Commit d3a3f0e6 authored by Jan Včelák's avatar Jan Včelák 🚀

Merge branch 'too_early_priv_drop' into 'master'

parents 7c0f189a ad487518
......@@ -35,7 +35,7 @@ const error_table_t knot_error_msgs[] = {
{ KNOT_ECONNREFUSED, "Connection refused." },
{ KNOT_EISCONN, "Already connected." },
{ KNOT_EADDRINUSE, "Address already in use." },
{ KNOT_ENOENT, "Resource not found." },
{ KNOT_ENOENT, "Not exists." },
{ KNOT_ERANGE, "Value is out of range." },
/* General errors. */
......
......@@ -76,6 +76,16 @@ static void conf_init_iface(void *scanner, char* ifname)
this_iface->name = ifname;
}
static void conf_set_iface(void *scanner, struct sockaddr_storage *ss, int family, char* addr, int port)
{
int ret = sockaddr_set(ss, family, addr, port);
if (ret != KNOT_EOK) {
cf_error(scanner, "invalid address for '%s': %s@%d\n",
this_iface->name, addr, port);
}
free(addr);
}
static void conf_start_iface(void *scanner, char* ifname)
{
conf_init_iface(scanner, ifname);
......@@ -525,20 +535,16 @@ interface:
}
}
| interface ADDRESS IPA ';' {
sockaddr_set(&this_iface->addr, AF_INET, $3.t, CONFIG_DEFAULT_PORT);
free($3.t);
conf_set_iface(scanner, &this_iface->addr, AF_INET, $3.t, CONFIG_DEFAULT_PORT);
}
| interface ADDRESS IPA '@' NUM ';' {
sockaddr_set(&this_iface->addr, AF_INET, $3.t, $5.i);
free($3.t);
conf_set_iface(scanner, &this_iface->addr, AF_INET, $3.t, $5.i);
}
| interface ADDRESS IPA6 ';' {
sockaddr_set(&this_iface->addr, AF_INET6, $3.t, CONFIG_DEFAULT_PORT);
free($3.t);
conf_set_iface(scanner, &this_iface->addr, AF_INET6, $3.t, CONFIG_DEFAULT_PORT);
}
| interface ADDRESS IPA6 '@' NUM ';' {
sockaddr_set(&this_iface->addr, AF_INET, $3.t, $5.i);
free($3.t);
conf_set_iface(scanner, &this_iface->addr, AF_INET6, $3.t, $5.i);
}
;
......@@ -701,34 +707,28 @@ remote:
}
}
| remote ADDRESS IPA ';' {
sockaddr_set(&this_remote->addr, AF_INET, $3.t, CONFIG_DEFAULT_PORT);
conf_set_iface(scanner, &this_remote->addr, AF_INET, $3.t, CONFIG_DEFAULT_PORT);
this_remote->prefix = IPV4_PREFIXLEN;
free($3.t);
}
| remote ADDRESS IPA '/' NUM ';' {
sockaddr_set(&this_remote->addr, AF_INET, $3.t, 0);
conf_set_iface(scanner, &this_remote->addr, AF_INET, $3.t, 0);
SET_NUM(this_remote->prefix, $5.i, 0, IPV4_PREFIXLEN, "prefix length");
free($3.t);
}
| remote ADDRESS IPA '@' NUM ';' {
sockaddr_set(&this_remote->addr, AF_INET, $3.t, $5.i);
conf_set_iface(scanner, &this_remote->addr, AF_INET, $3.t, $5.i);
this_remote->prefix = IPV4_PREFIXLEN;
free($3.t);
}
| remote ADDRESS IPA6 ';' {
sockaddr_set(&this_remote->addr, AF_INET6, $3.t, CONFIG_DEFAULT_PORT);
conf_set_iface(scanner, &this_remote->addr, AF_INET6, $3.t, CONFIG_DEFAULT_PORT);
this_remote->prefix = IPV6_PREFIXLEN;
free($3.t);
}
| remote ADDRESS IPA6 '/' NUM ';' {
sockaddr_set(&this_remote->addr, AF_INET6, $3.t, 0);
conf_set_iface(scanner, &this_remote->addr, AF_INET6, $3.t, 0);
SET_NUM(this_remote->prefix, $5.i, 0, IPV6_PREFIXLEN, "prefix length");
free($3.t);
}
| remote ADDRESS IPA6 '@' NUM ';' {
sockaddr_set(&this_remote->addr, AF_INET6, $3.t, $5.i);
conf_set_iface(scanner, &this_remote->addr, AF_INET6, $3.t, $5.i);
this_remote->prefix = IPV6_PREFIXLEN;
free($3.t);
}
| remote KEY TEXT ';' {
if (this_remote->key != 0) {
......@@ -739,12 +739,10 @@ remote:
free($3.t);
}
| remote VIA IPA ';' {
sockaddr_set(&this_remote->via, AF_INET, $3.t, 0);
free($3.t);
conf_set_iface(scanner, &this_remote->via, AF_INET, $3.t, 0);
}
| remote VIA IPA6 ';' {
sockaddr_set(&this_remote->via, AF_INET6, $3.t, 0);
free($3.t);
conf_set_iface(scanner, &this_remote->via, AF_INET6, $3.t, 0);
}
| remote VIA TEXT ';' {
conf_remote_set_via(scanner, $3.t);
......
......@@ -817,21 +817,15 @@ const char* conf_find_default()
int conf_open(const char* path)
{
/* Check path. */
if (!path) {
return KNOT_EINVAL;
}
/* Find real path of the config file */
char *config_realpath = realpath(path, NULL);
if (config_realpath == NULL) {
return KNOT_ENOMEM;
return knot_map_errno(EINVAL, ENOENT);
}
/* Check if exists. */
struct stat st;
if (stat(config_realpath, &st) != 0) {
return KNOT_ENOENT;
/* Check if accessible. */
if (access(path, F_OK | R_OK) != 0) {
return KNOT_EACCES;
}
/* Create new config. */
......
......@@ -262,40 +262,51 @@ int main(int argc, char **argv)
knot_crypto_init_threads();
atexit(knot_crypto_deinit);
/* Initialize log. */
log_init();
/* Verbose mode. */
if (verbose) {
int mask = LOG_MASK(LOG_INFO)|LOG_MASK(LOG_DEBUG);
log_levels_add(LOGT_STDOUT, LOG_ANY, mask);
}
/* Initialize pseudorandom number generator. */
srand(time(NULL));
/* POSIX 1003.1e capabilities. */
setup_capabilities();
/* Default logging to std out/err. */
log_init();
/* Open configuration. */
log_server_info("Reading configuration '%s' ...\n", config_fn);
int conf_ret = conf_open(config_fn);
int res = conf_open(config_fn);
conf_t *config = conf();
if (conf_ret != KNOT_EOK) {
if (conf_ret == KNOT_ENOENT) {
log_server_error("Couldn't open configuration file "
"'%s'.\n", config_fn);
} else {
log_server_error("Failed to load configuration '%s'.\n",
config_fn);
}
if (res != KNOT_EOK) {
log_server_fatal("Couldn't load configuration '%s': %s\n",
config_fn, knot_strerror(res));
return EXIT_FAILURE;
}
/* Initialize logging subsystem.
* @note We're logging since now. */
log_reconfigure(config, NULL);
conf_add_hook(config, CONF_LOG, log_reconfigure, NULL);
/* Initialize server. */
server_t server;
res = server_init(&server);
if (res != KNOT_EOK) {
log_server_fatal("Could not initialize server: %s\n",
knot_strerror(res));
log_close();
return EXIT_FAILURE;
}
/* Reconfigure server interfaces.
* @note This MUST be done before we drop privileges. */
server_reconfigure(config, &server);
conf_add_hook(config, CONF_ALL, server_reconfigure, &server);
log_server_info("Configured %zu interfaces and %zu zones.\n",
list_size(&config->ifaces), hattrie_weight(config->zones));
/* Alter privileges. */
log_update_privileges(config->uid, config->gid);
if (proc_update_privileges(config->uid, config->gid) != KNOT_EOK) {
server_deinit(&server);
log_close();
return EXIT_FAILURE;
}
......@@ -306,6 +317,8 @@ int main(int argc, char **argv)
if (daemonize) {
pidfile = pid_check_and_create();
if (pidfile == NULL) {
server_deinit(&server);
log_close();
return EXIT_FAILURE;
}
......@@ -329,28 +342,6 @@ int main(int argc, char **argv)
/* Now we're going multithreaded. */
rcu_register_thread();
/* Initialize configuration hooks. */
log_reconfigure(config, NULL);
conf_add_hook(config, CONF_LOG, log_reconfigure, NULL);
/* Initialize server. */
server_t server;
int res = server_init(&server);
if (res != KNOT_EOK) {
log_server_fatal("Could not initialize server: %s\n",
knot_strerror(res));
rcu_unregister_thread();
pid_cleanup(pidfile);
log_close();
return EXIT_FAILURE;
}
/* Reconfigure server interfaces. */
server_reconfigure(config, &server);
conf_add_hook(config, CONF_ALL, server_reconfigure, &server);
log_server_info("Configured %zu interfaces and %zu zones.\n",
list_size(&config->ifaces), hattrie_weight(config->zones));
/* Populate zone database and add reconfiguration hook. */
log_server_info("Loading zones...\n");
server_update_zones(config, &server);
......
......@@ -62,14 +62,6 @@ int net_unbound_socket(int type, struct sockaddr_storage *ss)
return socket;
}
/* Make the socket IPv6 only to allow 'any' for IPv4 and IPv6 at the same time. */
if (ss->ss_family == AF_INET6) {
/* Do not support mapping IPv4 in IPv6 sockets. */
int flag = 1;
(void) setsockopt(socket, IPPROTO_IPV6, IPV6_V6ONLY,
&flag, sizeof(flag));
}
return socket;
}
......@@ -94,6 +86,12 @@ int net_bound_socket(int type, struct sockaddr_storage *ss)
unlink(addr_str);
}
/* Make the socket IPv6 only to allow 'any' for IPv4 and IPv6 at the same time. */
if (ss->ss_family == AF_INET6) {
(void) setsockopt(socket, IPPROTO_IPV6, IPV6_V6ONLY,
&flag, sizeof(flag));
}
/* Bind to specified address. */
int ret = bind(socket, (struct sockaddr *)ss, sockaddr_len(ss));
if (ret < 0) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment