Allow the main process to connect to sec-module.
That allows gnutls to verify the key validity during initialization.
12
src/main.c
12
src/main.c
@@ -951,9 +951,6 @@ int main(int argc, char** argv)
|
||||
|
||||
run_sec_mod(s);
|
||||
|
||||
/* Initialize certificates */
|
||||
tls_load_certs(s, &creds);
|
||||
|
||||
mslog(s, NULL, LOG_INFO, "initialized %s", PACKAGE_STRING);
|
||||
|
||||
ret = ctl_handler_init(s);
|
||||
@@ -962,6 +959,15 @@ int main(int argc, char** argv)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/* chdir to our chroot directory, to allow opening the sec-mod
|
||||
* socket if necessary. */
|
||||
if (s->config->chroot_dir)
|
||||
chdir(s->config->chroot_dir);
|
||||
ms_sleep(100); /* give some time for sec-mod to initialize */
|
||||
|
||||
/* Initialize certificates */
|
||||
tls_load_certs(s, &creds);
|
||||
|
||||
sigprocmask(SIG_BLOCK, &blockset, NULL);
|
||||
alarm(MAINTAINANCE_TIME(s));
|
||||
|
||||
|
||||
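Review bot: The return value of `chdir(s->config->chroot_dir)` at the top of the second hunk is ignored, so if the directory is missing or not accessible the process carries on with its old working directory and the sec-mod socket connection (and any relative certificate path, since tls_load_certs now runs after the chdir) fails later with a far less useful error; I would fail fast here: `if (s->config->chroot_dir && chdir(s->config->chroot_dir) < 0) { mslog(s, NULL, LOG_ERR, "cannot chdir to %s: %s", s->config->chroot_dir, strerror(errno)); exit(1); }`. Note also that the chdir is never undone, so every later path lookup in the main process resolves relative to chroot_dir, which is a behaviour change for relative paths in the configuration that the commit message does not mention. The `ms_sleep(100)` is a timing assumption rather than a synchronisation: on a loaded host sec-mod may not have bound its socket within 100 ms and the connection presumably made inside tls_load_certs will then fail, so a bounded connect-retry on the client side (or having sec-mod signal readiness) would be more robust. main() starts and ends outside both hunks.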
@@ -319,9 +319,12 @@ void sec_mod_server(struct cfg_st *config, const char *socket_file)
|
||||
}
|
||||
|
||||
ret = check_upeer_id("sec-mod", cfd, config->uid, config->gid);
|
||||
if (ret < 0) /* allow root connections */
|
||||
ret = check_upeer_id("sec-mod", cfd, 0, 0);
|
||||
|
||||
if (ret < 0) {
|
||||
syslog(LOG_ERR,
|
||||
"sec-mod: unauthorized connection");
|
||||
"sec-mod: rejected unauthorized connection");
|
||||
goto cont;
|
||||
}
|
||||
|
||||
|
||||
@@ -51,6 +51,9 @@ SIGHANDLER_T ocsignal(int signum, SIGHANDLER_T handler)
|
||||
return old_action.sa_handler;
|
||||
}
|
||||
|
||||
/* Checks whether the peer in a socket has the expected @uid and @gid.
|
||||
* Returns zero on success.
|
||||
*/
|
||||
int check_upeer_id(const char *mod, int cfd, int uid, int gid)
|
||||
{
|
||||
int e, ret;
|
||||
@@ -76,7 +79,7 @@ int check_upeer_id(const char *mod, int cfd, int uid, int gid)
|
||||
mod, (unsigned)cr.pid, (unsigned)cr.uid);
|
||||
|
||||
if (cr.uid != uid || cr.gid != gid) {
|
||||
syslog(LOG_ERR,
|
||||
syslog(LOG_DEBUG,
|
||||
"%s received unauthorized request from pid %u and uid %u",
|
||||
mod, (unsigned)cr.pid, (unsigned)cr.uid);
|
||||
return -1;
|
||||
@@ -89,7 +92,7 @@ int check_upeer_id(const char *mod, int cfd, int uid, int gid)
|
||||
|
||||
if (ret == -1) {
|
||||
e = errno;
|
||||
syslog(LOG_ERR, "%s getpeereid error: %s",
|
||||
syslog(LOG_DEBUG, "%s getpeereid error: %s",
|
||||
mod, strerror(e));
|
||||
return -1;
|
||||
}
|
||||
@@ -98,7 +101,7 @@ int check_upeer_id(const char *mod, int cfd, int uid, int gid)
|
||||
"%s received request from a processes with uid %u",
|
||||
mod, (unsigned)euid);
|
||||
if (euid != uid || egid != gid) {
|
||||
syslog(LOG_ERR,
|
||||
syslog(LOG_DEBUG,
|
||||
"%s received unauthorized request from a process with uid %u",
|
||||
mod, (unsigned)euid);
|
||||
return -1;
|
||||
|
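Review bot: Demoting the `getpeereid` failure in the third hunk to LOG_DEBUG hides a genuine error: unlike a uid/gid mismatch, which is now an expected first outcome of sec_mod_server's uid-then-root double check, failing to obtain the peer's credentials at all is not part of that flow, and any other caller of check_upeer_id that does not log its own rejection would now drop the connection silently. I would keep that one at error level: `syslog(LOG_ERR, "%s getpeereid error: %s",`. The new header comment should also spell out the contract callers now depend on, e.g. add `* Returns -1 on mismatch or if the peer credentials cannot be read; mismatches are logged at debug level only, so callers must report the rejection themselves.` The `cr.uid` branch in the second hunk presumably has a matching getsockopt error path outside this view that deserves the same treatment. check_upeer_id continues past the last hunk.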
||||