Add option to change user and group after initialization. Naughtily

[fwd] / fw.c

/* -*-c-*-
 *
 * $Id: fw.c,v 1.7 2000/03/23 00:37:33 mdw Exp $
 *
 * Port forwarding thingy
 *
 * (c) 1999 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of the `fw' port forwarder.
 *
 * `fw' is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 * 
 * `fw' is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 * 
 * You should have received a copy of the GNU General Public License
 * along with `fw'; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------* 
 *
 * $Log: fw.c,v $
 * Revision 1.7  2000/03/23 00:37:33  mdw
 * Add option to change user and group after initialization.  Naughtily
 * reassign short equivalents of --grammar and --options.
 *
 * Revision 1.6  1999/12/22 15:44:10  mdw
 * Make syslog a separate option, and do it better.
 *
 * Revision 1.5  1999/10/22 22:47:50  mdw
 * Grammar changes.  Also, don't enable SIGINT if it's currently ignored.
 *
 * Revision 1.4  1999/10/10 16:46:12  mdw
 * New resolver to initialize.  Also, include options for grammar and
 * options references.
 *
 * Revision 1.3  1999/07/26 23:30:42  mdw
 * Major reconstruction work for new design.
 *
 * Revision 1.2  1999/07/03 13:55:17  mdw
 * Various changes.  Add configuration grammar to help text.  Change to
 * root directory and open syslog when forking into background.
 *
 * Revision 1.1.1.1  1999/07/01 08:56:23  mdw
 * Initial revision.
 *
 */

/*----- Header files ------------------------------------------------------*/

#include "config.h"

#include <ctype.h>
#include <errno.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#include <unistd.h>
#include <syslog.h>

#include <grp.h>
#include <pwd.h>

#include <mLib/bres.h>
#include <mLib/dstr.h>
#include <mLib/mdwopt.h>
#include <mLib/quis.h>
#include <mLib/report.h>
#include <mLib/sel.h>
#include <mLib/sig.h>
#include <mLib/sub.h>

#include "conf.h"
#include "endpt.h"
#include "exec.h"
#include "fattr.h"
#include "fw.h"
#include "scan.h"
#include "source.h"

/*----- Global variables --------------------------------------------------*/

sel_state *sel;                         /* Multiplexor for nonblocking I/O */

/*----- Static variables --------------------------------------------------*/

static unsigned flags = 0;              /* Global state flags */
static unsigned active = 0;             /* Number of active things */

#define FW_SYSLOG 1u
#define FW_QUIET 2u
#define FW_SET 4u

/*----- Main code ---------------------------------------------------------*/

/* --- @fw_log@ --- *
 *
 * Arguments:   @time_t t@ = when the connection occurred or (@-1@)
 *              @const char *fmt@ = format string to fill in
 *              @...@ = other arguments
 *
 * Returns:     ---
 *
 * Use:         Logs a connection.
 */

void fw_log(time_t t, const char *fmt, ...)
{
  struct tm *tm;
  dstr d = DSTR_INIT;
  va_list ap;

  if (flags & FW_QUIET)
    return;

  if (t == -1)
    t = time(0);
  tm = localtime(&t);
  DENSURE(&d, 64);
  d.len += strftime(d.buf, d.sz, "%Y-%m-%d %H:%M:%S ", tm);
  va_start(ap, fmt);
  dstr_vputf(&d, fmt, ap);
  va_end(ap);
  if (flags & FW_SYSLOG)
    syslog(LOG_NOTICE, "%s", d.buf);
  else {
    DPUTC(&d, '\n');
    dstr_write(&d, stderr);
  }
  DDESTROY(&d);
}

/* --- @fw_inc@, @fw_dec@ --- *
 *
 * Arguments:   ---
 *
 * Returns:     ---
 *
 * Use:         Increments or decrements the active thing count.  `fw' won't
 *              quit while there are active things.
 */

void fw_inc(void) { flags |= FW_SET; active++; }
void fw_dec(void) { if (active) active--; }

/* --- @fw_exit@ --- *
 *
 * Arguments:   ---
 *
 * Returns:     ---
 *
 * Use:         Exits when appropriate.
 */

static void fw_exit(void)
{
  endpt_killall();
  source_killall();
}

/* --- @fw_tidy@ --- *
 *
 * Arguments:   @int n@ = signal number
 *              @void *p@ = an uninteresting argument
 *
 * Returns:     ---
 *
 * Use:         Handles various signals and causes a clean tidy-up.
 */

static void fw_tidy(int n, void *p)
{
  const char *sn = "unexpected signal (bug!)";
  if (n == SIGTERM)
    sn = "SIGTERM";
  else if (n == SIGINT)
    sn = "SIGINT";

  fw_log(-1, "closing down on %s", sn);
  fw_exit();
}

/* --- Standard GNU help options --- */

static void version(FILE *fp)
{
  pquis(fp, "$ version " VERSION "\n");
}

static void usage(FILE *fp)
{
  pquis(fp, "Usage: $ [-dql] [-f file] [config statements...]\n");
}

static void help(FILE *fp)
{
  version(fp);
  fputc('\n', fp);
  usage(fp);
  pquis(fp, "\n\
An excessively full-featured port-forwarder, which subsumes large chunks\n\
of the functionality of inetd, netcat, and normal cat.  Options available\n\
are:\n\
\n\
-h, --help        Display this help message.\n\
-v, --version     Display the program's version number.\n\
-u, --usage       Display a terse usage summary.\n\
\n\
-G, --grammar     Show a summary of the configuration language.\n\
-O, --options     Show a summary of the source and target options.\n\
\n\
-f, --file=FILE   Read configuration from a file.\n\
-q, --quiet       Don't emit any logging information.\n\
-d, --daemon      Fork into background after initializing.\n\
-l, --syslog      Send log output to the system logger.\n\
-s, --setuid=USER Change uid to USER after initializing sources.\n\
-g, --setgid=GRP  Change gid to GRP after initializing sources.\n\
\n\
Configuration may be supplied in one or more configuration files, or on\n\
the command line (or both).  If no `-f' option is present, and no\n\
configuration is given on the command line, the standard input stream is\n\
read.\n\
\n\
Configuration is free-form.  Comments begin with a `#' character and\n\
continue to the end of the line.  Each command line argument is considered\n\
to be a separate line.\n\
\n\
The grammar is fairly complicated.  For a summary, run `$ --grammar'.\n\
For a summary of the various options, run `$ --options'.\n\
");
}

/* --- Other helpful options --- */

static void grammar(FILE *fp)
{
  version(fp);
  pquis(fp, "\n\
Grammar summary\n\
\n\
Basic syntax\n\
        file ::= empty | file stmt [`;']\n\
        stmt ::= option-stmt | fw-stmt\n\
        fw-stmt ::= `fw' source options [`to'|`->'] target options\n\
        options ::= `{' option-seq `}'\n\
        option-seq ::= empty | option-stmt [`;'] option-seq\n\
\n\
Option syntax\n\
        option-stmt ::= q-option\n\
        q-option ::= option\n\
             | prefix `.' q-option\n\
             | prefix `{' option-seq `}'\n\
        prefix ::= word\n\
\n\
File source and target\n\
        source ::= file\n\
        target ::= file\n\
        file ::= `file' [`.'] fspec [`,' fspec]\n\
        fspec ::= fd-spec | name-spec | null-spec\n\
        fd-spec ::= [[`:']`fd'[`:']] number|`stdin'|`stdout'\n\
        name-spec ::= [[`:']`file'[`:']] file-name\n\
        file-name ::= path-seq | [ path-seq ]\n\
        path-seq ::= path-elt | path-seq path-elt\n\
        path-elt ::= `/' | word\n\
        null-spec ::= [`:']`null'[`:']\n\
\n\
Exec source and target\n\
        source ::= exec\n\
        target ::= exec\n\
        exec ::= `exec' [`.'] cmd-spec\n\
        cmd-spec ::= shell-cmd | [prog-name] `[' argv0 arg-seq `]'\n\
        arg-seq ::= word | arg-seq word\n\
        shell-cmd ::= word\n\
        argv0 ::= word\n\
\n\
Socket source and target\n\
        source ::= socket-source\n\
        target ::= socket-target\n\
        socket-source ::= [`socket'[`.']] [[`:']addr-type[`:']] source-addr\n\
        socket-target ::= [`socket'[`.']] [[`:']addr-type[`:']] target-addr\n\
\n\
        inet-source-addr ::= [port] port\n\
        inet-target-addr ::= address [`:'] port\n\
        address ::= addr-elt | address addr-elt\n\
        addr-elt ::= `.' | word\n\
\n\
        unix-source-addr ::= file-name\n\
        unix-target-addr ::= file-name\n\
");
}

static void options(FILE *fp)
{
  version(fp);
  pquis(fp, "\n\
Options summary\n\
\n\
File attributes (`fattr')\n\
        prefix.fattr.mode [=] mode\n\
        prefix.fattr.owner [=] user\n\
        prefix.fattr.group [=] group\n\
\n\
File options\n\
        file.create [=] yes|no\n\
        file.open [=] no|truncate|append\n\
        file.fattr.*\n\
\n\
Exec options\n\
        exec.logging [=] yes|no\n\
        exec.dir [=] file-name\n\
        exec.root [=] file-name\n\
        exec.user [=] user\n\
        exec.group [=] group\n\
        exec.rlimit.limit[.hard|.soft] [=] value\n\
        exec.env.clear\n\
        exec.env.unset var\n\
        exec.env.[set] var [=] value\n\
\n\
Socket options\n\
        socket.conn [=] number|unlimited|one-shot\n\
        socket.logging [=] yes|no\n\
        socket.inet.[allow|deny] [from] address [/ address]\n\
        socket.unix.fattr.*\n\
");
}

/* --- @main@ --- *
 *
 * Arguments:   @int argc@ = number of command line arguments
 *              @char *argv[]@ = vector of argument strings
 *
 * Returns:     ---
 *
 * Use:         Simple port-forwarding server.
 */

int main(int argc, char *argv[])
{
  unsigned f = 0;
  sel_state sst;
  sig s_term, s_int;
  scanner sc;
  uid_t drop = -1;
  gid_t dropg = -1;

  enum {
    f_bogus = 1,
    f_file = 2,
    f_syslog = 4,
    f_fork = 8
  };

  /* --- Initialize things --- */

  ego(argv[0]);
  sel = &sst;
  sel_init(sel);
  sub_init();
  sig_init(sel);
  bres_init(sel);
  bres_exec(0);
  exec_init();
  fattr_init(&fattr_global);
  scan_create(&sc);

  /* --- Set up some signal handlers --- *
   *
   * Don't enable @SIGINT@ if the caller already disabled it.
   */

  {
    struct sigaction sa;

    sig_add(&s_term, SIGTERM, fw_tidy, 0);
    sigaction(SIGINT, 0, &sa);
    if (sa.sa_handler != SIG_IGN)
      sig_add(&s_int, SIGINT, fw_tidy, 0);
  }

  atexit(fw_exit);

  /* --- Parse command line options --- */

  for (;;) {
    static struct option opts[] = {

      /* --- Standard GNU help options --- */

      { "help",         0,              0,      'h' },
      { "version",      0,              0,      'v' },
      { "usage",        0,              0,      'u' },

      /* --- Other help options --- */

      { "grammar",      0,              0,      'g' },
      { "options",      0,              0,      'o' },

      /* --- Other useful arguments --- */

      { "file",         OPTF_ARGREQ,    0,      'f' },
      { "fork",         0,              0,      'd' },
      { "daemon",       0,              0,      'd' },
      { "syslog",       0,              0,      'l' },
      { "log",          0,              0,      'l' },
      { "quiet",        0,              0,      'q' },
      { "setuid",       OPTF_ARGREQ,    0,      's' },
      { "uid",          OPTF_ARGREQ,    0,      's' },
      { "setgid",       OPTF_ARGREQ,    0,      'g' },
      { "gid",          OPTF_ARGREQ,    0,      'g' },

      /* --- Magic terminator --- */

      { 0,              0,              0,      0 }
    };
    int i = mdwopt(argc, argv, "+hvu GO f:dls:g:", opts, 0, 0, 0);

    if (i < 0)
      break;
    switch (i) {
      case 'h':
        help(stdout);
        exit(0);
        break;
      case 'v':
        version(stdout);
        exit(0);
        break;
      case 'u':
        usage(stdout);
        exit(0);
        break;
      case 'G':
        grammar(stdout);
        exit(0);
        break;
      case 'O':
        options(stdout);
        exit(0);
        break;
      case 'f':
        if (strcmp(optarg, "-") == 0)
          scan_add(&sc, scan_file(stdin, "<stdin>", SCF_NOCLOSE));
        else {
          FILE *fp;
          if ((fp = fopen(optarg, "r")) == 0)
            die(1, "couldn't open file `%s': %s", optarg, strerror(errno));
          scan_add(&sc, scan_file(fp, optarg, 0));
        }
        f |= f_file;
        break;
      case 'd':
        f |= f_fork;
        break;
      case 'l':
        f |= f_syslog;
        break;
      case 'q':
        flags |= FW_QUIET;
        break;
      case 's':
        if (isdigit((unsigned char )optarg[0])) {
          char *q;
          drop = strtol(optarg, &q, 0);
          if (*q)
            die(1, "bad uid `%s'", optarg);
        } else {
          struct passwd *pw = getpwnam(optarg);
          if (!pw)
            die(1, "unknown user `%s'", optarg);
          drop = pw->pw_uid;
        }
        break;
      case 'g':
        if (isdigit((unsigned char )optarg[0])) {
          char *q;
          dropg = strtol(optarg, &q, 0);
          if (*q)
            die(1, "bad gid `%s'", optarg);
        } else {
          struct group *gr = getgrnam(optarg);
          if (!gr)
            die(1, "unknown group `%s'", optarg);
          dropg = gr->gr_gid;
        }
        break;
      default:
        f |= f_bogus;
        break;
    }
  }

  if (f & f_bogus) {
    usage(stderr);
    exit(1);
  }

  /* --- Deal with the remaining arguments --- */

  if (optind < argc)
    scan_add(&sc, scan_argv(argv + optind));
  else if (f & f_file)
    /* Cool */;
  else if (!isatty(STDIN_FILENO))
    scan_add(&sc, scan_file(stdin, "<stdin>", SCF_NOCLOSE));
  else {
    moan("no configuration given and stdin is a terminal.");
    moan("type `%s --help' for usage information.", QUIS);
    exit(1);
  }

  /* --- Parse the configuration now gathered --- */

  conf_parse(&sc);

  /* --- Drop privileges --- */

#ifdef HAVE_SETGROUPS
  if ((dropg != -1 && (setgid(dropg) || setgroups(1, &dropg))) ||
#else
  if ((dropg != -1 && setgid(dropg)) ||
#endif
      (drop != -1 && setuid(drop)))
    die(1, "couldn't drop privileges: %s", strerror(errno));

  /* --- Fork into the background --- */

  if (f & f_fork) {
    pid_t kid;

    kid = fork();
    if (kid == -1)
      die(1, "couldn't fork: %s", strerror(errno));
    if (kid != 0)
      _exit(0);

    close(0); close(1); close(2);
    chdir("/");
    setsid();

    kid = fork();
    if (kid != 0)
      _exit(0);
  }

  if (f & f_syslog) {
    flags |= FW_SYSLOG;
    openlog(QUIS, 0, LOG_DAEMON);
  }

  /* --- Let rip --- */

  if (!(flags & FW_SET))
    moan("nothing to do!");
  signal(SIGPIPE, SIG_IGN);
  while (active)
    sel_select(sel);
  return (0);
}

/*----- That's all, folks -------------------------------------------------*/