X-Git-Url: http://git.meshlink.io/?p=meshlink;a=blobdiff_plain;f=src%2Ftincd.c;h=48f5faf88ce2dd987a18f84643dda8902a09f8cb;hp=457aafd3369767f5d8aefcb4b276b0961a119f0d;hb=075e6828a7533e7daa790225f17aa6bb39703278;hpb=b0a80007e8945a11d7ce25aab096c5ee58ce0ad5 diff --git a/src/tincd.c b/src/tincd.c index 457aafd3..48f5faf8 100644 --- a/src/tincd.c +++ b/src/tincd.c @@ -1,7 +1,7 @@ /* tincd.c -- the main file for tincd - Copyright (C) 1998-2004 Ivo Timmermans - 2000-2004 Guus Sliepen + Copyright (C) 1998-2005 Ivo Timmermans + 2000-2009 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -31,17 +31,19 @@ #include #endif -#include -#include -#include -#include +#include LZO1X_H -#include +#ifndef HAVE_MINGW +#include +#include +#include +#endif #include -#include "pidfile.h" #include "conf.h" +#include "control.h" +#include "crypto.h" #include "device.h" #include "logger.h" #include "net.h" @@ -60,23 +62,23 @@ bool show_help = false; /* If nonzero, print the version on standard output and exit. */ bool show_version = false; -/* If nonzero, it will attempt to kill a running tincd and exit. */ -int kill_tincd = 0; - -/* If nonzero, generate public/private keypair for this host/net. */ -int generate_keys = 0; - /* If nonzero, use null ciphers and skip all key exchanges. */ bool bypass_security = false; /* If nonzero, disable swapping for this process. */ bool do_mlock = false; +/* If nonzero, chroot to netdir after startup. */ +static bool do_chroot = false; + +/* If !NULL, do setuid to given user after startup */ +static const char *switchuser = NULL; + /* If nonzero, write log entries to a separate file. */ bool use_logfile = false; char *identname = NULL; /* program name for syslog */ -char *pidfilename = NULL; /* pid file location */ +char *controlsocketname = NULL; /* control socket location */ char *logfilename = NULL; /* log file location */ char **g_argv; /* a copy of the cmdline arguments */ @@ -84,22 +86,23 @@ static int status; static struct option const long_options[] = { {"config", required_argument, NULL, 'c'}, - {"kill", optional_argument, NULL, 'k'}, {"net", required_argument, NULL, 'n'}, {"help", no_argument, NULL, 1}, {"version", no_argument, NULL, 2}, {"no-detach", no_argument, NULL, 'D'}, - {"generate-keys", optional_argument, NULL, 'K'}, {"debug", optional_argument, NULL, 'd'}, {"bypass-security", no_argument, NULL, 3}, {"mlock", no_argument, NULL, 'L'}, + {"chroot", no_argument, NULL, 'R'}, + {"user", required_argument, NULL, 'U'}, {"logfile", optional_argument, NULL, 4}, - {"pidfile", required_argument, NULL, 5}, + {"controlsocket", required_argument, NULL, 5}, {NULL, 0, NULL, 0} }; #ifdef HAVE_MINGW static struct WSAData wsa_state; +CRITICAL_SECTION mutex; #endif static void usage(bool status) @@ -109,17 +112,17 @@ static void usage(bool status) program_name); else { printf(_("Usage: %s [option]...\n\n"), program_name); - printf(_(" -c, --config=DIR Read configuration options from DIR.\n" - " -D, --no-detach Don't fork and detach.\n" - " -d, --debug[=LEVEL] Increase debug level or set it to LEVEL.\n" - " -k, --kill[=SIGNAL] Attempt to kill a running tincd and exit.\n" - " -n, --net=NETNAME Connect to net NETNAME.\n" - " -K, --generate-keys[=BITS] Generate public/private RSA keypair.\n" - " -L, --mlock Lock tinc into main memory.\n" - " --logfile[=FILENAME] Write log entries to a logfile.\n" - " --pidfile=FILENAME Write PID to FILENAME.\n" - " --help Display this help and exit.\n" - " --version Output version information and exit.\n\n")); + printf(_( " -c, --config=DIR Read configuration options from DIR.\n" + " -D, --no-detach Don't fork and detach.\n" + " -d, --debug[=LEVEL] Increase debug level or set it to LEVEL.\n" + " -n, --net=NETNAME Connect to net NETNAME.\n" + " -L, --mlock Lock tinc into main memory.\n" + " --logfile[=FILENAME] Write log entries to a logfile.\n" + " --controlsocket=FILENAME Open control socket at FILENAME.\n" + " --bypass-security Disables meta protocol security, for debugging.\n" + " -R, --chroot chroot to NET dir at startup.\n" + " -U, --user=USER setuid to given USER at startup.\n" " --help Display this help and exit.\n" + " --version Output version information and exit.\n\n")); printf(_("Report bugs to tinc@tinc-vpn.org.\n")); } } @@ -129,7 +132,7 @@ static bool parse_options(int argc, char **argv) int r; int option_index = 0; - while((r = getopt_long(argc, argv, "c:DLd::k::n:K::", long_options, &option_index)) != EOF) { + while((r = getopt_long(argc, argv, "c:DLd::n:RU:", long_options, &option_index)) != EOF) { switch (r) { case 0: /* long option */ break; @@ -143,8 +146,13 @@ static bool parse_options(int argc, char **argv) break; case 'L': /* no detach */ +#ifndef HAVE_MLOCKALL + logger(LOG_ERR, _("%s not supported on this platform"), "mlockall()"); + return false; +#else do_mlock = true; break; +#endif case 'd': /* inc debug level */ if(optarg) @@ -153,60 +161,16 @@ static bool parse_options(int argc, char **argv) debug_level++; break; - case 'k': /* kill old tincds */ -#ifndef HAVE_MINGW - if(optarg) { - if(!strcasecmp(optarg, "HUP")) - kill_tincd = SIGHUP; - else if(!strcasecmp(optarg, "TERM")) - kill_tincd = SIGTERM; - else if(!strcasecmp(optarg, "KILL")) - kill_tincd = SIGKILL; - else if(!strcasecmp(optarg, "USR1")) - kill_tincd = SIGUSR1; - else if(!strcasecmp(optarg, "USR2")) - kill_tincd = SIGUSR2; - else if(!strcasecmp(optarg, "WINCH")) - kill_tincd = SIGWINCH; - else if(!strcasecmp(optarg, "INT")) - kill_tincd = SIGINT; - else if(!strcasecmp(optarg, "ALRM")) - kill_tincd = SIGALRM; - else { - kill_tincd = atoi(optarg); - - if(!kill_tincd) { - fprintf(stderr, _("Invalid argument `%s'; SIGNAL must be a number or one of HUP, TERM, KILL, USR1, USR2, WINCH, INT or ALRM.\n"), - optarg); - usage(true); - return false; - } - } - } else - kill_tincd = SIGTERM; -#else - kill_tincd = 1; -#endif - break; - case 'n': /* net name given */ netname = xstrdup(optarg); break; - case 'K': /* generate public/private keypair */ - if(optarg) { - generate_keys = atoi(optarg); - - if(generate_keys < 512) { - fprintf(stderr, _("Invalid argument `%s'; BITS must be a number equal to or greater than 512.\n"), - optarg); - usage(true); - return false; - } + case 'R': /* chroot to NETNAME dir */ + do_chroot = true; + break; - generate_keys &= ~7; /* Round it to bytes */ - } else - generate_keys = 1024; + case 'U': /* setuid to USER */ + switchuser = optarg; break; case 1: /* show help */ @@ -227,8 +191,8 @@ static bool parse_options(int argc, char **argv) logfilename = xstrdup(optarg); break; - case 5: /* write PID to a file */ - pidfilename = xstrdup(optarg); + case 5: /* open control socket here */ + controlsocketname = xstrdup(optarg); break; case '?': @@ -243,103 +207,6 @@ static bool parse_options(int argc, char **argv) return true; } -/* This function prettyprints the key generation process */ - -static void indicator(int a, int b, void *p) -{ - switch (a) { - case 0: - fprintf(stderr, "."); - break; - - case 1: - fprintf(stderr, "+"); - break; - - case 2: - fprintf(stderr, "-"); - break; - - case 3: - switch (b) { - case 0: - fprintf(stderr, " p\n"); - break; - - case 1: - fprintf(stderr, " q\n"); - break; - - default: - fprintf(stderr, "?"); - } - break; - - default: - fprintf(stderr, "?"); - } -} - -/* - Generate a public/private RSA keypair, and ask for a file to store - them in. -*/ -static bool keygen(int bits) -{ - RSA *rsa_key; - FILE *f; - char *name = NULL; - char *filename; - - fprintf(stderr, _("Generating %d bits keys:\n"), bits); - rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL); - - if(!rsa_key) { - fprintf(stderr, _("Error during key generation!\n")); - return false; - } else - fprintf(stderr, _("Done.\n")); - - asprintf(&filename, "%s/rsa_key.priv", confbase); - f = ask_and_open(filename, _("private RSA key"), "a"); - - if(!f) - return false; - -#ifdef HAVE_FCHMOD - /* Make it unreadable for others. */ - fchmod(fileno(f), 0600); -#endif - - if(ftell(f)) - fprintf(stderr, _("Appending key to existing contents.\nMake sure only one key is stored in the file.\n")); - - PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL); - fclose(f); - free(filename); - - get_config_string(lookup_config(config_tree, "Name"), &name); - - if(name) - asprintf(&filename, "%s/hosts/%s", confbase, name); - else - asprintf(&filename, "%s/rsa_key.pub", confbase); - - f = ask_and_open(filename, _("public RSA key"), "a"); - - if(!f) - return false; - - if(ftell(f)) - fprintf(stderr, _("Appending key to existing contents.\nMake sure only one key is stored in the file.\n")); - - PEM_write_RSAPublicKey(f, rsa_key); - fclose(f); - free(filename); - - return true; -} - /* Set all files and paths according to netname */ @@ -348,11 +215,11 @@ static void make_names(void) #ifdef HAVE_MINGW HKEY key; char installdir[1024] = ""; - long len = sizeof(installdir); + long len = sizeof installdir; #endif if(netname) - asprintf(&identname, "tinc.%s", netname); + xasprintf(&identname, "tinc.%s", netname); else identname = xstrdup("tinc"); @@ -360,12 +227,12 @@ static void make_names(void) if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) { if(!RegQueryValueEx(key, NULL, 0, 0, installdir, &len)) { if(!logfilename) - asprintf(&logfilename, "%s/log/%s.log", identname); + xasprintf(&logfilename, "%s/log/%s.log", identname); if(!confbase) { if(netname) - asprintf(&confbase, "%s/%s", installdir, netname); + xasprintf(&confbase, "%s/%s", installdir, netname); else - asprintf(&confbase, "%s", installdir); + xasprintf(&confbase, "%s", installdir); } } RegCloseKey(key); @@ -374,23 +241,88 @@ static void make_names(void) } #endif - if(!pidfilename) - asprintf(&pidfilename, LOCALSTATEDIR "/run/%s.pid", identname); + if(!controlsocketname) + xasprintf(&controlsocketname, "%s/run/%s.control/socket", LOCALSTATEDIR, identname); if(!logfilename) - asprintf(&logfilename, LOCALSTATEDIR "/log/%s.log", identname); + xasprintf(&logfilename, LOCALSTATEDIR "/log/%s.log", identname); if(netname) { if(!confbase) - asprintf(&confbase, CONFDIR "/tinc/%s", netname); + xasprintf(&confbase, CONFDIR "/tinc/%s", netname); else logger(LOG_INFO, _("Both netname and configuration directory given, using the latter...")); } else { if(!confbase) - asprintf(&confbase, CONFDIR "/tinc"); + xasprintf(&confbase, CONFDIR "/tinc"); } } +static void free_names() { + if (identname) free(identname); + if (netname) free(netname); + if (controlsocketname) free(controlsocketname); + if (logfilename) free(logfilename); + if (confbase) free(confbase); +} + +static bool drop_privs() { +#ifdef HAVE_MINGW + if (switchuser) { + logger(LOG_ERR, _("%s not supported on this platform"), "-U"); + return false; + } + if (do_chroot) { + logger(LOG_ERR, _("%s not supported on this platform"), "-R"); + return false; + } +#else + uid_t uid = 0; + if (switchuser) { + struct passwd *pw = getpwnam(switchuser); + if (!pw) { + logger(LOG_ERR, _("unknown user `%s'"), switchuser); + return false; + } + uid = pw->pw_uid; + if (initgroups(switchuser, pw->pw_gid) != 0 || + setgid(pw->pw_gid) != 0) { + logger(LOG_ERR, _("System call `%s' failed: %s"), + "initgroups", strerror(errno)); + return false; + } + endgrent(); + endpwent(); + } + if (do_chroot) { + tzset(); /* for proper timestamps in logs */ + if (chroot(confbase) != 0 || chdir("/") != 0) { + logger(LOG_ERR, _("System call `%s' failed: %s"), + "chroot", strerror(errno)); + return false; + } + free(confbase); + confbase = xstrdup(""); + } + if (switchuser) + if (setuid(uid) != 0) { + logger(LOG_ERR, _("System call `%s' failed: %s"), + "setuid", strerror(errno)); + return false; + } +#endif + return true; +} + +#ifdef HAVE_MINGW +# define setpriority(level) SetPriorityClass(GetCurrentProcess(), level) +#else +# define NORMAL_PRIORITY_CLASS 0 +# define BELOW_NORMAL_PRIORITY_CLASS 10 +# define HIGH_PRIORITY_CLASS -10 +# define setpriority(level) nice(level) +#endif + int main(int argc, char **argv) { program_name = argv[0]; @@ -407,7 +339,7 @@ int main(int argc, char **argv) if(show_version) { printf(_("%s version %s (built %s %s, protocol %d)\n"), PACKAGE, VERSION, __DATE__, __TIME__, PROT_CURRENT); - printf(_("Copyright (C) 1998-2004 Ivo Timmermans, Guus Sliepen and others.\n" + printf(_("Copyright (C) 1998-2009 Ivo Timmermans, Guus Sliepen and others.\n" "See the AUTHORS file for a complete list.\n\n" "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n" "and you are welcome to redistribute it under certain conditions;\n" @@ -421,39 +353,24 @@ int main(int argc, char **argv) return 0; } - if(kill_tincd) - return !kill_other(kill_tincd); - openlogger("tinc", use_logfile?LOGMODE_FILE:LOGMODE_STDERR); - /* Lock all pages into memory if requested */ - - if(do_mlock) -#ifdef HAVE_MLOCKALL - if(mlockall(MCL_CURRENT | MCL_FUTURE)) { - logger(LOG_ERR, _("System call `%s' failed: %s"), "mlockall", - strerror(errno)); -#else - { - logger(LOG_ERR, _("mlockall() not supported on this platform!")); -#endif - return -1; + if(!event_init()) { + logger(LOG_ERR, _("Error initializing libevent!")); + return 1; } + if(!init_control()) + return 1; + g_argv = argv; init_configuration(&config_tree); /* Slllluuuuuuurrrrp! */ - RAND_load_file("/dev/urandom", 1024); - - OpenSSL_add_all_algorithms(); - - if(generate_keys) { - read_server_config(); - return !keygen(generate_keys); - } + srand(time(NULL)); + crypto_init(); if(!read_server_config()) return 1; @@ -477,15 +394,52 @@ int main(int argc, char **argv) int main2(int argc, char **argv) { + InitializeCriticalSection(&mutex); + EnterCriticalSection(&mutex); #endif if(!detach()) return 1; - + +#ifdef HAVE_MLOCKALL + /* Lock all pages into memory if requested. + * This has to be done after daemon()/fork() so it works for child. + * No need to do that in parent as it's very short-lived. */ + if(do_mlock && mlockall(MCL_CURRENT | MCL_FUTURE) != 0) { + logger(LOG_ERR, _("System call `%s' failed: %s"), "mlockall", + strerror(errno)); + return 1; + } +#endif /* Setup sockets and open device. */ - if(!setup_network_connections()) + if(!setup_network()) + goto end; + + /* Initiate all outgoing connections. */ + + try_outgoing_connections(); + + /* Change process priority */ + + char *priority = 0; + + if(get_config_string(lookup_config(config_tree, "ProcessPriority"), &priority)) { + if(!strcasecmp(priority, "Normal")) + setpriority(NORMAL_PRIORITY_CLASS); + else if(!strcasecmp(priority, "Low")) + setpriority(BELOW_NORMAL_PRIORITY_CLASS); + else if(!strcasecmp(priority, "High")) + setpriority(HIGH_PRIORITY_CLASS); + else { + logger(LOG_ERR, _("Invalid priority `%s`!"), priority); + goto end; + } + } + + /* drop privileges */ + if (!drop_privs()) goto end; /* Start main loop. It only exits when tinc is killed. */ @@ -494,17 +448,22 @@ int main2(int argc, char **argv) /* Shutdown properly. */ - close_network_connections(); - ifdebug(CONNECTIONS) dump_device_stats(); + close_network_connections(); + end: logger(LOG_NOTICE, _("Terminating")); #ifndef HAVE_MINGW - remove_pid(pidfilename); + exit_control(); #endif - + + crypto_exit(); + + exit_configuration(&config_tree); + free_names(); + return status; }