Change behavior of "id" configuration directive.

Jordan Bancino 2022-11-08 17:53:01 +00:00
parent efbbf42a6e
commit 8e71cc833c
4 changed files with 79 additions and 50 deletions


@ -5,9 +5,6 @@
server-name "localhost"; server-name "localhost";
base-url "http://localhost:8008"; base-url "http://localhost:8008";
# Replace this with your UNIX username
id "jordan";
# Make this directory if Telodendria complains that it's missing. # Make this directory if Telodendria complains that it's missing.
data-dir "./data"; data-dir "./data";


@ -18,10 +18,12 @@ server-name "example.com";
base-url "https://matrix.example.com"; base-url "https://matrix.example.com";
identity-server "https://identity.example.com"; identity-server "https://identity.example.com";
id "_telodendria" "_telodendria"; id "_telodendria";
data-dir "/var/telodendria"; data-dir "/var/telodendria";
federation "true"; federation "true";
registration "false"; registration "false";
log "file" { log "file" {
level "warning"; level "warning";
timestampFormat "default"; timestampFormat "default";


@ -346,22 +346,6 @@ main(int argc, char **argv)
Log(lc, LOG_DEBUG, "Flags: %x", tConfig->flags); Log(lc, LOG_DEBUG, "Flags: %x", tConfig->flags);
LogConfigUnindent(lc); LogConfigUnindent(lc);
Log(lc, LOG_DEBUG, "Running as uid:gid: %d:%d.", getuid(), getgid());
userInfo = getpwnam(tConfig->uid);
groupInfo = getgrnam(tConfig->gid);
if (!userInfo || !groupInfo)
{
Log(lc, LOG_ERROR, "Unable to locate the user/group specified in the configuration.");
exit = EXIT_FAILURE;
goto finish;
}
else
{
Log(lc, LOG_DEBUG, "Found user/group information using getpwnam() and getgrnam().");
}
/* Arguments to pass into the HTTP handler */ /* Arguments to pass into the HTTP handler */
matrixArgs.lc = lc; matrixArgs.lc = lc;
matrixArgs.config = tConfig; matrixArgs.config = tConfig;
@ -377,9 +361,31 @@ main(int argc, char **argv)
goto finish; goto finish;
} }
Log(lc, LOG_DEBUG, "Running as uid:gid: %d:%d.", getuid(), getgid());
if (tConfig->uid && tConfig->gid)
{
userInfo = getpwnam(tConfig->uid);
groupInfo = getgrnam(tConfig->gid);
if (!userInfo || !groupInfo)
{
Log(lc, LOG_ERROR, "Unable to locate the user/group specified in the configuration.");
exit = EXIT_FAILURE;
goto finish;
}
else
{
Log(lc, LOG_DEBUG, "Found user/group information using getpwnam() and getgrnam().");
}
}
else
{
Log(lc, LOG_DEBUG, "No user/group info specified in the config.");
}
if (getuid() == 0) if (getuid() == 0)
{ {
#ifndef __OpenBSD__
if (chroot(".") == 0) if (chroot(".") == 0)
{ {
Log(lc, LOG_DEBUG, "Changed the root directory to: %s.", tConfig->dataDir); Log(lc, LOG_DEBUG, "Changed the root directory to: %s.", tConfig->dataDir);
@ -388,30 +394,41 @@ main(int argc, char **argv)
{ {
Log(lc, LOG_WARNING, "Unable to chroot into directory: %s.", tConfig->dataDir); Log(lc, LOG_WARNING, "Unable to chroot into directory: %s.", tConfig->dataDir);
} }
#else
Log(lc, LOG_DEBUG, "Not attempting chroot() after pledge() and unveil().");
#endif
if (setgid(groupInfo->gr_gid) != 0 || setuid(userInfo->pw_uid) != 0) if (tConfig->uid && tConfig->gid)
{ {
Log(lc, LOG_WARNING, "Unable to set process uid/gid."); if (setgid(groupInfo->gr_gid) != 0 || setuid(userInfo->pw_uid) != 0)
{
Log(lc, LOG_ERROR, "Unable to set process uid/gid.");
exit = EXIT_FAILURE;
goto finish;
}
else
{
Log(lc, LOG_DEBUG, "Set uid/gid to %s:%s.", tConfig->uid, tConfig->gid);
}
} }
else else
{ {
Log(lc, LOG_DEBUG, "Set uid/gid to %s:%s.", tConfig->uid, tConfig->gid); Log(lc, LOG_WARNING, "We are running as root, and we are not dropping to another user");
Log(lc, LOG_WARNING, "because none was specified in the configuration file.");
Log(lc, LOG_WARNING, "This is probably a security issue.");
} }
} }
else else
{ {
Log(lc, LOG_DEBUG, "Not changing root directory, because we are not root."); Log(lc, LOG_WARNING, "Not setting root directory, because we are not root.");
if (getuid() != userInfo->pw_uid || getgid() != groupInfo->gr_gid) if (tConfig->uid && tConfig->gid)
{ {
Log(lc, LOG_WARNING, "Not running as the uid/gid specified in the configuration."); if (getuid() != userInfo->pw_uid || getgid() != groupInfo->gr_gid)
} {
else Log(lc, LOG_WARNING, "Not running as the uid/gid specified in the configuration.");
{ }
Log(lc, LOG_DEBUG, "Running as the uid/gid specified in the configuration."); else
{
Log(lc, LOG_DEBUG, "Running as the uid/gid specified in the configuration.");
}
} }
} }
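Review bot: The privilege drop in the `getuid() == 0` branch goes from `chroot(".")` to `setgid(groupInfo->gr_gid)` and `setuid(userInfo->pw_uid)`, and nothing in the visible lines resets the supplementary group list, so the process would keep whatever supplementary groups it was started with after the drop. Consider calling `setgroups(1, &groupInfo->gr_gid)` before `setgid()` and handling its failure like the other two calls (log at `LOG_ERROR`, `exit = EXIT_FAILURE`, `goto finish`). The new else branch also lets a root process continue with only three warnings when no `id` is configured; since the message itself calls this a probable security issue, refusing to start there would be the safer default. `main` begins and ends outside these hunks, so an earlier reset of the group list cannot be ruled out from here.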


@ -157,24 +157,37 @@ TelodendriaConfigParse(HashMap * config, LogConfig * lc)
tConfig->identityServer = NULL; tConfig->identityServer = NULL;
} }
GET_DIRECTIVE("id"); directive = (ConfigDirective *) HashMapGet(config, "id");
ASSERT_NO_CHILDREN("id"); children = ConfigChildrenGet(directive);
COPY_VALUE(tConfig->uid, 0); value = ConfigValuesGet(directive);
switch (ArraySize(value)) ASSERT_NO_CHILDREN("id");
if (directive)
{ {
case 1:
Log(lc, LOG_WARNING, "No run group specified; assuming it's the same as the user."); switch (ArraySize(value))
tConfig->gid = UtilStringDuplicate(tConfig->uid); {
break; case 1:
case 2: Log(lc, LOG_WARNING, "No run group specified; assuming it's the same as the user.");
COPY_VALUE(tConfig->gid, 1); COPY_VALUE(tConfig->uid, 0);
break; tConfig->gid = UtilStringDuplicate(tConfig->uid);
default: break;
Log(lc, LOG_ERROR, case 2:
"Wrong value count in directive 'id': got '%d', but expected 1 or 2.", COPY_VALUE(tConfig->uid, 0);
ArraySize(value)); COPY_VALUE(tConfig->gid, 1);
goto error; break;
default:
Log(lc, LOG_ERROR,
"Wrong value count in directive 'id': got '%d', but expected 1 or 2.",
ArraySize(value));
goto error;
}
}
else
{
tConfig->uid = NULL;
tConfig->gid = NULL;
} }
GET_DIRECTIVE("data-dir"); GET_DIRECTIVE("data-dir");
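Review bot: `ConfigChildrenGet(directive)`, `ConfigValuesGet(directive)` and `ASSERT_NO_CHILDREN("id")` appear to run before the new `if (directive)` check, so when `id` is omitted (the case this change enables) they are handed a NULL directive. Whether those helpers and the macro tolerate NULL is not visible here; if they do not, an absent `id` would crash or be rejected instead of reaching the `else` that sets `tConfig->uid = NULL`. Moving the three statements inside the `if (directive)` block removes the dependency on that behaviour. In `case 1`, the result of `UtilStringDuplicate(tConfig->uid)` is stored unchecked; assuming it returns NULL on allocation failure, `gid` would be NULL and the `tConfig->uid && tConfig->gid` test in `main` would skip the privilege drop with only a warning. `TelodendriaConfigParse` starts and ends outside this hunk.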