Change behavior of "id" configuration directive.

Jordan Bancino 2022-11-08 17:53:01 +00:00
parent efbbf42a6e
commit 8e71cc833c
4 changed files with 79 additions and 50 deletions


@ -5,9 +5,6 @@
server-name "localhost";
base-url "http://localhost:8008";
# Replace this with your UNIX username
id "jordan";
# Make this directory if Telodendria complains that it's missing.
data-dir "./data";


@ -18,10 +18,12 @@ server-name "example.com";
base-url "https://matrix.example.com";
identity-server "https://identity.example.com";
id "_telodendria" "_telodendria";
id "_telodendria";
data-dir "/var/telodendria";
federation "true";
registration "false";
log "file" {
level "warning";
timestampFormat "default";


@ -346,22 +346,6 @@ main(int argc, char **argv)
Log(lc, LOG_DEBUG, "Flags: %x", tConfig->flags);
LogConfigUnindent(lc);
Log(lc, LOG_DEBUG, "Running as uid:gid: %d:%d.", getuid(), getgid());
userInfo = getpwnam(tConfig->uid);
groupInfo = getgrnam(tConfig->gid);
if (!userInfo || !groupInfo)
{
Log(lc, LOG_ERROR, "Unable to locate the user/group specified in the configuration.");
exit = EXIT_FAILURE;
goto finish;
}
else
{
Log(lc, LOG_DEBUG, "Found user/group information using getpwnam() and getgrnam().");
}
/* Arguments to pass into the HTTP handler */
matrixArgs.lc = lc;
matrixArgs.config = tConfig;
@ -377,9 +361,31 @@ main(int argc, char **argv)
goto finish;
}
Log(lc, LOG_DEBUG, "Running as uid:gid: %d:%d.", getuid(), getgid());
if (tConfig->uid && tConfig->gid)
{
userInfo = getpwnam(tConfig->uid);
groupInfo = getgrnam(tConfig->gid);
if (!userInfo || !groupInfo)
{
Log(lc, LOG_ERROR, "Unable to locate the user/group specified in the configuration.");
exit = EXIT_FAILURE;
goto finish;
}
else
{
Log(lc, LOG_DEBUG, "Found user/group information using getpwnam() and getgrnam().");
}
}
else
{
Log(lc, LOG_DEBUG, "No user/group info specified in the config.");
}
if (getuid() == 0)
{
#ifndef __OpenBSD__
if (chroot(".") == 0)
{
Log(lc, LOG_DEBUG, "Changed the root directory to: %s.", tConfig->dataDir);
@ -388,30 +394,41 @@ main(int argc, char **argv)
{
Log(lc, LOG_WARNING, "Unable to chroot into directory: %s.", tConfig->dataDir);
}
#else
Log(lc, LOG_DEBUG, "Not attempting chroot() after pledge() and unveil().");
#endif
if (setgid(groupInfo->gr_gid) != 0 || setuid(userInfo->pw_uid) != 0)
if (tConfig->uid && tConfig->gid)
{
Log(lc, LOG_WARNING, "Unable to set process uid/gid.");
if (setgid(groupInfo->gr_gid) != 0 || setuid(userInfo->pw_uid) != 0)
{
Log(lc, LOG_ERROR, "Unable to set process uid/gid.");
exit = EXIT_FAILURE;
goto finish;
}
else
{
Log(lc, LOG_DEBUG, "Set uid/gid to %s:%s.", tConfig->uid, tConfig->gid);
}
}
else
{
Log(lc, LOG_DEBUG, "Set uid/gid to %s:%s.", tConfig->uid, tConfig->gid);
Log(lc, LOG_WARNING, "We are running as root, and we are not dropping to another user");
Log(lc, LOG_WARNING, "because none was specified in the configuration file.");
Log(lc, LOG_WARNING, "This is probably a security issue.");
}
}
else
{
Log(lc, LOG_DEBUG, "Not changing root directory, because we are not root.");
Log(lc, LOG_WARNING, "Not setting root directory, because we are not root.");
if (getuid() != userInfo->pw_uid || getgid() != groupInfo->gr_gid)
if (tConfig->uid && tConfig->gid)
{
Log(lc, LOG_WARNING, "Not running as the uid/gid specified in the configuration.");
}
else
{
Log(lc, LOG_DEBUG, "Running as the uid/gid specified in the configuration.");
if (getuid() != userInfo->pw_uid || getgid() != groupInfo->gr_gid)
{
Log(lc, LOG_WARNING, "Not running as the uid/gid specified in the configuration.");
}
else
{
Log(lc, LOG_DEBUG, "Running as the uid/gid specified in the configuration.");
}
}
}
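Review bot: The privilege drop at `setgid(groupInfo->gr_gid) != 0 || setuid(userInfo->pw_uid) != 0` leaves root's supplementary groups in place, since no `setgroups()` or `initgroups()` call is visible in these hunks before it. The process would keep root's group access after switching to the configured user, so I would clear the list first, e.g. `if (setgroups(1, &groupInfo->gr_gid) != 0 || setgid(groupInfo->gr_gid) != 0 || setuid(userInfo->pw_uid) != 0)`. Separately, the new branch for root with no `id` configured only logs three warnings and keeps serving as root; failing startup there, or requiring an explicit opt-in, would be the safer default. main() starts and ends outside these hunks, so an earlier group drop may exist that I cannot see.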


@ -157,24 +157,37 @@ TelodendriaConfigParse(HashMap * config, LogConfig * lc)
tConfig->identityServer = NULL;
}
GET_DIRECTIVE("id");
ASSERT_NO_CHILDREN("id");
COPY_VALUE(tConfig->uid, 0);
directive = (ConfigDirective *) HashMapGet(config, "id");
children = ConfigChildrenGet(directive);
value = ConfigValuesGet(directive);
switch (ArraySize(value))
ASSERT_NO_CHILDREN("id");
if (directive)
{
case 1:
Log(lc, LOG_WARNING, "No run group specified; assuming it's the same as the user.");
tConfig->gid = UtilStringDuplicate(tConfig->uid);
break;
case 2:
COPY_VALUE(tConfig->gid, 1);
break;
default:
Log(lc, LOG_ERROR,
"Wrong value count in directive 'id': got '%d', but expected 1 or 2.",
ArraySize(value));
goto error;
switch (ArraySize(value))
{
case 1:
Log(lc, LOG_WARNING, "No run group specified; assuming it's the same as the user.");
COPY_VALUE(tConfig->uid, 0);
tConfig->gid = UtilStringDuplicate(tConfig->uid);
break;
case 2:
COPY_VALUE(tConfig->uid, 0);
COPY_VALUE(tConfig->gid, 1);
break;
default:
Log(lc, LOG_ERROR,
"Wrong value count in directive 'id': got '%d', but expected 1 or 2.",
ArraySize(value));
goto error;
}
}
else
{
tConfig->uid = NULL;
tConfig->gid = NULL;
}
GET_DIRECTIVE("data-dir");
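Review bot: As rendered, `ConfigChildrenGet(directive)` and `ConfigValuesGet(directive)` run before the new `if (directive)` test, so when `id` is absent both receive the NULL returned by `HashMapGet()`; whether they tolerate that is not visible here. Moving the two calls and `ASSERT_NO_CHILDREN("id");` inside the `if (directive)` block would make the optional case independent of that. The result of `UtilStringDuplicate(tConfig->uid)` in `case 1` is also unchecked: if it can return NULL, main()'s `if (tConfig->uid && tConfig->gid)` would treat the directive as unset and, when started as root, skip the uid/gid drop with only a warning, so I would add `if (!tConfig->gid) goto error;` after the duplicate. TelodendriaConfigParse() starts and ends outside the hunk.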