From 8e71cc833cc828a28ea281e6c3eefc061ca13195 Mon Sep 17 00:00:00 2001 From: Jordan Bancino Date: Tue, 8 Nov 2022 17:53:01 +0000 Subject: [PATCH] Change behavior of "id" configuration directive. --- contrib/development.conf | 3 -- contrib/production.conf | 4 ++- src/Telodendria.c | 77 ++++++++++++++++++++++++---------------- src/TelodendriaConfig.c | 45 ++++++++++++++--------- 4 files changed, 79 insertions(+), 50 deletions(-) diff --git a/contrib/development.conf b/contrib/development.conf index 1910b66..b957131 100644 --- a/contrib/development.conf +++ b/contrib/development.conf @@ -5,9 +5,6 @@ server-name "localhost"; base-url "http://localhost:8008"; -# Replace this with your UNIX username -id "jordan"; - # Make this directory if Telodendria complains that it's missing. data-dir "./data"; diff --git a/contrib/production.conf b/contrib/production.conf index 6eadb61..5aec0d9 100644 --- a/contrib/production.conf +++ b/contrib/production.conf @@ -18,10 +18,12 @@ server-name "example.com"; base-url "https://matrix.example.com"; identity-server "https://identity.example.com"; -id "_telodendria" "_telodendria"; +id "_telodendria"; data-dir "/var/telodendria"; + federation "true"; registration "false"; + log "file" { level "warning"; timestampFormat "default"; diff --git a/src/Telodendria.c b/src/Telodendria.c index e489ac0..5907e6e 100644 --- a/src/Telodendria.c +++ b/src/Telodendria.c @@ -346,22 +346,6 @@ main(int argc, char **argv) Log(lc, LOG_DEBUG, "Flags: %x", tConfig->flags); LogConfigUnindent(lc); - Log(lc, LOG_DEBUG, "Running as uid:gid: %d:%d.", getuid(), getgid()); - - userInfo = getpwnam(tConfig->uid); - groupInfo = getgrnam(tConfig->gid); - - if (!userInfo || !groupInfo) - { - Log(lc, LOG_ERROR, "Unable to locate the user/group specified in the configuration."); - exit = EXIT_FAILURE; - goto finish; - } - else - { - Log(lc, LOG_DEBUG, "Found user/group information using getpwnam() and getgrnam()."); - } - /* Arguments to pass into the HTTP handler */ matrixArgs.lc = lc; matrixArgs.config = tConfig; @@ -377,9 +361,31 @@ main(int argc, char **argv) goto finish; } + Log(lc, LOG_DEBUG, "Running as uid:gid: %d:%d.", getuid(), getgid()); + + if (tConfig->uid && tConfig->gid) + { + userInfo = getpwnam(tConfig->uid); + groupInfo = getgrnam(tConfig->gid); + + if (!userInfo || !groupInfo) + { + Log(lc, LOG_ERROR, "Unable to locate the user/group specified in the configuration."); + exit = EXIT_FAILURE; + goto finish; + } + else + { + Log(lc, LOG_DEBUG, "Found user/group information using getpwnam() and getgrnam()."); + } + } + else + { + Log(lc, LOG_DEBUG, "No user/group info specified in the config."); + } + if (getuid() == 0) { -#ifndef __OpenBSD__ if (chroot(".") == 0) { Log(lc, LOG_DEBUG, "Changed the root directory to: %s.", tConfig->dataDir); @@ -388,30 +394,41 @@ main(int argc, char **argv) { Log(lc, LOG_WARNING, "Unable to chroot into directory: %s.", tConfig->dataDir); } -#else - Log(lc, LOG_DEBUG, "Not attempting chroot() after pledge() and unveil()."); -#endif - if (setgid(groupInfo->gr_gid) != 0 || setuid(userInfo->pw_uid) != 0) + if (tConfig->uid && tConfig->gid) { - Log(lc, LOG_WARNING, "Unable to set process uid/gid."); + if (setgid(groupInfo->gr_gid) != 0 || setuid(userInfo->pw_uid) != 0) + { + Log(lc, LOG_ERROR, "Unable to set process uid/gid."); + exit = EXIT_FAILURE; + goto finish; + } + else + { + Log(lc, LOG_DEBUG, "Set uid/gid to %s:%s.", tConfig->uid, tConfig->gid); + } } else { - Log(lc, LOG_DEBUG, "Set uid/gid to %s:%s.", tConfig->uid, tConfig->gid); + Log(lc, LOG_WARNING, "We are running as root, and we are not dropping to another user"); + Log(lc, LOG_WARNING, "because none was specified in the configuration file."); + Log(lc, LOG_WARNING, "This is probably a security issue."); } } else { - Log(lc, LOG_DEBUG, "Not changing root directory, because we are not root."); + Log(lc, LOG_WARNING, "Not setting root directory, because we are not root."); - if (getuid() != userInfo->pw_uid || getgid() != groupInfo->gr_gid) + if (tConfig->uid && tConfig->gid) { - Log(lc, LOG_WARNING, "Not running as the uid/gid specified in the configuration."); - } - else - { - Log(lc, LOG_DEBUG, "Running as the uid/gid specified in the configuration."); + if (getuid() != userInfo->pw_uid || getgid() != groupInfo->gr_gid) + { + Log(lc, LOG_WARNING, "Not running as the uid/gid specified in the configuration."); + } + else + { + Log(lc, LOG_DEBUG, "Running as the uid/gid specified in the configuration."); + } } } diff --git a/src/TelodendriaConfig.c b/src/TelodendriaConfig.c index ed009b0..cec9077 100644 --- a/src/TelodendriaConfig.c +++ b/src/TelodendriaConfig.c @@ -157,24 +157,37 @@ TelodendriaConfigParse(HashMap * config, LogConfig * lc) tConfig->identityServer = NULL; } - GET_DIRECTIVE("id"); - ASSERT_NO_CHILDREN("id"); - COPY_VALUE(tConfig->uid, 0); + directive = (ConfigDirective *) HashMapGet(config, "id"); + children = ConfigChildrenGet(directive); + value = ConfigValuesGet(directive); - switch (ArraySize(value)) + ASSERT_NO_CHILDREN("id"); + + if (directive) { - case 1: - Log(lc, LOG_WARNING, "No run group specified; assuming it's the same as the user."); - tConfig->gid = UtilStringDuplicate(tConfig->uid); - break; - case 2: - COPY_VALUE(tConfig->gid, 1); - break; - default: - Log(lc, LOG_ERROR, - "Wrong value count in directive 'id': got '%d', but expected 1 or 2.", - ArraySize(value)); - goto error; + + switch (ArraySize(value)) + { + case 1: + Log(lc, LOG_WARNING, "No run group specified; assuming it's the same as the user."); + COPY_VALUE(tConfig->uid, 0); + tConfig->gid = UtilStringDuplicate(tConfig->uid); + break; + case 2: + COPY_VALUE(tConfig->uid, 0); + COPY_VALUE(tConfig->gid, 1); + break; + default: + Log(lc, LOG_ERROR, + "Wrong value count in directive 'id': got '%d', but expected 1 or 2.", + ArraySize(value)); + goto error; + } + } + else + { + tConfig->uid = NULL; + tConfig->gid = NULL; } GET_DIRECTIVE("data-dir");