/* * Copyright (c) 2016-2023, OARC, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. Neither the name of the copyright holder nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #include "config.h" #include "daemon.h" #include "log.h" #include "memzero.h" void drop_privileges(void) { struct rlimit rss; struct passwd pwd; struct passwd* result = 0; size_t pwdBufSize; char* pwdBuf; unsigned int s; uid_t oldUID = getuid(); uid_t oldGID = getgid(); uid_t dropUID; gid_t dropGID; const char* user; struct group* grp = 0; /* * Security: getting UID and GUID for nobody */ pwdBufSize = sysconf(_SC_GETPW_R_SIZE_MAX); if (pwdBufSize == -1) pwdBufSize = 16384; pwdBuf = calloc(pwdBufSize, sizeof(char)); if (pwdBuf == NULL) { fprintf(stderr, "unable to allocate buffer for pwdBuf\n"); exit(1); } user = options.user ? options.user : DROPTOUSER; if (options.group) { if (!(grp = getgrnam(options.group))) { if (errno) { fprintf(stderr, "Unable to get group %s: %s\n", options.group, strerror(errno)); } else { fprintf(stderr, "Group %s not found, existing.\n", options.group); } exit(1); } } s = getpwnam_r(user, &pwd, pwdBuf, pwdBufSize, &result); if (result == NULL) { if (s == 0) { fprintf(stderr, "User %s not found, exiting.\n", user); exit(1); } else { fprintf(stderr, "issue with getpwnnam_r call, exiting.\n"); exit(1); } } dropUID = pwd.pw_uid; dropGID = grp ? grp->gr_gid : pwd.pw_gid; dnscap_memzero(pwdBuf, pwdBufSize); free(pwdBuf); /* * Security section: setting memory limit and dropping privileges to nobody */ getrlimit(RLIMIT_DATA, &rss); if (mem_limit_set) { rss.rlim_cur = mem_limit; rss.rlim_max = mem_limit; if (setrlimit(RLIMIT_DATA, &rss) == -1) { fprintf(stderr, "Unable to set the memory limit, exiting\n"); exit(1); } } #if HAVE_SETRESGID if (setresgid(dropGID, dropGID, dropGID) < 0) { fprintf(stderr, "Unable to drop GID to %s: %s\n", options.group ? options.group : user, strerror(errno)); exit(1); } #elif HAVE_SETREGID if (setregid(dropGID, dropGID) < 0) { fprintf(stderr, "Unable to drop GID to %s: %s\n", options.group ? options.group : user, strerror(errno)); exit(1); } #elif HAVE_SETEGID if (setegid(dropGID) < 0) { fprintf(stderr, "Unable to drop GID to %s: %s\n", options.group ? options.group : user, strerror(errno)); exit(1); } #endif #if HAVE_INITGROUPS if (initgroups(pwd.pw_name, dropGID) < 0) { fprintf(stderr, "Unable to init supplemental groups for %s: %s\n", user, strerror(errno)); exit(1); } #elif HAVE_SETGROUPS if (setgroups(0, NULL) < 0) { fprintf(stderr, "Unable to drop supplemental groups: %s\n", strerror(errno)); exit(1); } #endif #if HAVE_SETRESUID if (setresuid(dropUID, dropUID, dropUID) < 0) { fprintf(stderr, "Unable to drop UID to %s: %s\n", user, strerror(errno)); exit(1); } #elif HAVE_SETREUID if (setreuid(dropUID, dropUID) < 0) { fprintf(stderr, "Unable to drop UID to %s: %s\n", user, strerror(errno)); exit(1); } #elif HAVE_SETEUID if (seteuid(dropUID) < 0) { fprintf(stderr, "Unable to drop UID to %s: %s\n", user, strerror(errno)); exit(1); } #endif /* * Testing if privileges are dropped */ if (oldGID != getgid() && (setgid(oldGID) == 1 && setegid(oldGID) != 1)) { fprintf(stderr, "Able to restore back to root, exiting.\n"); fprintf(stderr, "currentUID:%u currentGID:%u\n", getuid(), getgid()); exit(1); } if ((oldUID != getuid() && getuid() == 0) && (setuid(oldUID) != 1 && seteuid(oldUID) != 1)) { fprintf(stderr, "Able to restore back to root, exiting.\n"); fprintf(stderr, "currentUID:%u currentGID:%u\n", getgid(), getgid()); exit(1); } #ifdef USE_SECCOMP if (use_seccomp == FALSE) { return; } #if 0 /* * Setting SCMP_ACT_TRAP means the process will get * a SIGSYS signal when a bad syscall is executed * This is for debugging and should be monitored. */ scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP); #endif /* * SCMP_ACT_KILL tells the kernel to kill the process * when a syscall we did not filter on is called. * This should be uncommented in production. */ scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); if (ctx == NULL) { fprintf(stderr, "Unable to create seccomp-bpf context\n"); exit(1); } int r = 0; r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0); r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(uname), 0); r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0); r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0); r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0); r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0); r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(select), 0); r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat), 0); if (r != 0) { fprintf(stderr, "Unable to apply seccomp-bpf filter\n"); seccomp_release(ctx); exit(1); } r = seccomp_load(ctx); if (r < 0) { seccomp_release(ctx); fprintf(stderr, "Unable to load seccomp-bpf filter\n"); exit(1); } #endif } void write_pid_file(void) { FILE* fp; int fd, flags; struct flock lock; if (!options.pid_file) return; if ((fd = open(options.pid_file, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR)) == -1) { fprintf(stderr, "unable to open PID file %s: %s", options.pid_file, strerror(errno)); exit(1); } if ((flags = fcntl(fd, F_GETFD)) == -1) { fprintf(stderr, "unable to get PID file flags: %s", strerror(errno)); exit(1); } flags |= FD_CLOEXEC; if (fcntl(fd, F_SETFD, flags) == 1) { fprintf(stderr, "unable to set PID file flags: %s", strerror(errno)); exit(1); } lock.l_type = F_WRLCK; lock.l_whence = SEEK_SET; lock.l_start = 0; lock.l_len = 0; if (fcntl(fd, F_SETLK, &lock) == -1) { if (errno == EACCES || errno == EAGAIN) { fprintf(stderr, "PID file locked by other process"); exit(1); } fprintf(stderr, "unable to lock PID file: %s", strerror(errno)); exit(1); } if (ftruncate(fd, 0) == -1) { fprintf(stderr, "unable to truncate PID file: %s", strerror(errno)); exit(1); } fp = fdopen(fd, "w"); if (!fp || fprintf(fp, "%d\n", getpid()) < 1 || fflush(fp)) { fprintf(stderr, "unable to write to PID file: %s", strerror(errno)); exit(1); } } void daemonize(void) { pid_t pid; #ifdef TIOCNOTTY int i; #endif if ((pid = fork()) < 0) { logerr("fork failed: %s", strerror(errno)); exit(1); } else if (pid > 0) exit(0); write_pid_file(); openlog("dnscap", 0, LOG_DAEMON); if (setsid() < 0) { logerr("setsid failed: %s", strerror(errno)); exit(1); } #ifdef TIOCNOTTY if ((i = open("/dev/tty", O_RDWR)) >= 0) { ioctl(i, TIOCNOTTY, NULL); close(i); } #endif logerr("Backgrounded as pid %u", getpid()); }