X-Git-Url: https://www.tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Ftincd.c;h=a13e2661046f58d2ca64df3a423e1e0a1e492f17;hp=4aba579fa5388a948bbdb5a62487dfd7ac8cd9b5;hb=73d77dd416b87b7c4e9b6aa450f64846235cd2b4;hpb=e6e32814584f82ee61f658a71cb435bbb491bd39 diff --git a/src/tincd.c b/src/tincd.c index 4aba579f..a13e2661 100644 --- a/src/tincd.c +++ b/src/tincd.c @@ -1,7 +1,7 @@ /* tincd.c -- the main file for tincd - Copyright (C) 1998-2003 Ivo Timmermans - 2000-2003 Guus Sliepen + Copyright (C) 1998-2005 Ivo Timmermans + 2000-2009 Guus Sliepen This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -17,7 +17,7 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - $Id: tincd.c,v 1.10.4.81 2003/08/02 21:33:52 guus Exp $ + $Id$ */ #include "system.h" @@ -35,10 +35,18 @@ #include #include #include +#include -#include +#include LZO1X_H + +#ifndef HAVE_MINGW +#include +#include +#include +#endif #include +#include "pidfile.h" #include "conf.h" #include "device.h" @@ -71,6 +79,12 @@ bool bypass_security = false; /* If nonzero, disable swapping for this process. */ bool do_mlock = false; +/* If nonzero, chroot to netdir after startup. */ +static bool do_chroot = false; + +/* If !NULL, do setuid to given user after startup */ +static const char *switchuser = NULL; + /* If nonzero, write log entries to a separate file. */ bool use_logfile = false; @@ -79,7 +93,7 @@ char *pidfilename = NULL; /* pid file location */ char *logfilename = NULL; /* log file location */ char **g_argv; /* a copy of the cmdline arguments */ -int exitstatus = 0; +static int status; static struct option const long_options[] = { {"config", required_argument, NULL, 'c'}, @@ -92,6 +106,8 @@ static struct option const long_options[] = { {"debug", optional_argument, NULL, 'd'}, {"bypass-security", no_argument, NULL, 3}, {"mlock", no_argument, NULL, 'L'}, + {"chroot", no_argument, NULL, 'R'}, + {"user", required_argument, NULL, 'U'}, {"logfile", optional_argument, NULL, 4}, {"pidfile", required_argument, NULL, 5}, {NULL, 0, NULL, 0} @@ -117,9 +133,11 @@ static void usage(bool status) " -L, --mlock Lock tinc into main memory.\n" " --logfile[=FILENAME] Write log entries to a logfile.\n" " --pidfile=FILENAME Write PID to FILENAME.\n" + " -R, --chroot chroot to NET dir at startup.\n" + " -U, --user=USER setuid to given USER at startup.\n" " --help Display this help and exit.\n" " --version Output version information and exit.\n\n")); - printf(_("Report bugs to tinc@nl.linux.org.\n")); + printf(_("Report bugs to tinc@tinc-vpn.org.\n")); } } @@ -128,7 +146,7 @@ static bool parse_options(int argc, char **argv) int r; int option_index = 0; - while((r = getopt_long(argc, argv, "c:DLd::k::n:K::", long_options, &option_index)) != EOF) { + while((r = getopt_long(argc, argv, "c:DLd::k::n:K::RU:", long_options, &option_index)) != EOF) { switch (r) { case 0: /* long option */ break; @@ -142,8 +160,13 @@ static bool parse_options(int argc, char **argv) break; case 'L': /* no detach */ +#ifndef HAVE_MLOCKALL + logger(LOG_ERR, _("%s not supported on this platform"), "mlockall()"); + return false; +#else do_mlock = true; break; +#endif case 'd': /* inc debug level */ if(optarg) @@ -208,6 +231,14 @@ static bool parse_options(int argc, char **argv) generate_keys = 1024; break; + case 'R': /* chroot to NETNAME dir */ + do_chroot = true; + break; + + case 'U': /* setuid to USER */ + switchuser = optarg; + break; + case 1: /* show help */ show_help = true; break; @@ -290,8 +321,15 @@ static bool keygen(int bits) char *name = NULL; char *filename; + get_config_string(lookup_config(config_tree, "Name"), &name); + + if(name && !check_id(name)) { + fprintf(stderr, _("Invalid name for myself!\n")); + return false; + } + fprintf(stderr, _("Generating %d bits keys:\n"), bits); - rsa_key = RSA_generate_key(bits, 0xFFFF, indicator, NULL); + rsa_key = RSA_generate_key(bits, 0x10001, indicator, NULL); if(!rsa_key) { fprintf(stderr, _("Error during key generation!\n")); @@ -299,37 +337,42 @@ static bool keygen(int bits) } else fprintf(stderr, _("Done.\n")); - asprintf(&filename, "%s/rsa_key.priv", confbase); - f = ask_and_safe_open(filename, _("private RSA key"), true, "a"); + xasprintf(&filename, "%s/rsa_key.priv", confbase); + f = ask_and_open(filename, _("private RSA key")); if(!f) return false; - if(ftell(f)) - fprintf(stderr, _("Appending key to existing contents.\nMake sure only one key is stored in the file.\n")); - + if(disable_old_keys(f)) + fprintf(stderr, _("Warning: old key(s) found and disabled.\n")); + +#ifdef HAVE_FCHMOD + /* Make it unreadable for others. */ + fchmod(fileno(f), 0600); +#endif + PEM_write_RSAPrivateKey(f, rsa_key, NULL, NULL, 0, NULL, NULL); fclose(f); free(filename); - get_config_string(lookup_config(config_tree, "Name"), &name); - if(name) - asprintf(&filename, "%s/hosts/%s", confbase, name); + xasprintf(&filename, "%s/hosts/%s", confbase, name); else - asprintf(&filename, "%s/rsa_key.pub", confbase); + xasprintf(&filename, "%s/rsa_key.pub", confbase); - f = ask_and_safe_open(filename, _("public RSA key"), false, "a"); + f = ask_and_open(filename, _("public RSA key")); if(!f) return false; - if(ftell(f)) - fprintf(stderr, _("Appending key to existing contents.\nMake sure only one key is stored in the file.\n")); + if(disable_old_keys(f)) + fprintf(stderr, _("Warning: old key(s) found and disabled.\n")); PEM_write_RSAPublicKey(f, rsa_key); fclose(f); free(filename); + if(name) + free(name); return true; } @@ -339,28 +382,117 @@ static bool keygen(int bits) */ static void make_names(void) { +#ifdef HAVE_MINGW + HKEY key; + char installdir[1024] = ""; + long len = sizeof(installdir); +#endif + if(netname) - asprintf(&identname, "tinc.%s", netname); + xasprintf(&identname, "tinc.%s", netname); else identname = xstrdup("tinc"); +#ifdef HAVE_MINGW + if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) { + if(!RegQueryValueEx(key, NULL, 0, 0, installdir, &len)) { + if(!logfilename) + xasprintf(&logfilename, "%s/log/%s.log", identname); + if(!confbase) { + if(netname) + xasprintf(&confbase, "%s/%s", installdir, netname); + else + xasprintf(&confbase, "%s", installdir); + } + } + RegCloseKey(key); + if(*installdir) + return; + } +#endif + if(!pidfilename) - asprintf(&pidfilename, LOCALSTATEDIR "/run/%s.pid", identname); + xasprintf(&pidfilename, LOCALSTATEDIR "/run/%s.pid", identname); if(!logfilename) - asprintf(&logfilename, LOCALSTATEDIR "/log/%s.log", identname); + xasprintf(&logfilename, LOCALSTATEDIR "/log/%s.log", identname); if(netname) { if(!confbase) - asprintf(&confbase, "%s/tinc/%s", CONFDIR, netname); + xasprintf(&confbase, CONFDIR "/tinc/%s", netname); else logger(LOG_INFO, _("Both netname and configuration directory given, using the latter...")); } else { if(!confbase) - asprintf(&confbase, "%s/tinc", CONFDIR); + xasprintf(&confbase, CONFDIR "/tinc"); + } +} + +static void free_names() { + if (identname) free(identname); + if (netname) free(netname); + if (pidfilename) free(pidfilename); + if (logfilename) free(logfilename); + if (confbase) free(confbase); +} + +static bool drop_privs() { +#ifdef HAVE_MINGW + if (switchuser) { + logger(LOG_ERR, _("%s not supported on this platform"), "-U"); + return false; + } + if (do_chroot) { + logger(LOG_ERR, _("%s not supported on this platform"), "-R"); + return false; + } +#else + uid_t uid = 0; + if (switchuser) { + struct passwd *pw = getpwnam(switchuser); + if (!pw) { + logger(LOG_ERR, _("unknown user `%s'"), switchuser); + return false; + } + uid = pw->pw_uid; + if (initgroups(switchuser, pw->pw_gid) != 0 || + setgid(pw->pw_gid) != 0) { + logger(LOG_ERR, _("System call `%s' failed: %s"), + "initgroups", strerror(errno)); + return false; + } + endgrent(); + endpwent(); } + if (do_chroot) { + tzset(); /* for proper timestamps in logs */ + if (chroot(confbase) != 0 || chdir("/") != 0) { + logger(LOG_ERR, _("System call `%s' failed: %s"), + "chroot", strerror(errno)); + return false; + } + free(confbase); + confbase = xstrdup(""); + } + if (switchuser) + if (setuid(uid) != 0) { + logger(LOG_ERR, _("System call `%s' failed: %s"), + "setuid", strerror(errno)); + return false; + } +#endif + return true; } +#ifdef HAVE_MINGW +# define setpriority(level) SetPriorityClass(GetCurrentProcess(), level) +#else +# define NORMAL_PRIORITY_CLASS 0 +# define BELOW_NORMAL_PRIORITY_CLASS 10 +# define HIGH_PRIORITY_CLASS -10 +# define setpriority(level) nice(level) +#endif + int main(int argc, char **argv) { program_name = argv[0]; @@ -377,7 +509,7 @@ int main(int argc, char **argv) if(show_version) { printf(_("%s version %s (built %s %s, protocol %d)\n"), PACKAGE, VERSION, __DATE__, __TIME__, PROT_CURRENT); - printf(_("Copyright (C) 1998-2003 Ivo Timmermans, Guus Sliepen and others.\n" + printf(_("Copyright (C) 1998-2009 Ivo Timmermans, Guus Sliepen and others.\n" "See the AUTHORS file for a complete list.\n\n" "tinc comes with ABSOLUTELY NO WARRANTY. This is free software,\n" "and you are welcome to redistribute it under certain conditions;\n" @@ -394,21 +526,7 @@ int main(int argc, char **argv) if(kill_tincd) return !kill_other(kill_tincd); - openlogger("tinc", LOGMODE_STDERR); - - /* Lock all pages into memory if requested */ - - if(do_mlock) -#ifdef HAVE_MLOCKALL - if(mlockall(MCL_CURRENT | MCL_FUTURE)) { - logger(LOG_ERR, _("System call `%s' failed: %s"), "mlockall", - strerror(errno)); -#else - { - logger(LOG_ERR, _("mlockall() not supported on this platform!")); -#endif - return -1; - } + openlogger("tinc", use_logfile?LOGMODE_FILE:LOGMODE_STDERR); g_argv = argv; @@ -418,6 +536,9 @@ int main(int argc, char **argv) RAND_load_file("/dev/urandom", 1024); + ENGINE_load_builtin_engines(); + ENGINE_register_all_complete(); + OpenSSL_add_all_algorithms(); if(generate_keys) { @@ -451,30 +572,74 @@ int main2(int argc, char **argv) if(!detach()) return 1; - - for(;;) { - if(setup_network_connections()) { - int status; - status = main_loop(); - close_network_connections(); +#ifdef HAVE_MLOCKALL + /* Lock all pages into memory if requested. + * This has to be done after daemon()/fork() so it works for child. + * No need to do that in parent as it's very short-lived. */ + if(do_mlock && mlockall(MCL_CURRENT | MCL_FUTURE) != 0) { + logger(LOG_ERR, _("System call `%s' failed: %s"), "mlockall", + strerror(errno)); + return 1; + } +#endif - ifdebug(CONNECTIONS) - dump_device_stats(); + /* Setup sockets and open device. */ - logger(LOG_NOTICE, _("Terminating")); - return status; - } + if(!setup_network()) + goto end; - logger(LOG_ERR, _("Unrecoverable error")); - cp_trace(); + /* Initiate all outgoing connections. */ - if(do_detach) { - logger(LOG_NOTICE, _("Restarting in %d seconds!"), maxtimeout); - sleep(maxtimeout); - } else { - logger(LOG_ERR, _("Not restarting.")); - return 1; - } - } + try_outgoing_connections(); + + /* Change process priority */ + + char *priority = 0; + + if(get_config_string(lookup_config(config_tree, "ProcessPriority"), &priority)) { + if(!strcasecmp(priority, "Normal")) + setpriority(NORMAL_PRIORITY_CLASS); + else if(!strcasecmp(priority, "Low")) + setpriority(BELOW_NORMAL_PRIORITY_CLASS); + else if(!strcasecmp(priority, "High")) + setpriority(HIGH_PRIORITY_CLASS); + else { + logger(LOG_ERR, _("Invalid priority `%s`!"), priority); + goto end; + } + } + + /* drop privileges */ + if (!drop_privs()) + goto end; + + /* Start main loop. It only exits when tinc is killed. */ + + status = main_loop(); + + /* Shutdown properly. */ + + ifdebug(CONNECTIONS) + dump_device_stats(); + + close_network_connections(); + +end: + logger(LOG_NOTICE, _("Terminating")); + +#ifndef HAVE_MINGW + remove_pid(pidfilename); +#endif + + EVP_cleanup(); + ENGINE_cleanup(); + CRYPTO_cleanup_all_ex_data(); + ERR_remove_state(0); + ERR_free_strings(); + + exit_configuration(&config_tree); + free_names(); + + return status; }