oneprocess.c 4.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175
  1. /*
  2. * Part of Very Secure FTPd
  3. * Licence: GPL v2
  4. * Author: Chris Evans
  5. * oneprocess.c
  6. *
  7. * Code for the "one process" security model. The one process security model
  8. * is born for the purposes of raw speed at the expense of compromising the
  9. * purity of the security model.
  10. * The one process model will typically be disabled, for security reasons.
  11. * Only sites with huge numbers of concurrent users are likely to feel the
  12. * pain of two processes per session.
  13. */
  14. #include "prelogin.h"
  15. #include "postlogin.h"
  16. #include "privops.h"
  17. #include "session.h"
  18. #include "secutil.h"
  19. #include "str.h"
  20. #include "tunables.h"
  21. #include "utility.h"
  22. #include "sysstr.h"
  23. #include "sysdeputil.h"
  24. #include "sysutil.h"
  25. #include "ptracesandbox.h"
  26. #include "ftppolicy.h"
  27. #include "seccompsandbox.h"
  28. static void one_process_start(void* p_arg);
  29. void
  30. vsf_one_process_start(struct vsf_session* p_sess)
  31. {
  32. if (tunable_ptrace_sandbox)
  33. {
  34. struct pt_sandbox* p_sandbox = ptrace_sandbox_alloc();
  35. if (p_sandbox == 0)
  36. {
  37. die("could not allocate sandbox (only works for 32-bit builds)");
  38. }
  39. policy_setup(p_sandbox, p_sess);
  40. if (ptrace_sandbox_launch_process(p_sandbox,
  41. one_process_start,
  42. (void*) p_sess) <= 0)
  43. {
  44. die("could not launch sandboxed child");
  45. }
  46. /* TODO - could drop privs here. For now, run as root as the attack surface
  47. * is negligible, and running as root permits us to correctly deliver the
  48. * parent death signal upon unexpected crash.
  49. */
  50. (void) ptrace_sandbox_run_processes(p_sandbox);
  51. ptrace_sandbox_free(p_sandbox);
  52. vsf_sysutil_exit(0);
  53. }
  54. else
  55. {
  56. one_process_start((void*) p_sess);
  57. }
  58. }
  59. static void
  60. one_process_start(void* p_arg)
  61. {
  62. struct vsf_session* p_sess = (struct vsf_session*) p_arg;
  63. unsigned int caps = 0;
  64. if (tunable_chown_uploads)
  65. {
  66. caps |= kCapabilityCAP_CHOWN;
  67. }
  68. if (tunable_connect_from_port_20)
  69. {
  70. caps |= kCapabilityCAP_NET_BIND_SERVICE;
  71. }
  72. {
  73. struct mystr user_name = INIT_MYSTR;
  74. struct mystr chdir_str = INIT_MYSTR;
  75. if (tunable_ftp_username)
  76. {
  77. str_alloc_text(&user_name, tunable_ftp_username);
  78. }
  79. if (tunable_anon_root)
  80. {
  81. str_alloc_text(&chdir_str, tunable_anon_root);
  82. }
  83. if (tunable_run_as_launching_user)
  84. {
  85. if (!str_isempty(&chdir_str))
  86. {
  87. str_chdir(&chdir_str);
  88. }
  89. }
  90. else
  91. {
  92. vsf_secutil_change_credentials(&user_name, 0, &chdir_str, caps,
  93. VSF_SECUTIL_OPTION_CHROOT |
  94. VSF_SECUTIL_OPTION_USE_GROUPS |
  95. VSF_SECUTIL_OPTION_NO_PROCS);
  96. }
  97. str_free(&user_name);
  98. str_free(&chdir_str);
  99. }
  100. if (tunable_ptrace_sandbox)
  101. {
  102. ptrace_sandbox_attach_point();
  103. }
  104. seccomp_sandbox_init();
  105. seccomp_sandbox_setup_postlogin(p_sess);
  106. seccomp_sandbox_lockdown();
  107. init_connection(p_sess);
  108. }
  109. void
  110. vsf_one_process_login(struct vsf_session* p_sess,
  111. const struct mystr* p_pass_str)
  112. {
  113. enum EVSFPrivopLoginResult login_result =
  114. vsf_privop_do_login(p_sess, p_pass_str);
  115. switch (login_result)
  116. {
  117. case kVSFLoginFail:
  118. return;
  119. break;
  120. case kVSFLoginAnon:
  121. p_sess->is_anonymous = 1;
  122. process_post_login(p_sess);
  123. break;
  124. case kVSFLoginNull:
  125. /* Fall through. */
  126. case kVSFLoginReal:
  127. /* Fall through. */
  128. default:
  129. bug("bad state in vsf_one_process_login");
  130. break;
  131. }
  132. }
  133. int
  134. vsf_one_process_get_priv_data_sock(struct vsf_session* p_sess)
  135. {
  136. unsigned short port = vsf_sysutil_sockaddr_get_port(p_sess->p_port_sockaddr);
  137. return vsf_privop_get_ftp_port_sock(p_sess, port, 1);
  138. }
  139. void
  140. vsf_one_process_pasv_cleanup(struct vsf_session* p_sess)
  141. {
  142. vsf_privop_pasv_cleanup(p_sess);
  143. }
  144. int
  145. vsf_one_process_pasv_active(struct vsf_session* p_sess)
  146. {
  147. return vsf_privop_pasv_active(p_sess);
  148. }
  149. unsigned short
  150. vsf_one_process_listen(struct vsf_session* p_sess)
  151. {
  152. return vsf_privop_pasv_listen(p_sess);
  153. }
  154. int
  155. vsf_one_process_get_pasv_fd(struct vsf_session* p_sess)
  156. {
  157. return vsf_privop_accept_pasv(p_sess);
  158. }
  159. void
  160. vsf_one_process_chown_upload(struct vsf_session* p_sess, int fd)
  161. {
  162. vsf_privop_do_file_chown(p_sess, fd);
  163. }