Home Explore Help
Register Sign In
wareck
/
ftpz
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
ftpz
/
oneprocess.c

oneprocess.c 4.1 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175 
  1. /*
    2. 

  2.  * Part of Very Secure FTPd
    3. 

  3.  * Licence: GPL v2
    4. 

  4.  * Author: Chris Evans
    5. 

  5.  * oneprocess.c
    6. 

  6.  *
    7. 

  7.  * Code for the "one process" security model. The one process security model
    8. 

  8.  * is born for the purposes of raw speed at the expense of compromising the
    9. 

  9.  * purity of the security model.
    10. 

  10.  * The one process model will typically be disabled, for security reasons.
    11. 

  11.  * Only sites with huge numbers of concurrent users are likely to feel the
    12. 

  12.  * pain of two processes per session.
    13. 

  13.  */
    14. 

  14. 

  15. #include "prelogin.h"
    16. 

  16. #include "postlogin.h"
    17. 

  17. #include "privops.h"
    18. 

  18. #include "session.h"
    19. 

  19. #include "secutil.h"
    20. 

  20. #include "str.h"
    21. 

  21. #include "tunables.h"
    22. 

  22. #include "utility.h"
    23. 

  23. #include "sysstr.h"
    24. 

  24. #include "sysdeputil.h"
    25. 

  25. #include "sysutil.h"
    26. 

  26. #include "ptracesandbox.h"
    27. 

  27. #include "ftppolicy.h"
    28. 

  28. #include "seccompsandbox.h"
    29. 

  29. 

  30. static void one_process_start(void* p_arg);
    31. 

  31. 

  32. void
    33. 

  33. vsf_one_process_start(struct vsf_session* p_sess)
    34. 

  34. {
    35. 

  35.   if (tunable_ptrace_sandbox)
    36. 

  36.   {
    37. 

  37.     struct pt_sandbox* p_sandbox = ptrace_sandbox_alloc();
    38. 

  38.     if (p_sandbox == 0)
    39. 

  39.     {
    40. 

  40.       die("could not allocate sandbox (only works for 32-bit builds)");
    41. 

  41.     }
    42. 

  42.     policy_setup(p_sandbox, p_sess);
    43. 

  43.     if (ptrace_sandbox_launch_process(p_sandbox,
    44. 

  44.                                       one_process_start,
    45. 

  45.                                       (void*) p_sess) <= 0)
    46. 

  46.     {
    47. 

  47.       die("could not launch sandboxed child");
    48. 

  48.     }
    49. 

  49.     /* TODO - could drop privs here. For now, run as root as the attack surface
    50. 

  50.      * is negligible, and running as root permits us to correctly deliver the
    51. 

  51.      * parent death signal upon unexpected crash.
    52. 

  52.      */
    53. 

  53.     (void) ptrace_sandbox_run_processes(p_sandbox);
    54. 

  54.     ptrace_sandbox_free(p_sandbox);
    55. 

  55.     vsf_sysutil_exit(0);
    56. 

  56.   }
    57. 

  57.   else
    58. 

  58.   {
    59. 

  59.     one_process_start((void*) p_sess);
    60. 

  60.   }
    61. 

  61. }
    62. 

  62. 

  63. static void
    64. 

  64. one_process_start(void* p_arg)
    65. 

  65. {
    66. 

  66.   struct vsf_session* p_sess = (struct vsf_session*) p_arg;
    67. 

  67.   unsigned int caps = 0;
    68. 

  68.   if (tunable_chown_uploads)
    69. 

  69.   {
    70. 

  70.     caps |= kCapabilityCAP_CHOWN;
    71. 

  71.   }
    72. 

  72.   if (tunable_connect_from_port_20)
    73. 

  73.   {
    74. 

  74.     caps |= kCapabilityCAP_NET_BIND_SERVICE;
    75. 

  75.   }
    76. 

  76.   {
    77. 

  77.     struct mystr user_name = INIT_MYSTR;
    78. 

  78.     struct mystr chdir_str = INIT_MYSTR;
    79. 

  79.     if (tunable_ftp_username)
    80. 

  80.     {
    81. 

  81.       str_alloc_text(&user_name, tunable_ftp_username);
    82. 

  82.     }
    83. 

  83.     if (tunable_anon_root)
    84. 

  84.     {
    85. 

  85.       str_alloc_text(&chdir_str, tunable_anon_root);
    86. 

  86.     }
    87. 

  87.     if (tunable_run_as_launching_user)
    88. 

  88.     {
    89. 

  89.       if (!str_isempty(&chdir_str))
    90. 

  90.       {
    91. 

  91.         str_chdir(&chdir_str);
    92. 

  92.       }
    93. 

  93.     }
    94. 

  94.     else
    95. 

  95.     {
    96. 

  96.       vsf_secutil_change_credentials(&user_name, 0, &chdir_str, caps,
    97. 

  97.           VSF_SECUTIL_OPTION_CHROOT |
    98. 

  98.           VSF_SECUTIL_OPTION_USE_GROUPS |
    99. 

  99.           VSF_SECUTIL_OPTION_NO_PROCS);
    100. 

  100.     }
    101. 

  101.     str_free(&user_name);
    102. 

  102.     str_free(&chdir_str);
    103. 

  103.   }
    104. 

  104.   if (tunable_ptrace_sandbox)
    105. 

  105.   {
    106. 

  106.     ptrace_sandbox_attach_point();
    107. 

  107.   }
    108. 

  108.   seccomp_sandbox_init();
    109. 

  109.   seccomp_sandbox_setup_postlogin(p_sess);
    110. 

  110.   seccomp_sandbox_lockdown();
    111. 

  111.   init_connection(p_sess);
    112. 

  112. }
    113. 

  113. 

  114. void
    115. 

  115. vsf_one_process_login(struct vsf_session* p_sess,
    116. 

  116.                       const struct mystr* p_pass_str)
    117. 

  117. {
    118. 

  118.   enum EVSFPrivopLoginResult login_result =
    119. 

  119.     vsf_privop_do_login(p_sess, p_pass_str);
    120. 

  120.   switch (login_result)
    121. 

  121.   {
    122. 

  122.     case kVSFLoginFail:
    123. 

  123.       return;
    124. 

  124.       break;
    125. 

  125.     case kVSFLoginAnon:
    126. 

  126.       p_sess->is_anonymous = 1;
    127. 

  127.       process_post_login(p_sess);
    128. 

  128.       break;
    129. 

  129.     case kVSFLoginNull:
    130. 

  130.       /* Fall through. */
    131. 

  131.     case kVSFLoginReal:
    132. 

  132.       /* Fall through. */
    133. 

  133.     default:
    134. 

  134.       bug("bad state in vsf_one_process_login");
    135. 

  135.       break;
    136. 

  136.   }
    137. 

  137. }
    138. 

  138. 

  139. int
    140. 

  140. vsf_one_process_get_priv_data_sock(struct vsf_session* p_sess)
    141. 

  141. {
    142. 

  142.   unsigned short port = vsf_sysutil_sockaddr_get_port(p_sess->p_port_sockaddr);
    143. 

  143.   return vsf_privop_get_ftp_port_sock(p_sess, port, 1);
    144. 

  144. }
    145. 

  145. 

  146. void
    147. 

  147. vsf_one_process_pasv_cleanup(struct vsf_session* p_sess)
    148. 

  148. {
    149. 

  149.   vsf_privop_pasv_cleanup(p_sess);
    150. 

  150. }
    151. 

  151. 

  152. int
    153. 

  153. vsf_one_process_pasv_active(struct vsf_session* p_sess)
    154. 

  154. {
    155. 

  155.   return vsf_privop_pasv_active(p_sess);
    156. 

  156. }
    157. 

  157. 

  158. unsigned short
    159. 

  159. vsf_one_process_listen(struct vsf_session* p_sess)
    160. 

  160. {
    161. 

  161.   return vsf_privop_pasv_listen(p_sess);
    162. 

  162. }
    163. 

  163. 

  164. int
    165. 

  165. vsf_one_process_get_pasv_fd(struct vsf_session* p_sess)
    166. 

  166. {
    167. 

  167.   return vsf_privop_accept_pasv(p_sess);
    168. 

  168. }
    169. 

  169. 

  170. void
    171. 

  171. vsf_one_process_chown_upload(struct vsf_session* p_sess, int fd)
    172. 

  172. {
    173. 

  173.   vsf_privop_do_file_chown(p_sess, fd);
    174. 

  174. }
    175. 

  175.