/*
* Part of Very Secure FTPd
* Licence: GPL v2
* Author: Chris Evans
* oneprocess.c
*
* Code for the "one process" security model. The one process security model
* is born for the purposes of raw speed at the expense of compromising the
* purity of the security model.
* The one process model will typically be disabled, for security reasons.
* Only sites with huge numbers of concurrent users are likely to feel the
* pain of two processes per session.
*/
#include "prelogin.h"
#include "postlogin.h"
#include "privops.h"
#include "session.h"
#include "secutil.h"
#include "str.h"
#include "tunables.h"
#include "utility.h"
#include "sysstr.h"
#include "sysdeputil.h"
#include "sysutil.h"
#include "ptracesandbox.h"
#include "ftppolicy.h"
#include "seccompsandbox.h"
#pragma CHECKED_SCOPE on
static void one_process_start(_Ptr<void> p_arg);
/* Kick off a session under the one-process security model.
 *
 * Without the ptrace sandbox the session body (one_process_start) simply runs
 * in this process. With it, this process stays behind as the ptrace
 * supervisor: it allocates and configures the sandbox, launches the session
 * body as the supervised child, waits for the child to finish and then exits
 * via vsf_sysutil_exit(0), so it does not return to the caller in that case.
 * Any failure to set up or launch the sandbox is fatal (die()).
 */
void
vsf_one_process_start(struct vsf_session* p_sess : itype(_Ptr<struct vsf_session>))
{
  if (!tunable_ptrace_sandbox)
  {
    /* Plain one-process mode: no supervisor, run the session body here. */
    one_process_start((_Ptr<void>) p_sess);
    return;
  }
  _Ptr<struct pt_sandbox> p_sandbox = ptrace_sandbox_alloc();
  if (p_sandbox == 0)
  {
    die("could not allocate sandbox (only works for 32-bit builds)");
  }
  /* Install the syscall policy before the child exists so it is never
   * unsupervised. */
  policy_setup(p_sandbox, p_sess);
  int launch_rc = ptrace_sandbox_launch_process(p_sandbox,
                                                one_process_start,
                                                (_Ptr<void>) p_sess);
  if (launch_rc <= 0)
  {
    die("could not launch sandboxed child");
  }
  /* TODO - could drop privs here. For now, run as root as the attack surface
   * is negligible, and running as root permits us to correctly deliver the
   * parent death signal upon unexpected crash.
   */
  (void) ptrace_sandbox_run_processes(p_sandbox);
  ptrace_sandbox_free(p_sandbox);
  vsf_sysutil_exit(0);
}
/* Capabilities the session process must retain after dropping root, derived
 * purely from configuration: CAP_CHOWN only if uploads are to be chown'd,
 * CAP_NET_BIND_SERVICE only if active-mode data connections must originate
 * from port 20. Everything else is dropped.
 */
static unsigned int
one_process_required_caps(void)
{
  unsigned int retained = 0;
  if (tunable_chown_uploads)
  {
    retained |= kCapabilityCAP_CHOWN;
  }
  if (tunable_connect_from_port_20)
  {
    retained |= kCapabilityCAP_NET_BIND_SERVICE;
  }
  return retained;
}

/* Session body for the one-process model. Runs either directly in the
 * listener's child or as the ptrace-supervised child launched by
 * vsf_one_process_start; p_arg is the session pointer that function passed.
 *
 * Sequence (order is deliberate and must be kept):
 *   1. drop to the configured FTP user, chroot'd into anon_root, with
 *      supplementary groups and no /proc access -- unless
 *      run_as_launching_user is set, in which case we only chdir() and keep
 *      the launching user's privileges (no chroot, no capability pruning);
 *   2. register the ptrace sandbox attach point if that sandbox is enabled;
 *   3. install and lock down the seccomp filter (the post-login filter set is
 *      installed up front here -- presumably because there is no second
 *      process to re-sandbox after login in this model);
 *   4. hand the connection to the pre-login protocol handler.
 */
static void
one_process_start(_Ptr<void> p_arg)
{
  _Ptr<struct vsf_session> p_sess = 0;
  /* The one unchecked operation in this file: recover the typed session
   * pointer from the opaque argument supplied by vsf_one_process_start. */
  _Unchecked {
    p_sess = _Assume_bounds_cast<_Ptr<struct vsf_session>>(p_arg);
  }
  unsigned int retained_caps = one_process_required_caps();
  {
    struct mystr ftp_user = INIT_MYSTR;
    struct mystr root_dir = INIT_MYSTR;
    if (tunable_ftp_username)
    {
      str_alloc_text(&ftp_user, tunable_ftp_username);
    }
    if (tunable_anon_root)
    {
      str_alloc_text(&root_dir, tunable_anon_root);
    }
    if (!tunable_run_as_launching_user)
    {
      vsf_secutil_change_credentials(&ftp_user, 0, &root_dir, retained_caps,
                                     VSF_SECUTIL_OPTION_CHROOT |
                                     VSF_SECUTIL_OPTION_USE_GROUPS |
                                     VSF_SECUTIL_OPTION_NO_PROCS);
    }
    else if (!str_isempty(&root_dir))
    {
      /* Privileges are intentionally kept; only the working directory moves. */
      str_chdir(&root_dir);
    }
    str_free(&ftp_user);
    str_free(&root_dir);
  }
  if (tunable_ptrace_sandbox)
  {
    ptrace_sandbox_attach_point();
  }
  seccomp_sandbox_init();
  seccomp_sandbox_setup_postlogin(p_sess);
  seccomp_sandbox_lockdown();
  init_connection(p_sess);
}
/* Handle a login attempt in the one-process model.
 *
 * The only login this model can complete is an anonymous one: on
 * kVSFLoginAnon the session is marked anonymous and post-login processing
 * starts; on kVSFLoginFail we simply return so the caller can report the
 * failure. kVSFLoginNull, kVSFLoginReal or any unknown result is a logic
 * error (real-user logins need the two-process model) and is reported via
 * bug().
 */
void
vsf_one_process_login(struct vsf_session *p_sess : itype(_Ptr<struct vsf_session>), const struct mystr *p_pass_str : itype(_Ptr<const struct mystr>))
{
  enum EVSFPrivopLoginResult login_result =
    vsf_privop_do_login(p_sess, p_pass_str);
  if (login_result == kVSFLoginFail)
  {
    return;
  }
  if (login_result == kVSFLoginAnon)
  {
    p_sess->is_anonymous = 1;
    process_post_login(p_sess);
  }
  else
  {
    /* kVSFLoginNull, kVSFLoginReal and anything unexpected. */
    bug("bad state in vsf_one_process_login");
  }
}
/* Obtain the privileged data socket for a client-specified data address
 * (presumably the PORT/active-mode case, given p_port_sockaddr). The port is
 * read from p_sess->p_port_sockaddr and the request is delegated to the
 * privops layer; the trailing literal 1 is passed through unchanged -- its
 * meaning is owned by vsf_privop_get_ftp_port_sock, not this wrapper.
 * Returns the privops result verbatim.
 */
int
vsf_one_process_get_priv_data_sock(struct vsf_session *p_sess : itype(_Ptr<struct vsf_session>))
{
  return vsf_privop_get_ftp_port_sock(
      p_sess, vsf_sysutil_sockaddr_get_port(p_sess->p_port_sockaddr), 1);
}
/* Tear down any passive-mode listening state for this session. In the
 * one-process model there is no privilege boundary to cross, so this is a
 * direct call into the privops implementation.
 */
void
vsf_one_process_pasv_cleanup(struct vsf_session *p_sess : itype(_Ptr<struct vsf_session>))
{
  vsf_privop_pasv_cleanup(p_sess);
}
/* Report whether a passive-mode listener is currently active for the
 * session. Pure pass-through to the privops layer; returns its result.
 */
int
vsf_one_process_pasv_active(struct vsf_session *p_sess : itype(_Ptr<struct vsf_session>))
{
  int active = vsf_privop_pasv_active(p_sess);
  return active;
}
/* Open a passive-mode listening socket for the session and return the port
 * number chosen, as reported by the privops layer.
 */
unsigned short
vsf_one_process_listen(struct vsf_session *p_sess : itype(_Ptr<struct vsf_session>))
{
  unsigned short listen_port = vsf_privop_pasv_listen(p_sess);
  return listen_port;
}
/* Accept the incoming passive-mode data connection and return the resulting
 * descriptor (or whatever error value vsf_privop_accept_pasv reports).
 */
int
vsf_one_process_get_pasv_fd(struct vsf_session *p_sess : itype(_Ptr<struct vsf_session>))
{
  int data_fd = vsf_privop_accept_pasv(p_sess);
  return data_fd;
}
/* Change ownership of a freshly uploaded file given its open descriptor.
 * Delegates to the privops layer; this only has the capability to succeed
 * when chown_uploads is set, since that is the sole reason CAP_CHOWN is
 * retained by one_process_start.
 */
void
vsf_one_process_chown_upload(struct vsf_session *p_sess : itype(_Ptr<struct vsf_session>), int fd)
{
  vsf_privop_do_file_chown(p_sess, fd);
}