, jail_ports, proto_siz);
-
- D2("Main process is dropping privileges to %s:%s", "nobody", "NULL");
- ABORT_ON_FATAL( change_user_group("nobody", NULL),
- "Main process dropping privileges" );
-
- ssh_protocol_postinit(ssh_proto, proto_siz);
+ ssh_protocol_init(ssh_proto, proto_siz);
memset(rdr, 0, sizeof(rdr));
rdr_ports[0] = "2222";
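Review bot: With the `change_user_group("nobody", NULL)` call removed from main(), the main process now keeps its original (presumably root) privileges for its entire lifetime, and nothing in this hunk or the commit message records why; the drop appears to have moved into the forked children (ssh_on_listen and redirector_daemonize in this commit). A one-line comment at the `ssh_protocol_init(ssh_proto, proto_siz);` call would stop a later reader from "restoring" the drop or assuming main is unprivileged, e.g. `/* Privileges are dropped per forked child (change_default_user_group()); main stays privileged, presumably so proto_listen() can bind/chroot. */`. If the reason is only binding low ports, consider dropping in main right after ssh_protocol_init() instead. main() continues outside this hunk.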
diff --git a/src/protocol_ssh.c b/src/protocol_ssh.c
index 1aaa974..da60f9f 100644
--- a/src/protocol_ssh.c
+++ b/src/protocol_ssh.c
@@ -18,6 +18,8 @@
#pragma message "Unsupported libssh version < 0.7.3"
#endif
+static int version_logged = 0;
+
typedef struct ssh_data {
ssh_bind sshbind;
protocol_ctx *ctx;
@@ -58,26 +60,30 @@ struct ssh_channel_callbacks_struct ssh_channel_cb = {
int ssh_init_cb(protocol_ctx *ctx)
{
- N("libssh version: %s", ssh_version(0));
- if (ssh_version(SSH_VERSION_INT(LIBSSH_VERSION_MAJOR,
- LIBSSH_VERSION_MINOR,
- LIBSSH_VERSION_MICRO)) == NULL)
- {
- W("This software was compiled/linked for libssh %d.%d.%d,"
- " which you aren't currently using.",
- LIBSSH_VERSION_MAJOR, LIBSSH_VERSION_MINOR, LIBSSH_VERSION_MICRO);
- }
- if (ssh_version(SSH_VERSION_INT(0,7,3)) == NULL)
- {
- W("%s", "Unsupported libssh version < 0.7.3");
- }
- if (ssh_version(SSH_VERSION_INT(0,7,4)) != NULL ||
- ssh_version(SSH_VERSION_INT(0,7,90)) != NULL)
- {
- W("%s",
- "libssh versions > 0.7.3 may suffer "
- "from problems with the pki key generation/export");
+ if (!version_logged) {
+ N("libssh version: %s", ssh_version(0));
+ if (ssh_version(SSH_VERSION_INT(LIBSSH_VERSION_MAJOR,
+ LIBSSH_VERSION_MINOR,
+ LIBSSH_VERSION_MICRO)) == NULL)
+ {
+ W("This software was compiled/linked for libssh %d.%d.%d,"
+ " which you aren't currently using.",
+ LIBSSH_VERSION_MAJOR, LIBSSH_VERSION_MINOR, LIBSSH_VERSION_MICRO);
+ }
+ if (ssh_version(SSH_VERSION_INT(0,7,3)) == NULL)
+ {
+ W("%s", "Unsupported libssh version < 0.7.3");
+ }
+ if (ssh_version(SSH_VERSION_INT(0,7,4)) != NULL ||
+ ssh_version(SSH_VERSION_INT(0,7,90)) != NULL)
+ {
+ W("%s",
+ "libssh versions > 0.7.3 may suffer "
+ "from problems with the pki key generation/export");
+ }
+ version_logged = 1;
}
+
ctx->cbs = potd_ssh_callbacks;
if (ssh_init())
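Review bot: The new file-scope `static int version_logged` guard has no comment saying what it is for or under what conditions the once-only assumption holds; from main.c the init callbacks are invoked sequentially in one loop, so a plain int is fine there, but the flag is plain shared state if ssh_init_cb() is ever called from more than one thread. Add at the declaration `/* ssh_init_cb() runs once per protocol_ctx; log the libssh version diagnostics only the first time. Not thread-safe; callers run sequentially. */`. Note the flag is set after the checks even when the build/runtime version mismatch is detected, so the warnings are emitted exactly once per process, which matches the intent. ssh_init_cb() continues outside this hunk.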
@@ -138,6 +144,10 @@ int ssh_on_listen(protocol_ctx *ctx)
ssh_bind_get_fd(d->sshbind));
return 1;
case 0:
+ if (change_default_user_group()) {
+ E_STRERR("%s", "Change user/group");
+ return -1;
+ }
ssh_mainloop(d);
break;
}
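Review bot: In the `case 0:` (child) branch, `return -1;` after a failed change_default_user_group() does not terminate the child: it returns into ssh_on_listen's caller, which now executes inside the forked process, so the child keeps running the parent's code path with the privileges it failed to drop. The same pattern is added to redirector_daemonize's `case 0:` in src/redirector.c. After logging, end the child instead: `E_STRERR("%s", "Change user/group"); exit(EXIT_FAILURE);` (or `_exit` if the parent's stdio buffers must not be flushed twice). Both enclosing functions continue outside the hunk, so whether the caller's -1 handling is harmless in the child cannot be seen here.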
@@ -201,17 +211,17 @@ static int gen_default_keys(void)
if (gen_export_sshkey(SSH_KEYTYPE_RSA, 1024, "./ssh_host_rsa_key")) {
W("libssh %s key generation failed, using fallback ssh-keygen", "RSA");
remove("./ssh_host_rsa_key");
- s |= system("ssh-keygen -t rsa -b 1024 -f ./ssh_host_rsa_key -N '' >/dev/null 2>/dev/null");
+ s = system("ssh-keygen -t rsa -b 1024 -f ./ssh_host_rsa_key -N '' >/dev/null 2>/dev/null");
}
- if (gen_export_sshkey(SSH_KEYTYPE_DSS, 1024, "./ssh_host_dsa_key")) {
+ if (!s && gen_export_sshkey(SSH_KEYTYPE_DSS, 1024, "./ssh_host_dsa_key")) {
W("libssh %s key generation failed, using fallback ssh-keygen", "DSA");
remove("./ssh_host_dsa_key");
- s |= system("ssh-keygen -t dsa -b 1024 -f ./ssh_host_dsa_key -N '' >/dev/null 2>/dev/null");
+ s = system("ssh-keygen -t dsa -b 1024 -f ./ssh_host_dsa_key -N '' >/dev/null 2>/dev/null");
}
- if (gen_export_sshkey(SSH_KEYTYPE_ECDSA, 1024, "./ssh_host_ecdsa_key")) {
+ if (!s && gen_export_sshkey(SSH_KEYTYPE_ECDSA, 1024, "./ssh_host_ecdsa_key")) {
W("libssh %s key generation failed, using fallback ssh-keygen", "ECDSA");
remove("./ssh_host_ecdsa_key");
- s |= system("ssh-keygen -t ecdsa -b 256 -f ./ssh_host_ecdsa_key -N '' >/dev/null 2>/dev/null");
+ s = system("ssh-keygen -t ecdsa -b 256 -f ./ssh_host_ecdsa_key -N '' >/dev/null 2>/dev/null");
}
return s != 0;
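Review bot: `gen_export_sshkey(SSH_KEYTYPE_ECDSA, 1024, "./ssh_host_ecdsa_key")` still passes 1024 bits while the fallback command uses `-b 256`; if libssh treats the ECDSA length as a curve size (256/384/521), the libssh path fails every time and key generation silently depends on ssh-keygen being on PATH, which is worth confirming. Separately, `s = system(...)` stores a raw wait status: `return s != 0` does treat it as failure, but -1 (no shell available) and a signal-killed ssh-keygen are not distinguished from a non-zero exit, so consider normalizing with `s = (s == -1 || !WIFEXITED(s) || WEXITSTATUS(s) != 0);` (needs `<sys/wait.h>`). The initial value of `s` and the start of gen_default_keys() are outside this hunk.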
@@ -241,7 +251,7 @@ static int gen_export_sshkey(enum ssh_keytypes_e type, int length, const char *p
W2("Unknown SSH key type: %d", type);
return 1;
}
- N2("Generating %s key with length %d bits and save it on disk: %s",
+ D2("Generating %s key with length %d bits and save it on disk: %s",
type_str, length, path);
s = ssh_pki_generate(type, length, &priv_key);
if (s != SSH_OK) {
diff --git a/src/redirector.c b/src/redirector.c
index 4a577ca..6d5b216 100644
--- a/src/redirector.c
+++ b/src/redirector.c
@@ -157,6 +157,10 @@ pid_t redirector_daemonize(event_ctx *ev_ctx, redirector_ctx *rdr_ctx[], size_t
W_STRERR("%s", "Server daemonize");
return -1;
case 0:
+ if (change_default_user_group()) {
+ E_STRERR("%s", "Change user/group");
+ return -1;
+ }
N("%s", "Server daemon mainloop");
redirector_mainloop(ev_ctx, rdr_ctx, siz);
break;
diff --git a/src/utils.c b/src/utils.c
index 455b90d..aa65c28 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -76,7 +76,7 @@ static void sighandler_master(int signo)
case SIGINT:
case SIGTERM:
case SIGABRT:
- kill(0, SIGKILL);
+ kill(0, SIGTERM);
exit(EXIT_FAILURE);
}
}
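Review bot: `kill(0, SIGTERM)` now relies on every child honoring SIGTERM, whereas SIGKILL could not be caught or ignored; forked children inherit sighandler_master unless they reset the disposition after fork (not visible here), so a SIGTERM to the group may make each child re-run this handler and re-broadcast `kill(0, SIGTERM)` to the whole group, and a child that ignores SIGTERM outlives the master. If that is intended, document it at the call: `/* Ask the whole process group to terminate; children must reset or honor SIGTERM. */`, or follow up with SIGKILL after a grace period in the master. The `exit(EXIT_FAILURE)` on the next line is pre-existing but not async-signal-safe; `_exit(EXIT_FAILURE)` is the safe choice inside a handler.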
@@ -254,6 +254,11 @@ int change_user_group(const char *user, const char *group)
return 0;
}
+int change_default_user_group(void)
+{
+ return change_user_group("nobody", NULL);
+}
+
int safe_chroot(const char *newroot)
{
int s;
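Review bot: change_default_user_group() hardcodes the unprivileged identity but carries no documentation of what "default" means or what its return value is, and the header declaration in src/utils.h is bare as well. Add above the definition `/* Drop to the default unprivileged identity: user "nobody", group selected by change_user_group() for a NULL group. Returns change_user_group()'s status (0 on success). */`; what a NULL group means is decided inside change_user_group(), which is outside this hunk, so word it accordingly. Consider also naming the user via a single `#define`/`static const` so the two call sites in this commit cannot drift from the wrapper.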
diff --git a/src/utils.h b/src/utils.h
index 9ea1024..83a7418 100644
--- a/src/utils.h
+++ b/src/utils.h
@@ -28,6 +28,8 @@ int redirect_devnull_to(int fds, ...);
int change_user_group(const char *user, const char *group);
+int change_default_user_group(void);
+
int safe_chroot(const char *newroot);
int dir_is_mountpoint(const char *path);