X-Git-Url: http://git.meshlink.io/?a=blobdiff_plain;f=src%2Ftincd.c;h=48f5faf88ce2dd987a18f84643dda8902a09f8cb;hb=075e6828a7533e7daa790225f17aa6bb39703278;hp=c0c12addae28f763228cb3f56c4430b068610998;hpb=f8733d1935ed83399c4851a31f4be710eb8c825f;p=meshlink

diff --git a/src/tincd.c b/src/tincd.c
index c0c12add..48f5faf8 100644
--- a/src/tincd.c
+++ b/src/tincd.c
@@ -1,7 +1,7 @@
 /*
     tincd.c -- the main file for tincd
     Copyright (C) 1998-2005 Ivo Timmermans
-                  2000-2007 Guus Sliepen <guus@tinc-vpn.org>
+                  2000-2009 Guus Sliepen <guus@tinc-vpn.org>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -33,6 +33,12 @@
 
 #include LZO1X_H
 
+#ifndef HAVE_MINGW
+#include <pwd.h>
+#include <grp.h>
+#include <time.h>
+#endif
+
 #include <getopt.h>
 
 #include "conf.h"
@@ -62,6 +68,12 @@ bool bypass_security = false;
 /* If nonzero, disable swapping for this process. */
 bool do_mlock = false;
 
+/* If nonzero, chroot to netdir after startup. */
+static bool do_chroot = false;
+
+/* If !NULL, do setuid to given user after startup */
+static const char *switchuser = NULL;
+
 /* If nonzero, write log entries to a separate file. */
 bool use_logfile = false;
 
@@ -81,6 +93,8 @@ static struct option const long_options[] = {
 	{"debug", optional_argument, NULL, 'd'},
 	{"bypass-security", no_argument, NULL, 3},
 	{"mlock", no_argument, NULL, 'L'},
+	{"chroot", no_argument, NULL, 'R'},
+	{"user", required_argument, NULL, 'U'},
 	{"logfile", optional_argument, NULL, 4},
 	{"controlsocket", required_argument, NULL, 5},
 	{NULL, 0, NULL, 0}
@@ -88,6 +102,7 @@ static struct option const long_options[] = {
 
 #ifdef HAVE_MINGW
 static struct WSAData wsa_state;
+CRITICAL_SECTION mutex;
 #endif
 
 static void usage(bool status)
@@ -104,7 +119,9 @@ static void usage(bool status)
 				"  -L, --mlock                   Lock tinc into main memory.\n"
 				"      --logfile[=FILENAME]      Write log entries to a logfile.\n"
 				"      --controlsocket=FILENAME  Open control socket at FILENAME.\n"
-				"      --help                    Display this help and exit.\n"
+				"      --bypass-security         Disables meta protocol security, for debugging.\n"
+				"  -R, --chroot                  chroot to NET dir at startup.\n"
+				"  -U, --user=USER               setuid to given USER at startup.\n"				"      --help                    Display this help and exit.\n"
 				"      --version                 Output version information and exit.\n\n"));
 		printf(_("Report bugs to tinc@tinc-vpn.org.\n"));
 	}
@@ -115,7 +132,7 @@ static bool parse_options(int argc, char **argv)
 	int r;
 	int option_index = 0;
 
-	while((r = getopt_long(argc, argv, "c:DLd::n:", long_options, &option_index)) != EOF) {
+	while((r = getopt_long(argc, argv, "c:DLd::n:RU:", long_options, &option_index)) != EOF) {
 		switch (r) {
 			case 0:				/* long option */
 				break;
@@ -129,8 +146,13 @@ static bool parse_options(int argc, char **argv)
 				break;
 
 			case 'L':				/* no detach */
+#ifndef HAVE_MLOCKALL
+				logger(LOG_ERR, _("%s not supported on this platform"), "mlockall()");
+				return false;
+#else
 				do_mlock = true;
 				break;
+#endif
 
 			case 'd':				/* inc debug level */
 				if(optarg)
@@ -143,6 +165,14 @@ static bool parse_options(int argc, char **argv)
 				netname = xstrdup(optarg);
 				break;
 
+			case 'R':				/* chroot to NETNAME dir */
+				do_chroot = true;
+				break;
+
+			case 'U':				/* setuid to USER */
+				switchuser = optarg;
+				break;
+
 			case 1:					/* show help */
 				show_help = true;
 				break;
@@ -185,11 +215,11 @@ static void make_names(void)
 #ifdef HAVE_MINGW
 	HKEY key;
 	char installdir[1024] = "";
-	long len = sizeof(installdir);
+	long len = sizeof installdir;
 #endif
 
 	if(netname)
-		asprintf(&identname, "tinc.%s", netname);
+		xasprintf(&identname, "tinc.%s", netname);
 	else
 		identname = xstrdup("tinc");
 
@@ -197,12 +227,12 @@ static void make_names(void)
 	if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) {
 		if(!RegQueryValueEx(key, NULL, 0, 0, installdir, &len)) {
 			if(!logfilename)
-				asprintf(&logfilename, "%s/log/%s.log", identname);
+				xasprintf(&logfilename, "%s/log/%s.log", identname);
 			if(!confbase) {
 				if(netname)
-					asprintf(&confbase, "%s/%s", installdir, netname);
+					xasprintf(&confbase, "%s/%s", installdir, netname);
 				else
-					asprintf(&confbase, "%s", installdir);
+					xasprintf(&confbase, "%s", installdir);
 			}
 		}
 		RegCloseKey(key);
@@ -212,22 +242,87 @@ static void make_names(void)
 #endif
 
 	if(!controlsocketname)
-		asprintf(&controlsocketname, LOCALSTATEDIR "/run/%s.control", identname);
+		xasprintf(&controlsocketname, "%s/run/%s.control/socket", LOCALSTATEDIR, identname);
 
 	if(!logfilename)
-		asprintf(&logfilename, LOCALSTATEDIR "/log/%s.log", identname);
+		xasprintf(&logfilename, LOCALSTATEDIR "/log/%s.log", identname);
 
 	if(netname) {
 		if(!confbase)
-			asprintf(&confbase, CONFDIR "/tinc/%s", netname);
+			xasprintf(&confbase, CONFDIR "/tinc/%s", netname);
 		else
 			logger(LOG_INFO, _("Both netname and configuration directory given, using the latter..."));
 	} else {
 		if(!confbase)
-			asprintf(&confbase, CONFDIR "/tinc");
+			xasprintf(&confbase, CONFDIR "/tinc");
+	}
+}
+
+static void free_names() {
+	if (identname) free(identname);
+	if (netname) free(netname);
+	if (controlsocketname) free(controlsocketname);
+	if (logfilename) free(logfilename);
+	if (confbase) free(confbase);
+}
+
+static bool drop_privs() {
+#ifdef HAVE_MINGW
+	if (switchuser) {
+		logger(LOG_ERR, _("%s not supported on this platform"), "-U");
+		return false;
+	}
+	if (do_chroot) {
+		logger(LOG_ERR, _("%s not supported on this platform"), "-R");
+		return false;
+	}
+#else
+	uid_t uid = 0;
+	if (switchuser) {
+		struct passwd *pw = getpwnam(switchuser);
+		if (!pw) {
+			logger(LOG_ERR, _("unknown user `%s'"), switchuser);
+			return false;
+		}
+		uid = pw->pw_uid;
+		if (initgroups(switchuser, pw->pw_gid) != 0 ||
+		    setgid(pw->pw_gid) != 0) {
+			logger(LOG_ERR, _("System call `%s' failed: %s"),
+			       "initgroups", strerror(errno));
+			return false;
+		}
+		endgrent();
+		endpwent();
+	}
+	if (do_chroot) {
+		tzset();	/* for proper timestamps in logs */
+		if (chroot(confbase) != 0 || chdir("/") != 0) {
+			logger(LOG_ERR, _("System call `%s' failed: %s"),
+			       "chroot", strerror(errno));
+			return false;
+		}
+		free(confbase);
+		confbase = xstrdup("");
 	}
+	if (switchuser)
+		if (setuid(uid) != 0) {
+			logger(LOG_ERR, _("System call `%s' failed: %s"),
+			       "setuid", strerror(errno));
+			return false;
+		}
+#endif
+	return true;
 }
 
+#ifdef HAVE_MINGW
+# define setpriority(level) SetPriorityClass(GetCurrentProcess(), level)
+#else
+# define NORMAL_PRIORITY_CLASS 0
+# define BELOW_NORMAL_PRIORITY_CLASS 10
+# define HIGH_PRIORITY_CLASS -10
+# define setpriority(level) nice(level)
+#endif
+
 int main(int argc, char **argv)
 {
 	program_name = argv[0];
@@ -244,7 +339,7 @@ int main(int argc, char **argv)
 	if(show_version) {
 		printf(_("%s version %s (built %s %s, protocol %d)\n"), PACKAGE,
 			   VERSION, __DATE__, __TIME__, PROT_CURRENT);
-		printf(_("Copyright (C) 1998-2007 Ivo Timmermans, Guus Sliepen and others.\n"
+		printf(_("Copyright (C) 1998-2009 Ivo Timmermans, Guus Sliepen and others.\n"
 				"See the AUTHORS file for a complete list.\n\n"
 				"tinc comes with ABSOLUTELY NO WARRANTY.  This is free software,\n"
 				"and you are welcome to redistribute it under certain conditions;\n"
@@ -268,20 +363,6 @@ int main(int argc, char **argv)
 	if(!init_control())
 		return 1;
 
-	/* Lock all pages into memory if requested */
-
-	if(do_mlock)
-#ifdef HAVE_MLOCKALL
-		if(mlockall(MCL_CURRENT | MCL_FUTURE)) {
-			logger(LOG_ERR, _("System call `%s' failed: %s"), "mlockall",
-				   strerror(errno));
-#else
-	{
-		logger(LOG_ERR, _("mlockall() not supported on this platform!"));
-#endif
-		return -1;
-	}
-
 	g_argv = argv;
 
 	init_configuration(&config_tree);
@@ -313,15 +394,52 @@ int main(int argc, char **argv)
 
 int main2(int argc, char **argv)
 {
+	InitializeCriticalSection(&mutex);
+	EnterCriticalSection(&mutex);
 #endif
 
 	if(!detach())
 		return 1;
-		
+
+#ifdef HAVE_MLOCKALL
+	/* Lock all pages into memory if requested.
+	 * This has to be done after daemon()/fork() so it works for child.
+	 * No need to do that in parent as it's very short-lived. */
+	if(do_mlock && mlockall(MCL_CURRENT | MCL_FUTURE) != 0) {
+		logger(LOG_ERR, _("System call `%s' failed: %s"), "mlockall",
+		   strerror(errno));
+		return 1;
+	}
+#endif
 
 	/* Setup sockets and open device. */
 
-	if(!setup_network_connections())
+	if(!setup_network())
+		goto end;
+
+	/* Initiate all outgoing connections. */
+
+	try_outgoing_connections();
+
+	/* Change process priority */
+
+        char *priority = 0;
+
+        if(get_config_string(lookup_config(config_tree, "ProcessPriority"), &priority)) {
+                if(!strcasecmp(priority, "Normal"))
+                        setpriority(NORMAL_PRIORITY_CLASS);
+                else if(!strcasecmp(priority, "Low"))
+                        setpriority(BELOW_NORMAL_PRIORITY_CLASS);
+                else if(!strcasecmp(priority, "High"))
+                        setpriority(HIGH_PRIORITY_CLASS);
+                else {
+                        logger(LOG_ERR, _("Invalid priority `%s`!"), priority);
+                        goto end;
+                }
+        }
+
+	/* drop privileges */
+	if (!drop_privs())
 		goto end;
 
 	/* Start main loop. It only exits when tinc is killed. */
@@ -330,11 +448,11 @@ int main2(int argc, char **argv)
 
 	/* Shutdown properly. */
 
-	close_network_connections();
-
 	ifdebug(CONNECTIONS)
 		dump_device_stats();
 
+	close_network_connections();
+
 end:
 	logger(LOG_NOTICE, _("Terminating"));
 
@@ -344,5 +462,8 @@ end:
 
 	crypto_exit();
 
+	exit_configuration(&config_tree);
+	free_names();
+
 	return status;
 }