nate/swebs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Moved seteuid

Browse Source
This commit is contained in:
Nate Choe
2022-06-01 09:24:56 +00:00
parent f8a7584a13
commit 936081ddb5
3 changed files with 39 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/runner.c
View File

@@ -21,6 +21,7 @@
#include <string.h> #include <string.h>
#include <assert.h> #include <assert.h>
#include <pwd.h>
#include <poll.h> #include <poll.h>
#include <fcntl.h> #include <fcntl.h>
#include <unistd.h> #include <unistd.h>
@@ -54,6 +55,27 @@ void runServer(int connfd, Sitefile *site, Listener *listener,
createLog("Socket type is somehow invalid"); createLog("Socket type is somehow invalid");
return; return;
} }
if (context == NULL) {
createErrorLog("Failed to create context", errno);
exit(EXIT_FAILURE);
}
{
struct passwd *swebs, *root;
swebs = getpwnam("swebs");
if (swebs == NULL)
createLog("Couldn't find swebs user");
else
if (seteuid(swebs->pw_uid))
createErrorLog("seteuid() failed", errno);
root = getpwnam("root");
if (root != NULL) {
/* I don't know why this if statement could be false but we have it
* just in case. */
if (geteuid() == root->pw_uid)
createLog("swebs probably should not be run as root");
}
}
for (;;) { for (;;) {
int i; int i;

20
src/setup.c
View File

@@ -19,7 +19,6 @@
#include <stdarg.h> #include <stdarg.h>
#include <stdlib.h> #include <stdlib.h>
#include <pwd.h>
#include <errno.h> #include <errno.h>
#include <unistd.h> #include <unistd.h>
@@ -153,23 +152,4 @@ NULL
fprintf(stderr, "Couldn't open logs file %s\n", logout); fprintf(stderr, "Couldn't open logs file %s\n", logout);
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
{
struct passwd *swebs, *root;
swebs = getpwnam("swebs");
if (swebs == NULL)
createLog("Couldn't find swebs user");
else
if (seteuid(swebs->pw_uid))
createErrorLog("seteuid() failed", errno);
root = getpwnam("root");
if (root == NULL) {
createLog("Couldn't find root user, quitting");
exit(EXIT_FAILURE);
}
if (geteuid() == root->pw_uid) {
createLog("swebs should not be run as root");
exit(EXIT_FAILURE);
}
}
} }

18
src/sockets.c
View File

@@ -19,6 +19,7 @@
#include <assert.h> #include <assert.h>
#include <stdlib.h> #include <stdlib.h>
#include <errno.h>
#include <fcntl.h> #include <fcntl.h>
#include <unistd.h> #include <unistd.h>
#include <sys/socket.h> #include <sys/socket.h>
@@ -82,15 +83,21 @@ Context *createContext(SocketType type, ...) {
certfile = va_arg(ap, char *); certfile = va_arg(ap, char *);
if (gnutls_certificate_allocate_credentials(&ret->creds) if (gnutls_certificate_allocate_credentials(&ret->creds)
< 0) < 0) {
createLog("gnutls_certificate_allocate_credentials() failed");
goto error; goto error;
}
if (gnutls_certificate_set_x509_key_file(ret->creds, if (gnutls_certificate_set_x509_key_file(ret->creds,
certfile, keyfile, certfile, keyfile,
GNUTLS_X509_FMT_PEM) < 0) GNUTLS_X509_FMT_PEM) < 0) {
createLog("gnutls_certificate_set_x509_key_file() failed");
goto error; goto error;
}
if (gnutls_priority_init(&ret->priority, NULL, NULL) if (gnutls_priority_init(&ret->priority, NULL, NULL)
< 0) < 0) {
createLog("gnutls_priority_init() failed");
goto error; goto error;
}
#if GNUTLS_VERSION_NUMBER >= 0x030506 #if GNUTLS_VERSION_NUMBER >= 0x030506
gnutls_certificate_set_known_dh_params(ret->creds, gnutls_certificate_set_known_dh_params(ret->creds,
GNUTLS_SEC_PARAM_MEDIUM); GNUTLS_SEC_PARAM_MEDIUM);
@@ -101,8 +108,13 @@ Context *createContext(SocketType type, ...) {
va_end(ap); va_end(ap);
return ret; return ret;
error: error:
{
int olderrno;
olderrno = errno;
free(ret); free(ret);
errno = olderrno;
return NULL; return NULL;
}
} }
int acceptConnection(Listener *listener) { int acceptConnection(Listener *listener) {