/*----- Static variables --------------------------------------------------*/
+ static sel_state sel;
static const char *pidfile = 0;
static const char *logname = 0;
static FILE *logfp = 0;
die(EXIT_FAILURE, "unexpected background tag `%s'", q);
}
+ static void dolog(int prio, const char *msg, ...)
+ {
+ va_list ap;
+ dstr d = DSTR_INIT;
+ const char *cat;
+
+ va_start(ap, msg);
+ dstr_vputf(&d, msg, &ap);
+ va_end(ap);
+ if (f & f_syslog) syslog(prio, "%s", d.buf);
+ if (logfp) {
+ switch (prio) {
+ case LOG_WARNING: cat = "warning"; break;
+ case LOG_DEBUG: cat = "debug"; break;
+ case LOG_ERR: cat = "error"; break;
+ default: cat = "message"; break;
+ }
+ writelog(cat, d.buf);
+ }
+ if (prio == LOG_WARNING && (f & f_warn))
+ fprintf(stderr, "Warning: %s\n", d.buf);
+ dstr_destroy(&d);
+ }
+
static void checkfg(void)
{ if (bgtag) die(EXIT_FAILURE, "unexpected foreground response"); }
q = str_getword(&p);
if (!q)
return;
- if (strcmp(q, "WARN") == 0) {
- if (f & f_syslog)
- syslog(LOG_WARNING, "%s", p);
- if (logfp)
- writelog("warning", p);
- if (f & f_warn)
- fprintf(stderr, "Warning: %s\n", p);
- } else if (strcmp(q, "TRACE") == 0) {
- if (f & f_syslog)
- syslog(LOG_DEBUG, "%s", p);
- if (logfp)
- writelog("debug", p);
- } else if (!(f & f_command)) {
- if (f & f_syslog)
- syslog(LOG_ERR, "unexpected output `%s %s'", q, p);
- if (logfp) {
- dstr d = DSTR_INIT;
- dstr_putf(&d, "unexpected output `%s %s'", q, p);
- writelog("error", d.buf);
- dstr_destroy(&d);
- }
- } else if (strcmp(q, "FAIL") == 0) {
+ if (strcmp(q, "WARN") == 0)
+ dolog(LOG_WARNING, p);
+ else if (strcmp(q, "TRACE") == 0)
+ dolog(LOG_DEBUG, p);
+ else if (!(f & f_command))
+ dolog(LOG_ERR, "unexpected output `%s %s'", q, p);
+ else if (strcmp(q, "FAIL") == 0) {
checkfg();
die(EXIT_FAILURE, "%s", p);
} else if (strcmp(q, "INFO") == 0) {
}
}
+ static void eline(char *p, size_t len, void *b)
+ {
+ if (p)
+ dolog(LOG_WARNING, "(stderr): %s", p);
+ else {
+ selbuf_destroy(b);
+ close(fd);
+ }
+ }
+
static void setup(const char *cmd)
{
dstr d = DSTR_INIT;
else if (logname)
die(EXIT_FAILURE, d.buf);
if (f & f_syslog)
- syslog(LOG_ERR, d.buf);
+ syslog(LOG_ERR, "%s", d.buf);
dstr_destroy(&d);
}
}
static void sigdie(int sig)
{ cleanup(); signal(sig, SIG_DFL); raise(sig); }
+ static void putarg(string_v *av, const char *fmt, ...)
+ {
+ va_list ap;
+ dstr d = DSTR_INIT;
+
+ va_start(ap, fmt);
+ dstr_vputf(&d, fmt, &ap);
+ dstr_putz(&d);
+ va_end(ap);
+ DA_UNSHIFT(av, xstrdup(d.buf));
+ dstr_destroy(&d);
+ }
+
static void version(FILE *fp)
{ pquis(fp, "$, TrIPE version " VERSION "\n"); }
\n\
-D, --daemon Become a background task after connecting.\n\
-d, --directory=DIR Select current directory [default " CONFIGDIR "].\n\
+ -U, --setuid=USER Set uid to USER after initialization.\n\
+ -G, --setgid=GROUP Set gid to GROUP after initialization.\n\
-a, --admin-socket=FILE Select socket to connect to\n\
[default " SOCKETDIR "/tripesock].\n\
-P, --pidfile=FILE Write process-id to FILE.\n\
string_v spawnopts = DA_INIT;
char *p;
FILE *pidfp = 0;
+ int i;
+ size_t sz;
+ uid_t u = -1;
+ gid_t g = -1;
+ int pfd[2], efd[2];
+ pid_t kid;
+ struct sigaction sa;
+ sigset_t newmask, oldmask;
+ struct sockaddr_un sun;
+ selbuf bu, bs, be;
+ dstr d = DSTR_INIT;
+ sig hup;
ego(argv[0]);
{ "version", 0, 0, 'v' },
{ "usage", 0, 0, 'u' },
{ "daemon", 0, 0, 'D' },
+ { "uid", OPTF_ARGREQ, 0, 'U' },
+ { "setuid", OPTF_ARGREQ, 0, 'U' },
+ { "gid", OPTF_ARGREQ, 0, 'G' },
+ { "setgid", OPTF_ARGREQ, 0, 'G' },
{ "directory", OPTF_ARGREQ, 0, 'd' },
{ "admin-socket", OPTF_ARGREQ, 0, 'a' },
{ "spawn", 0, 0, 's' },
{ 0, 0, 0, 0 }
};
- int i = mdwopt(argc, argv, "+hvuDd:a:sp:S:lwf:nP:", opts, 0, 0, 0);
+ i = mdwopt(argc, argv, "+hvuDU:G:d:a:sp:S:lwf:nP:", opts, 0, 0, 0);
if (i < 0)
break;
switch (i) {
case 'D':
f |= f_daemon | f_noinput;
break;
+ case 'U':
+ u = u_getuser(optarg, &g);
+ break;
+ case 'G':
+ g = u_getgroup(optarg);
+ break;
case 'd':
dir = optarg;
break;
die(EXIT_FAILURE, "couldn't open `%s' for writing: %s",
pidfile, strerror(errno));
}
+ sel_init(&sel);
+ sig_init(&sel);
signal(SIGINT, sigdie);
signal(SIGQUIT, sigdie);
signal(SIGTERM, sigdie);
/* --- Connect to the server --- */
if (f & f_spawn) {
- int pfd[2];
- pid_t kid;
- struct sigaction sa;
- sigset_t newmask, oldmask;
-
sa.sa_handler = reap;
sigemptyset(&sa.sa_mask);
sa.sa_flags = SA_NOCLDSTOP;
#endif
sigaction(SIGCHLD, &sa, 0);
- DA_UNSHIFT(&spawnopts, (char *)sock);
- DA_UNSHIFT(&spawnopts, "-a");
- DA_UNSHIFT(&spawnopts, "-d.");
- DA_UNSHIFT(&spawnopts, "-F");
- DA_UNSHIFT(&spawnopts, (char *)spawnpath);
DA_PUSH(&spawnopts, 0);
- if (socketpair(PF_UNIX, SOCK_STREAM, 0, pfd))
+ if (g != (gid_t)-1) putarg(&spawnopts, "-G%lu", (unsigned long)g);
+ if (u != (uid_t)-1) putarg(&spawnopts, "-U%lu", (unsigned long)u);
+ putarg(&spawnopts, "-a%s", sock);
+ putarg(&spawnopts, "-d.");
+ putarg(&spawnopts, "-F");
+ putarg(&spawnopts, "%s", spawnpath);
+ if (socketpair(PF_UNIX, SOCK_STREAM, 0, pfd) || pipe(efd))
die(EXIT_FAILURE, "error from socketpair: %s", strerror(errno));
sigemptyset(&newmask);
sigaddset(&newmask, SIGCHLD);
if (!kid) {
dup2(pfd[1], STDIN_FILENO);
dup2(pfd[1], STDOUT_FILENO);
- close(pfd[0]);
- close(pfd[1]);
+ dup2(efd[1], STDERR_FILENO);
+ close(pfd[0]); close(pfd[1]);
+ close(efd[0]); close(efd[1]);
if (logfp) fclose(logfp);
if (pidfp) fclose(pidfp);
closelog();
}
sigprocmask(SIG_SETMASK, &oldmask, 0);
fd = pfd[0];
- close(pfd[1]);
+ close(pfd[1]); close(efd[1]);
+ selbuf_init(&be, &sel, efd[0], eline, &be);
} else {
- struct sockaddr_un sun;
- size_t sz = strlen(sock) + 1;
+ sz = strlen(sock) + 1;
if (sz > sizeof(sun.sun_path))
die(EXIT_FAILURE, "socket name `%s' too long", sock);
memset(&sun, 0, sizeof(sun));
}
}
+ u_setugid(u, g);
if (f & f_daemon) {
if (daemonize())
die(EXIT_FAILURE, "error becoming daemon: %s", strerror(errno));
if (optind == argc)
setup("WATCH -A+tw");
if (!(f & f_noinput) && optind == argc) {
- sel_state sel;
- selbuf bu, bs;
-
- sel_init(&sel);
selbuf_init(&bu, &sel, STDIN_FILENO, uline, &bu);
selbuf_init(&bs, &sel, fd, sline, &bs);
for (;;) {
/* --- If there's a command, submit it --- */
if (optind < argc) {
- dstr d = DSTR_INIT;
setup((f & f_warn) ? "WATCH -A+w" : "WATCH -A");
while (optind < argc)
u_quotify(&d, argv[optind++]);
/* --- Pull everything else out of the box --- */
- {
- sel_state sel;
- selbuf b;
- sig hup;
-
- sel_init(&sel);
- selbuf_init(&b, &sel, fd, cline, 0);
+ selbuf_init(&bs, &sel, fd, cline, 0);
- if (f & f_syslog)
- openlog(QUIS, 0, LOG_DAEMON);
- if (logfp) {
- sig_init(&sel);
- sig_add(&hup, SIGHUP, sighup, 0);
- }
- for (;;) {
- if (sel_select(&sel) && errno != EINTR && errno != EAGAIN)
- die(EXIT_FAILURE, "select failed: %s", strerror(errno));
- }
+ if (f & f_syslog)
+ openlog(QUIS, 0, LOG_DAEMON);
+ if (logfp)
+ sig_add(&hup, SIGHUP, sighup, 0);
+ for (;;) {
+ if (sel_select(&sel) && errno != EINTR && errno != EAGAIN)
+ die(EXIT_FAILURE, "select failed: %s", strerror(errno));
}
return (0);
{ 'x', T_KEYEXCH, "key exchange" },
{ 'm', T_KEYMGMT, "key management" },
{ 'l', T_CHAL, "challenge management" },
+ { 'v', T_PRIVSEP, "privilege separation" },
{ 'p', T_PACKET, "packet contents" },
{ 'c', T_CRYPTO, "crypto details" },
{ 'A', T_ALL, "all of the above" },
*
* Returns: ---
*
- * Use: Main message token formatting driver.
+ * Use: Main message token formatting driver. The arguments are
+ * interleaved formatting tokens and their parameters, finally
+ * terminated by an entry @A_END@.
+ *
+ * Tokens recognized:
+ *
+ * * "*..." ... -- pretokenized @dstr_putf@-like string
+ *
+ * * "?ADDR" SOCKADDR -- a socket address, to be converted
+ *
+ * * "?B64" BUFFER SIZE -- binary data to be base64-encoded
+ *
+ * * "?TOKENS" VECTOR -- null-terminated vector of tokens
+ *
+ * * "?PEER" PEER -- peer's name
+ *
+ * * "?ERRNO" ERRNO -- system error code
+ *
+ * * "[!]..." ... -- @dstr_putf@-like string as single token
*/
- static void a_vformat(dstr *d, const char *fmt, va_list ap)
+ void a_vformat(dstr *d, const char *fmt, va_list ap)
{
dstr dd = DSTR_INIT;
while (fmt) {
if (*fmt == '*') {
- dstr_putc(d, ' ');
+ if (d->len) dstr_putc(d, ' ');
dstr_vputf(d, fmt + 1, &ap);
} else if (*fmt == '?') {
if (strcmp(fmt, "?ADDR") == 0) {
close(sock.fd);
unlink(sockname);
FOREACH_PEER(p, { p_destroy(p); });
+ ps_quit();
exit(0);
}
}
}
+static void acmd_algs(admin *a, unsigned ac, char *av[])
+{
+ a_info(a,
+ "kx-group=%s", gg->ops->name,
+ "kx-group-order-bits=%lu", (unsigned long)mp_bits(gg->r),
+ "kx-group-elt-bits=%lu", (unsigned long)gg->nbits,
+ A_END);
+ a_info(a,
+ "hash=%s", algs.h->name,
+ "mgf=%s", algs.mgf->name,
+ "hash-sz=%lu", (unsigned long)algs.h->hashsz,
+ A_END);
+ a_info(a,
+ "cipher=%s", algs.c->name,
+ "cipher-keysz=%lu", (unsigned long)algs.cksz,
+ "cipher-blksz=%lu", (unsigned long)algs.c->blksz,
+ A_END);
+ a_info(a,
+ "cipher-data-limit=%lu", (unsigned long)algs.expsz,
+ A_END);
+ a_info(a,
+ "mac=%s", algs.m->name,
+ "mac-keysz=%lu", (unsigned long)algs.mksz,
+ "mac-tagsz=%lu", (unsigned long)algs.tagsz,
+ A_END);
+ a_ok(a);
+}
+
static void acmd_list(admin *a, unsigned ac, char *av[])
{
FOREACH_PEER(p, { a_info(a, "%s", p_name(p), A_END); });
static const acmd acmdtab[] = {
{ "add", "[OPTIONS] PEER ADDR ...", 2, 0xffff, acmd_add },
{ "addr", "PEER", 1, 1, acmd_addr },
+ { "algs", 0, 0, 0, acmd_algs },
{ "bgcancel", "TAG", 1, 1, acmd_bgcancel },
{ "checkchal", "CHAL", 1, 1, acmd_checkchal },
{ "daemon", 0, 0, 0, acmd_daemon },
/* --- @a_init@ --- *
*
* Arguments: @const char *name@ = socket name to create
+ * @uid_t u@ = user to own the socket
+ * @gid_t g@ = group to own the socket
*
* Returns: ---
*
* Use: Creates the admin listening socket.
*/
- void a_init(const char *name)
+ void a_init(const char *name, uid_t u, gid_t g)
{
int fd;
int n = 5;
goto again;
}
chmod(sun.sun_path, 0600);
+ if (chown(sun.sun_path, u, g)) {
+ T( trace(T_ADMIN,
+ "admin: failed to give away socket: %s",
+ strerror(errno)); )
+ }
fdflags(fd, O_NONBLOCK, O_NONBLOCK, FD_CLOEXEC, FD_CLOEXEC);
if (listen(fd, 5))
die(EXIT_FAILURE, "couldn't listen on socket: %s", strerror(errno));