From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <ar@cs.msu.ru>
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
sa.local.altlinux.org
X-Spam-Level:
X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,RP_MATCHES_RCVD autolearn=ham autolearn_force=no
version=3.4.1
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cs.msu.ru;
s=dkim;
h=Subject:In-Reply-To:Content-Type:MIME-Version:References:Message-ID
:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
List-Post:List-Owner:List-Archive;
bh=RymGYlbiddcC4sfSE9PgcdTTGrVt1I/dy3FI4gfYTfM=; b=T3zr537Mb5ks3jrxHHzRZvRYqf
pVvcygTaBCn5QrWSVt3k4IjNUU8cb0t58kBKHCLw/23nYqoJDWQl0jO/aVwD2Qt20/wsw4yPxsVdD
JLr62YZ2VjIs8LvUAN2EvlsDSt+aHQOM6x9nlowf+yDdyvtPfNFBAfaXX0W/TjDAd40lIL9Oi6mkA
dRWrxdWWfpHjc13Gz5oTunMVQrBXVB8REUUorTRomM7UtmNDHixLXS4RAlqnP+fNYx8TiGSATG1t9
AlevCFrD0eN6ExC7tQpiVh2tV5vRDoHjbvswqm+iEuKS4xkKW8KzcmD9Y+JtGosJP5MYKszrm7DDT
qz3m8Qrg==;
Date: Thu, 17 Sep 2020 16:11:56 +0300
From: Arseny Maslennikov <ar@cs.msu.ru>
To: Alex Gladkov <legion@altlinux.ru>, devel@lists.altlinux.org
Message-ID: <20200917131156.GH286846@cello>
References: <cover.1576183643.git.legion@altlinux.org>
<9bca7626b593f896de4283cba2d6290ec99eb4f2.1576183643.git.legion@altlinux.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature"; boundary="6cMF9JLEeZkfJjkP"
Content-Disposition: inline
In-Reply-To: <9bca7626b593f896de4283cba2d6290ec99eb4f2.1576183643.git.legion@altlinux.org>
OpenPGP: url=http://grep.cs.msu.ru/~ar/pgp-key.asc
X-SA-Exim-Connect-IP: 10.7.5.179
X-SA-Exim-Mail-From: ar@cs.msu.ru
X-SA-Exim-Version: 4.2.1
X-SA-Exim-Scanned: Yes (on mail.cs.msu.ru)
Cc: ldv@altlinux.org
Subject: Re: [devel] [PATCH hasher-priv v1 1/3] config.c
X-BeenThere: devel@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux Team development discussions <devel@lists.altlinux.org>
List-Id: ALT Linux Team development discussions <devel.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/devel>,
<mailto:devel-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/devel>
List-Post: <mailto:devel@lists.altlinux.org>
List-Help: <mailto:devel-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/devel>,
<mailto:devel-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 13:12:00 -0000
Archived-At: <http://lore.altlinux.org/devel/20200917131156.GH286846@cello/>
List-Archive: <http://lore.altlinux.org/devel/>
List-Post: <mailto:devel@altlinux.org>
--6cMF9JLEeZkfJjkP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
On Fri, Dec 13, 2019 at 12:42:03PM +0100, Alex Gladkov wrote:
> diff --git a/hasher-priv/config.c b/hasher-priv/config.c
> index e3fedcd..6b6bdb1 100644
> --- a/hasher-priv/config.c
> +++ b/hasher-priv/config.c
> @@ -1,6 +1,7 @@
>
> /*
> Copyright (C) 2003-2019 Dmitry V. Levin <ldv@altlinux.org>
> + Copyright (C) 2019 Alexey Gladkov <legion@altlinux.org>
>
> Configuration support module for the hasher-priv program.
>
> @@ -19,13 +20,17 @@
> #include <unistd.h>
> #include <limits.h>
> #include <pwd.h>
> +#include <grp.h>
>
> #include "priv.h"
> #include "xmalloc.h"
> +#include "logging.h"
>
> const char *const *chroot_prefix_list;
> const char *chroot_prefix_path;
> const char *change_user1, *change_user2;
> +char *server_control_group = NULL;
> +char *server_pidfile = NULL;
> const char *term;
> const char *x11_display, *x11_key;
> str_list_t allowed_devices;
> @@ -33,6 +38,8 @@ str_list_t allowed_mountpoints;
> str_list_t requested_mountpoints;
> uid_t change_uid1, change_uid2;
> gid_t change_gid1, change_gid2;
> +gid_t server_gid;
> +unsigned long server_session_timeout = 0;
> mode_t change_umask = 022;
> int change_nice = 8;
> int makedev_console;
> @@ -42,6 +49,7 @@ int share_caller_network = 0;
> int share_ipc = -1;
> int share_network = -1;
> int share_uts = -1;
> +int server_log_priority = -1;
> change_rlimit_t change_rlimit[] = {
>
> /* Per-process CPU limit, in seconds. */
> @@ -209,7 +217,7 @@ parse_rlim(const char *name, const char *value, const char *optname,
> }
>
> static unsigned long
> -str2wlim(const char *name, const char *value, const char *filename)
> +str2ul(const char *name, const char *value, const char *filename)
> {
> char *p = 0;
> unsigned long long n;
> @@ -229,7 +237,7 @@ static void
> modify_wlim(unsigned long *pval, const char *value,
> const char *optname, const char *filename, int is_system)
> {
> - unsigned long val = str2wlim(optname, value, filename);
> + unsigned long val = str2ul(optname, value, filename);
>
> if (is_system || *pval == 0 || (val > 0 && val < *pval))
> *pval = val;
> @@ -633,3 +641,134 @@ parse_env(void)
> if ((e = getenv("requested_mountpoints")))
> parse_str_list(e, &requested_mountpoints);
> }
> +
> +static void
> +check_server_control_group(void)
Bad (IOW, unlucky) naming; especially since in a later patch
hasher-privd deals with cgroups.
Is this related to the socket inode's gid in /run?
> +{
> + struct group *gr;
> +
> + if (!server_control_group || !*server_control_group)
> + error(EXIT_FAILURE, 0, "config: undefined: control_group");
> +
> + gr = getgrnam(server_control_group);
> +
> + if (!gr || !gr->gr_name)
> + error(EXIT_FAILURE, 0, "config: control_group: %s lookup failure", server_control_group);
> +
> + server_gid = gr->gr_gid;
> +}
> +
> +static void
> +set_server_config(const char *name, const char *value, const char *filename)
> +{
> + if (!strcasecmp("priority", name)) {
> + server_log_priority = logging_level(value);
> + } else if (!strcasecmp("session_timeout", name)) {
> + server_session_timeout = str2ul(name, value, filename);
> + } else if (!strcasecmp("pidfile", name)) {
> + free(server_pidfile);
> + server_pidfile = xstrdup(value);
> + } else if (!strcasecmp("control_group", name)) {
> + free(server_control_group);
> + server_control_group = xstrdup(value);
> + } else {
> + bad_option_name(name, filename);
> + }
> +}
> +
> +static void
> +read_server_config(int fd, const char *name)
> +{
> + FILE *fp = fdopen(fd, "r");
> + char buf[BUFSIZ];
> + unsigned line;
> +
> + if (!fp)
> + error(EXIT_FAILURE, errno, "fdopen: %s", name);
> +
> + for (line = 1; fgets(buf, BUFSIZ, fp); ++line) {
> + const char *start, *left;
> + char *eq, *right, *end;
> +
> + for (start = buf; *start && isspace(*start); ++start)
> + ;
> +
> + if (!*start || '#' == *start)
> + continue;
> +
> + if (!(eq = strchr(start, '=')))
> + error(EXIT_FAILURE, 0, "%s: syntax error at line %u",
> + name, line);
> +
> + left = start;
> + right = eq + 1;
> +
> + for (; eq > left; --eq)
> + if (!isspace(eq[-1]))
> + break;
> +
> + if (left == eq)
> + error(EXIT_FAILURE, 0, "%s: syntax error at line %u",
> + name, line);
> +
> + *eq = '\0';
> + end = right + strlen(right);
> +
> + for (; right < end; ++right)
> + if (!isspace(*right))
> + break;
> +
> + for (; end > right; --end)
> + if (!isspace(end[-1]))
> + break;
> +
> + *end = '\0';
> + set_server_config(left, right, name);
> + }
> +
> + if (ferror(fp))
> + error(EXIT_FAILURE, errno, "fgets: %s", name);
> +
> + if (fclose(fp))
> + error(EXIT_FAILURE, errno, "fclose: %s", name);
> +}
> +
> +static void
> +load_server_config(const char *name)
> +{
> + struct stat st;
> + int fd = open(name, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
> +
> + if (fd < 0)
> + error(EXIT_FAILURE, errno, "open: %s", name);
> +
> + if (fstat(fd, &st) < 0)
> + error(EXIT_FAILURE, errno, "fstat: %s", name);
> +
> + stat_root_ok_validator(&st, name);
> +
> + if (!S_ISREG(st.st_mode))
> + error(EXIT_FAILURE, 0, "%s: not a regular file", name);
> +
> + if (st.st_size > MAX_CONFIG_SIZE)
> + error(EXIT_FAILURE, 0, "%s: file too large: %lu",
> + name, (unsigned long) st.st_size);
> +
> + read_server_config(fd, name);
> +}
> +
> +void
> +configure_server(void)
> +{
> + safe_chdir("/", stat_root_ok_validator);
> + safe_chdir("etc/hasher-priv", stat_root_ok_validator);
> + load_server_config("server");
> + check_server_control_group();
> +}
> +
> +void
> +free_server_configuration(void)
> +{
> + free(server_pidfile);
> + free(server_control_group);
> +}
--6cMF9JLEeZkfJjkP
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE56JD3UKTLEu/ddrm9dQjyAYL01AFAl9jYJwACgkQ9dQjyAYL
01DVPg/+NKu74Q8TgNhzy4phiIPKmdzhLmGLJgUiSI+3IJscFY9XRKM+UTXFfkkC
ayU0QzHeFq1qArmV2jTGNvXN/9ny08pTn/YjmR6vEcHHzSPna2xBbakGO7bgB9/c
rfZ1lh6W0e9uFyE9woD9WjpyPB7cfXcRtvEpMPAzTp/Wb0nahDyRDgMj/zJ379oE
T7qRfO+v4AAd1k+2HPwOHJHMZpggemDVHYyIBzIizhR9f1XTsHDYtIBpSZpwhOha
JgH+mq6N4RyKNMWSpxlU6BmUscjIVwkOa8wHm4dm6DnniVDq4MN3ZdPAg1gDkFIi
gPfBGe8sV4NTBzbo5dVvyevBqWINIoYCrYfEynGj37D4gZqMKjX15qBdLInzbRMH
OkwIdLmR0yZQdPLNZT3+lTfwyI0SWWIElJdZBxUjENFaF07psv7kqqvj27xgstCc
02BfKxWSnzoIeO3MUzjNM5PYgzp+qeov0gRfVTqMTZapMB8H4t2v5hBjqh8MVfo9
W3bLvl1M+PcklO04711wxQXxaL3mdKkF6h43QnhRzW22swrG1jSk4HgyFsyMm/s/
RybaUXxfMbmmXqx0gw8M+GY2sNDntnztH/abrKxwohqQd8CRtcNOwr2FSdNrp6OR
RUK7hQwnogq3OBEXWqTrd4EJzJ3qj+JE5HMewZmdOW536F4ni2s=
=cOK/
-----END PGP SIGNATURE-----
--6cMF9JLEeZkfJjkP--