miniroon

Simplistic macaroon-based authorization for Unix systems

commit c7890bbe0a836b61dd6052cd6d468080d850d58e
parent f724fcf66ad2f1cf9d9d51a379aae2346d9caf56
Author: Jan Pobrislo <ccx@te2000.cz>
Date:   Tue, 27 Aug 2024 16:42:47 +0000

Exec argv in ucspi-socketserver

Diffstat:
Msrc/Makefile | 13++++++++++---
Msrc/ucspi-socksserver-access.c | 52++++++++++++++++++++++++++++++++++++++--------------
Msrc/ucspi-socksserver.c | 13++++---------
3 files changed, 52 insertions(+), 26 deletions(-)

diff --git a/src/Makefile b/src/Makefile
@@ -2,7 +2,10 @@ tools_simple:=argv0exec nosuid pidns_run safelink spawn-pty fdsend fdrecv fdrecvto socketpair ptsname mtime_to_uuidv7 ucspi-socksserver ucspi-socksserver-connected
 tools_libcap:=applyuidgid-caps
-tools=$(tools_simple) $(tools_libcap)
+
+tools_libs6:=ucspi-socksserver-access
+
+tools=$(tools_simple) $(tools_libcap) $(tools_libs6)
 all: $(tools)
 .PHONY: all
@@ -18,13 +21,17 @@ define link_simple =
 $(1): $(1).o ../link
 ../link -o '$$@' '$(1).o'
 endef
-
 $(foreach var,$(tools_simple),$(eval $(call link_simple,$(var))))
 define link_libcap =
 $(1): $(1).o ../link
 ../link -o '$$@' '$(1).o' -lcap
 endef
-
 $(foreach var,$(tools_libcap),$(eval $(call link_libcap,$(var))))
+define link_libs6 =
+$(1): $(1).o ../link
+../link -o '$$@' '$(1).o' -ls6
+endef
+$(foreach var,$(tools_libs6),$(eval $(call link_libs6,$(var))))
+
diff --git a/src/ucspi-socksserver-access.c b/src/ucspi-socksserver-access.c
@@ -26,8 +26,11 @@ typedef struct app_options_s {
 char const * port;
 char const * addr_type;
 char const * addr;
+ unsigned char socks_version;
 } app_options;
+const app_options const * options = NULL;
+
 typedef struct check_result_s {
 s6_accessrules_result_t accepted;
 s6_accessrules_params_t params;
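Review bot: `const app_options const * options = NULL;` spells the qualifier twice, which gcc and clang diagnose as a duplicate `const`, and it reads as if the pointer itself were immutable although main assigns it later in this commit (`options = &opt;`). `app_options const *options = NULL;` is the intended declaration. Since the pointee is presumably a local of main, a comment such as `/* points at main()'s app_options; only valid while main is running */` would record that lifetime for the helpers that dereference it.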
@@ -81,22 +84,29 @@ void socks4_reply_fail()
 close(1);
 }
+void socks_reply_fail_generic(socks5_reply_t status) {
+ if (options->socks_version == 5) {
+ socks5_reply_fail(status);
+ } else {
+ socks4_reply_fail();
+ }
+}
-void check_access_ip(app_options *opt, check_result *result) {
+void check_access_ip(check_result *result) {
 ip46 ip;
- if (!ip46_scan(opt->addr_type, &ip)) {
+ if (!ip46_scan(options->addr, &ip)) {
 strerr_dieinvalid(100, "SOCKS_ADDR") ;
 }
- switch (opt->rulestype)
+ switch (options->rulestype)
 {
 case 1 :
- result->accepted = s6_accessrules_ip46_fs(&ip, (void *)opt->rules, &result->params);
+ result->accepted = s6_accessrules_ip46_fs(&ip, (void *)options->rules, &result->params);
 break;
 case 2 :
 {
 cdb c = CDB_ZERO ;
- if (!cdb_init(&c, opt->rules)) {
- strerr_diefu2sys(111, "cdb_init ", opt->rules);
+ if (!cdb_init(&c, options->rules)) {
+ strerr_diefu2sys(111, "cdb_init ", options->rules);
 }
 result->accepted = s6_accessrules_ip46_cdb(&ip, &c, &result->params);
 if (result->accepted == S6_ACCESSRULES_ALLOW) {
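Review bot: `socks_reply_fail_generic` dereferences the file-scope `options` pointer unconditionally, and that pointer stays NULL until main assigns it after parsing the environment, so any failure path that reaches this function earlier would crash rather than reply. A precondition comment above the definition, `/* requires options to be set by main(); do not call before the environment has been parsed */`, makes that contract visible to the next caller. The version test is `== 5` with SOCKS4 as the fallback, so the function also relies on main having rejected every other SOCKS_VERSION value.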
@@ -108,19 +118,19 @@ void check_access_ip(app_options *opt, check_result *result) {
 }
 }
-s6_accessrules_result_t check_access_dns(app_options *opt, check_result *result) {
- switch (opt->rulestype)
+s6_accessrules_result_t check_access_dns(check_result *result) {
+ switch (options->rulestype)
 {
 case 1 :
- result->accepted = s6_accessrules_reversedns_fs(opt->addr, (void *)opt->rules, &result->params);
+ result->accepted = s6_accessrules_reversedns_fs(options->addr, (void *)options->rules, &result->params);
 break;
 case 2 :
 {
 cdb c = CDB_ZERO ;
- if (!cdb_init(&c, opt->rules)) {
- strerr_diefu2sys(111, "cdb_init ", opt->rules);
+ if (!cdb_init(&c, options->rules)) {
+ strerr_diefu2sys(111, "cdb_init ", options->rules);
 }
- result->accepted = s6_accessrules_reversedns_cdb(opt->addr, &c, &result->params);
+ result->accepted = s6_accessrules_reversedns_cdb(options->addr, &c, &result->params);
 if (result->accepted == S6_ACCESSRULES_ALLOW) {
 cdb_free(&c);
 }
@@ -155,10 +165,21 @@ int main (int argc, char const *const *argv)
 if (!argc) dieusage() ;
 if (!*argv[0]) dieusage() ;
+ char const * env_socks_version = required_getenv("SOCKS_VERSION");
+ if(strcmp(env_socks_version, "4") == 0) {
+ opt.socks_version = 5;
+ } else if (strcmp(env_socks_version, "5") == 0) {
+ opt.socks_version = 5;
+ } else {
+ strerr_dieinvalid(100, "SOCKS_VERSION") ;
+ }
+
 opt.port = required_getenv("SOCKS_PORT");
 opt.addr_type = required_getenv("SOCKS_ADDR_TYPE");
 opt.addr = required_getenv("SOCKS_ADDR");
+
+ options = &opt;
+
 if(opt.rulestype == 0) {
 xexec(argv);
 }
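Review bot: The SOCKS_VERSION parsing in main assigns `opt.socks_version = 5` in both branches, so a client that connected with SOCKS4 (`SOCKS_VERSION=4`) is later answered by `socks_reply_fail_generic` with a SOCKS5 reply it cannot parse; the first branch should read `opt.socks_version = 4;`. The rest of main, including the declaration of `opt`, lies outside the hunk.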
@@ -166,22 +187,25 @@ int main (int argc, char const *const *argv)
 check_result result = { S6_ACCESSRULES_ALLOW, S6_ACCESSRULES_PARAMS_ZERO };
 if(strcmp(opt.addr_type, "dns") == 0) {
- check_access_dns(&opt, &result);
+ check_access_dns(&result);
 } else if ( strcmp(opt.addr_type, "ip4") == 0 || strcmp(opt.addr_type, "ip6") == 0) {
- check_access_ip(&opt, &result);
+ check_access_ip(&result);
 } else {
 strerr_dieinvalid(100, "SOCKS_ADDR_TYPE") ;
 }
 switch (result.accepted)
 {
 case S6_ACCESSRULES_ERROR:
+ socks_reply_fail_generic(SOCKS5_REPLY_ERR_GENERAL);
 strerr_diefu6sys(111, "check ", rulestypestr[opt.rulestype], " ruleset for ", opt.addr_type, " in ", opt.rules);
 case S6_ACCESSRULES_ALLOW:
 break ;
 case S6_ACCESSRULES_DENY:
+ socks_reply_fail_generic(SOCKS5_REPLY_ERR_FORBIDDEN);
 // if (verbosity >= 2) log_deny(getpid(), &remoteip) ;
 return 1;
 case S6_ACCESSRULES_NOTFOUND:
+ socks_reply_fail_generic(SOCKS5_REPLY_ERR_FORBIDDEN);
 // if (flagdnslookup) {
 // break;
 // }
diff --git a/src/ucspi-socksserver.c b/src/ucspi-socksserver.c
@@ -31,10 +31,13 @@ void socks5_command(socks5_request_header *rhdr);
 void handle_socks4(void);
 void do_connect(unsigned char socks_version, socks5_addr_type_t addr_type, char *buf, unsigned short int port);
+char const *const *new_argv = NULL;
+
 int main (int argc, char const *const *argv)
 {
 fd_block(STDIN_FILENO);
 fd_block(STDOUT_FILENO);
+ new_argv = argv+1;
 interact();
 }
@@ -333,14 +336,6 @@ void do_connect(unsigned char socks_version, socks5_addr_type_t addr_type, char
 snprintf(port_string, sizeof(port_string), "%d", port);
 xenv("SOCKS_PORT", port_string);
- const char *argv[] = {
- "importas", "-i", "SOCKS_ADDR", "SOCKS_ADDR",
- "importas", "-i", "SOCKS_PORT", "SOCKS_PORT",
- "s6-tcpclient", "-v", "$SOCKS_ADDR", "$SOCKS_PORT",
- "ucspi-socksserver-connected", "s6-ioconnect",
- 0
- };
-
 switch (addr_type) {
 case SOCKS5_ADDR_TYPE_IP4:
 socks_env_ip4(buf);
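Review bot: `new_argv = argv+1;` in main is stored without checking that a command to exec was actually given, so when ucspi-socksserver is started with no arguments `new_argv` points at argv's terminating NULL and the `xmexec(new_argv)` in the -356,7 hunk execs an empty vector only after the client's request has been accepted and the SOCKS_* environment has been set. Failing at startup is the right place, e.g. `if (argc < 2) strerr_dieusage(100, USAGE);` with USAGE standing for a usage string to add. Since the fixed importas/s6-tcpclient pipeline is removed in the -333,14 hunk, a comment on the global such as `/* command exec'd for each accepted connection, taken from argv[1..]; it receives the SOCKS_* environment set in do_connect */` would document the contract the caller now has to meet.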
@@ -356,7 +351,7 @@ void do_connect(unsigned char socks_version, socks5_addr_type_t addr_type, char
 }
 log_connect(socks_version, addr_type, buf, port);
- xmexec(argv);
+ xmexec(new_argv);
 }
 /* vim: sw=4 sts=4 et