/*
tincd.c -- the main file for tincd
Copyright (C) 1998-2005 Ivo Timmermans
- 2000-2008 Guus Sliepen <guus@tinc-vpn.org>
+ 2000-2009 Guus Sliepen <guus@tinc-vpn.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include LZO1X_H
+#ifndef HAVE_MINGW
+#include <pwd.h>
+#include <grp.h>
+#include <time.h>
+#endif
+
#include <getopt.h>
#include "pidfile.h"
/* If nonzero, disable swapping for this process. */
bool do_mlock = false;
+/* If nonzero, chroot to netdir after startup. */
+static bool do_chroot = false;
+
+/* If !NULL, do setuid to given user after startup */
+static const char *switchuser = NULL;
+
/* If nonzero, write log entries to a separate file. */
bool use_logfile = false;
{"debug", optional_argument, NULL, 'd'},
{"bypass-security", no_argument, NULL, 3},
{"mlock", no_argument, NULL, 'L'},
+ {"chroot", no_argument, NULL, 'R'},
+ {"user", required_argument, NULL, 'U'},
{"logfile", optional_argument, NULL, 4},
{"pidfile", required_argument, NULL, 5},
{NULL, 0, NULL, 0}
" -L, --mlock Lock tinc into main memory.\n"
" --logfile[=FILENAME] Write log entries to a logfile.\n"
" --pidfile=FILENAME Write PID to FILENAME.\n"
+ " -R, --chroot chroot to NET dir at startup.\n"
+ " -U, --user=USER setuid to given USER at startup.\n"
" --help Display this help and exit.\n"
" --version Output version information and exit.\n\n"));
printf(_("Report bugs to tinc@tinc-vpn.org.\n"));
int r;
int option_index = 0;
- while((r = getopt_long(argc, argv, "c:DLd::k::n:K::", long_options, &option_index)) != EOF) {
+ while((r = getopt_long(argc, argv, "c:DLd::k::n:K::RU:", long_options, &option_index)) != EOF) {
switch (r) {
case 0: /* long option */
break;
break;
case 'L': /* no detach */
+#ifndef HAVE_MLOCKALL
+ logger(LOG_ERR, _("%s not supported on this platform"), "mlockall()");
+ return false;
+#else
do_mlock = true;
break;
+#endif
case 'd': /* inc debug level */
if(optarg)
generate_keys = 1024;
break;
+ case 'R': /* chroot to NETNAME dir */
+ do_chroot = true;
+ break;
+
+ case 'U': /* setuid to USER */
+ switchuser = optarg;
+ break;
+
case 1: /* show help */
show_help = true;
break;
char *name = NULL;
char *filename;
+ get_config_string(lookup_config(config_tree, "Name"), &name);
+
+ if(name && !check_id(name)) {
+ fprintf(stderr, _("Invalid name for myself!\n"));
+ return false;
+ }
+
fprintf(stderr, _("Generating %d bits keys:\n"), bits);
rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL);
fprintf(stderr, _("Done.\n"));
asprintf(&filename, "%s/rsa_key.priv", confbase);
- f = ask_and_open(filename, _("private RSA key"), "a");
+ f = ask_and_open(filename, _("private RSA key"));
if(!f)
return false;
+
+ if(disable_old_keys(f))
+ fprintf(stderr, _("Warning: old key(s) found and disabled.\n"));
#ifdef HAVE_FCHMOD
/* Make it unreadable for others. */
fchmod(fileno(f), 0600);
#endif
- if(ftell(f))
- fprintf(stderr, _("Appending key to existing contents.\nMake sure only one key is stored in the file.\n"));
-
PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL);
fclose(f);
free(filename);
- get_config_string(lookup_config(config_tree, "Name"), &name);
-
if(name)
asprintf(&filename, "%s/hosts/%s", confbase, name);
else
asprintf(&filename, "%s/rsa_key.pub", confbase);
- f = ask_and_open(filename, _("public RSA key"), "a");
+ f = ask_and_open(filename, _("public RSA key"));
if(!f)
return false;
- if(ftell(f))
- fprintf(stderr, _("Appending key to existing contents.\nMake sure only one key is stored in the file.\n"));
+ if(disable_old_keys(f))
+ fprintf(stderr, _("Warning: old key(s) found and disabled.\n"));
PEM_write_RSAPublicKey(f, rsa_key);
fclose(f);
free(filename);
+ if(name)
+ free(name);
return true;
}
if (confbase) free(confbase);
}
+static bool drop_privs() {
+#ifdef HAVE_MINGW
+ if (switchuser) {
+ logger(LOG_ERR, _("%s not supported on this platform"), "-U");
+ return false;
+ }
+ if (do_chroot) {
+ logger(LOG_ERR, _("%s not supported on this platform"), "-R");
+ return false;
+ }
+#else
+ uid_t uid = 0;
+ if (switchuser) {
+ struct passwd *pw = getpwnam(switchuser);
+ if (!pw) {
+ logger(LOG_ERR, _("unknown user `%s'"), switchuser);
+ return false;
+ }
+ uid = pw->pw_uid;
+ if (initgroups(switchuser, pw->pw_gid) != 0 ||
+ setgid(pw->pw_gid) != 0) {
+ logger(LOG_ERR, _("System call `%s' failed: %s"),
+ "initgroups", strerror(errno));
+ return false;
+ }
+ endgrent();
+ endpwent();
+ }
+ if (do_chroot) {
+ tzset(); /* for proper timestamps in logs */
+ if (chroot(confbase) != 0 || chdir("/") != 0) {
+ logger(LOG_ERR, _("System call `%s' failed: %s"),
+ "chroot", strerror(errno));
+ return false;
+ }
+ free(confbase);
+ confbase = xstrdup("");
+ }
+ if (switchuser)
+ if (setuid(uid) != 0) {
+ logger(LOG_ERR, _("System call `%s' failed: %s"),
+ "setuid", strerror(errno));
+ return false;
+ }
+#endif
+ return true;
+}
+
int main(int argc, char **argv)
{
program_name = argv[0];
if(show_version) {
printf(_("%s version %s (built %s %s, protocol %d)\n"), PACKAGE,
VERSION, __DATE__, __TIME__, PROT_CURRENT);
- printf(_("Copyright (C) 1998-2008 Ivo Timmermans, Guus Sliepen and others.\n"
+ printf(_("Copyright (C) 1998-2009 Ivo Timmermans, Guus Sliepen and others.\n"
"See the AUTHORS file for a complete list.\n\n"
"tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n"
"and you are welcome to redistribute it under certain conditions;\n"
openlogger("tinc", use_logfile?LOGMODE_FILE:LOGMODE_STDERR);
- /* Lock all pages into memory if requested */
-
- if(do_mlock)
-#ifdef HAVE_MLOCKALL
- if(mlockall(MCL_CURRENT | MCL_FUTURE)) {
- logger(LOG_ERR, _("System call `%s' failed: %s"), "mlockall",
- strerror(errno));
-#else
- {
- logger(LOG_ERR, _("mlockall() not supported on this platform!"));
-#endif
- return -1;
- }
-
g_argv = argv;
init_configuration(&config_tree);
if(!detach())
return 1;
-
+
+#ifdef HAVE_MLOCKALL
+ /* Lock all pages into memory if requested.
+ * This has to be done after daemon()/fork() so it works for child.
+ * No need to do that in parent as it's very short-lived. */
+ if(do_mlock && mlockall(MCL_CURRENT | MCL_FUTURE) != 0) {
+ logger(LOG_ERR, _("System call `%s' failed: %s"), "mlockall",
+ strerror(errno));
+ return 1;
+ }
+#endif
/* Setup sockets and open device. */
- if(!setup_network_connections())
+ if(!setup_network())
goto end;
+ /* Change process priority */
+
+ char *priority = 0;
+
+ if(get_config_string(lookup_config(config_tree, "ProcessPriority"), &priority)) {
+ if(!strcasecmp(priority, "Normal")) {
+#ifdef HAVE_MINGW
+ SetPriorityClass(GetCurrentProcess(), NORMAL_PRIORITY_CLASS);
+#else
+ nice(0);
+#endif
+ } else if(!strcasecmp(priority, "Low")) {
+#ifdef HAVE_MINGW
+ SetPriorityClass(GetCurrentProcess(), BELOW_NORMAL_PRIORITY_CLASS);
+#else
+ nice(10);
+#endif
+ } else if(!strcasecmp(priority, "High")) {
+#ifdef HAVE_MINGW
+ SetPriorityClass(GetCurrentProcess(), HIGH_PRIORITY_CLASS);
+#else
+ nice(-10);
+#endif
+ } else {
+ logger(LOG_ERR, _("Invalid priority `%s`!"), priority);
+ goto end;
+ }
+ }
+
+ /* drop privileges */
+ if (!drop_privs())
+ goto end;
+
+ /* Initiate all outgoing connections. */
+
+ try_outgoing_connections();
+
/* Start main loop. It only exits when tinc is killed. */
status = main_loop();
exit_configuration(&config_tree);
free_names();
-
+
return status;
}