trackrdrd: added privilege separation

c284bab7 · Geoff Simmons · 9182a09b · c284bab7 · c284bab7 · c284bab7
Commit c284bab7 authored Nov 27, 2012 by Geoff Simmons
7 changed files
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -16,7 +16,8 @@ trackrdrd_SOURCES = \
 	activemq/amq.h \
 	activemq/amq.cpp \
 	spmcq.c \
-	worker.c
+	worker.c \
+	sandbox.c

 trackrdrd_LDADD = \
 	$(VARNISHSRC)/lib/libvarnishcompat/libvarnishcompat.la \

--- a/src/config.c
+++ b/src/config.c
@@ -38,10 +38,14 @@
 #include <stdlib.h>
 #include <limits.h>
 #include <math.h>
+#include <unistd.h>
+#include <pwd.h>

 #include "trackrdrd.h"
 #include "libvarnish.h"

+#define DEFAULT_USER "nobody"
+
 static const int facilitynum[8] =
    { LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5,
      LOG_LOCAL6, LOG_LOCAL7 };
@@ -136,6 +140,18 @@ CONF_Add(const char *lval, const char *rval)
        return(0);
    }

+    if (strcmp(lval, "user") == 0) {
+        struct passwd *pw;
+        
+        pw = getpwnam(rval);
+        if (pw == NULL)
+            return(EINVAL);
+        strcpy(config.user_name, pw->pw_name);
+        config.uid = pw->pw_uid;
+        config.gid = pw->pw_gid;
+        return(0);
+    }
+
    return EINVAL;
 }

@@ -166,6 +182,8 @@ conf_ParseLine(char *ptr, char **lval, char **rval)
 void
 CONF_Init(void)
 {
+    struct passwd *pw;
+
    strcpy(config.pid_file, "/var/run/trackrdrd.pid");
    config.varnish_name[0] = '\0';
    config.log_file[0] = '\0';
@@ -179,6 +197,14 @@ CONF_Init(void)
    config.mq_qname[0] = '\0';
    config.nworkers = 1;
    config.restarts = 1;
+    
+    pw = getpwnam(DEFAULT_USER);
+    if (pw == NULL)
+        pw = getpwuid(getuid());
+    AN(pw);
+    strcpy(config.user_name, pw->pw_name);
+    config.uid = pw->pw_uid;
+    config.gid = pw->pw_gid;
 }

 int
@@ -251,4 +277,5 @@ CONF_Dump(void)
    confdump("mq.qname = %s", config.mq_qname);
    confdump("nworkers = %d", config.nworkers);
    confdump("restarts = %d", config.restarts);
+    confdump("user = %s", config.user_name);
 }
--- a/src/sandbox.c
+++ b/src/sandbox.c
+/*-
+ * Copyright (c) 2012 UPLEX Nils Goroll Systemoptimierung
+ * Copyright (c) 2012 Otto Gmbh & Co KG
+ * All rights reserved
+ * Use only with permission
+ *
+ * Author: Geoffrey Simmons <geoffrey.simmons@uplex.de>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#include <syslog.h>
+#include <unistd.h>
+
+#ifdef __linux__
+#include <sys/prctl.h>
+#endif
+
+#include "vas.h"
+
+#include "trackrdrd.h"
+
+/*--------------------------------------------------------------------*/
+
+/* cf. varnish mgt_sandbox       */
+/* XXX: currently only for Linux */
+
+void
+PRIV_Sandbox(void)
+{
+    if (geteuid() == 0) {
+        XXXAZ(setgid(config.gid));
+        XXXAZ(setuid(config.uid));
+    }
+    else
+        LOG_Log0(LOG_INFO, "Not running as root, no privilege separation");
+
+#ifdef __linux__
+    if (prctl(PR_SET_DUMPABLE, 1) != 0)
+        LOG_Log0(LOG_INFO, "Could not set dumpable bit, core dumps turned off");
+#endif
+}
--- a/src/test/regress.sh
+++ b/src/test/regress.sh
@@ -15,9 +15,12 @@ echo
 echo "TEST: $0"
 echo "... testing log output at debug level against a known checksum"
 CMD="../trackrdrd -D -f varnish.binlog -l - -d -c test.conf"
-# grep out the "initializing" line, which includes the version/revision
-CKSUM=$( $CMD | grep -v initializing | cksum)
-if [ "$CKSUM" != '3698127258 229202' ]; then
+
+# the first sed removes the version/revision from the "initializing" line
+# the second sed removes the user under which the child process runs
+CKSUM=$( $CMD | sed -e 's/\(initializing\) \(.*\)/\1/' | sed -e 's/\(, running as\) \(.*\)/\1/' | cksum)
+
+if [ "$CKSUM" != '646018814 229297' ]; then
    echo "ERROR: Regression test incorrect cksum: $CKSUM"
    exit 1
 fi

--- a/src/test/test.conf
+++ b/src/test/test.conf
 # Test configuration for the varnish log tracking reader
 log.file = /tmp/trackrdrd.log
 pid.file = /tmp/trackrdrd.pid
-processor.log = /tmp/rdrproc.log
 maxdata.scale = 2
 maxopen.scale = 1
+monitor.interval = 0
+nworkers = 0
--- a/src/trackrdrd.c
+++ b/src/trackrdrd.c
@@ -49,6 +49,7 @@
 #include <stdarg.h>
 #include <sys/wait.h>
 #include <sys/types.h>
+#include <pwd.h>

 #ifndef HAVE_EXECINFO_H
 #include "compat/execinfo.h"
@@ -425,13 +426,16 @@ vsl_diag(void *priv, const char *fmt, ...)
 static void
 child_main(struct VSM_data *vd, int endless)
 {
-    /* XXX: privilege separation */
-    
    int errnum;
    const char *errmsg;
    pthread_t monitor;
+    struct passwd *pw;

-    LOG_Log0(LOG_INFO, "Worker process starting");
+    PRIV_Sandbox();
+    pw = getpwuid(geteuid());
+    AN(pw);
+    
+    LOG_Log(LOG_INFO, "Worker process starting, running as %s", pw->pw_name);

    /* install signal handlers */
 #define CHILD(SIG,disp) SIGDISP(SIG,disp)
@@ -529,6 +533,8 @@ main(int argc, char * const *argv)
 	vd = VSM_New();
 	VSL_Setup(vd);

+        CONF_Init();
+
        if (access(DEFAULT_CONFIG, F_OK) == 0) {
            if (access(DEFAULT_CONFIG, R_OK) != 0) {
                perror(DEFAULT_CONFIG);

--- a/src/trackrdrd.h
+++ b/src/trackrdrd.h
@@ -32,9 +32,14 @@
 #include <stdio.h>
 #include <stdbool.h>
 #include <pthread.h>
+#include <sys/types.h>

 #define MIN_TABLE_SCALE 10

+/* sandbox.c */
+
+void PRIV_Sandbox(void);
+
 /* worker.c */

 /**
@@ -151,6 +156,9 @@ struct config {
    char	mq_qname[BUFSIZ];
    unsigned	nworkers;
    unsigned	restarts;
+    char	user_name[BUFSIZ];
+    uid_t	uid;
+    gid_t	gid;
 } config;

 void CONF_Init(void);