From e910005b1a337093109af29c7bf21b32c343ab56 Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Mon, 4 Feb 2019 19:04:05 +0000 Subject: Revert -I, but add uid/self and gid/self to uidgid accessrules checking --- NEWS | 7 +++++-- doc/libs6/accessrules.html | 15 +++++++++++---- doc/s6-ipcserver-access.html | 7 +++---- doc/upgrade.html | 4 +++- src/conn-tools/s6-ipcserver-access.c | 7 ++----- src/libs6/s6_accessrules_keycheck_uidgid.c | 22 ++++++++++++++++++---- 6 files changed, 42 insertions(+), 20 deletions(-) diff --git a/NEWS b/NEWS index afd4c3c..45f0986 100644 --- a/NEWS +++ b/NEWS @@ -7,8 +7,11 @@ In 2.8.0.0 - Adaptation to skalibs-2.8.0.0. - s6-log can now notify readiness with the new -d option. - s6-log now has a default line limit of 8 kB. - - s6-ipcserver-access now takes a -I option to automatically accept -connections from clients running with the same euid/egid pair. + - In the accessrules library, checking against uidgid now checks the +uid/self key if the client and the server have the same uid, and the +gid/self key if the client and the server have the same gid. That means +s6-ipcserver-access can now be configured to allow/deny/specialcase +connections where the client's credentials are the same as the server's. In 2.7.2.2 diff --git a/doc/libs6/accessrules.html b/doc/libs6/accessrules.html index 821575d..2360cfc 100644 --- a/doc/libs6/accessrules.html +++ b/doc/libs6/accessrules.html @@ -124,10 +124,17 @@ is not S6_ACCESSRULES_NOTFOUND. If no match can be found in the whole list, s6_accessrules_keycheck_uidgid interprets key as a pointer to a structure containing an uid u and a gid g. -The function first looks -for a uid/u match; if it cannot find one, it looks for a -gid/g match. If it cannot find one either, it checks -uid/default and returns the result. +The following checks are performed, in this order (i.e. subsequent +checks are not performed if a match is found): +
  • s6_accessrules_keycheck_reversedns interprets key diff --git a/doc/s6-ipcserver-access.html b/doc/s6-ipcserver-access.html index 80b7503..b09d74a 100644 --- a/doc/s6-ipcserver-access.html +++ b/doc/s6-ipcserver-access.html @@ -30,7 +30,7 @@ the application program on the s6-ipcserver command line.

    Interface

    -     s6-ipcserver-access [ -v verbosity ] [ -E | -e ] [ -l localname ] [ -I ] [ -i rulesdir | -x rulesfile ] prog...
    +     s6-ipcserver-access [ -v verbosity ] [ -E | -e ] [ -l localname ] [ -i rulesdir | -x rulesfile ] prog...
     

    in 2.7.2.2

    diff --git a/src/conn-tools/s6-ipcserver-access.c b/src/conn-tools/s6-ipcserver-access.c index 21171fd..97f3204 100644 --- a/src/conn-tools/s6-ipcserver-access.c +++ b/src/conn-tools/s6-ipcserver-access.c @@ -14,7 +14,7 @@ #include #include -#define USAGE "s6-ipcserver-access [ -v verbosity ] [ -e | -E ] [ -l localname ] [ -I ] [ -i rulesdir | -x rulesfile ] prog..." +#define USAGE "s6-ipcserver-access [ -v verbosity ] [ -e | -E ] [ -l localname ] [ -i rulesdir | -x rulesfile ] prog..." static unsigned int verbosity = 1 ; @@ -118,14 +118,13 @@ int main (int argc, char const *const *argv, char const *const *envp) uid_t uid = 0 ; gid_t gid = 0 ; unsigned int rulestype = 0 ; - int identity = 0 ; int doenv = 1 ; PROG = "s6-ipcserver-access" ; { subgetopt_t l = SUBGETOPT_ZERO ; for (;;) { - int opt = subgetopt_r(argc, argv, "v:Eel:Ii:x:", &l) ; + int opt = subgetopt_r(argc, argv, "v:Eel:i:x:", &l) ; if (opt == -1) break ; switch (opt) { @@ -133,7 +132,6 @@ int main (int argc, char const *const *argv, char const *const *envp) case 'E' : doenv = 0 ; break ; case 'e' : doenv = 1 ; break ; case 'l' : localname = l.arg ; break ; - case 'I' : identity = 1 ; break ; case 'i' : rules = l.arg ; rulestype = 1 ; break ; case 'x' : rules = l.arg ; rulestype = 2 ; break ; default : dieusage() ; @@ -162,7 +160,6 @@ int main (int argc, char const *const *argv, char const *const *envp) if (!gid0_scan(x, &gid)) strerr_dieinvalid(100, tmp) ; } - if (identity && uid == geteuid() && gid == getegid()) goto accepted ; if (check(¶ms, rules, rulestype, uid, gid)) goto accepted ; if (verbosity >= 2) log_deny(getpid(), uid, gid) ; diff --git a/src/libs6/s6_accessrules_keycheck_uidgid.c b/src/libs6/s6_accessrules_keycheck_uidgid.c index 61a6229..573382c 100644 --- a/src/libs6/s6_accessrules_keycheck_uidgid.c +++ b/src/libs6/s6_accessrules_keycheck_uidgid.c 
@@ -1,16 +1,30 @@
 /* ISC license. */
+#include
+
 #include
 #include
 #include
 s6_accessrules_result_t s6_accessrules_keycheck_uidgid (void const *key, void *data, s6_accessrules_params_t *params, s6_accessrules_backend_func_t_ref check1)
 {
+ uidgid_t const *uidgid = key ;
 char fmt[4 + UINT64_FMT] = "uid/" ;
- s6_accessrules_result_t r = (*check1)(fmt, 4 + uid_fmt(fmt+4, ((uidgid_t const *)key)->left), data, params) ;
+ s6_accessrules_result_t r ;
+ if (uidgid->left == geteuid())
+ {
+ r = (*check1)("uid/self", 8, data, params) ;
+ if (r != S6_ACCESSRULES_NOTFOUND) return r ;
+ }
+ r = (*check1)(fmt, 4 + uid_fmt(fmt+4, uidgid->left), data, params) ;
 if (r != S6_ACCESSRULES_NOTFOUND) return r ;
+ if (uidgid->right == getegid())
+ {
+ r = (*check1)("gid/self", 8, data, params) ;
+ if (r != S6_ACCESSRULES_NOTFOUND) return r ;
+ }
 fmt[0] = 'g' ;
- r = (*check1)(fmt, 4 + gid_fmt(fmt+4, ((uidgid_t const *)key)->right), data, params) ;
- return (r != S6_ACCESSRULES_NOTFOUND) ? r :
- (*check1)("uid/default", 11, data, params) ;
+ r = (*check1)(fmt, 4 + gid_fmt(fmt+4, uidgid->right), data, params) ;
+ if (r != S6_ACCESSRULES_NOTFOUND) return r ;
+ return (*check1)("uid/default", 11, data, params) ;
 }
-- cgit v1.2.3
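Review bot: `uid/self` is looked up before the numeric `uid/<n>` key, so once a ruleset contains `uid/self` it overrides any explicit rule (including a deny) for the uid the server happens to run as, and nothing in the function itself says so. "Self" here is whatever `geteuid()`/`getegid()` return in the process calling the check at that moment, which is a new implicit input to a library function that previously depended only on its arguments, and the gid comparison only sees the single gid carried in `key`. I would add a header comment above the function stating the lookup order (uid/self, uid/<n>, gid/self, gid/<n>, uid/default, first match wins) and that self means the caller's effective ids at call time. The `-I` shortcut removed from s6-ipcserver-access.c required both uid and gid to match, whereas a `uid/self` allow matches on uid alone, so it is not a drop-in equivalent for existing `-I` users. As a minor style point, the literal lengths `8` and `11` could be written as `sizeof("uid/self") - 1` and so on, to keep them tied to the strings.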