/* * Part of Very Secure FTPd * Licence: GPL v2 * Author: Chris Evans * oneprocess.c * * Code for the "one process" security model. The one process security model * is born for the purposes of raw speed at the expense of compromising the * purity of the security model. * The one process model will typically be disabled, for security reasons. * Only sites with huge numbers of concurrent users are likely to feel the * pain of two processes per session. */ #include "prelogin.h" #include "postlogin.h" #include "privops.h" #include "session.h" #include "secutil.h" #include "str.h" #include "tunables.h" #include "utility.h" #include "sysstr.h" #include "sysdeputil.h" #include "sysutil.h" #include "ptracesandbox.h" #include "ftppolicy.h" #include "seccompsandbox.h" static void one_process_start(void* p_arg); void vsf_one_process_start(struct vsf_session* p_sess) { if (tunable_ptrace_sandbox) { struct pt_sandbox* p_sandbox = ptrace_sandbox_alloc(); if (p_sandbox == 0) { die("could not allocate sandbox (only works for 32-bit builds)"); } policy_setup(p_sandbox, p_sess); if (ptrace_sandbox_launch_process(p_sandbox, one_process_start, (void*) p_sess) <= 0) { die("could not launch sandboxed child"); } /* TODO - could drop privs here. For now, run as root as the attack surface * is negligible, and running as root permits us to correctly deliver the * parent death signal upon unexpected crash. */ (void) ptrace_sandbox_run_processes(p_sandbox); ptrace_sandbox_free(p_sandbox); vsf_sysutil_exit(0); } else { one_process_start((void*) p_sess); } } static void one_process_start(void* p_arg) { struct vsf_session* p_sess = (struct vsf_session*) p_arg; unsigned int caps = 0; if (tunable_chown_uploads) { caps |= kCapabilityCAP_CHOWN; } if (tunable_connect_from_port_20) { caps |= kCapabilityCAP_NET_BIND_SERVICE; } { struct mystr user_name = INIT_MYSTR; struct mystr chdir_str = INIT_MYSTR; if (tunable_ftp_username) { str_alloc_text(&user_name, tunable_ftp_username); } if (tunable_anon_root) { str_alloc_text(&chdir_str, tunable_anon_root); } if (tunable_run_as_launching_user) { if (!str_isempty(&chdir_str)) { str_chdir(&chdir_str); } } else { vsf_secutil_change_credentials(&user_name, 0, &chdir_str, caps, VSF_SECUTIL_OPTION_CHROOT | VSF_SECUTIL_OPTION_USE_GROUPS | VSF_SECUTIL_OPTION_NO_PROCS); } str_free(&user_name); str_free(&chdir_str); } if (tunable_ptrace_sandbox) { ptrace_sandbox_attach_point(); } seccomp_sandbox_init(); seccomp_sandbox_setup_postlogin(p_sess); seccomp_sandbox_lockdown(); init_connection(p_sess); } void vsf_one_process_login(struct vsf_session* p_sess, const struct mystr* p_pass_str) { enum EVSFPrivopLoginResult login_result = vsf_privop_do_login(p_sess, p_pass_str); switch (login_result) { case kVSFLoginFail: return; break; case kVSFLoginAnon: p_sess->is_anonymous = 1; process_post_login(p_sess); break; case kVSFLoginNull: /* Fall through. */ case kVSFLoginReal: /* Fall through. */ default: bug("bad state in vsf_one_process_login"); break; } } int vsf_one_process_get_priv_data_sock(struct vsf_session* p_sess) { unsigned short port = vsf_sysutil_sockaddr_get_port(p_sess->p_port_sockaddr); return vsf_privop_get_ftp_port_sock(p_sess, port, 1); } void vsf_one_process_pasv_cleanup(struct vsf_session* p_sess) { vsf_privop_pasv_cleanup(p_sess); } int vsf_one_process_pasv_active(struct vsf_session* p_sess) { return vsf_privop_pasv_active(p_sess); } unsigned short vsf_one_process_listen(struct vsf_session* p_sess) { return vsf_privop_pasv_listen(p_sess); } int vsf_one_process_get_pasv_fd(struct vsf_session* p_sess) { return vsf_privop_accept_pasv(p_sess); } void vsf_one_process_chown_upload(struct vsf_session* p_sess, int fd) { vsf_privop_do_file_chown(p_sess, fd); }