tincd.c -- the main file for tincd
Copyright (C) 1998-2005 Ivo Timmermans
2000-2009 Guus Sliepen <guus@tinc-vpn.org>
+ 2009 Michael Tokarev <mjt@tls.msk.ru>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-
- $Id$
*/
#include "system.h"
#include LZO1X_H
+#ifndef HAVE_MINGW
+#include <pwd.h>
+#include <grp.h>
+#include <time.h>
+#endif
+
#include <getopt.h>
#include "pidfile.h"
/* If nonzero, disable swapping for this process. */
bool do_mlock = false;
+/* If nonzero, chroot to netdir after startup. */
+static bool do_chroot = false;
+
+/* If !NULL, do setuid to given user after startup */
+static const char *switchuser = NULL;
+
/* If nonzero, write log entries to a separate file. */
bool use_logfile = false;
{"debug", optional_argument, NULL, 'd'},
{"bypass-security", no_argument, NULL, 3},
{"mlock", no_argument, NULL, 'L'},
+ {"chroot", no_argument, NULL, 'R'},
+ {"user", required_argument, NULL, 'U'},
{"logfile", optional_argument, NULL, 4},
{"pidfile", required_argument, NULL, 5},
{NULL, 0, NULL, 0}
#ifdef HAVE_MINGW
static struct WSAData wsa_state;
+CRITICAL_SECTION mutex;
#endif
static void usage(bool status)
" -L, --mlock Lock tinc into main memory.\n"
" --logfile[=FILENAME] Write log entries to a logfile.\n"
" --pidfile=FILENAME Write PID to FILENAME.\n"
+ " -R, --chroot chroot to NET dir at startup.\n"
+ " -U, --user=USER setuid to given USER at startup.\n"
" --help Display this help and exit.\n"
" --version Output version information and exit.\n\n"));
printf(_("Report bugs to tinc@tinc-vpn.org.\n"));
int r;
int option_index = 0;
- while((r = getopt_long(argc, argv, "c:DLd::k::n:K::", long_options, &option_index)) != EOF) {
+ while((r = getopt_long(argc, argv, "c:DLd::k::n:K::RU:", long_options, &option_index)) != EOF) {
switch (r) {
case 0: /* long option */
break;
break;
case 'L': /* no detach */
+#ifndef HAVE_MLOCKALL
+ logger(LOG_ERR, _("%s not supported on this platform"), "mlockall()");
+ return false;
+#else
do_mlock = true;
break;
+#endif
case 'd': /* inc debug level */
if(optarg)
generate_keys &= ~7; /* Round it to bytes */
} else
- generate_keys = 1024;
+ generate_keys = 2048;
+ break;
+
+ case 'R': /* chroot to NETNAME dir */
+ do_chroot = true;
+ break;
+
+ case 'U': /* setuid to USER */
+ switchuser = optarg;
break;
case 1: /* show help */
} else
fprintf(stderr, _("Done.\n"));
- asprintf(&filename, "%s/rsa_key.priv", confbase);
+ xasprintf(&filename, "%s/rsa_key.priv", confbase);
f = ask_and_open(filename, _("private RSA key"));
if(!f)
free(filename);
if(name)
- asprintf(&filename, "%s/hosts/%s", confbase, name);
+ xasprintf(&filename, "%s/hosts/%s", confbase, name);
else
- asprintf(&filename, "%s/rsa_key.pub", confbase);
+ xasprintf(&filename, "%s/rsa_key.pub", confbase);
f = ask_and_open(filename, _("public RSA key"));
#endif
if(netname)
- asprintf(&identname, "tinc.%s", netname);
+ xasprintf(&identname, "tinc.%s", netname);
else
identname = xstrdup("tinc");
if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\tinc", 0, KEY_READ, &key)) {
if(!RegQueryValueEx(key, NULL, 0, 0, installdir, &len)) {
if(!logfilename)
- asprintf(&logfilename, "%s/log/%s.log", identname);
+ xasprintf(&logfilename, "%s/log/%s.log", identname);
if(!confbase) {
if(netname)
- asprintf(&confbase, "%s/%s", installdir, netname);
+ xasprintf(&confbase, "%s/%s", installdir, netname);
else
- asprintf(&confbase, "%s", installdir);
+ xasprintf(&confbase, "%s", installdir);
}
}
RegCloseKey(key);
#endif
if(!pidfilename)
- asprintf(&pidfilename, LOCALSTATEDIR "/run/%s.pid", identname);
+ xasprintf(&pidfilename, LOCALSTATEDIR "/run/%s.pid", identname);
if(!logfilename)
- asprintf(&logfilename, LOCALSTATEDIR "/log/%s.log", identname);
+ xasprintf(&logfilename, LOCALSTATEDIR "/log/%s.log", identname);
if(netname) {
if(!confbase)
- asprintf(&confbase, CONFDIR "/tinc/%s", netname);
+ xasprintf(&confbase, CONFDIR "/tinc/%s", netname);
else
logger(LOG_INFO, _("Both netname and configuration directory given, using the latter..."));
} else {
if(!confbase)
- asprintf(&confbase, CONFDIR "/tinc");
+ xasprintf(&confbase, CONFDIR "/tinc");
}
}
if (confbase) free(confbase);
}
+static bool drop_privs() {
+#ifdef HAVE_MINGW
+ if (switchuser) {
+ logger(LOG_ERR, _("%s not supported on this platform"), "-U");
+ return false;
+ }
+ if (do_chroot) {
+ logger(LOG_ERR, _("%s not supported on this platform"), "-R");
+ return false;
+ }
+#else
+ uid_t uid = 0;
+ if (switchuser) {
+ struct passwd *pw = getpwnam(switchuser);
+ if (!pw) {
+ logger(LOG_ERR, _("unknown user `%s'"), switchuser);
+ return false;
+ }
+ uid = pw->pw_uid;
+ if (initgroups(switchuser, pw->pw_gid) != 0 ||
+ setgid(pw->pw_gid) != 0) {
+ logger(LOG_ERR, _("System call `%s' failed: %s"),
+ "initgroups", strerror(errno));
+ return false;
+ }
+ endgrent();
+ endpwent();
+ }
+ if (do_chroot) {
+ tzset(); /* for proper timestamps in logs */
+ if (chroot(confbase) != 0 || chdir("/") != 0) {
+ logger(LOG_ERR, _("System call `%s' failed: %s"),
+ "chroot", strerror(errno));
+ return false;
+ }
+ free(confbase);
+ confbase = xstrdup("");
+ }
+ if (switchuser)
+ if (setuid(uid) != 0) {
+ logger(LOG_ERR, _("System call `%s' failed: %s"),
+ "setuid", strerror(errno));
+ return false;
+ }
+#endif
+ return true;
+}
+
+#ifdef HAVE_MINGW
+# define setpriority(level) SetPriorityClass(GetCurrentProcess(), level)
+#else
+# define NORMAL_PRIORITY_CLASS 0
+# define BELOW_NORMAL_PRIORITY_CLASS 10
+# define HIGH_PRIORITY_CLASS -10
+# define setpriority(level) nice(level)
+#endif
+
int main(int argc, char **argv)
{
program_name = argv[0];
openlogger("tinc", use_logfile?LOGMODE_FILE:LOGMODE_STDERR);
- /* Lock all pages into memory if requested */
-
- if(do_mlock)
-#ifdef HAVE_MLOCKALL
- if(mlockall(MCL_CURRENT | MCL_FUTURE)) {
- logger(LOG_ERR, _("System call `%s' failed: %s"), "mlockall",
- strerror(errno));
-#else
- {
- logger(LOG_ERR, _("mlockall() not supported on this platform!"));
-#endif
- return -1;
- }
-
g_argv = argv;
init_configuration(&config_tree);
int main2(int argc, char **argv)
{
+ InitializeCriticalSection(&mutex);
+ EnterCriticalSection(&mutex);
#endif
if(!detach())
return 1;
-
+
+#ifdef HAVE_MLOCKALL
+ /* Lock all pages into memory if requested.
+ * This has to be done after daemon()/fork() so it works for child.
+ * No need to do that in parent as it's very short-lived. */
+ if(do_mlock && mlockall(MCL_CURRENT | MCL_FUTURE) != 0) {
+ logger(LOG_ERR, _("System call `%s' failed: %s"), "mlockall",
+ strerror(errno));
+ return 1;
+ }
+#endif
/* Setup sockets and open device. */
- if(!setup_network_connections())
+ if(!setup_network())
+ goto end;
+
+ /* Initiate all outgoing connections. */
+
+ try_outgoing_connections();
+
+ /* Change process priority */
+
+ char *priority = 0;
+
+ if(get_config_string(lookup_config(config_tree, "ProcessPriority"), &priority)) {
+ if(!strcasecmp(priority, "Normal"))
+ setpriority(NORMAL_PRIORITY_CLASS);
+ else if(!strcasecmp(priority, "Low"))
+ setpriority(BELOW_NORMAL_PRIORITY_CLASS);
+ else if(!strcasecmp(priority, "High"))
+ setpriority(HIGH_PRIORITY_CLASS);
+ else {
+ logger(LOG_ERR, _("Invalid priority `%s`!"), priority);
+ goto end;
+ }
+ }
+
+ /* drop privileges */
+ if (!drop_privs())
goto end;
/* Start main loop. It only exits when tinc is killed. */
exit_configuration(&config_tree);
free_names();
-
+
return status;
}